[Geoserver-devel] GeoServer 2.7-rc1 / Data security

Dear List members,

during some tests on data security with GeoServer 2.7-rc1 I discovered a strange behaviour that I could not understand:

(All steps performed on a fresh installation)

Test case 1
------------
I created a new role and user and finally configured this single rule for data security (no other rule exists!)

  "topp.*.r testrole"

-> Behaves as expected: The user with role "testrole" can now access all layers of Workspace "topp" for example via WMS and all layers are shown in his Layer preview.

-> Behaves as expected: Unauthorized access via WMS to layers of workspace "topp" gets HTTP response with status code 404

but if I try to narrow the data security rule:

Test case 2
--------------
I created a new role and user and finally configured this single rule for data security (no other rule exists!)

  "topp.states.r testrole"

-> Unexpected behaviour: The user with role "testrole" can now access all layers of Workspace "topp" for example via WMS and all layers are shown in his Layer preview! I expected only layer states.

-> Unexpected behaviour: Access via WMS to all layers of workspace "topp" is also possible without any authorization! This data security rule does not seem to have any effect at all.

Could somebody explain this behaviour, or is this a bug? I was not able to find an issue on this bug yet.

Best regards,
Patric Hafner

--
web www.geops.de
rss www.geops.de/blog/feed
follow www.twitter.com/geops

First up thanks for testing, I am not aware of any security changes in 2.7 (it did not make the short list of features we asked for help testing).

You may be stuck on the difference between service and data security.

I would expect you to handle your story using one rule to turn off access to topp.* and then a second rule to enable access to topp.states. My understanding is that the most specific rule will end up defining access. In your example you have provided one specific rule for topp.states, but have not provided any guidance on the rest of the workspace.

Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Jody Garnett

On Mon, Mar 16, 2015 at 9:00 PM, Jody Garnett <jody.garnett@anonymised.com>
wrote:

First up thanks for testing, I am not aware of any security changes in 2.7
(it did not make the short list of features we asked for help testing).

We had some changes as part of the jdbcconfig scalability work,
https://github.com/geoserver/geoserver/pull/836

If this is confirmed to be a problem, I'd call it a release blocker.
I won't be able to have a look before late tonight (mountain time) though

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


-------------------------------------------------------

After some testing, I found a small difference between 2.6.2 and 2.7-rc1. But I think there is no bug, just misunderstanding by me.

As the documentation says " (...) If a permission at the global level is not specified, global permissions are assumed to allow read/write access. If a permission for a workspace is not specified, it inherits permissions from the global specification. If a permission for a layer is not specified, it inherits permissions from its workspace specification. (...)"
I thought I have to deny all access in the first place in order to be able to follow a "white-list" approach.

- Check 1: Deletion of default data security rules

*.*.r *
*.*.w *

GeoServer 2.6.2: Not possible, they are getting re-created automatically

GeoServer 2.7-rc1: Not possible, they are getting re-created automatically

- Check 2: Limitation of layer access

Adding:

  topp.states.r testrole

GeoServer 2.6.2: OK: Layer "states" only readable for role "testrole"

GeoServer 2.7-rc1: OK: Layer "states" only readable for role "testrole"

After adding the new rule, I am able to remove both default rules on both versions. As expected, this has no effect on security.

And this is where the difference occurs:

GeoServer 2.6.2: All layers except layer "topp.states" are shown in layer preview and are accessible via WMS for unauthorized users
(Like I expected)

GeoServer 2.7-rc1: All layers except all layers of workspace topp are shown in layer preview. This is not what I have expected.

To summarize:

* I was confused by the fact that deletion of both default security rules does not have any effect. They still remain active but are invisible.
I expected the deletion to make them inactive. Maybe it should really be impossible to remove them from the GUI or the removal should have an effect

* Maybe a minor issue: Contents shown in layer preview for unprivileged users differ between GeoServer 2.6.2 and 2.7-rc1 in my testcase

Best regards,
Patric

--
web www.geops.de
rss www.geops.de/blog/feed
follow www.twitter.com/geops


I’m going to see if I can reproduce this behaviour locally with a fresh download of 2.7-rc1.

Torben


After testing this, on both GeoServer 2.7-RC1 and 2.6.2 I can confirm these results.

Detailed test procedure and results follows. Results where 2.7-RC1 and 2.6.2 differ are marked with a star (*). Ultimately, I got the same results as Patric:

Initial setup:


Thanks Torben (and Patric) we will treat this as a regression and delay the release.

···

On 17 March 2015 at 14:29, Torben Barsballe <tbarsballe@anonymised.com> wrote:

After testing this, on both GeoServer 2.7-RC1 and 2.6.2 I can confirm these results.

Detailed test procedure and results follows. Results where 2.7-RC1 and 2.6.2 differ are marked with a star (*). Ultimately, I got the same results as Patric:

Initial setup:

Security > Users, Groups, and Roles > Roles

  • Create Role “testrole”

Security > Users, Groups, and Roles > Users

  • Create User/Pass test/test with role testrole

Test case 1

Security > Data

  • Add new rule “topp.*.r”
  • Assigned to role “testrole”
  • Deleted default “*.*.r” and “*.*.w” rules. (Only have the one rule)

Results

GeoServer-2.7-RC1

When logged in as test:

All layers listed in layer preview
All layers accessible from layer preview

When logged out:

All layers not in topp listed in layer preview
All layers not in topp accessible from layer preview. topp layers give 404.

GeoServer-2.6.2

When logged in as test:

All layers listed in layer preview
All layers accessible from layer preview

When logged out:

All layers not in topp listed in layer preview
All layers not in topp accessible from layer preview. topp layers give 404.

Test case 2

Security > Data

  • Add new rule “topp.states.r”.
  • Assigned to role “testrole”
  • Deleted default “*.*.r” and “*.*.w” rules. (Only have the one rule)

Results

GeoServer-2.7-RC1

When logged in as test:

All layers listed in layer preview
All layers accessible from layer preview

When logged out:

(*) All layers not in topp listed in layer preview
(*) All layers not in topp accessible from layer preview. topp layers give 404.

GeoServer-2.6.2

When logged in as test:

All layers listed in layer preview
All layers accessible from layer preview

When logged out:

(*) All layers except topp.states listed in layer preview
(*) All layers except topp.states accessible from layer preview. topp.states gives WMS error: Could not find layer topp:states


Jody Garnett
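
The inheritance order quoted from the documentation earlier in the thread (layer rule, then workspace rule, then global rule, then allow-all) can be written as a small model and compared with the logged-out results reported for test case 2. This is an added example, not GeoServer code and not written by anyone in the thread; the layer names other than topp:states, the role `locked_role` and all function names are constructed, and the model covers only read/write rule resolution.

```python
# Added example: a model of the rule inheritance quoted from the documentation
# in this thread. Not GeoServer code. Rule notation as used in the thread:
#   <workspace>.<layer>.<mode> <role>[,<role>...]   ("*" is the wildcard)
ANY = "*"

# topp:states is from the thread; the other two names are constructed
# stand-ins for "another layer in topp" and "a layer outside topp".
LAYERS = [("topp", "states"), ("topp", "layer_a"), ("other_ws", "layer_b")]


def parse_rule(line):
    """Parse 'topp.states.r testrole' into ((workspace, layer, mode), roles)."""
    target, _, roles = line.strip().strip('"').partition(" ")
    parts = tuple(target.split("."))
    role_set = {r.strip() for r in roles.split(",") if r.strip()}
    if len(parts) != 3 or parts[2] not in ("r", "w") or not role_set:
        raise ValueError(f"not a data security rule: {line!r}")
    if parts[0] == ANY and parts[1] != ANY:
        raise ValueError(f"a layer rule needs a concrete workspace: {line!r}")
    return parts, role_set


def allowed_roles(rules, workspace, layer, mode="r"):
    """Most specific rule wins: layer, then workspace, then global."""
    for key in ((workspace, layer, mode), (workspace, ANY, mode), (ANY, ANY, mode)):
        if key in rules:
            return rules[key]
    # No global rule: the documentation quoted in the thread says access is allowed.
    return {ANY}


def view(rule_lines, user_roles=(), mode="r"):
    """Names of the sample layers a user holding user_roles may access."""
    rules = dict(parse_rule(line) for line in rule_lines)
    visible = set()
    for workspace, layer in LAYERS:
        granted = allowed_roles(rules, workspace, layer, mode)
        if ANY in granted or granted & set(user_roles):
            visible.add(f"{workspace}:{layer}")
    return visible


# Logged-out results reported in the thread for test case 2, transcribed
# onto the sample layers above.
REPORTED_CASE_2 = {
    "2.6.2": {"topp:layer_a", "other_ws:layer_b"},
    "2.7-RC1": {"other_ws:layer_b"},
}


def deviations(rule_lines, reported):
    """Per version: (layers exposed but not expected, layers expected but hidden)."""
    expected = view(rule_lines)
    return {version: (sorted(seen - expected), sorted(expected - seen))
            for version, seen in reported.items()}


if __name__ == "__main__":
    case_2 = ["topp.states.r testrole"]
    print("expected for anonymous:", sorted(view(case_2)))
    for version, (exposed, hidden) in deviations(case_2, REPORTED_CASE_2).items():
        print(version, "unexpectedly exposed:", exposed, "unexpectedly hidden:", hidden)
    # Allowlist for topp in the two-rule style suggested in the thread;
    # "locked_role" is a constructed role that no ordinary user holds.
    allowlist = ["topp.*.r locked_role", "topp.states.r testrole"]
    print("testrole with allowlist:", sorted(view(allowlist, ["testrole"])))
```

Under this model the 2.6.2 results for test case 2 match the documented inheritance, while 2.7-RC1 hides the remaining topp layers from logged-out users even though no workspace rule exists.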
