···
On Mon, Feb 26, 2018 at 9:57 AM, Alessio Fabiani <alessio.fabiani@anonymised.com> wrote:
So,
further investigation on this highlighted that the issue was due to a configuration issue (let’s say so).
Basically with the GeoFence plugin installed and applying a “DENY” all rule if no other matches, instead of the default “ALLOW” all, makes this feature not working correctly.
The main problem is that the OWS Disapatcher either does not recognize the WMS service or invokes the “getAccessLimits” on the requested Feature too early.
In both cases the result is that GeofenceAccessManager is invoked by passing the ResourceInfo only in order to check if the current user has access to it
https://github.com/geoserver/geoserver/blob/master/src/community/geofence/src/main/java/org/geoserver/geofence/GeofenceAccessManager.java#L295
The problem is that the GeoFence Rules Filters are usually much more complex than this, requiring also the OWS Service type and the Request type.
Curiously GeoFence tried somehow to retrieve such missing info from the ThreadLocal
https://github.com/geoserver/geoserver/blob/master/src/community/geofence/src/main/java/org/geoserver/geofence/GeofenceAccessManager.java#L315
but with no success since, at this time, the OWSRequest seems to be not yet stored on it ( Dispatcher.REQUEST.get() returns null ).
The feeling is that maybe the GeoFence plugin is missing some passage here, but on the other side it is hard to figure out how to retrieve missing infos from GeoServer without somehow modifying the core workflow.
For the time being I just make sure that on GeoFence, for resources the user/group has read access, it is present also a rule matching the “DEFAULT” service (which means no-service specified).
–
Regards,
Alessio Fabiani
==
GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
Ing. Alessio Fabiani
@alfa7691
Founder/Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.
2018-02-24 14:39 GMT+01:00 Andrea Aime <andrea.aime@anonymised.com>:
On Sat, Feb 24, 2018 at 9:49 AM, Alessio Fabiani <alessio.fabiani@anonymised.com.it> wrote:
Dear all,
I noticed that on recents GS 2.12+ updates the GetCapabilities for single layers work a bit differently from the past:
- the fully qualified layer name is no more recognized, so it is not possible anymore to write something like
http://localhost:8080/geoserver/geosolutions/geosolutions:flares_noaa/wms?request=GetCapabilities
I never knew this was possible, it’s sort of “doubly qualified” that way. Don’t think it made sense, probably worked
by accident.
- the operation now works only if authenticated. It is no more possible to fetch layer capabilities as anonymous
This sounds like a bug, but it’s likely something specific to your installation, these works for example (without authentication):
http://cloudsdi.geo-solutions.it/geoserver/eumetsat/MET10_RGBAirmass_PlateCarree/ows?service=wms&version=1.3.0&request=GetCapabilities
http://cloudsdi.geo-solutions.it/geoserver/eumetsat/MET10_RGBAirmass_PlateCarree/wms?request=GetCapabilities
Cheers
Andrea
==
GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.
Regards,
Andrea Aime
==
GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.