[Geoserver-devel] GeoServer 2.3.0: create custom Auth Filter and a to existing chain or create new chain -- Not Working?

Hi Guyz,

I’m struggling with the creation of a Authentication Filter - based on the dev documentation I did find and the code I’m browsing for hours now ^^.

Actually, I already asked a rather complete question in the gis.exchange site (here) but I wanted to enter directly in contact with you guyz. Why? see below :-/

It turns out that it looks like a missing feature in the 2.3.0 release (I won’t called it a bug, because it could [should] be a mistake of mine).
Indeed, I’ve successfully created the component to see my filter shown in the Authentication Filter Panel (from the Authentication page of the web admin site) but when I’m trying to either save the default chain or even create a brand new chain using this filter it seems that the securityManager.getSecurityConfig().filterChain.requestChains will remain the same and so won’t change the default mapper nor add my new chain… That’s why I came to here in order to poke the right persons directly.

So, I’m sorry if not relevant.

Here is the chains I can see

  • [0] = {org.geoserver.security.HtmlLoginFilterChain@13515}“[/web/, /gwc/rest/web/]:[contextAsc, rememberme, anonymous, guiException, interceptor]”
  • [1] = {org.geoserver.security.ConstantFilterChain@13516}“[/j_spring_security_check, /j_spring_security_check/]:[contextAsc, form]”
  • [2] = {org.geoserver.security.LogoutFilterChain@13517}“[/j_spring_security_logout, /j_spring_security_logout/]:[contextAsc, formLogout]”
  • [3] = {org.geoserver.security.ServiceLoginFilterChain@13518}“[/rest/**]:[contextNoAsc, basic, anonymous, exception, restInterceptor]”
  • [4] = {org.geoserver.security.ServiceLoginFilterChain@13519}“[/gwc/rest/**]:[contextNoAsc, basic, exception, restInterceptor]”
  • [5] = {org.geoserver.security.ServiceLoginFilterChain@13520}“[/**]:[contextNoAsc, basic, anonymous, exception, interceptor]”

And here is the interface shown in my browser:
Inline image 1

So far so good, the chain is present in the list, and I saw adding it that the secMgrConfig field of SecurityFilterChainPage was updated with the new chain… however, the very next request I’ll do will loose the chain… And the web interface to hold it in memory for a while until disappearing again (due to some timeout or something I guess).

It’d probably due to the fact that the configuration wasn’t persisted in the config.xml file and won’t be reloaded on-the-fly (again, just guessing).

Does someone have an idea how to help me further, do I encountered a known limitation already fixed in 2.3.1 or in the master branch, or did I make a mistake or should I come up with a patch (-- help needed if so – ^^) ?

Thanks a lot for your help and work guyz…

Andy/Noootsab
(previously a Ionic Software devops :stuck_out_tongue: turned into an OSS addict)

Andy Petrella

Belgium (Liège)

********

IT Consultant for NextLab sprl (co-founder)
Engaged Citizen Coder for WAJUG (co-founder)
Author of Learning Play! Framework 2

********
Mobile: +32 495 99 11 04
Mails:

Hi Andy

Before I dig into the problem, some simple questions

  1. Do you use chrome as your browser. This will not work since the save button does not work.
  2. After you modified your chains, did you press the “Save” button. Seeing your modifications on the GUI is not enough.
  3. Looking at your screen shot I see that your chain is at last position. No request will reach your chain because the predecessor is /** matching all requests.

Cheers
Christian

(attachments)

Sans titre.PNG

···

2013/4/22 andy petrella <andy.petrella@anonymised.com>

Hi Guyz,

I’m struggling with the creation of a Authentication Filter - based on the dev documentation I did find and the code I’m browsing for hours now ^^.

Actually, I already asked a rather complete question in the gis.exchange site (here) but I wanted to enter directly in contact with you guyz. Why? see below :-/

It turns out that it looks like a missing feature in the 2.3.0 release (I won’t called it a bug, because it could [should] be a mistake of mine).
Indeed, I’ve successfully created the component to see my filter shown in the Authentication Filter Panel (from the Authentication page of the web admin site) but when I’m trying to either save the default chain or even create a brand new chain using this filter it seems that the securityManager.getSecurityConfig().filterChain.requestChains will remain the same and so won’t change the default mapper nor add my new chain… That’s why I came to here in order to poke the right persons directly.

So, I’m sorry if not relevant.

