[Geoserver-devel] HTTP Basic Authentication for per-layer security

Tyler Erickson wrote:

Andrea,

I was thinking more about the tests that I ran on the per-layer security, and I think that I overlooked a potential issue. When an anonymous user tries to make a WMS request against a secured service using a browser, they currently receive a ServiceExceptionReport with code="LayerNotDefined" response. I would have expected that the browser would have presented the user with a dialog box for entering the HTTP Basic Authentication information. How would such a user go about authenticating?

Tyler,
you're bringing up a very good point, I wondered about this too
when implementing the code.
Basically when dealing with data that the current user cannot even
read there are two approaches:
a) don't show the data at all, if the user did not authenticate, the
    data is not there
b) list the data the user cannot access in the capabilities documents,
but throw a security error prompting the user to authenticate himself.

In the code I implemented approach a) because it was somewhat simpler,
and because it implements a stronger security than b). With a) you
cannot even infer that data is there, whilst with b) you gain access
to the fact the data is there, and there is some way to get to it
(think brute force attack).

On the other side, client software such as uDig does not let you
authenticate during the connection setup, but expects a http 401
code in order to prompt the user for a username/password request.

Hard question: blue pill or red pill? Or maybe a configurable pill,
with blue and red buttons? ;)

Cheers
Andrea

Tyler Erickson wrote:

Andrea,

Sorry for the delayed reply... I just returned to the office.

How about the following (purple pill) approach:
c) prompt the user to authenticate (or reply with a 401 error) if a user tries to read a protected data layer; and list the data in the capabilities document only when the user is authenticated and authorized

That way, an outside user would not be able to determine the name of the layer for a brute force attack.

Well, with a brute force attack they'll eventually be able to, but given
we have no limits to the number of chars in the layer name, it's actually quite hard to spot.

Seems a reasonable compromise to me. What do other people think?
Cheers
Andrea
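The three options discussed in this thread, approach a) (hide protected layers entirely), b)/c) (challenge the client with a 401 so browsers and uDig prompt for credentials) and the capabilities filtering in c), can be sketched as an HTTP-level decision table. The following is an added illustration, not GeoServer's own code: the user accounts, layer names and permission sets are constructed, the `Response` class stands in for a real HTTP response, and only the Python standard library is used.

```python
import base64
import hmac
from dataclasses import dataclass, field
from xml.sax.saxutils import escape

# Constructed sample accounts and per-layer read permissions (hypothetical
# names, not GeoServer's real user or layer configuration).
# A permission set of None means the layer is public.
USERS = {"alice": "alice-secret", "bob": "bob-secret"}
LAYERS = {
    "topp:states": None,              # public layer
    "topp:roads": {"alice"},          # only alice may read
    "topp:census": {"alice", "bob"},  # alice and bob may read
}
REALM = "GeoServer"


@dataclass
class Response:
    """Minimal stand-in for an HTTP response."""
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def basic_header(user, password):
    """Build the Authorization header a browser or uDig would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authenticate(auth_header):
    """Return the user name for valid Basic credentials, else None (anonymous)."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(auth_header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    # constant-time comparison so a wrong password is not distinguishable by timing
    if not hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8")):
        return None
    return user


def can_read(user, layer):
    """True if the (possibly anonymous) user may read the named layer."""
    readers = LAYERS[layer]
    return readers is None or (user is not None and user in readers)


def layer_not_defined(layer):
    """The ServiceExceptionReport an anonymous user sees today for a hidden layer."""
    body = ('<ServiceExceptionReport><ServiceException code="LayerNotDefined">'
            f"Could not find layer {escape(layer)}</ServiceException></ServiceExceptionReport>")
    return Response(200, body, {"Content-Type": "application/vnd.ogc.se_xml"})


def get_capabilities(auth_header):
    """Capabilities list only the layers this user may read (approaches a and c)."""
    user = authenticate(auth_header)
    visible = sorted(name for name in LAYERS if can_read(user, name))
    body = ("<WMT_MS_Capabilities>"
            + "".join(f"<Layer><Name>{escape(n)}</Name></Layer>" for n in visible)
            + "</WMT_MS_Capabilities>")
    return Response(200, body, {"Content-Type": "application/vnd.ogc.wms_xml"})


def get_map(auth_header, layer, hide_protected=False):
    """GetMap against a single layer.

    hide_protected=False is approach c): anonymous callers get a 401 challenge,
    authenticated but unauthorized callers get 403.  hide_protected=True is
    approach a): a protected layer is indistinguishable from a missing one.
    """
    user = authenticate(auth_header)
    if layer not in LAYERS:
        return layer_not_defined(layer)
    if can_read(user, layer):
        return Response(200, f"<rendered map of {layer}>", {"Content-Type": "image/png"})
    if hide_protected:
        return layer_not_defined(layer)
    if user is None:
        return Response(401, "", {"WWW-Authenticate": f'Basic realm="{REALM}"'})
    return Response(403, "Forbidden", {})
```

The `hide_protected` switch is the "configurable pill": with it off, a request for a protected layer answers 401, which is what lets a browser or uDig pop up the credential dialog, but it also confirms that the layer exists, which is exactly the inference approach a) avoids. Keeping the capabilities document filtered in both modes means a caller still has to guess the layer name before learning anything, which is the compromise the thread settles on.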