Hi,
the AbstractResourceAccessManager implements the security filter method is
a most unusual way:
@Override
public Filter getSecurityFilter(final Authentication user,
final Class<? extends CatalogInfo> clazz) {
org.opengis.filter.expression.Function visible = new InternalVolatileFunction() {
@Override
public Boolean evaluate(Object object) {
CatalogInfo info = (CatalogInfo) object;
if(info instanceof NamespaceInfo) {
info = getCatalog().getWorkspaceByName(((NamespaceInfo) info).getPrefix());
}
String name = (String) OwsUtils.property(info, “name”, String.class);
WrapperPolicy policy = getSecurityWrapper()
.buildWrapperPolicy(AbstractResourceAccessManager.this, user, info);
AccessLevel accessLevel = policy.getAccessLevel();
boolean visible = !AccessLevel.HIDDEN.equals(accessLevel);
return Boolean.valueOf(visible);
}
};
FilterFactory factory = Predicates.factory;
// create a filter combined with the security credentials check
Filter filter = factory.equals(factory.literal(Boolean.TRUE), visible);
return filter;
}
This filter is forcing JDBCConfig to a full scan, because it’s not supported encoding wise.
Which kind of defeats the purpose of the getSecurityFilter method, which was to
do a first pass and quickly remove everything that the security manage knows
is not needed, to then have the secure catalog check one by one the object
returned in memory later.
Instead this function is basically breaking the relationship between the access
manager and resource catalog making this function call back to the secure
catalog for each and every item in the configuration.
Why was it done this way? Are we sure this is really necessary?
This work was part of Kevin’s commit here:
https://github.com/geoserver/geoserver/commit/887027a07aab01ef12fd9b0f7fe699c3d1bd46e8
Cheers
Andrea
···
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.