Here is the chains I can see

  • [0] = {org.geoserver.security.HtmlLoginFilterChain@13515}“[/web/, /gwc/rest/web/]:[contextAsc, rememberme, anonymous, guiException, interceptor]”
  • [1] = {org.geoserver.security.ConstantFilterChain@13516}“[/j_spring_security_check, /j_spring_security_check/]:[contextAsc, form]”
  • [2] = {org.geoserver.security.LogoutFilterChain@13517}“[/j_spring_security_logout, /j_spring_security_logout/]:[contextAsc, formLogout]”
  • [3] = {org.geoserver.security.ServiceLoginFilterChain@13518}“[/rest/**]:[contextNoAsc, basic, anonymous, exception, restInterceptor]”
  • [4] = {org.geoserver.security.ServiceLoginFilterChain@13519}“[/gwc/rest/**]:[contextNoAsc, basic, exception, restInterceptor]”
  • [5] = {org.geoserver.security.ServiceLoginFilterChain@13520}“[/**]:[contextNoAsc, basic, anonymous, exception, interceptor]”

And here is the interface shown in my browser:
Inline image 1

So far so good, the chain is present in the list, and I saw adding it that the secMgrConfig field of SecurityFilterChainPage was updated with the new chain… however, the very next request I’ll do will loose the chain… And the web interface to hold it in memory for a while until disappearing again (due to some timeout or something I guess).

It’d probably due to the fact that the configuration wasn’t persisted in the config.xml file and won’t be reloaded on-the-fly (again, just guessing).

Does someone have an idea how to help me further, do I encountered a known limitation already fixed in 2.3.1 or in the master branch, or did I make a mistake or should I come up with a patch (-- help needed if so – ^^) ?

Thanks a lot for your help and work guyz…

Andy/Noootsab
(previously a Ionic Software devops :stuck_out_tongue: turned into an OSS addict)

Andy Petrella

Belgium (Liège)

********

IT Consultant for NextLab sprl (co-founder)
Engaged Citizen Coder for WAJUG (co-founder)
Author of Learning Play! Framework 2

********
Mobile: +32 495 99 11 04
Mails:


Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter


Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Man… firefox did the trick :-/

Thanks for your help. I was at least at 2 parsec away from this kind of problems… I should have miss the documentation warning this fact.
If so, could you gently point me out where it is, please?

Thanks a lot!

andy

···

Andy Petrella

Belgium (Liège)

********

IT Consultant for NextLab sprl (co-founder)
Engaged Citizen Coder for WAJUG (co-founder)
Author of Learning Play! Framework 2

********
Mobile: +32 495 99 11 04
Mails:

On Tue, Apr 23, 2013 at 9:50 AM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Andy

Before I dig into the problem, some simple questions

  1. Do you use chrome as your browser. This will not work since the save button does not work.
  2. After you modified your chains, did you press the “Save” button. Seeing your modifications on the GUI is not enough.
  3. Looking at your screen shot I see that your chain is at last position. No request will reach your chain because the predecessor is /** matching all requests.

Cheers
Christian

2013/4/22 andy petrella <andy.petrella@anonymised.com>

Hi Guyz,

I’m struggling with the creation of a Authentication Filter - based on the dev documentation I did find and the code I’m browsing for hours now ^^.

Actually, I already asked a rather complete question in the gis.exchange site (here) but I wanted to enter directly in contact with you guyz. Why? see below :-/

It turns out that it looks like a missing feature in the 2.3.0 release (I won’t called it a bug, because it could [should] be a mistake of mine).
Indeed, I’ve successfully created the component to see my filter shown in the Authentication Filter Panel (from the Authentication page of the web admin site) but when I’m trying to either save the default chain or even create a brand new chain using this filter it seems that the securityManager.getSecurityConfig().filterChain.requestChains will remain the same and so won’t change the default mapper nor add my new chain… That’s why I came to here in order to poke the right persons directly.

So, I’m sorry if not relevant.

