[Geoserver-devel] Security Decorator Issue

Hi,

I had problems using app-schema plugin with a security authorization module
I have written (using ResourceAccessManager).
I did some debugging and came to code that did some strange casting using
/org.geotools.data.DataStore/.

Author of code is Andrea Aime and I am wondering if someone can review that
part of code.

*org.geoserver.security.decorators.SecuredDataStoreInfo*

method: DataStore getDataStore(ProgressListener listener)

this method does return with following cast:

/return (DataStore) SecuredObjects.secure(ds, policy);/

But there are situations when secure() returns DataAccess that can not be
cast to DataStore.

What I did is I changed return type of getDataStore to DataAccess. That
solved my problem.
/DataAccess /is also return type of super /DecoratingStoreStoreInfo/ class
that /SecureDataStoreInfo /extends.

Configuration that I am using:
GeoServer 2.5.2 with app-schema extension.

Code is somehow complex (casting and generics), so suggestions are highly
appreciated.

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/Security-Decorator-Issue-tp5185447.html
Sent from the GeoServer - Dev mailing list archive at Nabble.com.

On Wed, Feb 4, 2015 at 1:00 PM, uros <uros.mesaric-kunst@anonymised.com>
wrote:

Hi,

I had problems using app-schema plugin with a security authorization module
I have written (using ResourceAccessManager).
I did some debugging and came to code that did some strange casting using
/org.geotools.data.DataStore/.

Author of code is Andrea Aime and I am wondering if someone can review that
part of code.

*org.geoserver.security.decorators.SecuredDataStoreInfo*

method: DataStore getDataStore(ProgressListener listener)

this method does return with following cast:

/return (DataStore) SecuredObjects.secure(ds, policy);/

But there are situations when secure() returns DataAccess that can not be
cast to DataStore.

What I did is I changed return type of getDataStore to DataAccess. That
solved my problem.
/DataAccess /is also return type of super /DecoratingStoreStoreInfo/ class
that /SecureDataStoreInfo /extends.

I believe you're the first one to use app-schema and the security subsystem
at the same time...
congratulations :slight_smile:

The change you're proposing seems reasonable, can you make a pull request,
on GitHub and
for the master branch, for it?

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

Thank you for your answer.

I hoped that I am doing something wrong :slight_smile:
I found another issue with ModificationProxy that doesn't work with security
wrapped objects (e.g. SecuredLayerInfo for LayerInfo). I found this causing
problems with group layer creation (probably not just there).

I will try to replicate issues in unit tests and than do a fix.
I also have to check process of committing changes to VCS.

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/Security-Decorator-Issue-tp5185447p5185653.html
Sent from the GeoServer - Dev mailing list archive at Nabble.com.

On Thu, Feb 5, 2015 at 9:23 AM, uros <uros.mesaric-kunst@anonymised.com>
wrote:

Thank you for your answer.

I hoped that I am doing something wrong :slight_smile:
I found another issue with ModificationProxy that doesn't work with
security
wrapped objects (e.g. SecuredLayerInfo for LayerInfo). I found this causing
problems with group layer creation (probably not just there).

I will try to replicate issues in unit tests and than do a fix.
I also have to check process of committing changes to VCS.

We have a small guide here:
https://github.com/geoserver/geoserver/blob/master/CONTRIBUTING.md

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------