[Geoserver-devel] J2EEAuthenticationFilter

Hi everybody,
to implement authentication in Geoserver for a customer I would need to use the J2EEAuthenticationFilter to inherit the user from an Apache frontend, but also to assign roles to that user using a GeoServerRoleService (in particular a new one fetching roles from LDAP).

Currently the J2EEAuthenticationFilter uses the GeoServerRoleService to get a list of all roles and then filters them using request.isUserInRole(), but in my use case no roles are assigned by the frontend, so I would need to use service.getRolesForUser(username) instead, to let the GeoServerRoleService assign roles to recognized users.

For this to be implemented I would need to change J2EEAuthenticationFilter a bit. I was thinking to add a configuration option to decide whether roles are taken from the container (as they are now, this could be the default), the GeoServerRoleService or both.

What do you think?
Can I proceed? Is there any other way to get this behaviour using the existing filters?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Nice improvement. Go ahead modifying the filter and dont forget to add two check boxes on the configuration panel.

Please ping me for a review of the patch.

Christian

···

On Wed, Oct 2, 2013 at 3:59 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi everybody,
to implement authentication in Geoserver for a customer I would need to use the J2EEAuthenticationFilter to inherit the user from an Apache frontend, but also to assign roles to that user using a GeoServerRoleService (in particular a new one fetching roles from LDAP).

Currently the J2EEAuthenticationFilter uses the GeoServerRoleService to get a list of all roles and then filters them using request.isUserInRole(), but in my use case no roles are assigned by the frontend, so I would need to use service.getRolesForUser(username) instead, to let the GeoServerRoleService assign roles to recognized users.

For this to be implemented I would need to change J2EEAuthenticationFilter a bit. I was thinking to add a configuration option to decide whether roles are taken from the container (as they are now, this could be the default), the GeoServerRoleService or both.

What do you think?
Can I proceed? Is there any other way to get this behaviour using the existing filters?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it



October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Mauro

Another hint. You have to change the configuration object of this filter, please have a look at GeoServerSecurityManager, method migrateIfNecessary. If you add some boolean flags and a flag has a default value of true, you have to

  1. add migration code
  2. Due to 1), it is not possible to backport to 2.4.x series.

Christian

···

On Wed, Oct 2, 2013 at 4:30 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Nice improvement. Go ahead modifying the filter and dont forget to add two check boxes on the configuration panel.

Please ping me for a review of the patch.

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 2, 2013 at 3:59 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi everybody,
to implement authentication in Geoserver for a customer I would need to use the J2EEAuthenticationFilter to inherit the user from an Apache frontend, but also to assign roles to that user using a GeoServerRoleService (in particular a new one fetching roles from LDAP).

Currently the J2EEAuthenticationFilter uses the GeoServerRoleService to get a list of all roles and then filters them using request.isUserInRole(), but in my use case no roles are assigned by the frontend, so I would need to use service.getRolesForUser(username) instead, to let the GeoServerRoleService assign roles to recognized users.

For this to be implemented I would need to change J2EEAuthenticationFilter a bit. I was thinking to add a configuration option to decide whether roles are taken from the container (as they are now, this could be the default), the GeoServerRoleService or both.

What do you think?
Can I proceed? Is there any other way to get this behaviour using the existing filters?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it



October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Thu, Oct 3, 2013 at 10:11 AM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

Hi Mauro

Another hint. You have to change the configuration object of this filter,
please have a look at GeoServerSecurityManager, method migrateIfNecessary.
If you add some boolean flags and a flag has a default value of true, you
have to

1) add migration code
2) Due to 1), it is not possible to backport to 2.4.x series.

The security subsystem could really use some extra flexibility here, like
the metadata map that we have in
all catalog objects, that allows new configuration to be added in the
stable series too

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

So, if the flag has a default value of false can be backported instead?

And what if I need to add an enum or string or something?

Thanks.

Mauro

···

On Wed, Oct 2, 2013 at 4:30 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Nice improvement. Go ahead modifying the filter and dont forget to add two check boxes on the configuration panel.

Please ping me for a review of the patch.

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 2, 2013 at 3:59 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi everybody,
to implement authentication in Geoserver for a customer I would need to use the J2EEAuthenticationFilter to inherit the user from an Apache frontend, but also to assign roles to that user using a GeoServerRoleService (in particular a new one fetching roles from LDAP).

