#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Security profile: host-based access rules.
# As written, the rules below
# - allow read access (GET, HEAD, OPTIONS) to all paths from any host
# - allow write access (PUT, POST, DELETE) only from hosts matching LOCAL
# - restrict the management paths (/solr update and admin, /system, /security,
#   /config, /transaction, /groovy, /database) to LOCAL
#
# Each rule is a "permission" (allow) or a "restriction" (deny) with a URL
# pattern, a method list, an optional host and a priority. Every LOCAL
# permission uses priority 5 and the matching restriction a lower one, so
# presumably the higher priority wins - confirm against the security service.
#
# NOTE(review): how LOCAL is resolved is not shown in this file. If the server
# sits behind a reverse proxy on the same machine, confirm that proxied
# requests are not seen as coming from LOCAL; otherwise every host-based rule
# below allows them.
# NOTE(review): most restrictions list only GET,POST,PUT,DELETE, while
# default_read permits GET,HEAD,OPTIONS on /.* at the same priority (2).
# Confirm (a) that a restriction wins a priority tie against default_read for
# GET, and (b) whether remote HEAD/OPTIONS on the management paths is meant to
# be allowed. Methods not listed in any rule (e.g. PATCH) are not covered
# here; check the service's default for unmatched requests.
# NOTE(review): patterns such as /system/.* require the trailing slash; confirm
# whether the bare path (e.g. /system) is matched elsewhere.

# a security rule to allow SOLR updates from localhost
security.permission.solr_local_update.pattern=/solr/.*/update
security.permission.solr_local_update.host=LOCAL
security.permission.solr_local_update.methods=GET,POST,PUT
security.permission.solr_local_update.priority=5
# a security rule to allow SOLR admin from localhost
# NOTE(review): only matches the top-level /solr/admin/ prefix
security.permission.solr_local_admin.pattern=/solr/admin/.*
security.permission.solr_local_admin.host=LOCAL
security.permission.solr_local_admin.methods=GET,POST,PUT,DELETE
security.permission.solr_local_admin.priority=5
# a security rule to restrict all other accesses to SOLR update
# NOTE(review): DELETE is not listed here; it is only caught by default_write
security.restriction.solr_remote_update.pattern=/solr/.*/update
security.restriction.solr_remote_update.methods=GET,POST,PUT
security.restriction.solr_remote_update.priority=2
# a security rule to restrict all other accesses to SOLR admin
security.restriction.solr_remote_admin.pattern=/solr/admin/.*
security.restriction.solr_remote_admin.methods=GET,POST,PUT,DELETE
security.restriction.solr_remote_admin.priority=2
# a security rule to allow /system admin from localhost
security.permission.system.pattern=/system/.*
security.permission.system.host=LOCAL
security.permission.system.methods=GET,POST,PUT,DELETE
security.permission.system.priority=5
# a security rule to deny /system admin from all other hosts
security.restriction.system.pattern=/system/.*
security.restriction.system.methods=GET,POST,PUT,DELETE
security.restriction.system.priority=2
# a security rule to allow /security admin from localhost
security.permission.security.pattern=/security/.*
security.permission.security.host=LOCAL
security.permission.security.methods=GET,POST,PUT,DELETE
security.permission.security.priority=5
# a security rule to allow /security/public access (for images) from any host;
# priority 3 places it above the /security restriction (priority 2) below
security.permission.security_public.pattern=/security/public/.*
security.permission.security_public.methods=GET
security.permission.security_public.priority=3
# a security rule to deny /security admin from all other hosts
security.restriction.security.pattern=/security/.*
security.restriction.security.methods=GET,POST,PUT,DELETE
security.restriction.security.priority=2
# a security rule to allow /config admin from localhost
security.permission.config.pattern=/config/.*
security.permission.config.host=LOCAL
security.permission.config.methods=GET,HEAD,OPTIONS,POST,PUT,DELETE
security.permission.config.priority=5
# a security rule to deny /config admin from all other hosts
# (the only restriction in this file that also lists HEAD and OPTIONS)
security.restriction.config.pattern=/config/.*
security.restriction.config.methods=GET,HEAD,OPTIONS,POST,PUT,DELETE
security.restriction.config.priority=2
# a security rule to allow /transaction admin from localhost
security.permission.transaction.pattern=/transaction/.*
security.permission.transaction.host=LOCAL
security.permission.transaction.methods=GET,POST,PUT,DELETE
security.permission.transaction.priority=5
# a security rule to deny /transaction admin from all other hosts
security.restriction.transaction.pattern=/transaction/.*
security.restriction.transaction.methods=GET,POST,PUT,DELETE
security.restriction.transaction.priority=2
# a security rule to allow /groovy admin from localhost
# NOTE(review): /groovy presumably exposes script evaluation - treat this rule
# pair as high-impact and verify the LOCAL check before exposing the server
security.permission.groovy.pattern=/groovy/.*
security.permission.groovy.host=LOCAL
security.permission.groovy.methods=GET,POST,PUT,DELETE
security.permission.groovy.priority=5
# a security rule to deny /groovy admin from all other hosts
security.restriction.groovy.pattern=/groovy/.*
security.restriction.groovy.methods=GET,POST,PUT,DELETE
security.restriction.groovy.priority=2
# a security rule to allow H2 console from localhost
security.permission.database.pattern=/database/.*
security.permission.database.host=LOCAL
security.permission.database.methods=GET,POST,PUT,DELETE
security.permission.database.priority=5
# a security rule to deny H2 console from all other hosts
security.restriction.database.pattern=/database/.*
security.restriction.database.methods=GET,POST,PUT,DELETE
security.restriction.database.priority=2
# allow updating reasoning programs from localhost only
# (the rule is host-based; no role is configured here)
security.permission.reasoner_update.pattern=/reasoner/.*
security.permission.reasoner_update.methods=POST,PUT,DELETE
security.permission.reasoner_update.host=LOCAL
security.permission.reasoner_update.priority=5
# restrict all other updates to the reasoner
security.restriction.reasoner_update.pattern=/reasoner/.*
security.restriction.reasoner_update.methods=POST,PUT,DELETE
security.restriction.reasoner_update.priority=4
# allow reading the reasoner configuration from any host
security.permission.reasoner_read.pattern=/reasoner/.*
security.permission.reasoner_read.methods=GET
security.permission.reasoner_read.priority=4
# a security rule to allow all read access to the system
security.permission.default_read.pattern=/.*
security.permission.default_read.methods=GET,HEAD,OPTIONS
security.permission.default_read.priority=2
# a security rule to deny all write access to the system
security.restriction.default_write.pattern=/.*
security.restriction.default_write.methods=PUT,POST,DELETE
security.restriction.default_write.priority=2
# a security rule to allow full access to the system from local
security.permission.default_local.pattern=/.*
security.permission.default_local.methods=GET,HEAD,OPTIONS,POST,PUT,DELETE
security.permission.default_local.host=LOCAL
security.permission.default_local.priority=5