[Geoserver-devel] Call for vote, backport disabling security

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x or we can decide to backport.

Thanks for you votes in advance.

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Sun, Jun 9, 2013 at 10:54 AM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x or
we can decide to backport.

Had another look at the patch, I like how it centralizes the checks for
admin users, but still don't
know enough about the auth system to have an idea of whether it might have
side effects on the
stable series, or not.

+0 here

Cheers
Andrea

--

GeoServer training in Milan, 6th & 7th June 2013! Visit
http://geoserver.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

-1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and in my view, living with this broken feature is better than a late change to stable.

+0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how important the ability to disable a feature is. You are right, these are a lot of changes, with a significant risk of unintended side-effects.

I am open to argument, particularly from our expert (you). :slight_smile:

Kind regards,
Ben.

On 09/06/13 16:54, Christian Mueller wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x
or we can decide to backport.

Thanks for you votes in advance.

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

The patch was triggered by the following thread on the mailing list

http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users

The user wants to protect the admin GUI with an ssh tunnel, no GoeServer security features are needed.

I am fine with 2.3.5 and I am hoping for vote of Justin because he was involved in the new security architecture.

Cheers
Christian

···

2013/6/10 Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>

-1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and in my view, living with this broken feature is better than a late change to stable.

+0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how important the ability to disable a feature is. You are right, these are a lot of changes, with a significant risk of unintended side-effects.

I am open to argument, particularly from our expert (you). :slight_smile:

Kind regards,
Ben.

On 09/06/13 16:54, Christian Mueller wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x
or we can decide to backport.

Thanks for you votes in advance.


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@anonymised.comsourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Ben Caradoc-Davies Ben.Caradoc-Davies@anonymised.com
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Just looked over the patch. Code wise it looks ok, i made a few comments about documentation. It is not clear to me what exactly gets disabled? It is just the authentication system? Or authorization with data and service security?

And sorry if i am missing something obvious but what are the prerequisites for disabling security other than the http request parameter?

···

On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

The patch was triggered by the following thread on the mailing list

http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users

The user wants to protect the admin GUI with an ssh tunnel, no GoeServer security features are needed.

I am fine with 2.3.5 and I am hoping for vote of Justin because he was involved in the new security architecture.

Cheers

Christian


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>

-1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and in my view, living with this broken feature is better than a late change to stable.

+0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how important the ability to disable a feature is. You are right, these are a lot of changes, with a significant risk of unintended side-effects.

I am open to argument, particularly from our expert (you). :slight_smile:

Kind regards,
Ben.

On 09/06/13 16:54, Christian Mueller wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x
or we can decide to backport.

Thanks for you votes in advance.


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@anonymised.comsourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Ben Caradoc-Davies Ben.Caradoc-Davies@anonymised.com
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Justin

The idea is the following:

You can disable security for each filter chain individually. Any filter chain protecting resources has a GeoServerPersistenceContextFilter at first position. Disabling security for a filter chain results in an empty filter chain.

An incoming request is flagged with “security is off” using a servlet attribute. If a request travels through a disabled filter chain nothing happens. Traveling through an enabled filter chain requires that the request travels through a GeoServerPerstinceContextFilter . This filter flags the request “security on”.

The request itself is stored in a thread local variable and there is a static public method informing you if security is on/off for this particular request. All GeoServer code can query this information.

The code checking for admin access checks if security is off. If it is off, access is allowed in any case. (For the admin, the logic is centralized in GeoServerSecurityManager).

Concerning your questions

  1. Authentication and authorization is disabled for the concrete filter chain
  2. The http request parameter and GeoServerPersistenceContextFilter do the trick. If such a filter is on the chain → security on, if not → security off

Hope this helps

Christian

···

2013/6/10 Justin Deoliveira <jdeolive@anonymised.com>

Just looked over the patch. Code wise it looks ok, i made a few comments about documentation. It is not clear to me what exactly gets disabled? It is just the authentication system? Or authorization with data and service security?

And sorry if i am missing something obvious but what are the prerequisites for disabling security other than the http request parameter?

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

The patch was triggered by the following thread on the mailing list

http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users

The user wants to protect the admin GUI with an ssh tunnel, no GoeServer security features are needed.

I am fine with 2.3.5 and I am hoping for vote of Justin because he was involved in the new security architecture.

Cheers

Christian


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>

-1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and in my view, living with this broken feature is better than a late change to stable.