Currently the J2EEAuthenticationFilter uses the GeoServerRoleService to get a list of all roles and then filters them using request.isUserInRole(), but in my use case no roles are assigned by the frontend, so I would need to use service.getRolesForUser(username) instead, to let the GeoServerRoleService assign roles to recognized users.

For this to be implemented I would need to change J2EEAuthenticationFilter a bit. I was thinking to add a configuration option to decide whether roles are taken from the container (as they are now, this could be the default), the GeoServerRoleService or both.

What do you think?
Can I proceed? Is there any other way to get this behaviour using the existing filters?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it



October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Mauro

Sorry, my information was not correct. If you add instance vars to a config object, you cannot backport.

Adding instance vars having the Java default value as the GeoServer default value does not require migration code. (boolean → false, int → 0, String → null,…).
I think you will have to add instance vars and you will have to write a small piece of migration code.

If your customers is using 2.4, I would make the minimum of required changes in J2EEauthenticationfilter and replace the class file in the main.jar (a little bit dirty, but it should work).

Christian

···

On Thu, Oct 3, 2013 at 2:24 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

So, if the flag has a default value of false can be backported instead?

And what if I need to add an enum or string or something?

Thanks.

Mauro

Il 03/ott/2013 10:11 “Christian Mueller” <christian.mueller@anonymised.com> ha scritto:

Hi Mauro

Another hint. You have to change the configuration object of this filter, please have a look at GeoServerSecurityManager, method migrateIfNecessary. If you add some boolean flags and a flag has a default value of true, you have to

  1. add migration code
  2. Due to 1), it is not possible to backport to 2.4.x series.

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 2, 2013 at 4:30 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Nice improvement. Go ahead modifying the filter and dont forget to add two check boxes on the configuration panel.

Please ping me for a review of the patch.

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 2, 2013 at 3:59 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi everybody,
to implement authentication in Geoserver for a customer I would need to use the J2EEAuthenticationFilter to inherit the user from an Apache frontend, but also to assign roles to that user using a GeoServerRoleService (in particular a new one fetching roles from LDAP).

Currently the J2EEAuthenticationFilter uses the GeoServerRoleService to get a list of all roles and then filters them using request.isUserInRole(), but in my use case no roles are assigned by the frontend, so I would need to use service.getRolesForUser(username) instead, to let the GeoServerRoleService assign roles to recognized users.

For this to be implemented I would need to change J2EEAuthenticationFilter a bit. I was thinking to add a configuration option to decide whether roles are taken from the container (as they are now, this could be the default), the GeoServerRoleService or both.

What do you think?
Can I proceed? Is there any other way to get this behaviour using the existing filters?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it



October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Mauro

No, you cannot backport. Lets assume you add a boolean “useRolesFromRoleService” with a default value of false. This is nice because you do not have to add migration code. Lets assume you add “useRolesFromRoleService” in 2.4.1.

An admin using 2.4.1 changes something in the configuration and saves the configuration. The XStream persister saves the xml file including “useRolesFromRoleService”. Afterwards, the admin decides to switch back to 2.4.0. Upon start, you will see a XStream exception because “useRolesFromRoleService” is in the xml config file but not in the class of the configuration object.

As far as I understand the developer guidelines, it must be possible to switch between bug fix versions without migration of the data directory.

Personally, I would like to see your enhancements in the original J2EEAuthenticationFilter on trunk.

Possible solutions for 2.4.x

  1. As I already mentioned, hack the J2EEAuthenticationFilter directly and replace the class file in the jar file
  2. Develop you own extension. The security system is designed to allow extensions, the CAS extension is an example. This solutions is more time consuming and it should not be an “official” extension.

Summary:

The problem occurs if

  1. An admin adds a J2EEAuthenticationFilter on 2.4.x having x > 0
  2. The admin swtiches back to 2.4.0

The probability of this situations tends to zero but according to Murphys law, it will happen.

Sorry for the bad news

Christian

···

On Fri, Oct 4, 2013 at 8:44 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/3 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

Sorry, my information was not correct. If you add instance vars to a config object, you cannot backport.

Adding instance vars having the Java default value as the GeoServer default value does not require migration code. (boolean → false, int → 0, String → null,…).

Hi Christian, it’s not clear to me if there is any way to add a new flag and allow backporting. My idea was to add a flag (get roles from roleservice) with a default value of false or an int (0=actual behaviour, 1=use only roleservice to get roles, 2= use both). With both options I would have a default value of false or 0, that does not require migration code. Can I backport this changes if I go this way?

