Hi,
recently I was thinking about what the following sentence should mean: “OGC services are supposed to be stateless”.
In my opinion, from the security point of view, it means that OGC services should completely ignore any security context saved in the user session by other GeoServer requests (for example, those created by logging into the web UI).
Currently this is not true, due to the fact that we always have a GeoServerSecurityContextPersistenceFilter in the filter chains, including the OGC services (default) chain.
The only difference is that the default chain does not create a new session if one does not exist yet, but uses an existing one. When I say it uses the session, I do not mean only that it reads security info from the session, but also that it saves a new one if specified on the request.
I think we should add one more option to the chains, to make it possible to completely ignore the session for OGC services, in addition to the existing "do not create HTTPSession" option.
Any opinion? Does this make any sense?
Thanks
Mauro
–
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
On Fri, Jul 25, 2014 at 11:37 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:
Hi,
recently I was thinking about what the following sentence should mean:
"OGC services are supposed to be stateless".
In my opinion, from the security point of view, it means that OGC services
should completely ignore any security context saved in the user session by
other GeoServer requests (for example, those created by logging into the web
UI).
Personally I find it rather handy to have the web gui login work for
subsequent OGC requests from the same browser too.
But I agree there should be a way to avoid that in case the admin wants to
Cheers
Andrea
--
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
On Fri, Jul 25, 2014 at 3:37 AM, Mauro Bartolomeoli <mauro.bartolomeoli@anonymised.com> wrote:
Hi,
recently I was thinking about what the following sentence should mean:
"OGC services are supposed to be stateless".
In my opinion, from the security point of view, it means that OGC services
should completely ignore any security context saved in the user session by
other GeoServer requests (for example, those created by logging into the web
UI).
Currently this is not true, due to the fact that we always have
a GeoServerSecurityContextPersistenceFilter in the filter chains, including
the OGC services (default) chain.
The only difference is that the default chain does not create a new
session if one does not exist yet, but uses an existing one. When I say
it uses the session, I do not mean only that it reads security info from the
session, but also that it saves a new one if specified on the request.
Not sure I understand you here. My understanding was that for the default
chain the session integration will never create a new session, only
integrate with an existing one. Am I wrong about that?
I think we should add one more option to the chains, to make it possible to
completely ignore the session for OGC services, in addition to the existing
"do not create HTTPSession" option.
Agreed. But I would call the option "Session Integration", as that is how
Spring Security refers to it.
Any opinion? Does this make any sense?
Thanks
Mauro
--
Justin Deoliveira
VP Engineering | Boundless <http://boundlessgeo.com/>
jdeolive@anonymised.com
@boundlessgeo <http://twitter.com/boundlessgeo/>
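An added example, not code from this thread, from GeoServer or from Spring Security, that exercises the two modes discussed above (Mauro's description of the default chain reusing an existing session for both reading and saving, and Justin's question about whether it ever writes to one) using the plain Spring Security SecurityContextPersistenceFilter rather than GeoServer's subclass. It assumes a javax.servlet-era Spring Security with spring-security-web and spring-test on the classpath; the request paths, user names and role name are made up for the illustration.

```java
// Added illustration (not GeoServer or Spring Security code). Assumes javax.servlet-era
// Spring Security plus spring-test mocks on the classpath; paths, users and roles are made up.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpSession;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.context.SecurityContextRepository;

public class OgcSessionIntegrationDemo {

    private static final String KEY = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;

    /** The persistence filter of the "default" (OGC) chain in each of the two modes. */
    static SecurityContextPersistenceFilter persistenceFilter(boolean sessionIntegration) {
        SecurityContextRepository repo;
        if (sessionIntegration) {
            // Current behaviour: load from and save to an existing HttpSession, never create one.
            HttpSessionSecurityContextRepository sessionRepo = new HttpSessionSecurityContextRepository();
            sessionRepo.setAllowSessionCreation(false);
            repo = sessionRepo;
        } else {
            // Proposed "Session Integration = off": the session is neither read nor written.
            repo = new NullSecurityContextRepository();
        }
        return new SecurityContextPersistenceFilter(repo);
    }

    static Authentication token(String user) {
        // Constructed credential standing in for a real authentication; role name is made up.
        return new TestingAuthenticationToken(user, "n/a", "ROLE_AUTHENTICATED");
    }

    /** A request from a browser whose session already holds a context from a web UI login. */
    static MockHttpServletRequest requestWithUiLogin(String user) {
        MockHttpServletRequest req = new MockHttpServletRequest("GET", "/geoserver/wms");
        SecurityContext ctx = new SecurityContextImpl();
        ctx.setAuthentication(token(user));
        req.getSession(true).setAttribute(KEY, ctx);
        return req;
    }

    /**
     * Runs one request through the persistence filter. authOnRequest stands in for a later
     * filter (e.g. HTTP basic) authenticating the request itself; null means no credentials.
     * Returns the principal the OGC service code would see, or "anonymous".
     */
    static String principalSeenByService(boolean sessionIntegration, MockHttpServletRequest req,
                                         Authentication authOnRequest) throws IOException, ServletException {
        String[] seen = {"anonymous"};
        FilterChain service = (request, response) -> {
            if (authOnRequest != null) {
                SecurityContextHolder.getContext().setAuthentication(authOnRequest);
            }
            Authentication a = SecurityContextHolder.getContext().getAuthentication();
            if (a != null) seen[0] = a.getName();
        };
        persistenceFilter(sessionIntegration).doFilter(req, new MockHttpServletResponse(), service);
        return seen[0];
    }

    /** Principal stored in the session after the request, or null if no session/context exists. */
    static String principalStoredInSession(MockHttpServletRequest req) {
        HttpSession session = req.getSession(false);
        if (session == null) return null;
        SecurityContext ctx = (SecurityContext) session.getAttribute(KEY);
        return ctx == null || ctx.getAuthentication() == null ? null : ctx.getAuthentication().getName();
    }

    public static void main(String[] args) throws Exception {
        for (boolean integration : new boolean[] {true, false}) {
            System.out.println("sessionIntegration=" + integration);

            // 1. A UI-logged-in browser sends a WMS request with no credentials of its own.
            MockHttpServletRequest r1 = requestWithUiLogin("admin");
            System.out.println("  UI session, no creds    -> service sees "
                    + principalSeenByService(integration, r1, null));

            // 2. The request authenticates itself and a session already exists (e.g. from a UI visit):
            //    with integration on, the filter writes the new context back into that session.
            MockHttpServletRequest r2 = new MockHttpServletRequest("GET", "/geoserver/wfs");
            r2.getSession(true);
            principalSeenByService(integration, r2, token("wfs-client"));
            System.out.println("  existing session, creds -> session now stores "
                    + principalStoredInSession(r2));

            // 3. Same, but with no session at all: allowSessionCreation=false means none is created.
            MockHttpServletRequest r3 = new MockHttpServletRequest("GET", "/geoserver/wfs");
            principalSeenByService(integration, r3, token("wfs-client"));
            System.out.println("  no session, creds       -> session created? "
                    + (r3.getSession(false) != null));
        }
    }
}
```

With session integration on, case 1 shows the service running as "admin" purely on the strength of the browser's UI login cookie, and case 2 shows a context established by the request's own credentials being written into a pre-existing session; case 3 is the only situation the existing "do not create HTTPSession" option covers. With NullSecurityContextRepository (the proposed option), case 1 runs anonymously and case 2 stores nothing, which is the stateless behaviour the thread is asking for.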