+0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how important the ability to disable a feature is. You are right, these are a lot of changes, with a significant risk of unintended side-effects.

I am open to argument, particularly from our expert (you). :slight_smile:

Kind regards,
Ben.

On 09/06/13 16:54, Christian Mueller wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x
or we can decide to backport.

Thanks for you votes in advance.


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@anonymised.comsourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Ben Caradoc-Davies Ben.Caradoc-Davies@anonymised.com
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Mon, Jun 10, 2013 at 8:56 AM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

Hi Justin

The idea is the following:

You can disable security for each filter chain individually. Any filter
chain protecting resources has a GeoServerPersistenceContextFilter at first
position. Disabling security for a filter chain results in an empty filter
chain.

An incoming request is flagged with "security is off" using a servlet
attribute. If a request travels through a disabled filter chain nothing
happens. Traveling through an enabled filter chain requires that the
request travels through a GeoServerPerstinceContextFilter . This filter
flags the request "security on".

Ok, i still don't quite understand. So disabling security is a two step

process?

1. Disable the relevant filter chains
2. Make the request with with the special flag disabled

?

The request itself is stored in a thread local variable and there is a

static public method informing you if security is on/off for this
particular request. All GeoServer code can query this information.

The code checking for admin access checks if security is off. If it is
off, access is allowed in any case. (For the admin, the logic is
centralized in GeoServerSecurityManager).

Concerning your questions

1) Authentication and authorization is disabled for the concrete filter
chain
2) The http request parameter and GeoServerPersistenceContextFilter do the
trick. If such a filter is on the chain --> security on, if not -->
security off

Hope this helps

Christian

2013/6/10 Justin Deoliveira <jdeolive@anonymised.com>

Just looked over the patch. Code wise it looks ok, i made a few comments
about documentation. It is not clear to me what exactly gets disabled? It
is just the authentication system? Or authorization with data and service
security?

And sorry if i am missing something obvious but what are
the prerequisites for disabling security other than the http request
parameter?

On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

The patch was triggered by the following thread on the mailing list

http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users

The user wants to protect the admin GUI with an ssh tunnel, no GoeServer
security features are needed.

I am fine with 2.3.5 and I am hoping for vote of Justin because he was
involved in the new security architecture.

Cheers
Christian

2013/6/10 Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>

-1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and
in my view, living with this broken feature is better than a late change to
stable.

+0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how
important the ability to disable a feature is. You are right, these are a
lot of changes, with a significant risk of unintended side-effects.

I am open to argument, particularly from our expert (you). :slight_smile:

Kind regards,
Ben.

On 09/06/13 16:54, Christian Mueller wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/**browse/GEOS-5820&lt;https://jira.codehaus.org/browse/GEOS-5820&gt;

The fix is committed to master and the changes are here

https://github.com/mcrmcr/**geoserver-1/commit/**
eaf2de921028dc1e8dcb66d4547b83**5868b5cac0<https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0&gt;

This is not a trivial fix. We can stay with a broken feature on 2.3.x
or we can decide to backport.

Thanks for you votes in advance.

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

------------------------------**------------------------------**
------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/**servicenow-d2d-j&lt;http://p.sf.net/sfu/servicenow-d2d-j&gt;

______________________________**_________________
Geoserver-devel mailing list
Geoserver-devel@anonymised.com**sourceforge.net<Geoserver-devel@lists.sourceforge.net>
https://lists.sourceforge.net/**lists/listinfo/geoserver-devel&lt;https://lists.sourceforge.net/lists/listinfo/geoserver-devel&gt;

--
Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

------------------------------------------------------------------------------
How ServiceNow helps IT people transform IT departments:
1. A cloud service to automate IT design, transition and operations
2. Dashboards that offer high-level views of enterprise services
3. A single system of record for all IT processes
http://p.sf.net/sfu/servicenow-d2d-j
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

Hi Justin

No, its a one step process.

  1. Disable the relevant filter chains → finish

The special flag is handled internally. As an example, if you disable security on the web filter chain, http://…/geoserver/web will show you the full admin GUI, no need to log in.

Cheers
Christian

···

2013/6/10 Justin Deoliveira <jdeolive@anonymised.com501…>

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Mon, Jun 10, 2013 at 8:56 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Justin

The idea is the following:

You can disable security for each filter chain individually. Any filter chain protecting resources has a GeoServerPersistenceContextFilter at first position. Disabling security for a filter chain results in an empty filter chain.