Just to be clear, I think my customer would prefer that this enhancement could be included in official 2.4.x versions, and we are too far away from a 2.5.0, so I’m just trying to understand if there is any option to have a backport. Another option coming to my mind is having a completely independent filter very similar to J2EEAuthenticationFilter, maybe even extending it, with this alternative behaviour for fetching roles, but in my opinion it would be preferrable to directly change the original J2EEAuthenticationFilter.

What do you think?

Regards,

Mauro Bartolomeoli

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Hi Christian,
I prepared a pull request for this: https://github.com/geoserver/geoserver/pull/354

Please, review it if you can.

Regards,
Mauro Bartolomeoli

···

2013/10/4 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

No, you cannot backport. Lets assume you add a boolean “useRolesFromRoleService” with a default value of false. This is nice because you do not have to add migration code. Lets assume you add “useRolesFromRoleService” in 2.4.1.

An admin using 2.4.1 changes something in the configuration and saves the configuration. The XStream persister saves the xml file including “useRolesFromRoleService”. Afterwards, the admin decides to switch back to 2.4.0. Upon start, you will see a XStream exception because “useRolesFromRoleService” is in the xml config file but not in the class of the configuration object.

As far as I understand the developer guidelines, it must be possible to switch between bug fix versions without migration of the data directory.

Personally, I would like to see your enhancements in the original J2EEAuthenticationFilter on trunk.

Possible solutions for 2.4.x

  1. As I already mentioned, hack the J2EEAuthenticationFilter directly and replace the class file in the jar file
  2. Develop you own extension. The security system is designed to allow extensions, the CAS extension is an example. This solutions is more time consuming and it should not be an “official” extension.

Summary:

The problem occurs if

  1. An admin adds a J2EEAuthenticationFilter on 2.4.x having x > 0
  2. The admin swtiches back to 2.4.0

The probability of this situations tends to zero but according to Murphys law, it will happen.

Sorry for the bad news

Christian

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


On Fri, Oct 4, 2013 at 8:44 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/3 Christian Mueller <christian.mueller@anonymised.com3674…>

Hi Mauro

Sorry, my information was not correct. If you add instance vars to a config object, you cannot backport.

Adding instance vars having the Java default value as the GeoServer default value does not require migration code. (boolean → false, int → 0, String → null,…).

Hi Christian, it’s not clear to me if there is any way to add a new flag and allow backporting. My idea was to add a flag (get roles from roleservice) with a default value of false or an int (0=actual behaviour, 1=use only roleservice to get roles, 2= use both). With both options I would have a default value of false or 0, that does not require migration code. Can I backport this changes if I go this way?

Just to be clear, I think my customer would prefer that this enhancement could be included in official 2.4.x versions, and we are too far away from a 2.5.0, so I’m just trying to understand if there is any option to have a backport. Another option coming to my mind is having a completely independent filter very similar to J2EEAuthenticationFilter, maybe even extending it, with this alternative behaviour for fetching roles, but in my opinion it would be preferrable to directly change the original J2EEAuthenticationFilter.

What do you think?

Regards,

Mauro Bartolomeoli

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Hi Mauro

I had a look at your pull request, nice work !

I am missing some code in FilterConfigValidator and a proper test case. (As an example, a role service of type GeoServerJ2eeRoleService can only be used with RolesTakenFrom.J2EE)

I am feeling uncomfortable with RolesTakenFrom.Both. The problem is that you can have role name clashes. All authentication mechanisms use exactly one role service to avoid this. The solution would be to invent qualified role names, but this is a lot of work.

Personally, I would go a slightly different way. All proxy authentication filters except the J2EE filter allow roles to be fetched from

  1. a role service
  2. a user/group service
  3. an HTTP header attribute

If we want to open the J2EE filter for 1) we should also allow 2) and 3).

I would try to change the superclass of GeoServerJ2eeAuthenticationFilter to GeoServerPreAuthenticatedUserNameFilter.

The J2EE filter would inherited possibilities 1),2) and 3) and add the J2EE Container as possibility number 4.

Btw, the GeoServerX509CertificateAuthenticationFilter misses possibility 4), a common base class for those 2 filters may be a solution.

What do you think ?

···

On Tue, Oct 8, 2013 at 7:53 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi Christian,
I prepared a pull request for this: https://github.com/geoserver/geoserver/pull/354

Please, review it if you can.

