[Geoserver-devel] Extracting authentication credentials from headers

Hi,
recently we worked on a custom AuthenticationFilter that uses request headers in a more sophisticated way than the standard request authentication filter does.

The main differences are:

  • the credentials (password) is extracted from request headers in addition to the username, so the filter is not preauthenticated, but uses the authentication providers chain to do the authentication
  • username and password can be extracted from a complex header value using a regular expression (one for each)

Our use case is to use the ability of frontends like Apache to forward credentials to the underlying Tomcat in a session header. This header is usually encrypted in browser to Apache communication, but sent in clear to the underlying Tomcat, so it can be easily parsed and used by Geoserver to fetch authentication data from Apache itself.

We would like to contribute the work done.

I was thinking of two possibile options:

  • a new community module
  • adding some configuration flags to the existing request header authentication filter to allow for:
  • optionally extracting the password and using the authentication providers chain to authenticate
  • specify regular expressions to extract the username (and optionally the password) from the header(s)

Any thoughts?

Regards,
Mauro Bartolomeoli

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Ciao Mauro,
please, see my commens inline below...

Regards,
Simone Giannecchini

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Simone Giannecchini
@simogeo
Founder/Director

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate.
Il loro utilizzo è consentito esclusivamente al destinatario del
messaggio, per le finalità indicate nel messaggio stesso. Qualora
riceviate questo messaggio senza esserne il destinatario, Vi preghiamo
cortesemente di darcene notizia via e-mail e di procedere alla
distruzione del messaggio stesso, cancellandolo dal Vostro sistema.
Conservare il messaggio stesso, divulgarlo anche in parte,
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità
diverse, costituisce comportamento contrario ai principi dettati dal
D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be
confidential or proprietary in nature or covered by the provisions of
privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New
Data Protection Code).Any use not in accord with its purpose, any
disclosure, reproduction, copying, distribution, or either
dissemination, either whole or partial, is strictly forbidden except
previous formal approval of the named addressee(s). If you are not the
intended recipient, please contact immediately the sender by
telephone, fax or e-mail and delete the information in this message
that has been received in error. The sender does not give any warranty
or accept liability as the content, accuracy or completeness of sent
messages and accepts no responsibility for changes made after they
were sent or for other risks which arise as a result of e-mail
transmission, viruses, etc.

On Thu, Oct 9, 2014 at 10:47 AM, Mauro Bartolomeoli
<mauro.bartolomeoli@anonymised.com> wrote:

Hi,
recently we worked on a custom AuthenticationFilter that uses request
headers in a more sophisticated way than the standard request authentication
filter does.

The main differences are:
- the credentials (password) is extracted from request headers in addition
to the username, so the filter is not preauthenticated, but uses the
authentication providers chain to do the authentication
- username and password can be extracted from a complex header value using
a regular expression (one for each)

Our use case is to use the ability of frontends like Apache to forward
credentials to the underlying Tomcat in a session header. This header is
usually encrypted in browser to Apache communication, but sent in clear to
the underlying Tomcat, so it can be easily parsed and used by Geoserver to
fetch authentication data from Apache itself.

We would like to contribute the work done.

I was thinking of two possibile options:
- a new community module
- adding some configuration flags to the existing request header
authentication filter to allow for:
   * optionally extracting the password and using the authentication
providers chain to authenticate
   * specify regular expressions to extract the username (and optionally the
password) from the header(s)

Any thoughts?

I am keen on the secondo option as I am always under the impression
that we have way too many extension modules and I would suggest to
avoid adding new one when needed/possible.

Regards,
Mauro Bartolomeoli

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i
file/s allegato/i sono da considerarsi strettamente riservate. Il loro
utilizzo è consentito esclusivamente al destinatario del messaggio, per le
finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio
senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia
via e-mail e di procedere alla distruzione del messaggio stesso,
cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo
anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per
finalità diverse, costituisce comportamento contrario ai principi dettati
dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender does
not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Hi Mauro

If I got it right, you want a filter to act as an end point for a pass through authentication. If this is the case, please create a new filter class or class hierarchy, your filter should be named “GeoServerPassThroughAuthEndPointFilter” or similar.

This class or class hierarchy should not be part of the hierarchy of preauthenticated filters, this would be confusing.

I am against a new community module, I would vote for adding this filter in the core code.

