Hi Andrea,
On Thu, Jul 8, 2021 at 4:10 PM Andrea Aime <andrea.aime@anonymised.com> wrote:
On Wed, Jun 23, 2021 at 11:22 AM Björn Höfling <bjoern.hoefling@anonymised.com> wrote:
Hi,
I stumbled upon this problem and I would like to know if this is a bug
or a feature.
Who knows... mixed mode is the "weird one" that does not get used all that often
I'm guessing it's just emergent behavior, rather than something planned (but I'm not sure, it's been a long while).
That said, in mixed mode, layers a user is not supposed to see are removed from
the capabilities document, but trigger a 403 in case they are accessed directly.
I'm starting on a GS 2.19.1 with fresh DATA_DIR. Setting
Security->CatalogMode to "MIXED". Then setting the LayerGroup tiger-ny
to OPAQUE.
When now hitting the layer "tiger:poi" (contained in tiger-ny) as user
"admin", I get a 403:
curl -u "admin:geoserver" -vv
"http://localhost:8088/geoserver/tiger/wms?service=WMS&version=1.1.0&request=GetMap&layers=tiger%3Apoi&bbox=-74.0118315772888%2C40.70754683896324%2C-74.00153046439813%2C40.719885123828675&width=641&height=768&srs=EPSG%3A4326&styles=&format=image%2Fpng"
> tiger-poi.png
< HTTP/1.1 403
Though as admin, shouldn't I access everything?
But, as admin, you set the group as an opaque container, so the layers should not be accessible, not even to the admin.
An opaque container is not really a security config, even if implementation wise some bits might have ended up there...
and this may be the origin of the issue you're seeing.
It boils down to DefaultResourceAccessManager:
https://github.com/geoserver/geoserver/blob/78c3fa4bf1094be6b9b54bfe8ccf33b222d64d07/src/main/src/main/java/org/geoserver/security/impl/DefaultResourceAccessManager.java#L237
if (directAccess && sg.getMode() == Mode.OPAQUE_CONTAINER) {
return false;
}
Is this intended? I would have expected an OWS LayerNotFoundException.
The above check seems ok, the layer should not be accessible when in opaque mode. The exception you get, a 403, does not instead;
you are right, I would have expected a LayerNotFound too. The implementation likely needs fixing... off the top of my head, the fix
does not sound trivial, and the applicability of it, limited. Personally, I either use HIDE or CHALLENGE.
The practical solution here for us was to use HIDE mode.
Good to know you also find it non-trivial to solve.
Thanks,
Björn
--
camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS
Björn Höfling
GIS engineer
+49 89 26 20 89 9922
bjoern.hoefling@anonymised.com
GPG Key: 9E6D57C03ACED804DA5973DBBC5CE91F611B147B
Camptocamp Germany GmbH
Gustav-Heinemann-Ring 123
81739 München
Deutschland
https://careers.camptocamp.com/de <http://www.camptocamp.com/de>
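To make the behaviour discussed in this thread concrete, here is a small model (added illustration, not GeoServer's code) of how the catalog mode and the opaque-container short-circuit combine into the response a client sees. The `READ_RULES` table, the role names and the `respond` helper are hypothetical; only the ordering of the opaque-container check before role evaluation, and the HIDE vs. MIXED error types, follow the thread.

```python
from enum import Enum


class CatalogMode(Enum):
    HIDE = "HIDE"    # denied layers behave as if they did not exist
    MIXED = "MIXED"  # denied layers are hidden from capabilities, 403 on direct access


class GroupMode(Enum):
    SINGLE = "SINGLE"
    OPAQUE_CONTAINER = "OPAQUE_CONTAINER"


# Constructed, hypothetical rule table: layer -> roles allowed to read it.
READ_RULES = {"tiger:poi": {"ROLE_GIS"}}


def can_access(layer, roles, group_mode, direct_access):
    """Access decision in the order quoted from DefaultResourceAccessManager:
    the opaque-container check fires before any role is looked at, so even
    ROLE_ADMINISTRATOR is refused on a direct request for a contained layer."""
    if direct_access and group_mode is GroupMode.OPAQUE_CONTAINER:
        return False
    if "ROLE_ADMINISTRATOR" in roles:
        return True
    return bool(READ_RULES.get(layer, set()) & set(roles))


def respond(mode, layer, roles, group_mode, direct_access):
    """What the client sees for a direct GetMap (direct_access=True) or for the
    layer's entry in GetCapabilities (direct_access=False). How opaque groups
    themselves are rendered in the capabilities document is not modelled."""
    if can_access(layer, roles, group_mode, direct_access):
        return "200 image/png" if direct_access else "listed in capabilities"
    if not direct_access:
        return "omitted from capabilities"  # both modes hide denied layers
    if mode is CatalogMode.HIDE:
        return "ServiceException: LayerNotFound"
    return "HTTP 403"  # MIXED: an explicit refusal, the symptom reported above


if __name__ == "__main__":
    admin = {"ROLE_ADMINISTRATOR"}
    # The report: MIXED mode, tiger:poi inside an opaque tiger-ny, admin -> 403
    print(respond(CatalogMode.MIXED, "tiger:poi", admin, GroupMode.OPAQUE_CONTAINER, True))
    # The workaround chosen in the thread: HIDE mode yields LayerNotFound instead
    print(respond(CatalogMode.HIDE, "tiger:poi", admin, GroupMode.OPAQUE_CONTAINER, True))
```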