Here is the chains I can see

  • [0] = {org.geoserver.security.HtmlLoginFilterChain@13515}“[/web/, /gwc/rest/web/]:[contextAsc, rememberme, anonymous, guiException, interceptor]”
  • [1] = {org.geoserver.security.ConstantFilterChain@13516}“[/j_spring_security_check, /j_spring_security_check/]:[contextAsc, form]”
  • [2] = {org.geoserver.security.LogoutFilterChain@13517}“[/j_spring_security_logout, /j_spring_security_logout/]:[contextAsc, formLogout]”
  • [3] = {org.geoserver.security.ServiceLoginFilterChain@13518}“[/rest/**]:[contextNoAsc, basic, anonymous, exception, restInterceptor]”
  • [4] = {org.geoserver.security.ServiceLoginFilterChain@13519}“[/gwc/rest/**]:[contextNoAsc, basic, exception, restInterceptor]”
  • [5] = {org.geoserver.security.ServiceLoginFilterChain@13520}“[/**]:[contextNoAsc, basic, anonymous, exception, interceptor]”

And here is the interface shown in my browser:

So far so good, the chain is present in the list, and I saw adding it that the secMgrConfig field of SecurityFilterChainPage was updated with the new chain… however, the very next request I’ll do will loose the chain… And the web interface to hold it in memory for a while until disappearing again (due to some timeout or something I guess).

It’d probably due to the fact that the configuration wasn’t persisted in the config.xml file and won’t be reloaded on-the-fly (again, just guessing).

Does someone have an idea how to help me further, do I encountered a known limitation already fixed in 2.3.1 or in the master branch, or did I make a mistake or should I come up with a patch (-- help needed if so – ^^) ?

Thanks a lot for your help and work guyz…

Andy/Noootsab
(previously a Ionic Software devops :stuck_out_tongue: turned into an OSS addict)

Andy Petrella

Belgium (Liège)

********

IT Consultant for NextLab sprl (co-founder)
Engaged Citizen Coder for WAJUG (co-founder)
Author of Learning Play! Framework 2

********
Mobile: +32 495 99 11 04
Mails:


Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Andi

There is an issue in the issue tracker
http://osgeo-org.1560.x6.nabble.com/jira-GEOS-5754-Some-quot-Save-quot-buttons-do-not-work-with-Google-Chrome-td5045176.html

The whole security documentation is not up to date and many features are not described until now. It is a matter of time and money, paid work has to be done first.

Cheers
Christian

···

2013/4/23 andy petrella <andy.petrella@anonymised.com>

Man… firefox did the trick :-/

Thanks for your help. I was at least at 2 parsec away from this kind of problems… I should have miss the documentation warning this fact.
If so, could you gently point me out where it is, please?

Thanks a lot!

andy

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Andy Petrella

Belgium (Liège)

********

IT Consultant for NextLab sprl (co-founder)
Engaged Citizen Coder for WAJUG (co-founder)
Author of Learning Play! Framework 2

********
Mobile: +32 495 99 11 04
Mails:

On Tue, Apr 23, 2013 at 9:50 AM, Christian Mueller <christian.mueller@anonymised.com674…> wrote:

Hi Andy

Before I dig into the problem, some simple questions

  1. Do you use chrome as your browser. This will not work since the save button does not work.
  2. After you modified your chains, did you press the “Save” button. Seeing your modifications on the GUI is not enough.
  3. Looking at your screen shot I see that your chain is at last position. No request will reach your chain because the predecessor is /** matching all requests.

Cheers
Christian

2013/4/22 andy petrella <andy.petrella@anonymised.com>

Hi Guyz,

I’m struggling with the creation of a Authentication Filter - based on the dev documentation I did find and the code I’m browsing for hours now ^^.

Actually, I already asked a rather complete question in the gis.exchange site (here) but I wanted to enter directly in contact with you guyz. Why? see below :-/

It turns out that it looks like a missing feature in the 2.3.0 release (I won’t called it a bug, because it could [should] be a mistake of mine).
Indeed, I’ve successfully created the component to see my filter shown in the Authentication Filter Panel (from the Authentication page of the web admin site) but when I’m trying to either save the default chain or even create a brand new chain using this filter it seems that the securityManager.getSecurityConfig().filterChain.requestChains will remain the same and so won’t change the default mapper nor add my new chain… That’s why I came to here in order to poke the right persons directly.

So, I’m sorry if not relevant.

Here is the chains I can see

  • [0] = {org.geoserver.security.HtmlLoginFilterChain@13515}“[/web/, /gwc/rest/web/]:[contextAsc, rememberme, anonymous, guiException, interceptor]”
  • [1] = {org.geoserver.security.ConstantFilterChain@13516}“[/j_spring_security_check, /j_spring_security_check/]:[contextAsc, form]”
  • [2] = {org.geoserver.security.LogoutFilterChain@13517}“[/j_spring_security_logout, /j_spring_security_logout/]:[contextAsc, formLogout]”
  • [3] = {org.geoserver.security.ServiceLoginFilterChain@13518}“[/rest/**]:[contextNoAsc, basic, anonymous, exception, restInterceptor]”
  • [4] = {org.geoserver.security.ServiceLoginFilterChain@13519}“[/gwc/rest/**]:[contextNoAsc, basic, exception, restInterceptor]”
  • [5] = {org.geoserver.security.ServiceLoginFilterChain@13520}“[/**]:[contextNoAsc, basic, anonymous, exception, interceptor]”

And here is the interface shown in my browser:

So far so good, the chain is present in the list, and I saw adding it that the secMgrConfig field of SecurityFilterChainPage was updated with the new chain… however, the very next request I’ll do will loose the chain… And the web interface to hold it in memory for a while until disappearing again (due to some timeout or something I guess).