Regards,
Mauro Bartolomeoli

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/4 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

No, you cannot backport. Lets assume you add a boolean “useRolesFromRoleService” with a default value of false. This is nice because you do not have to add migration code. Lets assume you add “useRolesFromRoleService” in 2.4.1.

An admin using 2.4.1 changes something in the configuration and saves the configuration. The XStream persister saves the xml file including “useRolesFromRoleService”. Afterwards, the admin decides to switch back to 2.4.0. Upon start, you will see a XStream exception because “useRolesFromRoleService” is in the xml config file but not in the class of the configuration object.

As far as I understand the developer guidelines, it must be possible to switch between bug fix versions without migration of the data directory.

Personally, I would like to see your enhancements in the original J2EEAuthenticationFilter on trunk.

Possible solutions for 2.4.x

  1. As I already mentioned, hack the J2EEAuthenticationFilter directly and replace the class file in the jar file
  2. Develop you own extension. The security system is designed to allow extensions, the CAS extension is an example. This solutions is more time consuming and it should not be an “official” extension.

Summary:

The problem occurs if

  1. An admin adds a J2EEAuthenticationFilter on 2.4.x having x > 0
  2. The admin swtiches back to 2.4.0

The probability of this situations tends to zero but according to Murphys law, it will happen.

Sorry for the bad news

Christian

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


On Fri, Oct 4, 2013 at 8:44 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/3 Christian Mueller <christian.mueller@anonymised.com3674…>

Hi Mauro

Sorry, my information was not correct. If you add instance vars to a config object, you cannot backport.

Adding instance vars having the Java default value as the GeoServer default value does not require migration code. (boolean → false, int → 0, String → null,…).

Hi Christian, it’s not clear to me if there is any way to add a new flag and allow backporting. My idea was to add a flag (get roles from roleservice) with a default value of false or an int (0=actual behaviour, 1=use only roleservice to get roles, 2= use both). With both options I would have a default value of false or 0, that does not require migration code. Can I backport this changes if I go this way?

Just to be clear, I think my customer would prefer that this enhancement could be included in official 2.4.x versions, and we are too far away from a 2.5.0, so I’m just trying to understand if there is any option to have a backport. Another option coming to my mind is having a completely independent filter very similar to J2EEAuthenticationFilter, maybe even extending it, with this alternative behaviour for fetching roles, but in my opinion it would be preferrable to directly change the original J2EEAuthenticationFilter.

What do you think?

Regards,

Mauro Bartolomeoli

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


2013/10/9 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

I had a look at your pull request, nice work !

Thanks :slight_smile:

I am missing some code in FilterConfigValidator and a proper test case.
(As an example, a role service of type GeoServerJ2eeRoleService can only
be used with RolesTakenFrom.J2EE)

Ok, I wasn't aware of the Validator, taking a look at it.

I am feeling uncomfortable with RolesTakenFrom.Both. The problem is that
you can have role name clashes. All authentication mechanisms use exactly
one role service to avoid this. The solution would be to invent qualified
role names, but this is a lot of work.

Personally, I would go a slightly different way. All proxy authentication
filters except the J2EE filter allow roles to be fetched from

1) a role service
2) a user/group service
3) an HTTP header attribute

If we want to open the J2EE filter for 1) we should also allow 2) and 3).

Yes, it seems a good generalization for authentication filters.

I would try to change the superclass of GeoServerJ2eeAuthenticationFilter
to GeoServerPreAuthenticatedUserNameFilter.

The J2EE filter would inherited possibilities 1),2) and 3) and add the
J2EE Container as possibility number 4.

So, what you would do is add a new value to the RoleSource enum (J2EE) and
implement the role binding of the j2ee option inside
GeoServerPreAuthenticatedUserNameFilter is it correct?
Sounds fine to me. This way we can get rid of RolesTakenFrom and
let GeoServerJ2eeAuthenticationFilter only
implement getPreAuthenticatedPrincipalName.
With this refactor the J2eeAuthenticationFilterConfig would
extend PreAuthenticatedUserNameFilterConfig: it would be pratically empty,
but we could not get rid of it completely since
PreAuthenticatedUserNameFilterConfig is abstract.

Let me know if this approach is correct for you, and I will proceed with
the changes.