Cheers
Christian

···

On Thu, Oct 9, 2014 at 10:55 AM, Simone Giannecchini <simone.giannecchini@anonymised.com> wrote:

Ciao Mauro,
please, see my commens inline below…

Regards,
Simone Giannecchini

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Simone Giannecchini
@simogeo
Founder/Director

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate.
Il loro utilizzo è consentito esclusivamente al destinatario del
messaggio, per le finalità indicate nel messaggio stesso. Qualora
riceviate questo messaggio senza esserne il destinatario, Vi preghiamo
cortesemente di darcene notizia via e-mail e di procedere alla
distruzione del messaggio stesso, cancellandolo dal Vostro sistema.
Conservare il messaggio stesso, divulgarlo anche in parte,
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità
diverse, costituisce comportamento contrario ai principi dettati dal
D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be
confidential or proprietary in nature or covered by the provisions of
privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New
Data Protection Code).Any use not in accord with its purpose, any
disclosure, reproduction, copying, distribution, or either
dissemination, either whole or partial, is strictly forbidden except
previous formal approval of the named addressee(s). If you are not the
intended recipient, please contact immediately the sender by
telephone, fax or e-mail and delete the information in this message
that has been received in error. The sender does not give any warranty
or accept liability as the content, accuracy or completeness of sent
messages and accepts no responsibility for changes made after they
were sent or for other risks which arise as a result of e-mail
transmission, viruses, etc.

On Thu, Oct 9, 2014 at 10:47 AM, Mauro Bartolomeoli
<mauro.bartolomeoli@anonymised.com1268…> wrote:

Hi,
recently we worked on a custom AuthenticationFilter that uses request
headers in a more sophisticated way than the standard request authentication
filter does.

The main differences are:

  • the credentials (password) is extracted from request headers in addition
    to the username, so the filter is not preauthenticated, but uses the
    authentication providers chain to do the authentication
  • username and password can be extracted from a complex header value using
    a regular expression (one for each)

Our use case is to use the ability of frontends like Apache to forward
credentials to the underlying Tomcat in a session header. This header is
usually encrypted in browser to Apache communication, but sent in clear to
the underlying Tomcat, so it can be easily parsed and used by Geoserver to
fetch authentication data from Apache itself.

We would like to contribute the work done.

I was thinking of two possibile options:

  • a new community module
  • adding some configuration flags to the existing request header
    authentication filter to allow for:
  • optionally extracting the password and using the authentication
    providers chain to authenticate
  • specify regular expressions to extract the username (and optionally the
    password) from the header(s)

Any thoughts?

I am keen on the secondo option as I am always under the impression
that we have way too many extension modules and I would suggest to
avoid adding new one when needed/possible.

Regards,
Mauro Bartolomeoli

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i
file/s allegato/i sono da considerarsi strettamente riservate. Il loro
utilizzo è consentito esclusivamente al destinatario del messaggio, per le
finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio
senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia
via e-mail e di procedere alla distruzione del messaggio stesso,
cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo
anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per
finalità diverse, costituisce comportamento contrario ai principi dettati
dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender does
not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.


Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Christian,

···

2014-10-09 13:18 GMT+02:00 Christian Mueller <christian.mueller@anonymised.com>:

Hi Mauro

If I got it right, you want a filter to act as an end point for a pass through authentication. If this is the case, please create a new filter class or class hierarchy, your filter should be named “GeoServerPassThroughAuthEndPointFilter” or similar.

Uhm… I am not sure we need another hierarchy. I agree that this filter is not preauthenticated, so probably it deserves a distinct implementation.
Basically what it does is very similar to what BasicAuthentication or other filters do: fetch credentials in “some way” and then let the authentication manager do the authentication (this is what I meant when I said " uses the authentication providers chain to do the authentication").

My only concern is that some functionality could be useful also in the existing RequestHeader filter (for example the possibility to extract the username using a regular expression). Maybe we can put some common functionality in utility classes and use it from both filters, or just duplicate the code and don’t bother too much :).

I am against a new community module, I would vote for adding this filter in the core code.

Agree, then we need a name to distinguish this filter from the existing “HTTP Header”, something like “Credentials from HTTP Headers”. Ideas are welcome.

Cheers,
Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi Mauro

In any case we should avoid code duplication and utility classes. I am fine with a distinct implementation too. “CredentialsFromHTTPHeader” sounds fine :slight_smile:

Go on, I assume you will make a pull request for discussion.

Cheers
Christian

···

On Thu, Oct 9, 2014 at 2:57 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi Christian,

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2014-10-09 13:18 GMT+02:00 Christian Mueller <christian.mueller@anonymised.com>:

Hi Mauro

If I got it right, you want a filter to act as an end point for a pass through authentication. If this is the case, please create a new filter class or class hierarchy, your filter should be named “GeoServerPassThroughAuthEndPointFilter” or similar.