It’d probably due to the fact that the configuration wasn’t persisted in the config.xml file and won’t be reloaded on-the-fly (again, just guessing).

Does someone have an idea how to help me further, do I encountered a known limitation already fixed in 2.3.1 or in the master branch, or did I make a mistake or should I come up with a patch (-- help needed if so – ^^) ?

Thanks a lot for your help and work guyz…

Andy/Noootsab
(previously a Ionic Software devops :stuck_out_tongue: turned into an OSS addict)

Andy Petrella

Belgium (Liège)

********

IT Consultant for NextLab sprl (co-founder)
Engaged Citizen Coder for WAJUG (co-founder)
Author of Learning Play! Framework 2

********
Mobile: +32 495 99 11 04
Mails:


Precog is a next-generation analytics platform capable of advanced
analytics on semi-structured data. The platform includes APIs for building
apps and a phenomenal toolset for data science. Developers can use
our toolset for easy data analysis & visualization. Get a free account!
http://www2.precog.com/precogplatform/slashdotnewsletter


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Tue, Apr 23, 2013 at 12:55 PM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

The whole security documentation is not up to date and many features are
not described until now. It is a matter of time and money, paid work has to
be done first.

I'd like to remind the whole community that the documentation is something
that anybody can write, does
not require programming skills, though a bit of familiarity with the
command line is preferable to
write docs in Sphinx and be able to commit them using git.

There are over 2000 people subscribed to this mailing list, yet it seems
only developers are contributing to
the docs (and very few of this large audience care to answer other
subscribers questions).
Seems a pretty unique situation, other large projects have non programmers
contributing to the
docs.

If anybody is interested, the docs are here:
https://github.com/geoserver/geoserver/tree/master/doc/en

And some instructions can be found here:
http://docs.geoserver.org/latest/en/docguide/

and an introduction to git for non programmers:
http://www.sitepoint.com/version-control-git/

Cheers
Andrea

--

GeoServer training in Milan, 6th & 7th June 2013! Visit
http://geoserver.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Hi Andrea,
I wasn’t aware of this (I have a couple of “issues” open relating to the documentation) - it may be worth posting to the user-list too.

I suspect having the docs in git makes them significantly less accessible than a more conventional wiki, which may explain the lower participation from non-developers. Almost everyone can figure out how to use a wiki in a couple of minutes, but to do the GeoServer docs you need extraneous software (git, or gitextensions for a GUI), an understanding of version control, something that can transcribe “.rst” files (I’d never encountered them before) and the willingness/knowledge to actually update the documentation.
I’m not saying to convert the documents to a wiki (research* suggests that’d be a bad idea), but you can see how one of these has a much larger barrier to entry than the other.

    • the Research alluded to is a fascinating paper titled “Creating and evolving developer documentation: understanding the decisions of open source contributors” - http://cs.queensu.ca/~ahmed/home/teaching/CISC880/F11/papers/Documentation_FSE2010.pdf
      It does a comparison of documentation contribution issues for 19 documents for Open Source projects. I’d suggest giving it a read - there are probably lessons in there for how to increase community participation that could help GeoServer.

That said, at some point I’ll try and use this information to resolve my own documentation issues.

Just my 2pence. :slight_smile:

Jonathan

···

The whole security documentation is not up to date and many features are not described until now. It is a matter of time and money, paid work has to be done first.

I’d like to remind the whole community that the documentation is something that anybody can write, does
not require programming skills, though a bit of familiarity with the command line is preferable to
write docs in Sphinx and be able to commit them using git.

There are over 2000 people subscribed to this mailing list, yet it seems only developers are contributing to
the docs (and very few of this large audience care to answer other subscribers questions).
Seems a pretty unique situation, other large projects have non programmers contributing to the
docs.

