[Geoserver-devel] [jira] (GEOS-5714) Layer preview & catalog mode MiXED cause AccessDeniedException on the GUI

Christian Mueller created Bug GEOS-5714
Layer preview & catalog mode MiXED cause AccessDeniedException on the GUI

Issue Type:

Bug

Affects Versions:

2.3-RC1

Assignee:

Andrea Aime

Created:

16/Mar/13 5:35 AM

Description:

If layers are protected and the catalog mode is mixed, a layer preview with an unauthorized user causes an access denied exception.

This happens in SecureCatalogImpl, method

public WrapperPolicy buildWrapperPolicy(Authentication user, CatalogInfo info, String resourceName) { …

line 855

Code Snippet:

    if (!canRead) {
        // if in hide mode, we just hide the resource
        if (mode == CatalogMode.HIDE) {
            return WrapperPolicy.hide(limits);
        } else if (mode == CatalogMode.MIXED) {
            // if request is a get capabilities and mixed, we hide again
            Request request = Dispatcher.REQUEST.get();
            if (request != null && "GetCapabilities".equalsIgnoreCase(request.getRequest()))
                return WrapperPolicy.hide(limits);
            // otherwise challenge the user for credentials
            else
                throw unauthorizedAccess(resourceName);
        } else {
            // for challenge mode we agree to show freely only the metadata, every
            // other access will trigger a security exception
            return WrapperPolicy.metadata(limits);
        }

============================================

Not sure how to fix this. In this scenario we should decide on a behavior like mode HIDE or CHALLENGE; not sure which is best.

AFAIK, Dispatcher.REQUEST is set only for OGC services; maybe it is possible to check whether this thread-local is null, but I am not sure about side effects.

Project:

GeoServer

Priority:

Major

Reporter:

Christian Mueller
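The following is an added, stand-alone model of the buildWrapperPolicy() decision quoted in the description; it is not GeoServer code. It reproduces the three catalog-mode branches, shows why a MIXED catalog with no OGC request in flight (the Layer Preview page, where Dispatcher.REQUEST is unset) ends in a security exception, and adds the null check on the request thread-local that the reporter suggests, routing that case to either of the two candidate behaviors (HIDE-like or CHALLENGE-like). The names CatalogMode, WrapperPolicy and the "GetCapabilities" comparison mirror the snippet; Policy, GuiFallback, decide() and the sample table are assumptions made for this illustration.

```java
import java.util.Arrays;
import java.util.List;

public class CatalogModeDecision {

    // Mirrors the three modes used in the quoted snippet.
    enum CatalogMode { HIDE, MIXED, CHALLENGE }

    // Stand-in for the WrapperPolicy outcomes: hide(limits) vs metadata(limits).
    enum Policy { HIDE, METADATA_ONLY }

    // Hypothetical: how MIXED should behave when no OGC request is on the thread.
    // LIKE_HIDE mirrors CatalogMode.HIDE, LIKE_CHALLENGE mirrors CatalogMode.CHALLENGE.
    enum GuiFallback { LIKE_HIDE, LIKE_CHALLENGE }

    // Stand-in for the exception produced by unauthorizedAccess(resourceName).
    static class AccessDeniedException extends RuntimeException {
        AccessDeniedException(String resource) {
            super("access denied to " + resource);
        }
    }

    /**
     * Decision for a resource the current user cannot read.
     *
     * @param mode         catalog security mode
     * @param requestName  OGC request name (what Dispatcher.REQUEST.get().getRequest()
     *                     would return), or null when no OGC request is in flight,
     *                     e.g. the web admin GUI's layer preview page
     * @param fallback     hypothetical handling of the MIXED + null-request case;
     *                     null reproduces the original code path (no null check)
     */
    static Policy decide(CatalogMode mode, String requestName,
                         GuiFallback fallback, String resourceName) {
        switch (mode) {
            case HIDE:
                // hide mode: the resource simply disappears
                return Policy.HIDE;
            case MIXED:
                // capabilities documents never list protected layers in MIXED mode;
                // equalsIgnoreCase(null) is false, so no request means no match
                if ("GetCapabilities".equalsIgnoreCase(requestName)) {
                    return Policy.HIDE;
                }
                if (requestName == null && fallback != null) {
                    // Added null check (assumption): no OGC request on the thread,
                    // so apply the configured GUI behavior instead of throwing.
                    return fallback == GuiFallback.LIKE_HIDE ? Policy.HIDE
                                                             : Policy.METADATA_ONLY;
                }
                // every other request challenges for credentials; with no null
                // check this is also what the GUI preview runs into
                throw new AccessDeniedException(resourceName);
            case CHALLENGE:
            default:
                // challenge mode: metadata is free, data access will be challenged
                return Policy.METADATA_ONLY;
        }
    }

    // Runs the decision table for a constructed set of inputs and reports each outcome.
    static String describe(CatalogMode mode, String requestName, GuiFallback fallback) {
        try {
            Policy p = decide(mode, requestName, fallback, "topp:states");
            return mode + " / " + requestName + " / " + fallback + " -> " + p;
        } catch (AccessDeniedException e) {
            return mode + " / " + requestName + " / " + fallback + " -> " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        List<String> requests = Arrays.asList("GetCapabilities", "GetMap", null);
        for (CatalogMode mode : CatalogMode.values()) {
            for (String req : requests) {
                // original behavior: no null check on the request thread-local
                System.out.println(describe(mode, req, null));
            }
        }
        // the reported case (MIXED, no OGC request) under each candidate fallback
        System.out.println(describe(CatalogMode.MIXED, null, GuiFallback.LIKE_HIDE));
        System.out.println(describe(CatalogMode.MIXED, null, GuiFallback.LIKE_CHALLENGE));
    }
}
```

Running main() prints, for the original code path, "MIXED / null / null -> access denied to topp:states", which is the GUI failure the issue describes; the last two lines show the same inputs resolving to HIDE or METADATA_ONLY once the null check is in place. Which of the two is appropriate is exactly the decision the reporter leaves open, and the side effects of treating a missing Dispatcher.REQUEST as "not an OGC call" still need to be checked against other non-OGC callers of the secure catalog.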