Regards,
Mauro

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Hi Mauro

The current hierarchy is

GeoServerPreAuthenticationFilter

GeoServerJ2eeAuthenticationFilter

···

On Wed, Oct 9, 2013 at 2:48 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/9 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

I had a look at your pull request, nice work !

Thanks :slight_smile:

I am missing some code in FilterConfigValidator and a proper test case. (As an example, a role service of type GeoServerJ2eeRoleService can only be used with RolesTakenFrom.J2EE)

Ok, I wasn’t aware of the Validator, taking a look at it.

I am feeling uncomfortable with RolesTakenFrom.Both. The problem is that you can have role name clashes. All authentication mechanisms use exactly one role service to avoid this. The solution would be to invent qualified role names, but this is a lot of work.

Personally, I would go a slightly different way. All proxy authentication filters except the J2EE filter allow roles to be fetched from

  1. a role service
  2. a user/group service
  3. an HTTP header attribute

If we want to open the J2EE filter for 1) we should also allow 2) and 3).

Yes, it seems a good generalization for authentication filters.

I would try to change the superclass of GeoServerJ2eeAuthenticationFilter to GeoServerPreAuthenticatedUserNameFilter.

The J2EE filter would inherited possibilities 1),2) and 3) and add the J2EE Container as possibility number 4.

So, what you would do is add a new value to the RoleSource enum (J2EE) and implement the role binding of the j2ee option inside GeoServerPreAuthenticatedUserNameFilter is it correct?
Sounds fine to me. This way we can get rid of RolesTakenFrom and let GeoServerJ2eeAuthenticationFilter only implement getPreAuthenticatedPrincipalName.
With this refactor the J2eeAuthenticationFilterConfig would extend PreAuthenticatedUserNameFilterConfig: it would be pratically empty, but we could not get rid of it completely since PreAuthenticatedUserNameFilterConfig is abstract.

Let me know if this approach is correct for you, and I will proceed with the changes.

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Hi Mauro, the above message is not complete, it was sent by accident.

The current hierarchy is

GeoServerPreAuthenticationFilter

  • GeoServerJ2eeAuthenticationFilter- GeoServerPreAuthenticatedUserNameFilter
    ---- GeoServerCasAuthenticationFilter
    ---- GeoServerRequestHeaderAuthenticationFilter
    ---- GeoServerX509CertificateAuthenticationFilter

I thought about the following

GeoServerPreAuthenticationFilter

  • GeoServerPreAuthenticatedUserNameFilter
    ---- GeoServerCasAuthenticationFilter
    ---- GeoServerRequestHeaderAuthenticationFilter
    ---- GeoServerJ2eeBaseAuthenticationFilter

----------- GeoServerX509CertificateAuthenticationFilter

----------- GeoServerJ2eeAuthenticationFilter

There is a new abstract class GeoServerJ2eeBaseAuthenticationFilter adding the J2EE “isUserInRole” stuff and adding a new J2EE RoleSource. I assume the same behavior concerning roles independent of how you authenticate against the J2EE Container.

I think you have to mirror this hierarchy for the config classes and the GUI classes.

I hope this is understandable to you, otherwise please ask :slight_smile:
Chrilstian

···

On Wed, Oct 9, 2013 at 4:48 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Mauro

The current hierarchy is

GeoServerPreAuthenticationFilter

GeoServerJ2eeAuthenticationFilter

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 9, 2013 at 2:48 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/9 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

I had a look at your pull request, nice work !

Thanks :slight_smile:

I am missing some code in FilterConfigValidator and a proper test case. (As an example, a role service of type GeoServerJ2eeRoleService can only be used with RolesTakenFrom.J2EE)

Ok, I wasn’t aware of the Validator, taking a look at it.

I am feeling uncomfortable with RolesTakenFrom.Both. The problem is that you can have role name clashes. All authentication mechanisms use exactly one role service to avoid this. The solution would be to invent qualified role names, but this is a lot of work.

Personally, I would go a slightly different way. All proxy authentication filters except the J2EE filter allow roles to be fetched from

  1. a role service
  2. a user/group service
  3. an HTTP header attribute

If we want to open the J2EE filter for 1) we should also allow 2) and 3).

Yes, it seems a good generalization for authentication filters.

I would try to change the superclass of GeoServerJ2eeAuthenticationFilter to GeoServerPreAuthenticatedUserNameFilter.

The J2EE filter would inherited possibilities 1),2) and 3) and add the J2EE Container as possibility number 4.