If anybody is interested, the docs are here:
https://github.com/geoserver/geoserver/tree/master/doc/en

And some instructions can be found here:
http://docs.geoserver.org/latest/en/docguide/

and an introduction to git for non programmers:
http://www.sitepoint.com/version-control-git/

Cheers
Andrea

==
GeoServer training in Milan, 6th & 7th June 2013! Visit http://geoserver.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


On Wed, Apr 24, 2013 at 11:44 AM, Jonathan Moules <
jonathanmoules@anonymised.com> wrote:

Hi Andrea,
I wasn't aware of this (I have a couple of "issues" open relating to the
documentation) - it may be worth posting to the user-list too.

I suspect having the docs in git makes them significantly less accessible
than a more conventional wiki, which may explain the lower participation
from non-developers. Almost everyone can figure out how to use a wiki in a
couple of minutes, but to do the GeoServer docs you need extraneous
software (git, or gitextensions for a GUI), an understanding of version
control, something that can transcribe ".rst" files (I'd never encountered
them before) *and* the willingness/knowledge to actually update the
documentation.
I'm not saying to convert the documents to a wiki (research* suggests
that'd be a bad idea), but you can see how one of these has a much larger
barrier to entry than the other.

Actually the GeoServer documentation was originally in a wiki, we switched
away because of several issues:
* no one from the user base was contributing anyways
* the documentation would get spammed regularly
* we could not maintain a per version documentation, so new features
available only on trunk were documented on the only documentation we had,
and people got confused
* editing long documents in the wiki was a real issue, connection drops
resulted in good half hours of work getting lost

Other projects went through the same ordeal and eventually made the same
move and yet they do have non developers contributing to the docs (e.g.,
MapServer).

* - the Research alluded to is a fascinating paper titled "Creating and
evolving developer documentation: understanding the decisions of open
source contributors" -
http://cs.queensu.ca/~ahmed/home/teaching/CISC880/F11/papers/Documentation_FSE2010.pdf
It does a comparison of documentation contribution issues for 19 documents
for Open Source projects. I'd suggest giving it a read - there are probably
lessons in there for how to increase community participation that could
help GeoServer.

Nice, I'll have a look

Cheers
Andrea

--

GeoServer training in Milan, 6th & 7th June 2013! Visit
http://geoserver.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Yep, the linked paper says similar about other projects that used wiki’s initially, at least relating to the spamming point and a few other things. Also that they get deemed less “authorative” by the user. Wiki’s seem to be good for games though.

The percentage of contributors seems to vary a lot between projects. They show:
“… the number of revisions that were motivated by the community: Django: 48%, Hibernate: 10%, and Eclipse: 10%.”

One particular quote that stuck with me:

“As users and contributors mentioned, the community is less inclined to contribute documentation than it is to contribute code, so the barrier to contribute documentation must be lower than the barrier to contribute code.”

Unfortunately I can’t offer any solutions though.

Jonathan

···

Hi Andrea,
I wasn’t aware of this (I have a couple of “issues” open relating to the documentation) - it may be worth posting to the user-list too.

I suspect having the docs in git makes them significantly less accessible than a more conventional wiki, which may explain the lower participation from non-developers. Almost everyone can figure out how to use a wiki in a couple of minutes, but to do the GeoServer docs you need extraneous software (git, or gitextensions for a GUI), an understanding of version control, something that can transcribe “.rst” files (I’d never encountered them before) and the willingness/knowledge to actually update the documentation.
I’m not saying to convert the documents to a wiki (research* suggests that’d be a bad idea), but you can see how one of these has a much larger barrier to entry than the other.

Actually the GeoServer documentation was originally in a wiki, we switched away because of several issues:

  • no one from the user base was contributing anyways
  • the documentation would get spammed regularly
  • we could not maintain a per version documentation, so new features available only on trunk were documented on the only documentation we had, and people got confused
  • editing long documents in the wiki was a real issue, connection drops resulted in good half hours of work getting lost

Other projects went through the same ordeal and eventually made the same move and yet they do have non developers contributing to the docs (e.g., MapServer).

    • the Research alluded to is a fascinating paper titled “Creating and evolving developer documentation: understanding the decisions of open source contributors” - http://cs.queensu.ca/~ahmed/home/teaching/CISC880/F11/papers/Documentation_FSE2010.pdf
      It does a comparison of documentation contribution issues for 19 documents for Open Source projects. I’d suggest giving it a read - there are probably lessons in there for how to increase community participation that could help GeoServer.

Nice, I’ll have a look

Cheers

Andrea

==
GeoServer training in Milan, 6th & 7th June 2013! Visit http://geoserver.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it