[Geoserver-devel] Point of extension for password encryption?

Hello folks.

Quick question, here is the setup:

We are using 2.2 beta2 with the new security framework to integrate Geoserver and our users database, using the JDBC connector. The goal is to have Geoserver access our user info, which is already in place.

Initially I thought about “spring-extending” the sec-jdbc package so I could change how it accesses the databases; however, digging in the code it became clear that I can accomplish it by simply giving it my own ddl.xml (+10 cool points for that). But that still leaves me the problem of how the password is encrypted. The point is that Geoserver will have absolutely no write access to that database, as all the users are managed by our own application.

However, in my tests the Geoserver encoded pass does not match the password created by our product (as was the expectation), so my guess is Geoserver won't be able to match the authentication pass the user provides with the one in the database. In our user management we use a digest SHA-512 to encrypt the users' passwords.

Now, I am having a spot of trouble locating where in the code the user supplied password is encrypted and matched against the one in the database.

Could anyone point me in the right direction as to how to accomplish that and extend (doing a pluggable jar would be ideal) to provide another option on how the encryption is done, therefore adding to the Weak PBE, Strong PBE, etc. options of the security settings.

Any info is hugely appreciated!
Cheers!

Rodrigo

Hi Rodrigo.

First, you have to adapt ddl.xml AND dml.xml to get things working.

About password encoding. The idea is to give you the possibility to implement your own password encoding. Your encoder must implement

org.geoserver.security.password.GeoServerPasswordEncoder

As an example for a digesting encoder, look at

org.geoserver.security.password.GeoServerDigestPasswordEncoder

Create your Spring XML file and inject the encoder; see the sample in

applicationSecurityContext.xml

To see a label in the GUI, create a file GeoserverApplication.properties and add the line

myencoderspringbeanname="Name I want to see at the GUI"

Hope that helps.

2012/6/1 Rodrigo Del C. Andrade <rodrigo.andrade@anonymised.com>



Live Security Virtual Conference
Exclusive live event will cover all the ways today’s security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/


Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
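The extension point Christian describes, as an added example (not code from this thread or from GeoServer): the core of an encoder for Rodrigo's case, an external table of SHA-512 digests that GeoServer's own digest encoder will not match because it produces a different format. The class name, the hex-without-salt storage layout and the claim that GeoServerPasswordEncoder builds on Spring Security 3's PasswordEncoder signatures are assumptions; the GeoServer-specific lifecycle methods are not shown, and the stored hash is the published FIPS 180 test vector for "abc".

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Hypothetical encoder for an external user table storing unsalted, lower-case
 * hex SHA-512 digests (an assumed format; copy the real one from the application
 * that writes the table). Signatures follow Spring Security 3's PasswordEncoder,
 * assumed to underlie GeoServerPasswordEncoder; GeoServer lifecycle methods omitted.
 */
public class ExternalSha512PasswordEncoder {

    /** Digest the raw password exactly as the external application does. */
    public String encodePassword(String rawPass, Object salt) {
        // salt is ignored: the assumed external format stores the bare digest.
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-512");
            return toHex(md.digest(rawPass.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-512 is mandatory in every JRE", e);
        }
    }

    /** Constant-time comparison: String.equals() would leak where the hashes diverge. */
    public boolean isPasswordValid(String encPass, String rawPass, Object salt) {
        if (encPass == null || rawPass == null) {
            return false;
        }
        byte[] stored = encPass.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        byte[] computed = encodePassword(rawPass, salt).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(stored, computed);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed table row: the FIPS 180 SHA-512 test vector for the password "abc".
        String storedHash = "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                + "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f";
        ExternalSha512PasswordEncoder enc = new ExternalSha512PasswordEncoder();
        System.out.println("abc accepted: " + enc.isPasswordValid(storedHash, "abc", null));
        System.out.println("abd accepted: " + enc.isPasswordValid(storedHash, "abd", null));
    }
}
```

If the external application salts or base64-encodes its digests, only encodePassword needs to change; the constant-time check in isPasswordValid stays as it is.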

Hello Christian,

It helps immensely, thanks a lot.
I will get to work and will let you know when it is working.

Thanks!


Rodrigo Del C. Andrade

Systems Analyst
SIC - SSE - Public Safety Solutions
DÍGITRO TECNOLOGIA
E-mail: rodrigo.andrade@anonymised.com
Phone: +55 48 3281-7000 Ext.: 7537
Fax: +55 48 3281-7299

This message, including its attachments, is intended solely for Dígitro and the addressee of the message. If you have received this message by mistake, Who is John Galt?

On Sat, 02 Jun 2012 07:53:09 -0300, Christian Mueller mcrmcr21@anonymised.com wrote:


Hi Christian,

Just to close the thread and give the feedback I promised but neglected, but was reminded of by the security patch chat on the other thread.

I created a plugin that inherits directly from sec-jdbc (more flexibility to change small behaviors) as per the manual and added the classes extending the password encryption interfaces you suggested on the other mail and so far, so good. The thing works like a boss.

Many many thanks for the great work of all the Geoserver team. This whole new security system is a godsend and really pushes the whole project even further into corporate pro usage land.

Cheers!


Rodrigo Del C. Andrade


On Sat, 02 Jun 2012 07:53:09 -0300, Christian Mueller mcrmcr21@anonymised.com wrote:


Hi Rodrigo

Happy to hear that the concept developed by Justin and me seems to work :)

Another question: is it possible to send me a zip file containing your extension? We will have to document how to write extensions in the user guide and perhaps your work would be a great example.

Christian

2012/6/16 Rodrigo Del C. Andrade <rodrigo.andrade@anonymised.com>
