The related issue is here
https://jira.codehaus.org/browse/GEOS-5820
The user guide information
http://docs.geoserver.org/stable/en/user/security/disable.html
The git commit for review is on my GitHub repo
https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0
Summary:
I have no idea about the point in time when the information in the user guide became wrong. As an example I had to patch WorkSpaceAccessLimits, a class I never touched before.
The idea is to set an HttpServletRequest attribute indicating if a request has passed a security filter chain. Disabling security on a chain results in an empty filter list; enabling security adds a mandatory persistence context filter (and others). This mandatory filter flags the request. I added a public static method
GeoServerSecurityFilterChainProxy.isSecurityEnabledForCurrentRequest()
This method can be called from anywhere. Additionally I had to do a refactoring removing all these individual checks for “ROLE_ADMINISTRATOR”. This logic is moved to the GeoserverSecurityManager.
Enabling & Disabling for individual chains now works on the fly.
mvn clean install -Prelease runs successfully.
I would like a core developer for a review since I had to patch some classes new to me. And last but not least, I need an opinion about a backport to 2.3.x.
Thanks in advance
Christian
–
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
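
The request-flagging design described in the message, as an added sketch that is not part of the original post and is not GeoServer code. The attribute name, the Request stand-in for HttpServletRequest, the ThreadLocal lookup and the first-match chain selection are assumptions made so the model runs without the servlet API.

```java
import java.util.*;

public class ChainFlagDemo {
    // Hypothetical attribute name; the key used by the commit is not shown in the message.
    static final String FLAG = "example.securityFilterChainPassed";

    /** Minimal stand-in for HttpServletRequest: attributes exist only on the server side. */
    static class Request {
        final String path;
        final Map<String, Object> attributes = new HashMap<>();
        Request(String path) { this.path = path; }
    }

    interface Filter { void apply(Request r); }

    // Stand-in for the mandatory persistence context filter: it flags the request.
    static final Filter MANDATORY = r -> r.attributes.put(FLAG, Boolean.TRUE);

    // Path prefix -> filter list. A chain with security disabled has an empty list.
    static final Map<String, List<Filter>> CHAINS = new LinkedHashMap<>();
    static final ThreadLocal<Request> CURRENT = new ThreadLocal<>(); // assumed lookup mechanism

    /** Callable from anywhere during request handling, like the static method in the message. */
    static boolean isSecurityEnabledForCurrentRequest() {
        Request r = CURRENT.get();
        // Missing flag or no current request both read as "no security chain was passed".
        return r != null && Boolean.TRUE.equals(r.attributes.get(FLAG));
    }

    static boolean dispatch(Request r) {
        CURRENT.set(r);
        try {
            for (Map.Entry<String, List<Filter>> e : CHAINS.entrySet()) {
                if (r.path.startsWith(e.getKey())) {
                    e.getValue().forEach(f -> f.apply(r));
                    break; // in this model the first matching chain wins
                }
            }
            return isSecurityEnabledForCurrentRequest(); // what downstream checks would see
        } finally {
            CURRENT.remove(); // pooled threads must not carry a flagged request forward
        }
    }

    public static void main(String[] args) {
        CHAINS.put("/web/", List.of(MANDATORY)); // security enabled
        CHAINS.put("/wms/", List.of());          // security disabled: empty filter list
        System.out.println("/web/ -> " + dispatch(new Request("/web/home")));
        System.out.println("/wms/ -> " + dispatch(new Request("/wms/query")));
        CHAINS.put("/wms/", List.of(MANDATORY)); // re-enabled on the fly
        System.out.println("/wms/ -> " + dispatch(new Request("/wms/query")));
    }
}
```

The flag lives in a request attribute, which only server-side code can write, so a client cannot set it the way it could a header or parameter.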