Uhm… I am not sure we need another hierarchy. I agree that this filter is not preauthenticated, so probably it deserves a distinct implementation.
Basically what it does is very similar to what BasicAuthentication or other filters do: fetch credentials in “some way” and then let the authentication manager do the authentication (this is what I meant when I said " uses the authentication providers chain to do the authentication").

My only concern is that some functionality could be useful also in the existing RequestHeader filter (for example the possibility to extract the username using a regular expression). Maybe we can put some common functionality in utility classes and use it from both filters, or just duplicate the code and don’t bother too much :).

I am against a new community module, I would vote for adding this filter in the core code.

Agree, then we need a name to distinguish this filter from the existing “HTTP Header”, something like “Credentials from HTTP Headers”. Ideas are welcome.

Cheers,
Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi,
I have prepared a pull request for this.

I chose to create a new filter in the main module, independent from the existing Request Headers filter.

Please, review if you wish.

Mauro

···

2014-10-09 15:24 GMT+02:00 Christian Mueller <christian.mueller@anonymised.com>:

Hi Mauro

In any case we should avoid code duplication and utility classes. I am fine with a distinct implementation too. “CredentialsFromHTTPHeader” sounds fine :slight_smile:

Go on, I assume you will make a pull request for discussion.

Cheers

Christian

On Thu, Oct 9, 2014 at 2:57 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi Christian,

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2014-10-09 13:18 GMT+02:00 Christian Mueller <christian.mueller@anonymised.com>:

Hi Mauro

If I got it right, you want a filter to act as an end point for a pass through authentication. If this is the case, please create a new filter class or class hierarchy, your filter should be named “GeoServerPassThroughAuthEndPointFilter” or similar.

Uhm… I am not sure we need another hierarchy. I agree that this filter is not preauthenticated, so probably it deserves a distinct implementation.
Basically what it does is very similar to what BasicAuthentication or other filters do: fetch credentials in “some way” and then let the authentication manager do the authentication (this is what I meant when I said " uses the authentication providers chain to do the authentication").

My only concern is that some functionality could be useful also in the existing RequestHeader filter (for example the possibility to extract the username using a regular expression). Maybe we can put some common functionality in utility classes and use it from both filters, or just duplicate the code and don’t bother too much :).

I am against a new community module, I would vote for adding this filter in the core code.

Agree, then we need a name to distinguish this filter from the existing “HTTP Header”, something like “Credentials from HTTP Headers”. Ideas are welcome.

Cheers,
Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi Mauro

I did a quick review, looks good.

Cheers
Christian

···

On Fri, Nov 7, 2014 at 4:40 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi,
I have prepared a pull request for this.

I chose to create a new filter in the main module, independent from the existing Request Headers filter.

Please, review if you wish.

Mauro

2014-10-09 15:24 GMT+02:00 Christian Mueller <christian.mueller@anonymised.com>:

Hi Mauro

In any case we should avoid code duplication and utility classes. I am fine with a distinct implementation too. “CredentialsFromHTTPHeader” sounds fine :slight_smile:

Go on, I assume you will make a pull request for discussion.

Cheers

Christian

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

On Thu, Oct 9, 2014 at 2:57 PM, Mauro Bartolomeoli <mauro.bartolomeoli@…1268…> wrote:

Hi Christian,

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2014-10-09 13:18 GMT+02:00 Christian Mueller <christian.mueller@anonymised.com>:

Hi Mauro

If I got it right, you want a filter to act as an end point for a pass through authentication. If this is the case, please create a new filter class or class hierarchy, your filter should be named “GeoServerPassThroughAuthEndPointFilter” or similar.

Uhm… I am not sure we need another hierarchy. I agree that this filter is not preauthenticated, so probably it deserves a distinct implementation.
Basically what it does is very similar to what BasicAuthentication or other filters do: fetch credentials in “some way” and then let the authentication manager do the authentication (this is what I meant when I said " uses the authentication providers chain to do the authentication").

My only concern is that some functionality could be useful also in the existing RequestHeader filter (for example the possibility to extract the username using a regular expression). Maybe we can put some common functionality in utility classes and use it from both filters, or just duplicate the code and don’t bother too much :).

I am against a new community module, I would vote for adding this filter in the core code.

Agree, then we need a name to distinguish this filter from the existing “HTTP Header”, something like “Credentials from HTTP Headers”. Ideas are welcome.

Cheers,
Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH