|
Thanks to Patric Hafner for some last moment 2.7-RC1 testing:
Dear List members,
during some tests on data security with GeoServer 2.7-rc1 I discovered a
strange behaviour that I could not understand:
(All steps performed on a fresh installation)
Test case 1
I created a new role and user and finally configured this single rule
for data security (no other rule does exist!)
“topp.*.r testrole”
-> Behaves like expected: The user with role “testrole” can now access
all layers of Workspace “topp” for example via WMS and all layers are
shown in his Layer preview.
-> Behaves like expected: Unauthorized access via WMS to layers of
workspace “topp” gets HTTP response with status code 404
but if I try to narrow the data security rule:
Test case 2
I created a new role and user and finally configured this single rule
for data security (no other rule does exist!)
“topp.states.r testrole”
-> Unexpected behaviour: The user with role “testrole” can now access
all layers of Workspace “topp” for example via WMS and all layers are
shown in his Layer preview! I expected only layer states.
-> Unexpected behaviour: Access via WMS to all layers of workspace
“topp” is also possible without any authorization! This data security
rule does not seem to have any effect at all.
Does somebody could explain this behaviour or is this a bug? I was not
able to find a issue on this bug yet.
- Check 1: Deletion of default data security rules
..r *
..w *
GeoServer 2.6.2: Not possible, they are getting re-created automatically
GeoServer 2.7-rc1: Not possible, they are getting re-created automatically
- Check 2: Limitation of layer access
Adding:
topp.states.r testrole
GeoServer 2.6.2: OK: Layer “states” only readable for role “testrole”
GeoServer 2.7-rc1: OK: Layer “states” only readable for role “testrole”
after adding the new rule, I am able to remove both default rules on both versions. As expected, this has no effect on security
And this is where the differences occurs:
GeoServer 2.6.2: All layers except layer “topp.states” are shown in layer preview and are accessible via WMS for unauthorized users
(Like I expected)
GeoServer 2.7-rc1: All layers except all layers of workspace topp are shown in layer preview. This is not what I have expected.
To summarize:
- I was confused by the fact, that deletion of both default security rules does not has any effect. The still remain active but are invisible.
I expected the deletion to make them inactive. Maybe it should be really be impossible to remove them from the GUI or the removal should have an effect
- Maybe a minor issue: Contents shown in layer preview for unprivileged users differ between GeoServer 2.6.2 and 2.7-rc1 in my testcase
Best regards,
Patric
?
web www.geops.de
rss www.geops.de/blog/feed
follow www.twitter.com/geops
Further clarification from Torbien:
Detailed test procedure and results follows. Results where 2.7-RC1 and 2.6.2 differ are marked with a star  . Ultimately, I got the same results as Patric:
Initial setup:
--------------
Security > Users, Groups, and Roles > Roles
- Create Role "testrole"
Security > Users, Groups, and Roles > Users
- Create User/Pass test/test with role testrole
Test case 1
------------
Security > Data
- Add new rule "topp.*.r"
- Assigned to role "testrole"
- Deleted default "*.*.r" and "*.*.w" rules. (Only have the one rule)
Results
-------
GeoServer-2.7-RC1
-----------------
When logged in as test:
> All layers listed in layer preview
> All layers accessible from layer preview
When logged out:
> All layers not in topp listed in layer preview
> All layers not in topp accessible from layer preview. topp layers give 404.
GeoServer-2.6.2
---------------
When logged in as test:
> All layers listed in layer preview
> All layers accessible from layer preview
When logged out:
> All layers not in topp listed in layer preview
> All layers not in topp accessible from layer preview. topp layers give 404.
Test case 2
--------------
Security > Data
- Add new rule "topp.states.r".
- Assigned to role "testrole"
- Deleted default "*.*.r" and "*.*.w" rules. (Only have the one rule)
Results
-------
GeoServer-2.7-RC1
-----------------
When logged in as test:
> All layers listed in layer preview
> All layers accessible from layer preview
When logged out:
* All layers not in topp listed in layer preview
* All layers not in topp accessible from layer preview. topp layers give 404.
GeoServer-2.6.2
---------------
When logged in as test:
> All layers listed in layer preview
> All layers accessible from layer preview
When logged out:
* All layers except topp.states listed in layer preview
* All layers except topp.states accessible from layer preview. topp.states gives WMS error: Could not find layer topp:states
|
Blocker
