[GeoNetwork-devel] [GeoNetwork opensource Developer website] #1177: force sending credentials to geoserver REST api

#1177: force sending credentials to geoserver REST api
---------------------+------------------------------------------------------
 Reporter:  landry   |       Owner:  geonetwork-devel@…
     Type:  defect   |      Status:  new
 Priority:  major    |   Milestone:  v2.9.0
Component:  General  |     Version:  v2.8.0RC2
 Keywords:           |
---------------------+------------------------------------------------------
I've experienced a strange issue with the geopublishing feature:

- my geoserver 2.2.2 is configured this way in security/rest.properties

/**;GET=IS_AUTHENTICATED_ANONYMOUSLY
/**;POST,DELETE,PUT=ROLE_AUTHENTICATED

I want to be able to anonymously get layers/style, and all my users to be
able to publish layers/styles.

In certain circumstances, the geopublishing fails. After PUT'ing the zip
file, I correctly get a 201 code, but the next REST call is a GET on the
layer, and since by default we only send the auth header if asked for
credentials, for some reason geoserver returns a 404. If forcing the
authentication, I correctly get a 200.

The problem can be reproduced with wget and curl. By default curl sends
the auth in all cases, wget only sends it if asked for it, or if
--auth-no-challenge is used:

#curl -v http://localhost:8080/geoserver/rest/layers/CRAIG_201206_PCI.xml
...
< HTTP/1.1 404 Not Found
...
No such layer: CRAIG_201206_PCI

#curl -u admin:admin -v http://localhost:8080/geoserver/rest/layers/CRAIG_201206_PCI.xml
...
< HTTP/1.1 200 OK
...
<layer>
   <name>CRAIG_201206_PCI</name>

#wget -d --user admin --password admin http://localhost:8080/geoserver/rest/layers/CRAIG_201206_PCI.xml
...
Host `localhost' has not issued a general basic challenge.
...
HTTP/1.1 404 Not Found

#wget -d --auth-no-challenge --user admin --password admin http://localhost:8080/geoserver/rest/layers/CRAIG_201206_PCI.xml
...
Auth-without-challenge set, sending Basic credentials.
...
HTTP/1.1 200 OK

I don't know if the problem lies in geoserver's way of handling auth (for
REST I'm using the http header auth filter first, then basic auth filter)
or if the problem is in geonetwork itself. The thing is, if I force the
Geopublisher to send the auth credentials 'preemptively' it fixes the
issue I've been seeing.

---
a/web/src/main/java/org/fao/geonet/services/publisher/GeoServerRest.java
+++
b/web/src/main/java/org/fao/geonet/services/publisher/GeoServerRest.java
@@ -658,6 +658,7 @@ public class GeoServerRest {
                 }

                 m.setDoAuthentication(true);
+ c.getParams().setAuthenticationPreemptive(true);
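Review bot: `setAuthenticationPreemptive(true)` is a parameter of the HttpClient `c`, not of the method `m` it sits next to, so setting it inside this per-request block switches preemptive Basic auth on for every later request that goes through `c`, including the GETs that the reporter's rest.properties deliberately leaves anonymous. Basic credentials are only base64-encoded, so this should be set once where `c` and its credentials are configured, behind an explicit switch (as proposed later in the ticket) rather than as a side effect of this call, and only used when the GeoServer endpoint is reached over HTTPS or a trusted network. Minor: the added line is not indented to match `m.setDoAuthentication(true);`.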

If that 'fix' is acceptable I'll attach it as a proper git commit.

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/1177>
GeoNetwork opensource Developer website <http://sourceforge.net/projects/geonetwork/&gt;
GeoNetwork opensource is a standards based, Free and Open Source catalog application to manage spatially referenced resources through the web. It provides powerful metadata editing and search functions as well as an embedded interactive web map viewer. This website contains information related to the development of the software.

Comment(by mcr):

Hi

I am one of the geoserver developers for authentication mechanisms. Which
authentication filters do you have on the REST filter chain?

If the last filter is the anonymous filter, the client never gets a
challenge. The order of the filters is important; the last filter is
responsible for the challenge. As an example, if your order is

http header
basic auth
anonymous auth

you will never get a challenge. If you want to log in a user, you have to
send the credentials preemptively.

If you have

http header
basic auth

the client will get a basic authentication challenge.

Hope that helps.

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/1177#comment:1>
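The behaviour landry reproduced with curl and wget in the ticket description, and the filter-order explanation in mcr's comment, as an added example that is not part of the ticket or of GeoNetwork/GeoServer code: a toy HTTP server imitates both filter-chain orders (anonymous filter last: an unauthenticated GET on a hidden layer yields 404 and no challenge; basic auth last: 401 with a WWW-Authenticate header), and a client fetches the layer either challenge-driven (wget's default, HttpClient without the preemptive flag) or preemptively (curl -u). The layer path, the realm string and the admin:admin credential are assumptions for the demo.

```python
# Added example: toy server imitating two GeoServer REST filter-chain orders,
# plus a challenge-driven and a preemptive Basic-auth client. Not project code.
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

LAYER_PATH = "/geoserver/rest/layers/CRAIG_201206_PCI.xml"   # assumed path
LAYER_XML = b"<layer><name>CRAIG_201206_PCI</name></layer>"
DEMO_USER, DEMO_PASSWORD = "admin", "admin"                   # constructed credential


def _credentials_valid(header):
    """True only if the Authorization header carries the demo Basic credential."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return (user, password) == (DEMO_USER, DEMO_PASSWORD)


class RestHandler(BaseHTTPRequestHandler):
    # anonymous_last=True: the chain ends with the anonymous filter, so an
    # unauthenticated request runs as an anonymous user and the hidden layer
    # is simply "not found"; nobody ever sends a WWW-Authenticate challenge.
    # anonymous_last=False: the chain ends with basic auth, which challenges.
    anonymous_last = True

    def do_GET(self):
        if _credentials_valid(self.headers.get("Authorization")):
            status, body = 200, LAYER_XML
        elif self.anonymous_last:
            status, body = 404, b"No such layer: CRAIG_201206_PCI"
        else:
            status, body = 401, b""
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="GeoServer Realm"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(anonymous_last):
    """Start a server on a free loopback port with the chosen chain order."""
    handler = type("Handler", (RestHandler,), {"anonymous_last": anonymous_last})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def _get(port, headers):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", LAYER_PATH, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate", "")
    finally:
        conn.close()


def fetch_layer(port, preemptive):
    """Final status the client sees. preemptive=False: credentials only after a
    401 Basic challenge (wget default). preemptive=True: credentials on the
    first request (curl -u, HttpClient with setAuthenticationPreemptive)."""
    token = "Basic " + base64.b64encode(f"{DEMO_USER}:{DEMO_PASSWORD}".encode()).decode()
    status, challenge = _get(port, {"Authorization": token} if preemptive else {})
    if status == 401 and not preemptive and challenge.startswith("Basic"):
        status, _ = _get(port, {"Authorization": token})
    return status


def run_matrix():
    """Status per (chain order, client mode); the 404 cell is the ticket's symptom."""
    results = {}
    for chain, anonymous_last in (("anonymous_last", True), ("basic_last", False)):
        server = start_server(anonymous_last)
        port = server.server_address[1]
        for mode in ("challenge", "preemptive"):
            results[(chain, mode)] = fetch_layer(port, mode == "preemptive")
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for (chain, mode), status in run_matrix().items():
        print(f"{chain:<15} {mode:<11} -> {status}")
```

Running the matrix shows the symptom in exactly one cell: the challenge-driven client against the anonymous-last chain gets 404, because it waits for a 401 that never comes; the other three combinations return 200. The cost of preemptive mode is also visible: the base64-encoded credential rides on every request, including ones the server would have served anonymously, so it belongs only on HTTPS connections to the intended GeoServer host.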

Comment(by landry):

Okay, that explains it, thanks! Since originally I wanted to leave some REST
paths accessible to everyone, I had left the anonymous filter in the list of
filters. Now I'm facing other data ACL issues, but I'll send them to the
geoserver list :)

Maybe this could be added as a boolean option in geoserver-nodes.xml,
letting the administrator decide if geonetwork needs to preemptively send
the credentials or not? I could wrap up a patch for that.

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/1177#comment:2>

Comment(by mcr):

If you like you can open a geoserver JIRA issue (improvement). A
possibility would be to configure the http request methods for each
filter. If the actual request method is not in the configured list,
the filter does nothing.

To be fair, I have no time for implementing at the moment, but it would be
a good reminder to cover such configurations.

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/1177#comment:3>