[Geoserver-devel] Question on GeoServer Security APIs and help understanding how filters work

Dear dev, dear Christian,

I’m struggling to create a prototype of an OAuth2 GeoServer Security Provider and Filter and would like to ask you some questions in order to better understand how the Security APIs work.

The Problem:

···

Best Regards,
Alessio Fabiani.

==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.

Ing. Alessio Fabiani
@alfa7691
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


NOTICE PURSUANT TO LEGISLATIVE DECREE (D.Lgs.) 196/2003

The information contained in this e-mail message and/or in the attached file(s) is to be considered strictly confidential. Its use is permitted exclusively to the addressee of the message, for the purposes indicated in the message itself. If you receive this message without being its addressee, we kindly ask you to notify us by e-mail and to destroy the message, deleting it from your system. Retaining the message, disclosing it even in part, distributing it to other parties, copying it, or using it for other purposes constitutes conduct contrary to the principles laid down by Legislative Decree 196/2003.

The information in this message and/or attachments is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of the privacy act (Legislative Decree June 30, 2003, no. 196 - Italy’s New Data Protection Code). Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or dissemination, either whole or partial, is strictly forbidden except with the prior formal approval of the named addressee(s). If you are not the intended recipient, please contact the sender immediately by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as to the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


Hi Alessio

I think a look at the CAS module would help. CAS also handles callbacks from the CAS Server.

question 1)

The CAS filter handles all the different requests (from clients and the CAS server). If this is not possible, I would try to create a composite filter.

question 2)

The CAS module registers a special endpoint for incoming CAS Server requests during GeoServer startup.

Hope this helps.

Cheers
Christian

···

On Wed, Aug 3, 2016 at 10:32 AM, Alessio Fabiani <alessio.fabiani@anonymised.com> wrote:

Dear dev, dear Christian,

I’m struggling to create a prototype of an OAuth2 GeoServer Security Provider and Filter and would like to ask you some questions in order to better understand how the Security APIs work.

The Problem:

The OAuth2 protocol needs several steps to fully perform the authentication process.

Once we have created a “client_id” and “client_secret” on the OAuth2 Provider, in order to authenticate we need to:

  1. Obtain a valid “code” from the provider
  2. Use the “code” in order to get the final “access_token” which is used by the filter to get the Principal

Now, the issue is the following: the order in which these filters execute is very important.

We need two filters like this:

<sec:custom-filter ref="oauth2ClientContextFilter" after="EXCEPTION_TRANSLATION_FILTER"/>
<sec:custom-filter ref="oAuth2AuthenticationProcessingFilter" before="FILTER_SECURITY_INTERCEPTOR"/>

  • oauth2ClientContextFilter must be invoked before oAuth2AuthenticationProcessingFilter; that’s because when a redirect to the OAuth2 Provider is required, oAuth2AuthenticationProcessingFilter throws a UserRedirectException which the oauth2ClientContextFilter handles, generating a redirect request to the Provider.
  • Subsequently the response from the OAuth2 Provider is handled by the oAuth2AuthenticationProcessingFilter to populate the Authentication object and store it in the SecurityContext.

My Questions are:

  1. Which is the best approach to let the EXCEPTION_TRANSLATION_FILTER be intercepted before the FILTER_SECURITY_INTERCEPTOR? Is it sufficient to let our GeoServerOAuth2SecurityProvider make use of a custom ExceptionTransactionFilterProvider? Or maybe we need to create a custom composite Filter somehow?
  2. How can I create a GeoServer end-point to intercept the response of the redirect from the OAuth2 Provider, allowing the oAuth2AuthenticationProcessingFilter to handle the request? I tried to modify the filter chain programmatically and (more or less) it seems to work, but then GeoServer keeps saying that the dispatcher cannot handle the endpoint.

Any help/feedback/hint is much appreciated and would be very, very helpful.

Best Regards,
Alessio Fabiani.


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
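The composite filter Christian suggests, as an added example that is not code from the thread, from GeoServer or from Spring Security: one servlet Filter occupying a single slot in GeoServer's chain and running its delegates in a fixed order through a nested chain. Because the first delegate (the client-context filter) calls the second (the authentication-processing filter) from inside its own doFilter, a redirect exception thrown by the second propagates up to the first and can be handled there, which is exactly the ordering constraint described in the question; the class name and constructor are my own, and only the javax.servlet API is assumed.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Hypothetical composite: runs delegates in list order within one chain slot,
// e.g. [oauth2ClientContextFilter, oAuth2AuthenticationProcessingFilter].
public class OrderedCompositeFilter implements Filter {
    private final List<Filter> delegates;

    public OrderedCompositeFilter(List<Filter> delegates) {
        this.delegates = new ArrayList<>(delegates); // defensive copy, order preserved
    }

    @Override
    public void init(FilterConfig config) throws ServletException {
        for (Filter f : delegates) f.init(config);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain outer)
            throws IOException, ServletException {
        // Start the inner chain at delegate 0; control returns to 'outer' at the end.
        new InnerChain(outer, 0).doFilter(req, res);
    }

    @Override
    public void destroy() {
        for (Filter f : delegates) f.destroy();
    }

    // Each call advances to the next delegate; the last one hands control back to
    // GeoServer's own chain. An exception thrown by delegate i+1 unwinds through
    // delegate i's doFilter, so delegate i can catch it (the redirect case above).
    private final class InnerChain implements FilterChain {
        private final FilterChain outer;
        private final int index;

        InnerChain(FilterChain outer, int index) { this.outer = outer; this.index = index; }

        @Override
        public void doFilter(ServletRequest req, ServletResponse res)
                throws IOException, ServletException {
            if (index < delegates.size()) {
                delegates.get(index).doFilter(req, res, new InnerChain(outer, index + 1));
            } else {
                outer.doFilter(req, res);
            }
        }
    }
}
```

Registering this single composite in the chain where the client-context filter would otherwise go keeps the two delegates adjacent and correctly ordered no matter where GeoServer places the slot.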