An incoming request is flagged with “security is off” using a servlet attribute. If a request travels through a disabled filter chain nothing happens. Traveling through an enabled filter chain requires that the request travels through a GeoServerPerstinceContextFilter . This filter flags the request “security on”.

Ok, i still don’t quite understand. So disabling security is a two step process?

  1. Disable the relevant filter chains
  2. Make the request with with the special flag disabled

?

The request itself is stored in a thread local variable and there is a static public method informing you if security is on/off for this particular request. All GeoServer code can query this information.

The code checking for admin access checks if security is off. If it is off, access is allowed in any case. (For the admin, the logic is centralized in GeoServerSecurityManager).

Concerning your questions

  1. Authentication and authorization is disabled for the concrete filter chain
  2. The http request parameter and GeoServerPersistenceContextFilter do the trick. If such a filter is on the chain → security on, if not → security off

Hope this helps

Christian


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Justin Deoliveira <jdeolive@anonymised.com.1501…>

Just looked over the patch. Code wise it looks ok, i made a few comments about documentation. It is not clear to me what exactly gets disabled? It is just the authentication system? Or authorization with data and service security?

And sorry if i am missing something obvious but what are the prerequisites for disabling security other than the http request parameter?

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

The patch was triggered by the following thread on the mailing list

http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users

The user wants to protect the admin GUI with an ssh tunnel, no GoeServer security features are needed.

I am fine with 2.3.5 and I am hoping for vote of Justin because he was involved in the new security architecture.

Cheers

Christian


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>

-1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and in my view, living with this broken feature is better than a late change to stable.

+0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how important the ability to disable a feature is. You are right, these are a lot of changes, with a significant risk of unintended side-effects.

I am open to argument, particularly from our expert (you). :slight_smile:

Kind regards,
Ben.

On 09/06/13 16:54, Christian Mueller wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x
or we can decide to backport.

Thanks for you votes in advance.


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@anonymised.comsourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Ben Caradoc-Davies Ben.Caradoc-Davies@anonymised.com
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Ah ok I see, i misinterpreted “on-the fly”. I think this is a bit confusing to include in the user documentation which is what got me. All the user is concerned with is disabling the filter, how the system does it internally shouldn’t really matter.

Anyways, +1 on the change (it would be nice to tweak the docs) and agree with Ben’s assessment of not including the backport in the upcoming release, but waiting a month.

···

On Wed, Jun 12, 2013 at 1:11 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Justin

No, its a one step process.

  1. Disable the relevant filter chains → finish

The special flag is handled internally. As an example, if you disable security on the web filter chain, http://…/geoserver/web will show you the full admin GUI, no need to log in.

Cheers

Christian


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Justin Deoliveira <jdeolive@anonymised.com>

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Mon, Jun 10, 2013 at 8:56 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Justin

The idea is the following:

You can disable security for each filter chain individually. Any filter chain protecting resources has a GeoServerPersistenceContextFilter at first position. Disabling security for a filter chain results in an empty filter chain.

An incoming request is flagged with “security is off” using a servlet attribute. If a request travels through a disabled filter chain nothing happens. Traveling through an enabled filter chain requires that the request travels through a GeoServerPerstinceContextFilter . This filter flags the request “security on”.

Ok, i still don’t quite understand. So disabling security is a two step process?

  1. Disable the relevant filter chains
  2. Make the request with with the special flag disabled

?

The request itself is stored in a thread local variable and there is a static public method informing you if security is on/off for this particular request. All GeoServer code can query this information.

The code checking for admin access checks if security is off. If it is off, access is allowed in any case. (For the admin, the logic is centralized in GeoServerSecurityManager).

Concerning your questions

  1. Authentication and authorization is disabled for the concrete filter chain
  2. The http request parameter and GeoServerPersistenceContextFilter do the trick. If such a filter is on the chain → security on, if not → security off

Hope this helps

Christian


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Justin Deoliveira <jdeolive@anonymised.com.1501…>

Just looked over the patch. Code wise it looks ok, i made a few comments about documentation. It is not clear to me what exactly gets disabled? It is just the authentication system? Or authorization with data and service security?

And sorry if i am missing something obvious but what are the prerequisites for disabling security other than the http request parameter?

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

The patch was triggered by the following thread on the mailing list

http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users

The user wants to protect the admin GUI with an ssh tunnel, no GoeServer security features are needed.

I am fine with 2.3.5 and I am hoping for vote of Justin because he was involved in the new security architecture.

