[Geoserver-devel] GSIP 71: some feedback

Hi all,
been looking at GSIP 71. Wow, massive beast, the patch is 2.2MB!!!

First part of the feedback is based on the new security subsystem docs, which
I found easier to grok than the proposal itself:
http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/index.html

Overall what I've seen looks quite good, comments below.

http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/web.html
The way things look in the drawing and in the description,
it almost seems like the form-based authentication filter
does not let the remember me filter do its job, or else, it knows the
remember me filter is there and lets it do its job only if the remember me
flag is raised, otherwise it cuts the filter chain short.
Is it really working like that?
Afaik Spring's own filter chains were traversed like normal servlet filters.

Also, in the example titled
"User returns after session time out (with “Remember Me”)"
doesn't the session integration filter create a new session after the
remember me one authenticated the request?

http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/providers.html

The JDBC provider seems like a rather heavy approach, as it has to create a
new database connection each time.
Also, the documentation does not show how one switches from username/password
to LDAP to JDBC.
Finally, I'm not clear on one important bit: are we using Spring Security
providers directly, wrap them in our own objects, or roll your own?
How easy/hard is it to plug in a new authentication provider, say for CAS,
Shibboleth, OpenID (and so on)?

http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/passwd.html

Aren't the strong encryption algorithms somehow limited in availability, like
for example people from certain states are not allowed to use them?
If so I'd suggest to point that out in the documentation, since everything else
in the core GeoServer can be used without restrictions (that I'm aware of,
at least).

How are password policies configured?

So far I've read the GSIP itself and the updated documentation Justin provided.
They both provide a nice introduction but left me wanting in terms of
configuration and extensibility, as well as internal API (this thing
introduces a number of new interfaces, they should be documented in the
GSIP imho)...
is there going to be some documentation in this respect, or is
the only way to get an overview to actually read 2.2MB of patch (or, put in
other terms, read a patch file weighing 58000 lines)?

Cheers
Andrea

--
-------------------------------------------------------
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead

Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf

-------------------------------------------------------

Hey Andrea,

Thanks again for the feedback, comments inline.

On Sun, Feb 26, 2012 at 10:09 AM, Andrea Aime <andrea.aime@anonymised.com> wrote:

> Hi all,
> been looking at GSIP 71. Wow, massive beast, the patch is 2.2MB!!!
>
> First part of the feedback is based on the new security subsystem docs, which
> I found easier to grok than the proposal itself:
> http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/index.html
>
> Overall what I’ve seen looks quite good, comments below.
>
> http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/web.html
> The way things look in the drawing and in the description,
> it almost seems like the form-based authentication filter
> does not let the remember me filter do its job, or else, it knows the
> remember me filter is there and lets it do its job only if the remember me
> flag is raised, otherwise it cuts the filter chain short.
> Is it really working like that?
> Afaik Spring's own filter chains were traversed like normal servlet filters.

You are correct, in an attempt to make it more understandable for regular users I simplified the concepts somewhat. Indeed it is as you mention and all the filters get a chance to execute, in that case the remember me filter recognizes the remember me flag and acts accordingly.

I tried to describe this in the following section.

http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/web.html#user-logs-in-with-remember-me-flag-set

Probably a diagram there would be a good idea.

> Also, in the example titled
> “User returns after session time out (with “Remember Me”)”
> doesn’t the session integration filter create a new session after the
> remember me one authenticated the request?

Indeed, again an oversimplification of things that happen in the filters “on the way out”. Will add some text there explaining what happens.

> http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/providers.html
>
> The JDBC provider seems like a rather heavy approach, as it has to create a
> new database connection each time.
>
> Also, the documentation does not show how one switches from username/password
> to LDAP to JDBC.

There is some stuff in the docs about how to interact via the ui. Some stuff there about adding new auth providers.

http://echobase.opengeo.org/~jdeolive/geoserver_docs/webadmin/security/auth.html

But I agree… the current docs are pretty much a baseline and more of a reference. What I would like to see is some good tutorial style docs in order to tie things together and handle some of these common configuration use cases.

> Finally, I’m not clear on one important bit: are we using Spring Security
> providers directly, wrap them in our own objects, or roll your own?

This is something Christian and I went back and forth on. In the end we decided to go with a GeoServer-specific interface, providing wrappers to make it easy to delegate fully to an existing Spring Security auth provider.

https://github.com/jdeolive/geoserver/blob/security/src/security/ldap/src/main/java/org/geoserver/security/ldap/LDAPAuthenticationProvider.java

It still kind of makes me think twice about the approach and not being able to plug in a straight spring security class directly… but at the same time the developer will still have to write an extension for new auth providers so adding a simple wrapping class like this didn’t seem too bad.

> How easy/hard is it to plug in a new authentication provider, say for CAS,
> Shibboleth, OpenID (and so on)?

One that has an existing Spring Security auth provider is relatively simple, the LDAP security module adds a good template for that. Writing our own from scratch is naturally potentially quite a bit more work, the JDBC module provides a template of that.

https://github.com/jdeolive/geoserver/tree/security/src/security/ldap
https://github.com/jdeolive/geoserver/tree/security/src/security/jdbc

> http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/passwd.html
>
> Aren’t the strong encryption algorithms somehow limited in availability, like
> for example people from certain states are not allowed to use them?
> If so I’d suggest to point that out in the documentation, since everything else
> in the core GeoServer can be used without restrictions (that I’m aware of,
> at least).

Right, I am actually not sure, Christian will have a better idea. But I will dig into this to try and find a better answer and update the docs accordingly.

> How are password policies configured?

Some limited stuff in the web ui section of the security docs.

http://echobase.opengeo.org/~jdeolive/geoserver_docs/webadmin/security/passwords.html#password-policies

> So far I’ve read the GSIP itself and the updated documentation Justin provided.
> They both provide a nice introduction but left me wanting in terms of
> configuration and extensibility, as well as internal API (this thing
> introduces a number of new interfaces, they should be documented in the
> GSIP imho)…
> is there going to be some documentation in this respect, or is
> the only way to get an overview to actually read 2.2MB of patch (or, put in
> other terms, read a patch file weighing 58000 lines)?

Haha, yeah. Certainly some developer docs are in order. I will throw it on the todo list to add some stuff to the developer docs providing a better walkthrough to the new security api.

Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
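
The filter traversal discussed in this thread, as an added example (not GeoServer or Spring Security code, and not posted by either participant): a simplified Java model in which every filter runs and hands the request on, the remember-me filter acts on the flag, and the session filter creates a new session on the way out. All class names, the password "secret" and the token format are constructed for illustration.

```java
import java.util.*;
// Simplified model, constructed for illustration: not Spring Security or GeoServer code.
public class FilterChainDemo {
    static class Request {
        final Map<String, String> params = new HashMap<>(), cookies = new HashMap<>();
        String sessionUser, user; // session-stored user (null after timeout); per-request context
        final List<String> trace = new ArrayList<>();
    }
    interface Chain { void next(Request r); }
    interface Filter { void doFilter(Request r, Chain c); }
    // Restores the user from the session on the way in, saves it on the way out.
    static final Filter SESSION = (r, c) -> {
        r.trace.add("session");
        r.user = r.sessionUser;
        c.next(r);
        if (r.user != null && r.sessionUser == null) { r.sessionUser = r.user; r.trace.add("new-session"); }
    };
    // Authenticates a posted login form (constructed password), then still hands the request on.
    static final Filter FORM = (r, c) -> {
        r.trace.add("form");
        if (r.user == null && "secret".equals(r.params.get("password"))) r.user = r.params.get("username");
        c.next(r);
    };
    // Issues a token when the flag is set; accepts one when nobody is logged in.
    // "token-for-<user>" is a placeholder: a real token is signed or random.
    static final Filter REMEMBER_ME = (r, c) -> {
        r.trace.add("remember-me");
        String token = r.cookies.get("remember-me");
        if (r.user != null && "true".equals(r.params.get("rememberMe"))) r.cookies.put("remember-me", "token-for-" + r.user);
        else if (r.user == null && token != null) r.user = token.substring("token-for-".length());
        c.next(r);
    };
    static Request run(Request r, List<Filter> filters) {
        Iterator<Filter> it = filters.iterator();
        Chain[] chain = new Chain[1];   // array cell lets the lambda refer to itself
        chain[0] = req -> { if (it.hasNext()) it.next().doFilter(req, chain[0]); };
        chain[0].next(r);
        return r;
    }
    public static void main(String[] args) {
        Request login = new Request();  // form post with the remember-me flag set
        login.params.putAll(Map.of("username", "admin", "password", "secret", "rememberMe", "true"));
        List<Filter> filters = List.of(SESSION, FORM, REMEMBER_ME);
        System.out.println(run(login, filters).trace + " cookies=" + login.cookies);
        Request back = new Request();   // session timed out, cookie survived
        back.cookies.putAll(login.cookies);
        System.out.println(run(back, filters).trace + " user=" + back.user);
    }
}
```

Both requests record the same trace through all three filters; the difference is only which filter sets the user before the session filter stores it on the way out.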