So, what you would do is add a new value to the RoleSource enum (J2EE) and implement the role binding of the j2ee option inside GeoServerPreAuthenticatedUserNameFilter is it correct?
Sounds fine to me. This way we can get rid of RolesTakenFrom and let GeoServerJ2eeAuthenticationFilter only implement getPreAuthenticatedPrincipalName.
With this refactor the J2eeAuthenticationFilterConfig would extend PreAuthenticatedUserNameFilterConfig: it would be pratically empty, but we could not get rid of it completely since PreAuthenticatedUserNameFilterConfig is abstract.

Let me know if this approach is correct for you, and I will proceed with the changes.

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Hi Christian, see my answers below.

···

2013/10/9 Christian Mueller <christian.mueller@anonymised.com>

GeoServerPreAuthenticationFilter

  • GeoServerPreAuthenticatedUserNameFilter
    ---- GeoServerCasAuthenticationFilter
    ---- GeoServerRequestHeaderAuthenticationFilter
    ---- GeoServerJ2eeBaseAuthenticationFilter

----------- GeoServerX509CertificateAuthenticationFilter

----------- GeoServerJ2eeAuthenticationFilter

There is a new abstract class GeoServerJ2eeBaseAuthenticationFilter adding the J2EE “isUserInRole” stuff and adding a new J2EE RoleSource. I assume the same behavior concerning roles independent of how you authenticate against the J2EE Container.

My only concern with this approach is that since RoleSource is an enum defined inside PreAuthenticatedUserNameFilterConfig to have some coherence, if I add a new value into it (J2EE) it would make sense to support it directly inside GeoServerPreAuthenticatedUserNameFilter as we do with the other RoleSource values adding a new getRolesFromJ2EE method and using it in the getRoles method. This way also GeoServerCasAuthenticationFilter, GeoServerRequestHeaderAuthenticationFilter and so on would get roles from J2EE fetching support.

Obviously with this approach the GeoServerJ2eeBaseAuthenticationFilter abstract class would be needed anymore.

What do you think?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Hi Mauro

Sorry for the late reply, I was out yesterday.

I think the usage of J2EE isUserInRole() does only make sense if the user is authenticated in the J2EE Container. If the user is not authenticated in the container, isUserInRole() will always return false.

There is no j2ee authentication for CAS and any other kinds of proxy authentication. Unfortunately, this requires a J2eeBaseAuthenticationConfig with a new enum.

What do you think ?

···

On Thu, Oct 10, 2013 at 9:58 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi Christian, see my answers below.

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/9 Christian Mueller <christian.mueller@anonymised.com>

GeoServerPreAuthenticationFilter

  • GeoServerPreAuthenticatedUserNameFilter
    ---- GeoServerCasAuthenticationFilter
    ---- GeoServerRequestHeaderAuthenticationFilter
    ---- GeoServerJ2eeBaseAuthenticationFilter

----------- GeoServerX509CertificateAuthenticationFilter

----------- GeoServerJ2eeAuthenticationFilter

There is a new abstract class GeoServerJ2eeBaseAuthenticationFilter adding the J2EE “isUserInRole” stuff and adding a new J2EE RoleSource. I assume the same behavior concerning roles independent of how you authenticate against the J2EE Container.

My only concern with this approach is that since RoleSource is an enum defined inside PreAuthenticatedUserNameFilterConfig to have some coherence, if I add a new value into it (J2EE) it would make sense to support it directly inside GeoServerPreAuthenticatedUserNameFilter as we do with the other RoleSource values adding a new getRolesFromJ2EE method and using it in the getRoles method. This way also GeoServerCasAuthenticationFilter, GeoServerRequestHeaderAuthenticationFilter and so on would get roles from J2EE fetching support.

Obviously with this approach the GeoServerJ2eeBaseAuthenticationFilter abstract class would be needed anymore.

What do you think?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


2013/10/11 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

Sorry for the late reply, I was out yesterday.

I think the usage of J2EE isUserInRole() does only make sense if the user
is authenticated in the J2EE Container. If the user is not authenticated in
the container, isUserInRole() will always return false.

There is no j2ee authentication for CAS and any other kinds of proxy
authentication. Unfortunately, this requires a J2eeBaseAuthenticationConfig with
a new enum.

Ok, sounds reasonable, I will proceed this way.