Cheers

Christian


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>

-1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and in my view, living with this broken feature is better than a late change to stable.

+0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how important the ability to disable a feature is. You are right, these are a lot of changes, with a significant risk of unintended side-effects.

I am open to argument, particularly from our expert (you). :slight_smile:

Kind regards,
Ben.

On 09/06/13 16:54, Christian Mueller wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x
or we can decide to backport.

Thanks for you votes in advance.


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@anonymised.comsourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Ben Caradoc-Davies Ben.Caradoc-Davies@anonymised.com
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Ok, I will do some enhancement in the docs and wait for 2.3.4

Christian

···

2013/6/12 Justin Deoliveira <jdeolive@anonymised.com>

Ah ok I see, i misinterpreted “on-the fly”. I think this is a bit confusing to include in the user documentation which is what got me. All the user is concerned with is disabling the filter, how the system does it internally shouldn’t really matter.

Anyways, +1 on the change (it would be nice to tweak the docs) and agree with Ben’s assessment of not including the backport in the upcoming release, but waiting a month.

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Jun 12, 2013 at 1:11 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Justin

No, its a one step process.

  1. Disable the relevant filter chains → finish

The special flag is handled internally. As an example, if you disable security on the web filter chain, http://…/geoserver/web will show you the full admin GUI, no need to log in.

Cheers

Christian


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Justin Deoliveira <jdeolive@anonymised.com>

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Mon, Jun 10, 2013 at 8:56 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Justin

The idea is the following:

You can disable security for each filter chain individually. Any filter chain protecting resources has a GeoServerPersistenceContextFilter at first position. Disabling security for a filter chain results in an empty filter chain.

An incoming request is flagged with “security is off” using a servlet attribute. If a request travels through a disabled filter chain nothing happens. Traveling through an enabled filter chain requires that the request travels through a GeoServerPerstinceContextFilter . This filter flags the request “security on”.

Ok, i still don’t quite understand. So disabling security is a two step process?

  1. Disable the relevant filter chains
  2. Make the request with with the special flag disabled

?

The request itself is stored in a thread local variable and there is a static public method informing you if security is on/off for this particular request. All GeoServer code can query this information.

The code checking for admin access checks if security is off. If it is off, access is allowed in any case. (For the admin, the logic is centralized in GeoServerSecurityManager).

Concerning your questions

  1. Authentication and authorization is disabled for the concrete filter chain
  2. The http request parameter and GeoServerPersistenceContextFilter do the trick. If such a filter is on the chain → security on, if not → security off

Hope this helps

Christian


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Justin Deoliveira <jdeolive@anonymised.com.1501…>

Just looked over the patch. Code wise it looks ok, i made a few comments about documentation. It is not clear to me what exactly gets disabled? It is just the authentication system? Or authorization with data and service security?

And sorry if i am missing something obvious but what are the prerequisites for disabling security other than the http request parameter?

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

The patch was triggered by the following thread on the mailing list

http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users

The user wants to protect the admin GUI with an ssh tunnel, no GoeServer security features are needed.

I am fine with 2.3.5 and I am hoping for vote of Justin because he was involved in the new security architecture.

Cheers

Christian


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

2013/6/10 Ben Caradoc-Davies <Ben.Caradoc-Davies@anonymised.com>

-1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and in my view, living with this broken feature is better than a late change to stable.

+0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how important the ability to disable a feature is. You are right, these are a lot of changes, with a significant risk of unintended side-effects.

I am open to argument, particularly from our expert (you). :slight_smile:

Kind regards,
Ben.

On 09/06/13 16:54, Christian Mueller wrote:

Disabling security does not work for 2.3.x and 2.4.x.

The problem is described here

https://jira.codehaus.org/browse/GEOS-5820

The fix is committed to master and the changes are here

https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0

This is not a trivial fix. We can stay with a broken feature on 2.3.x
or we can decide to backport.

Thanks for you votes in advance.


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


How ServiceNow helps IT people transform IT departments:

  1. A cloud service to automate IT design, transition and operations
  2. Dashboards that offer high-level views of enterprise services
  3. A single system of record for all IT processes
    http://p.sf.net/sfu/servicenow-d2d-j

Geoserver-devel mailing list
Geoserver-devel@anonymised.comsourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Ben Caradoc-Davies Ben.Caradoc-Davies@anonymised.com
Software Engineer
CSIRO Earth Science and Resource Engineering
Australian Resources Research Centre

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH