[Geoserver-devel] Non existing accessDenied.jsp

There is already an issue

https://jira.codehaus.org/browse/GEOS-4943

The file does not exist but is used by the GeoServerExceptionTranslationFilter.

The simplest solution is to kick out the accessDeniedErrorPage property. At the moment, it is not possible to configure such a page using the admin GUI and I think this functionality is not needed.

Opinions

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi all

Need some advice. I managed to fix this issue on master. Since this is a bug I tried to backport to 2.5.x and 2.4.x. The patch uses

GeoserverExtensions.file(…)

to check if the accessDeniedPage exists.

But the file(…) method does not exist in 2.5.x and 2.4.x.

Should I backport the file(…) method or should I omit the fix for 2.5.x and 2.4.x.

Cheers
Christian

···

On Sun, Jun 8, 2014 at 3:29 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

There is already an issue

https://jira.codehaus.org/browse/GEOS-4943

The file does not exist but is used by the GeoServerExceptionTranslationFilter.

The simplest solution is to kick out the accessDeniedErrorPage property. At the moment, it is not possible to configure such a page using the admin GUI and I think this functionality is not needed.

Opinions

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

You can use GeoServerResourceLoader to access webapp files in earlier GeoServer versions. It is a bit magic hence the simplification and explicit method.

jody

···

On Sun, Jun 8, 2014 at 3:29 PM, Christian Mueller christian.mueller@anonymised.com wrote:

There is already an issue

https://jira.codehaus.org/browse/GEOS-4943

The file does not exist but is used by the GeoServerExceptionTranslationFilter.

The simplest solution is to kick out the accessDeniedErrorPage property. At the moment, it is not possible to configure such a page using the admin GUI and I think this functionality is not needed.

Opinions

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Jody

I think GeoServerResoureLoader does not help here. As far as I understand the code the resource loader is for retrieving resources from the data directory. I need

ServletContext.getRealPath(…)

to check if an optional access denied error page is reachable. (HTTP response code 403).

At the moment, I have no idea how to get a reference to the current servlet context object.

Another idea for 2.5.x and 2.4.x:

I could make an individual tiny bug fix for these 2 branches. I can check if the page attribute has the default value “/accessDenied.jsp” and if it has, ignore it. Ugly, but it would work.

Cheers
Christian

···

On Tue, Jun 10, 2014 at 2:12 AM, Jody Garnett <jody.garnett@anonymised.com> wrote:

You can use GeoServerResourceLoader to access webapp files in earlier GeoServer versions. It is a bit magic hence the simplification and explicit method.

jody

On Tuesday, June 10, 2014, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi all

Need some advice. I managed to fix this issue on master. Since this is a bug I tried to backport to 2.5.x and 2.4.x. The patch uses

GeoserverExtensions.file(…)

to check if the accessDeniedPage exists.

But the file(…) method does not exist in 2.5.x and 2.4.x.

Should I backport the file(…) method or should I omit the fix for 2.5.x and 2.4.x.

Cheers
Christian

Jody Garnett

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Sun, Jun 8, 2014 at 3:29 PM, Christian Mueller christian.mueller@anonymised.com wrote:

There is already an issue

https://jira.codehaus.org/browse/GEOS-4943

The file does not exist but is used by the GeoServerExceptionTranslationFilter.

The simplest solution is to kick out the accessDeniedErrorPage property. At the moment, it is not possible to configure such a page using the admin GUI and I think this functionality is not needed.

Opinions

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

In older version of GeoServer GeoServerResource loader was insane and would search in the servlet context as well! I moved this functionality to GeoServerExtensions since it had a copy of the servlet context.

Still if you don’t believe me here is it adding the location:

https://github.com/geoserver/geoserver/blob/2.5.x/src/platform/src/main/java/org/geoserver/platform/GeoServerResourceLoader.java#L113

···

Jody Garnett

On Sun, Jun 15, 2014 at 7:59 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Jody

I think GeoServerResoureLoader does not help here. As far as I understand the code the resource loader is for retrieving resources from the data directory. I need

ServletContext.getRealPath(…)

to check if an optional access denied error page is reachable. (HTTP response code 403).

At the moment, I have no idea how to get a reference to the current servlet context object.

Another idea for 2.5.x and 2.4.x:

I could make an individual tiny bug fix for these 2 branches. I can check if the page attribute has the default value “/accessDenied.jsp” and if it has, ignore it. Ugly, but it would work.

Cheers

Christian

On Tue, Jun 10, 2014 at 2:12 AM, Jody Garnett <jody.garnett@anonymised.com> wrote:

You can use GeoServerResourceLoader to access webapp files in earlier GeoServer versions. It is a bit magic hence the simplification and explicit method.

jody

On Tuesday, June 10, 2014, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi all

Need some advice. I managed to fix this issue on master. Since this is a bug I tried to backport to 2.5.x and 2.4.x. The patch uses

GeoserverExtensions.file(…)

to check if the accessDeniedPage exists.

But the file(…) method does not exist in 2.5.x and 2.4.x.

Should I backport the file(…) method or should I omit the fix for 2.5.x and 2.4.x.

Cheers
Christian

Jody Garnett

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Sun, Jun 8, 2014 at 3:29 PM, Christian Mueller christian.mueller@anonymised.com wrote:

There is already an issue

https://jira.codehaus.org/browse/GEOS-4943

The file does not exist but is used by the GeoServerExceptionTranslationFilter.

The simplest solution is to kick out the accessDeniedErrorPage property. At the moment, it is not possible to configure such a page using the admin GUI and I think this functionality is not needed.

Opinions

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Jody

To summarize:

···

GeoServerResourceLoader resources = GeoServerExtensions.bean(GeoServerResourceLoader.class );

resources.find(“/accessDenied.jsp”)

would do the job ?

Thanks
Christian

Give it a shot! I am glad things are easier on master. Let me find a working example for you …

From https://github.com/geoserver/geoserver/wiki/Resource-API-Transition-Plan

GeoServerJ2eeRoleService GeoServer 2.5.x used:

File webXML = loader.find( “web.xml” );

Now it uses:

File webXML = GeoServerExtensions.file( “WEB_INF/web.xml” );

···

Jody Garnett

On Tue, Jun 17, 2014 at 10:14 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Hi Jody

To summarize:

GeoServerResourceLoader resources = GeoServerExtensions.bean(GeoServerResourceLoader.class );

resources.find(“/accessDenied.jsp”)

would do the job ?

Thanks

Christian