Mauro

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Hi Christian, I prepared a new pull request for this (https://github.com/geoserver/geoserver/pull/366).
I think that it should work as you suggested now. Please, review it if you have time.

Regards,
Mauro Bartolomeoli

···

2013/10/11 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

Sorry for the late reply, I was out yesterday.

I think the usage of J2EE isUserInRole() does only make sense if the user is authenticated in the J2EE Container. If the user is not authenticated in the container, isUserInRole() will always return false.

There is no j2ee authentication for CAS and any other kinds of proxy authentication. Unfortunately, this requires a J2eeBaseAuthenticationConfig with a new enum.

What do you think ?

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


On Thu, Oct 10, 2013 at 9:58 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi Christian, see my answers below.

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/9 Christian Mueller <christian.mueller@anonymised.com>

GeoServerPreAuthenticationFilter

  • GeoServerPreAuthenticatedUserNameFilter
    ---- GeoServerCasAuthenticationFilter
    ---- GeoServerRequestHeaderAuthenticationFilter
    ---- GeoServerJ2eeBaseAuthenticationFilter

----------- GeoServerX509CertificateAuthenticationFilter

----------- GeoServerJ2eeAuthenticationFilter

There is a new abstract class GeoServerJ2eeBaseAuthenticationFilter adding the J2EE “isUserInRole” stuff and adding a new J2EE RoleSource. I assume the same behavior concerning roles independent of how you authenticate against the J2EE Container.

My only concern with this approach is that since RoleSource is an enum defined inside PreAuthenticatedUserNameFilterConfig to have some coherence, if I add a new value into it (J2EE) it would make sense to support it directly inside GeoServerPreAuthenticatedUserNameFilter as we do with the other RoleSource values adding a new getRolesFromJ2EE method and using it in the getRoles method. This way also GeoServerCasAuthenticationFilter, GeoServerRequestHeaderAuthenticationFilter and so on would get roles from J2EE fetching support.

Obviously with this approach the GeoServerJ2eeBaseAuthenticationFilter abstract class would be needed anymore.

What do you think?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Hi Mauro

I did a quick scan, looks good to me. The only thing I am unsure is the “migration helper” in GeoServerSecurityManager. I think Justin should have a look at this class.

···

On Fri, Oct 18, 2013 at 2:39 PM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi Christian, I prepared a new pull request for this (https://github.com/geoserver/geoserver/pull/366).
I think that it should work as you suggested now. Please, review it if you have time.

Regards,
Mauro Bartolomeoli

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/11 Christian Mueller <christian.mueller@anonymised.com>

Hi Mauro

Sorry for the late reply, I was out yesterday.

I think the usage of J2EE isUserInRole() does only make sense if the user is authenticated in the J2EE Container. If the user is not authenticated in the container, isUserInRole() will always return false.

There is no j2ee authentication for CAS and any other kinds of proxy authentication. Unfortunately, this requires a J2eeBaseAuthenticationConfig with a new enum.

What do you think ?

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


On Thu, Oct 10, 2013 at 9:58 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:

Hi Christian, see my answers below.

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

2013/10/9 Christian Mueller <christian.mueller@anonymised.com>

GeoServerPreAuthenticationFilter

  • GeoServerPreAuthenticatedUserNameFilter
    ---- GeoServerCasAuthenticationFilter
    ---- GeoServerRequestHeaderAuthenticationFilter
    ---- GeoServerJ2eeBaseAuthenticationFilter

----------- GeoServerX509CertificateAuthenticationFilter

----------- GeoServerJ2eeAuthenticationFilter

There is a new abstract class GeoServerJ2eeBaseAuthenticationFilter adding the J2EE “isUserInRole” stuff and adding a new J2EE RoleSource. I assume the same behavior concerning roles independent of how you authenticate against the J2EE Container.

My only concern with this approach is that since RoleSource is an enum defined inside PreAuthenticatedUserNameFilterConfig to have some coherence, if I add a new value into it (J2EE) it would make sense to support it directly inside GeoServerPreAuthenticatedUserNameFilter as we do with the other RoleSource values adding a new getRolesFromJ2EE method and using it in the getRoles method. This way also GeoServerCasAuthenticationFilter, GeoServerRequestHeaderAuthenticationFilter and so on would get roles from J2EE fetching support.

Obviously with this approach the GeoServerJ2eeBaseAuthenticationFilter abstract class would be needed anymore.

What do you think?

Regards,
Mauro

==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it