[Geoserver-devel] security work committed to trunk

Hi all,

The security work has been committed. The settings on the build server (256M of heap for tests) have brought out a memory leak. I run with 512m locally (the default defined in the root pom) so I didn’t see this before. I spent a while looking for the leak tonight but haven’t come up with anything yet. I will have to pick this back up tomorrow; it will be my top priority.

For now I have upped the test heap on the server to 512m as a temporary measure to try and get the build back. Hopefully that fixes it.

Again I will pick this back up first thing tomorrow. I apologize for the inconvenience.

-Justin


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.

OK… good news, I found the leak. It was a matter of making sure the wicket tester instance is destroyed in test tear down. Bad news is the build is still failing because of some issues in the jdbc security module. Those tests aren't actually supposed to be running; I put them in a profile to be run explicitly. Again… will have to pick this up tomorrow. And again… apologies for the inconvenience.

On Wed, Apr 4, 2012 at 8:26 AM, Justin Deoliveira <jdeolive@anonymised.com> wrote:

Ok, build should be back to normal now. Thanks for the patience everyone.

On Wed, Apr 4, 2012 at 2:51 AM, Justin Deoliveira <jdeolive@anonymised.com> wrote:

Hi Justin,

I see your work, very impressed.

I try to configure an ldap provider but I always get:

javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]

my configuration parameters:

name: ldap-geosdi
url: ldap://150.145.133.83/
user lookup pattern: dc=geoserver,dc=geosdi,dc=org

user: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org
pass: myPass

the stack trace:

org.apache.wicket.util.io.SerializableChecker$WicketNotSerializableException:
Unable to serialize class: com.sun.jndi.ldap.LdapCtx
Field hierarchy is:
  3 [class=org.geoserver.security.web.SecurityNamedServiceNewPage, path=3]
    private java.lang.Object
org.apache.wicket.MarkupContainer.children [class=[Ljava.lang.Object;]
      protected org.apache.wicket.util.collections.MiniMap
org.apache.wicket.markup.html.link.BookmarkablePageLink.parameters[8]
[class=org.apache.wicket.markup.html.panel.FeedbackPanel,
path=3:feedback]
        private java.lang.Object
org.apache.wicket.MarkupContainer.children
[class=org.apache.wicket.markup.html.panel.FeedbackPanel$1,
path=3:feedback:feedbackul]
          private java.lang.Object
org.apache.wicket.MarkupContainer.children
[class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView,
path=3:feedback:feedbackul:messages]
            private java.lang.Object
org.apache.wicket.MarkupContainer.children
[class=org.apache.wicket.markup.html.list.ListItem,
path=3:feedback:feedbackul:messages:0]
              java.lang.Object org.apache.wicket.Component.data
[class=[Ljava.lang.Object;]
                java.lang.Object
org.apache.wicket.Component.data[0][1]
[class=org.apache.wicket.AttributeModifier]
                  private final org.apache.wicket.model.IModel
org.apache.wicket.AttributeModifier.replaceModel
[class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1]
                    final org.apache.wicket.feedback.FeedbackMessage
org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1.val$message
[class=org.apache.wicket.feedback.FeedbackMessage]
                      private final java.io.Serializable
org.apache.wicket.feedback.FeedbackMessage.message
[class=javax.naming.InvalidNameException]
                        protected java.lang.Object
javax.naming.NamingException.resolvedObj
[class=com.sun.jndi.ldap.LdapCtx] <----- field that is not
serializable
  at org.apache.wicket.util.io.SerializableChecker.check(SerializableChecker.java:346)

Suggestion?

Regards,

2012/4/4 Justin Deoliveira <jdeolive@anonymised.com>:

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Francesco Izzi
CNR - IMAA
geoSDI
Direzione Tecnologie e Sviluppo

C.da S. Loja
85050 Tito Scalo - POTENZA (PZ)
Italia

phone: +39 0971427305
fax: +39 0971 427271
mob: +39 3203126609
mail: francesco.izzi@anonymised.com
skype: neofx8080

web: http://www.geosdi.org

Hi Francesco,

It is a bit weird but the root domain components are actually specified as part of the server url… so try the following instead:

url: ldap://150.145.133.83/dc=geoserver,dc=geosdi,dc=org

Also, the user lookup is a template for a lookup, and generally not a fixed user… but I guess it could be. The idea is to specify this:

user: uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org

where {0} is replaced with the username being logged in. The above would ignore the username specified and always log in as admin… perhaps that is intended.

Also, there is a tutorial here that might be worth going through.

http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html

Hope that helps, let me know how it goes.

-Justin

On Thu, Apr 5, 2012 at 7:02 AM, Francesco Izzi <francesco.izzi@anonymised.com2344…> wrote:

Yep Justin,

works !!!

Thanks,

2012/4/5 Justin Deoliveira <jdeolive@anonymised.com>:

Hi Justin,

I try to manage ldap groups as well.

I set this for group binding:

Group search base
ou=groups

Group search filter
memberUid={0}

The login is working but the ldap user is logged in without any role.

I see in the log:

06 apr 11:54:20 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Principal
06 apr 11:54:20 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Credentials

2012/4/5 Francesco Izzi <francesco.izzi@anonymised.com>:

Hi Francesco,

Role assignment with the ldap provider is explained here:

http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment

Basically, the ldap groups your user is a part of will have to be present in the role service. So say you are part of an ldap group named “foo”. That is mapped to the role “ROLE_FOO” when you are authenticated. So “ROLE_FOO” needs to be defined in the role service as an administrator role if you want to have full ui admin privileges. Explained here:

http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#map-ldap-groups-to-geoserver-roles

The alternative is to ignore ldap groups and use a user group service. But this means having to redefine users in your user group service that are in your ldap server. But it gives you full control over the role assignment.

On Fri, Apr 6, 2012 at 3:58 AM, Francesco Izzi <francesco.izzi@anonymised.com> wrote:

Hi Justin,

i try to manage also ldap group.

I set this for group binding:

Group search base
ou=groups

Group search filter
memberUid={0}

The login working but the ldap user logged without any role.

I see in the log:

06 apr 11:54:20 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Principal
06 apr 11:54:20 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Credentials

2012/4/5 Francesco Izzi <francesco.izzi@anonymised.com>:

Yep Justin,

works !!!

Thanks,

2012/4/5 Justin Deoliveira <jdeolive@anonymised.com>:

Hi Francesco,

It is a bit weird but the root domain components are actually specified as
part of the server url… so try the following instead:

url: ldap://150.145.133.83/dc=geoserver,dc=geosdi,dc=org

Also, the user lookup is a template for a lookup, and generally not a fixed
user… but i guess it could be. The idea is to specify this:

user: uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org

Where {0} is replaced with the username being logged in. The abobe would
ignore the username specified and always log in as admin… perhaps that is
intended.

Also, there is a tutorial here that might be worth going through.

http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html

Hope that helps, let me know how it goes.

-Justin

On Thu, Apr 5, 2012 at 7:02 AM, Francesco Izzi <francesco.izzi@anonymised.com>
wrote:

Hi Justing,

i see your work, very impressed.

I try to configure an ldap provider but i have always :

javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]

my configuration parameter:

name: ldap-geosdi
url: ldap://150.145.133.83/
user lookup pattern: dc=geoserver,dc=geosdi,dc=org

user: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org
pass: myPass

the stack trace:

org.apache.wicket.util.io.SerializableChecker$WicketNotSerializableException:
Unable to serialize class: com.sun.jndi.ldap.LdapCtx
Field hierarchy is:
3 [class=org.geoserver.security.web.SecurityNamedServiceNewPage, path=3]
private java.lang.Object
org.apache.wicket.MarkupContainer.children [class=[Ljava.lang.Object;]
protected org.apache.wicket.util.collections.MiniMap
org.apache.wicket.markup.html.link.BookmarkablePageLink.parameters[8]
[class=org.apache.wicket.markup.html.panel.FeedbackPanel,
path=3:feedback]
private java.lang.Object
org.apache.wicket.MarkupContainer.children
[class=org.apache.wicket.markup.html.panel.FeedbackPanel$1,
path=3:feedback:feedbackul]
private java.lang.Object
org.apache.wicket.MarkupContainer.children
[class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView,
path=3:feedback:feedbackul:messages]
private java.lang.Object
org.apache.wicket.MarkupContainer.children
[class=org.apache.wicket.markup.html.list.ListItem,
path=3:feedback:feedbackul:messages:0]
java.lang.Object org.apache.wicket.Component.data
[class=[Ljava.lang.Object;]
java.lang.Object
org.apache.wicket.Component.data[0][1]
[class=org.apache.wicket.AttributeModifier]
private final org.apache.wicket.model.IModel
org.apache.wicket.AttributeModifier.replaceModel

[class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1]
final org.apache.wicket.feedback.FeedbackMessage

org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1.val$message
[class=org.apache.wicket.feedback.FeedbackMessage]
private final java.io.Serializable
org.apache.wicket.feedback.FeedbackMessage.message
[class=javax.naming.InvalidNameException]
protected java.lang.Object
javax.naming.NamingException.resolvedObj
[class=com.sun.jndi.ldap.LdapCtx] <----- field that is not
serializable
at
org.apache.wicket.util.io.SerializableChecker.check(SerializableChecker.java:346)

Suggestion?

Regard,

2012/4/4 Justin Deoliveira <jdeolive@anonymised.com>:

Ok, build should be back to normal now. Thanks for the patience
everyone.

On Wed, Apr 4, 2012 at 2:51 AM, Justin Deoliveira <jdeolive@anonymised.com>
wrote:

OK… good news, I found the leak. It was a matter of making sure the
wicket tester instance is destroyed in test tear down. Bad news is the build
is still failing because of some issues in the jdbc security module. Those
tests aren't actually supposed to be running; I put them in a profile to
be run explicitly. Again… will have to pick this up tomorrow. And again…
apologies for the inconvenience.

On Wed, Apr 4, 2012 at 8:26 AM, Justin Deoliveira
<jdeolive@anonymised.com…1501…>
wrote:

Hi all,

The security work has been committed. The settings on the build server
(256M of heap for tests) have brought out a memory leak. I run with 512m
locally (the default defined in the root pom) so I didn’t see this
before. I spent a while looking for the leak tonight but haven’t come up
with anything yet. I will have to pick this back up tomorrow, it will be
my top priority.

For now I have upped the test heap on the server to 512m as a temporary
measure to try and get the build back. Hopefully that fixes it.

Again I will pick this back up first thing tomorrow. I apologize for
the inconvenience.

-Justin


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.






Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Francesco Izzi
CNR - IMAA
geoSDI
Direzione Tecnologie e Sviluppo

C.da S. Loja
85050 Tito Scalo - POTENZA (PZ)
Italia

phone: +39 0971427305
fax: +39 0971 427271
mob: +39 3203126609
mail: francesco.izzi@anonymised.com
skype: neofx8080

web: http://www.geosdi.org



Hi Justin,

I'm still testing with ldap.

I noticed that if in my ldap tree there is a group called
"ROLE_GP_ADMIN", the Granted Authorities of Auth User: is
ROLE_ROLE_GP_ADMIN.

I try to create a role in my ldap named GP_ADMIN and all works.

Any opinion?

2012/4/6 Justin Deoliveira <jdeolive@anonymised.com>:

Hi Francesco,

Role assignment with the ldap provider is explained here:

http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment

Basically, the ldap groups your user is a part of will have to be
present in the role service. So say you are part of an ldap group named
"foo". That is mapped to the role "ROLE_FOO" when you are authenticated. So
"ROLE_FOO" needs to be defined in the role service as an administrator role
if you want to have full ui admin privileges. Explained here:

http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#map-ldap-groups-to-geoserver-roles

The alternative is to ignore ldap groups and use a user group service. But
this means having to redefine users in your user group service that are in
your ldap server. But it gives you full control over the role assignment.

On Fri, Apr 6, 2012 at 3:58 AM, Francesco Izzi <francesco.izzi@anonymised.com>
wrote:

Hi Justin,

I am also trying to manage ldap groups.

I set this for group binding:

Group search base
ou=groups

Group search filter
memberUid={0}

The login is working, but the ldap user is logged in without any role.

I see in the log:

06 apr 11:54:20 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Principal
06 apr 11:54:20 WARN
[authentication.SpringSecurityAuthenticationSource] - No
Authentication object set in SecurityContext - returning empty String
as Credentials

2012/4/5 Francesco Izzi <francesco.izzi@anonymised.com>:
> Yep Justin,
>
> works !!!
>
>
> Thanks,
>
> 2012/4/5 Justin Deoliveira <jdeolive@anonymised.com>:
>> Hi Francesco,
>>
>> It is a bit weird but the root domain components are actually specified
>> as part of the server url... so try the following instead:
>>
>> url: ldap://150.145.133.83/dc=geoserver,dc=geosdi,dc=org
>>
>> Also, the user lookup is a template for a lookup, and generally not a
>> fixed user... but I guess it could be. The idea is to specify this:
>>
>> user: uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org
>>
>> Where {0} is replaced with the username being logged in. The above
>> would ignore the username specified and always log in as admin... perhaps
>> that is intended.
>>
>> Also, there is a tutorial here that might be worth going through.
>>
>>
>> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
>>
>> Hope that helps, let me know how it goes.
>>
>> -Justin
>>
>>
>> On Thu, Apr 5, 2012 at 7:02 AM, Francesco Izzi
>> <francesco.izzi@anonymised.com>
>> wrote:
>>>
>>> Hi Justin,
>>>
>>> I see your work, very impressed.
>>>
>>> I try to configure an ldap provider but I always get:
>>>
>>> javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]
>>>
>>> my configuration parameters:
>>>
>>> name: ldap-geosdi
>>> url: ldap://150.145.133.83/
>>> user lookup pattern: dc=geoserver,dc=geosdi,dc=org
>>>
>>> user: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org
>>> pass: myPass
>>>
>>> the stack trace:
>>>
>>>
>>>
>>> org.apache.wicket.util.io.SerializableChecker$WicketNotSerializableException: Unable to serialize class: com.sun.jndi.ldap.LdapCtx
>>> Field hierarchy is:
>>> 3 [class=org.geoserver.security.web.SecurityNamedServiceNewPage, path=3]
>>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=[Ljava.lang.Object;]
>>> protected org.apache.wicket.util.collections.MiniMap org.apache.wicket.markup.html.link.BookmarkablePageLink.parameters[8] [class=org.apache.wicket.markup.html.panel.FeedbackPanel, path=3:feedback]
>>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.panel.FeedbackPanel$1, path=3:feedback:feedbackul]
>>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView, path=3:feedback:feedbackul:messages]
>>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.list.ListItem, path=3:feedback:feedbackul:messages:0]
>>> java.lang.Object org.apache.wicket.Component.data [class=[Ljava.lang.Object;]
>>> java.lang.Object org.apache.wicket.Component.data[0][1] [class=org.apache.wicket.AttributeModifier]
>>> private final org.apache.wicket.model.IModel org.apache.wicket.AttributeModifier.replaceModel [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1]
>>> final org.apache.wicket.feedback.FeedbackMessage org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1.val$message [class=org.apache.wicket.feedback.FeedbackMessage]
>>> private final java.io.Serializable org.apache.wicket.feedback.FeedbackMessage.message [class=javax.naming.InvalidNameException]
>>> protected java.lang.Object javax.naming.NamingException.resolvedObj [class=com.sun.jndi.ldap.LdapCtx] <----- field that is not serializable
>>> at org.apache.wicket.util.io.SerializableChecker.check(SerializableChecker.java:346)
>>>
>>> Suggestion?
>>>
>>>
>>> Regards,
>>>

Hi Francesco and Justin,

I assume the problem is in the Spring DefaultLdapAuthoritiesPopulator class; the implementation uses a role prefix “ROLE_”. I had the same problem with the J2EE proxy authenticator, where a J2EE role “admin” was mapped to “ROLE_admin”.
I disabled this prefix logic behind the scenes for the J2EE proxy authenticator and do not modify the roles.

It would be good to have a common strategy for all authentication providers; I would prefer not modifying role names provided by an external party.

Christian

2012/4/10 Francesco Izzi <francesco.izzi@anonymised.com>


Yeah, we should definitely expose the ability to set the role prefix on the ldap auth provider. Or perhaps to drop it altogether.

Francesco, can you open a jira issue for this? Thanks.

-Justin
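
As an added example (not GeoServer's or Spring Security's code), the Python below models the two behaviours this thread walks through: filling the {0} placeholder of the user lookup pattern (uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org) to form the bind DN, as in Justin's earlier reply, and mapping LDAP group names to ROLE_-prefixed authorities, both in the always-prefix form that produced ROLE_ROLE_GP_ADMIN and in a prefix-once form where an empty prefix leaves the group names untouched. The RFC 4514 escaping of the substituted login name and all function names are this example's own assumptions.

```python
"""Model of the LDAP provider behaviour discussed in the thread (added example).

Two pieces are modelled, neither is GeoServer or Spring Security code:
  1. filling the {0} placeholder of the user lookup pattern
     (uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org) with the login name;
  2. turning LDAP group names into ROLE_-prefixed authorities, both in the
     always-prefix form that produced ROLE_ROLE_GP_ADMIN and in a prefix-once
     form where an empty prefix leaves the group names untouched.
"""
from typing import Callable, Iterable, List

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514 section 2.4). Escaping is this example's addition, so that a
# login name cannot alter the structure of the DN built from the pattern.
_DN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def bind_dn(user_pattern: str, username: str) -> str:
    """Build the bind DN by replacing {0} in the user lookup pattern."""
    if '{0}' not in user_pattern:
        # A pattern without {0} (e.g. uid=admin,ou=people,...) binds the same
        # DN for every login, the pitfall pointed out in the thread.
        raise ValueError('user lookup pattern has no {0} placeholder: '
                         + user_pattern)
    return user_pattern.replace('{0}', escape_dn_value(username))


def naive_authority(group: str, prefix: str = 'ROLE_') -> str:
    """Always-prefix mapping as observed: group "foo" -> ROLE_FOO, but a
    group already named ROLE_GP_ADMIN becomes ROLE_ROLE_GP_ADMIN."""
    return prefix + group.upper()


def prefix_once_authority(group: str, prefix: str = 'ROLE_') -> str:
    """Prefix only when the upper-cased group name does not carry it yet.
    With prefix='' the group name is passed through unchanged."""
    name = group.upper()
    return name if name.startswith(prefix) else prefix + name


def map_groups(groups: Iterable[str],
               mapper: Callable[[str], str] = prefix_once_authority) -> List[str]:
    """Map every LDAP group to an authority, dropping duplicates in order."""
    authorities: List[str] = []
    for group in groups:
        authority = mapper(group)
        if authority not in authorities:
            authorities.append(authority)
    return authorities


if __name__ == '__main__':
    # Constructed sample data mirroring the thread: two users, one group.
    pattern = 'uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org'
    for user in ('fizzi', 'admin'):
        print(bind_dn(pattern, user))
    print(map_groups(['ROLE_GP_ADMIN'], naive_authority))   # double prefix
    print(map_groups(['ROLE_GP_ADMIN', 'GP_ADMIN']))        # prefixed once
    print(map_groups(['GP_ADMIN'], lambda g: prefix_once_authority(g, '')))
```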

On Tue, Apr 10, 2012 at 9:51 AM, Christian Mueller <mcrmcr21@anonymised.com> wrote:


Hi Justin,

another issue.

I have 2 users in my ldap:

admin with no role
and fizzi with the GP_ADMIN role.

I logged in with fizzi and all works.

If I try to log in with the admin user, the effective user logged in is fizzi.

I log this...

LOGIN WITH ADMIN

10 apr 17:42:59 INFO [geoserver.security] -
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@anonymised.com:
Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@anonymised.com:
Dn: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org; Username:
admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
CredentialsNonExpired: true; AccountNonLocked: true; Granted
Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details:
org.geoserver.security.filter.GeoServerWebAuthenticationDetails@anonymised.com:
RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Not
granted any authorities
10 apr 17:42:59 INFO [geoserver.security] -
org.springframework.security.authentication.UsernamePasswordAuthenticationToken@anonymised.com:
Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@anonymised.com:
Dn: uid=fizzi,ou=people,dc=geoserver,dc=geosdi,dc=org; Username:
fizzi; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
CredentialsNonExpired: true; AccountNonLocked: true; Granted
Authorities: ROLE_GP_ADMIN; Credentials: [PROTECTED]; Authenticated:
true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@anonymised.com:
RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Granted
Authorities: ROLE_GP_ADMIN

Opinion?

2012/4/10 Justin Deoliveira <jdeolive@anonymised.com>:

Yeah, we should definitely expose the ability to set the role prefix on the
ldap auth provider. Or perhaps to drop it altogether.

Francesco, can you open a jira issue for this? Thanks.

-Justin

On Tue, Apr 10, 2012 at 9:51 AM, Christian Mueller <mcrmcr21@anonymised.com>
wrote:

Hi, Francesco and Justin

I assume the problem is in the Spring DefaultLdapAuthoritiesPopulator
class; its implementation uses the role prefix "ROLE_". I had the same problem
with the J2EE proxy authenticator, where a J2EE role "admin" was mapped to
"ROLE_admin".
I disabled this prefix logic behind the scenes for the J2EE proxy
authenticator and do not modify the roles.

It would be good to have a common strategy for all authentication providers;
I would prefer not modifying role names provided by an external party.

Christian

2012/4/10 Francesco Izzi <francesco.izzi@anonymised.com>

Hi Justin,

I'm still testing with LDAP.

I noticed that if there is a group called "ROLE_GP_ADMIN" in my LDAP
tree, the Granted Authorities of Auth User is
ROLE_ROLE_GP_ADMIN.

I tried creating a role in my LDAP named GP_ADMIN and all works.

Any opinion ?

2012/4/6 Justin Deoliveira <jdeolive@anonymised.com>:
> Hi Francesco,
>
> Role assignment with the ldap provider is explained here:
>
>
> http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment
>
> Basically, the ldap groups your user is a part of will have to be
> present in the role service. So say you are part of an ldap group named
> "foo". That is mapped to the role "ROLE_FOO" when you are
> authenticated. So "ROLE_FOO" needs to be defined in the role service as
> an administrator role if you want to have full ui admin privileges.
> Explained here:
>
>
> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#map-ldap-groups-to-geoserver-roles
>
> The alternative is to ignore ldap groups and use a user group service.
> But this means having to redefine users in your user group service that
> are in your ldap server. But it gives you full control over the role
> assignment.
>
> On Fri, Apr 6, 2012 at 3:58 AM, Francesco Izzi
> <francesco.izzi@anonymised.com>
> wrote:
>>
>> Hi Justin,
>>
>> I also try to manage LDAP groups.
>>
>> I set this for group binding:
>>
>> Group search base
>> ou=groups
>>
>> Group search filter
>> memberUid={0}
>>
>> The login works but the LDAP user is logged in without any role.
>>
>> I see in the log:
>>
>> 06 apr 11:54:20 WARN
>> [authentication.SpringSecurityAuthenticationSource] - No
>> Authentication object set in SecurityContext - returning empty String
>> as Principal
>> 06 apr 11:54:20 WARN
>> [authentication.SpringSecurityAuthenticationSource] - No
>> Authentication object set in SecurityContext - returning empty String
>> as Credentials
>>
>>
>>
>> 2012/4/5 Francesco Izzi <francesco.izzi@anonymised.com>:
>> > Yep Justin,
>> >
>> > works !!!
>> >
>> >
>> > Thanks,
>> >
>> > 2012/4/5 Justin Deoliveira <jdeolive@anonymised.com>:
>> >> Hi Francesco,
>> >>
>> >> It is a bit weird but the root domain components are actually
>> >> specified as part of the server url... so try the following instead:
>> >>
>> >> url: ldap://150.145.133.83/dc=geoserver,dc=geosdi,dc=org
>> >>
>> >> Also, the user lookup is a template for a lookup, and generally not
>> >> a fixed user... but I guess it could be. The idea is to specify this:
>> >>
>> >> user: uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org
>> >>
>> >> Where {0} is replaced with the username being logged in. The above
>> >> would ignore the username specified and always log in as admin...
>> >> perhaps that is intended.
>> >>
>> >> Also, there is a tutorial here that might be worth going through.
>> >>
>> >>
>> >>
>> >> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
>> >>
>> >> Hope that helps, let me know how it goes.
>> >>
>> >> -Justin
>> >>
>> >>
>> >> On Thu, Apr 5, 2012 at 7:02 AM, Francesco Izzi
>> >> <francesco.izzi@anonymised.com>
>> >> wrote:
>> >>>
>> >>> Hi Justin,
>> >>>
>> >>> I see your work, very impressed.
>> >>>
>> >>> I try to configure an LDAP provider but I always get:
>> >>>
>> >>> javax.naming.InvalidNameException: [LDAP: error code 34 - invalid
>> >>> DN]
>> >>>
>> >>> my configuration parameters:
>> >>>
>> >>> name: ldap-geosdi
>> >>> url: ldap://150.145.133.83/
>> >>> user lookup pattern: dc=geoserver,dc=geosdi,dc=org
>> >>>
>> >>> user: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org
>> >>> pass: myPass
>> >>>
>> >>> the stack trace:
>> >>>
>> >>>
>> >>>
>> >>>
>> >>> org.apache.wicket.util.io.SerializableChecker$WicketNotSerializableException:
>> >>> Unable to serialize class: com.sun.jndi.ldap.LdapCtx
>> >>> Field hierarchy is:
>> >>> 3 [class=org.geoserver.security.web.SecurityNamedServiceNewPage,
>> >>> path=3]
>> >>> private java.lang.Object
>> >>> org.apache.wicket.MarkupContainer.children
>> >>> [class=[Ljava.lang.Object;]
>> >>> protected org.apache.wicket.util.collections.MiniMap
>> >>>
>> >>> org.apache.wicket.markup.html.link.BookmarkablePageLink.parameters[8]
>> >>> [class=org.apache.wicket.markup.html.panel.FeedbackPanel,
>> >>> path=3:feedback]
>> >>> private java.lang.Object
>> >>> org.apache.wicket.MarkupContainer.children
>> >>> [class=org.apache.wicket.markup.html.panel.FeedbackPanel$1,
>> >>> path=3:feedback:feedbackul]
>> >>> private java.lang.Object
>> >>> org.apache.wicket.MarkupContainer.children
>> >>>
>> >>>
>> >>> [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView,
>> >>> path=3:feedback:feedbackul:messages]
>> >>> private java.lang.Object
>> >>> org.apache.wicket.MarkupContainer.children
>> >>> [class=org.apache.wicket.markup.html.list.ListItem,
>> >>> path=3:feedback:feedbackul:messages:0]
>> >>> java.lang.Object org.apache.wicket.Component.data
>> >>> [class=[Ljava.lang.Object;]
>> >>> java.lang.Object
>> >>> org.apache.wicket.Component.data[0][1]
>> >>> [class=org.apache.wicket.AttributeModifier]
>> >>> private final org.apache.wicket.model.IModel
>> >>> org.apache.wicket.AttributeModifier.replaceModel
>> >>>
>> >>>
>> >>>
>> >>> [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1]
>> >>> final
>> >>> org.apache.wicket.feedback.FeedbackMessage
>> >>>
>> >>>
>> >>>
>> >>> org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1.val$message
>> >>> [class=org.apache.wicket.feedback.FeedbackMessage]
>> >>> private final java.io.Serializable
>> >>> org.apache.wicket.feedback.FeedbackMessage.message
>> >>> [class=javax.naming.InvalidNameException]
>> >>> protected java.lang.Object
>> >>> javax.naming.NamingException.resolvedObj
>> >>> [class=com.sun.jndi.ldap.LdapCtx] <----- field that is not
>> >>> serializable
>> >>> at
>> >>>
>> >>>
>> >>> org.apache.wicket.util.io.SerializableChecker.check(SerializableChecker.java:346)
>> >>>
>> >>> Suggestion?
>> >>>
>> >>>
>> >>> Regard,
>> >>>
>> >>> 2012/4/4 Justin Deoliveira <jdeolive@anonymised.com>:
>> >>> > Ok, build should be back to normal now. Thanks for the patience
>> >>> > everyone.
>> >>> >
>> >>> > On Wed, Apr 4, 2012 at 2:51 AM, Justin Deoliveira
>> >>> > <jdeolive@anonymised.com>
>> >>> > wrote:
>> >>> >>
>> >>> >> OK... good news I found the leak. Was a matter of making sure
>> >>> >> the wicket tester instance is destroyed in test tear down. Bad
>> >>> >> news is the build is still failing because of some issues in the
>> >>> >> jdbc security module. Those tests aren't actually supposed to be
>> >>> >> running, I put them in a profile to explicitly be run. Again...
>> >>> >> will have to pick this up tomorrow. And again... apologies for
>> >>> >> the inconvenience.
>> >>> >>
>> >>> >> On Wed, Apr 4, 2012 at 8:26 AM, Justin Deoliveira
>> >>> >> <jdeolive@anonymised.com>
>> >>> >> wrote:
>> >>> >>>
>> >>> >>> Hi all,
>> >>> >>>
>> >>> >>>
>> >>> >>> The security work has been committed. The settings on the
>> >>> >>> build server (256M of heap for tests) have brought out a memory
>> >>> >>> leak. I run with 512m locally (the default defined in the root
>> >>> >>> pom) so I didn't see this before. I spent a while looking for
>> >>> >>> the leak tonight but haven't come up with anything yet. I will
>> >>> >>> have to pick this back up tomorrow, it will be my top priority.
>> >>> >>>
>> >>> >>> For now I have upped the test heap on the server to 512m as a
>> >>> >>> temporary measure to try and get the build back. Hopefully that
>> >>> >>> fixes it.
>> >>> >>>
>> >>> >>> Again I will pick this back up first thing tomorrow. I apologize
>> >>> >>> for the inconvenience.
>> >>> >>>
>> >>> >>> -Justin
>> >>> >>>
>> >>>
>> >>>
>> >>>

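The group-to-role mapping and the `{0}` user lookup pattern discussed in the quoted messages above, modelled in an added Python example that is not GeoServer or Spring Security code: it reproduces the "foo" to "ROLE_FOO" and "ROLE_GP_ADMIN" to "ROLE_ROLE_GP_ADMIN" behaviour and shows what a configurable (or empty) prefix changes. The function and class names, the `prefix`/`upper` options, the DN escaping and the sample role service are this example's own assumptions.

```python
"""Model of the LDAP user lookup and group-to-role mapping from this thread.

Added example: not GeoServer or Spring Security code. It reproduces the
behaviour the thread describes (Spring's DefaultLdapAuthoritiesPopulator
upper-cases each group name and prepends "ROLE_") and shows why an LDAP
group that is already called "ROLE_GP_ADMIN" ends up as
"ROLE_ROLE_GP_ADMIN", and what a configurable prefix changes.
"""
from __future__ import annotations

from dataclasses import dataclass

# Characters that RFC 4514 requires to be escaped inside a DN attribute
# value; '=' is escaped too, which the RFC permits. This matters because
# the typed username is substituted verbatim into the lookup pattern.
_DN_SPECIAL = ',+"\\<>;='


def escape_dn_value(value: str) -> str:
    """Escape a single attribute value for use inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")          # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")          # leading '#'
        elif ord(ch) < 0x20:
            out.append("\\%02x" % ord(ch))  # control characters as hex
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(pattern: str, username: str) -> str:
    """Fill the {0} placeholder of a user lookup pattern such as
    "uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org".

    A pattern without {0} is rejected: as the thread notes, a fixed DN
    would bind every login as the same user regardless of the name typed.
    """
    if "{0}" not in pattern:
        raise ValueError("user lookup pattern must contain the {0} placeholder")
    return pattern.replace("{0}", escape_dn_value(username))


@dataclass(frozen=True)
class RolePrefixPolicy:
    """How LDAP group names become GeoServer role names.

    prefix="ROLE_", upper=True is the Spring default the thread runs into;
    prefix="" leaves externally provided role names untouched, which is
    the "drop it altogether" option discussed in the thread.
    """
    prefix: str = "ROLE_"
    upper: bool = True

    def map_group(self, group: str) -> str:
        name = group.upper() if self.upper else group
        return self.prefix + name


def effective_roles(groups: list[str], policy: RolePrefixPolicy,
                    role_service: set[str]) -> tuple[list[str], list[str]]:
    """Split mapped roles into those the role service defines (granted)
    and those it does not know (ignored), as the thread explains for
    "ROLE_FOO": a mapped role only takes effect if the role service has it.
    """
    granted, unknown = [], []
    for group in groups:
        role = policy.map_group(group)
        (granted if role in role_service else unknown).append(role)
    return granted, unknown


if __name__ == "__main__":
    # Constructed sample: a role service that only defines ROLE_GP_ADMIN.
    role_service = {"ROLE_GP_ADMIN"}
    default = RolePrefixPolicy()
    # LDAP group GP_ADMIN maps cleanly onto the defined role.
    print(effective_roles(["GP_ADMIN"], default, role_service))       # (['ROLE_GP_ADMIN'], [])
    # LDAP group already named ROLE_GP_ADMIN is double-prefixed and lost.
    print(effective_roles(["ROLE_GP_ADMIN"], default, role_service))  # ([], ['ROLE_ROLE_GP_ADMIN'])
    # An empty prefix keeps the external name as-is.
    print(RolePrefixPolicy(prefix="").map_group("GP_ADMIN"))          # GP_ADMIN
    print(build_user_dn("uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org", "fizzi"))
```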
Hi Francesco, can you try to log out fizzi explicitly?

If you can log in with admin, he should have the role “ROLE_AUTHORIZED”

2012/4/10 Francesco Izzi <francesco.izzi@anonymised.com>


Yes, I explicitly log out the fizzi user.

This occurs even if the admin user has the same role set as the fizzi user.

The strange thing is that the first user logged in is the one that is always used.

I will try to find the problem.

Regards,

2012/4/11 Christian Mueller <mcrmcr21@anonymised.com>:

>>> >> >>> [class=org.apache.wicket.feedback.FeedbackMessage]
>>> >> >>> private final java.io.Serializable
>>> >> >>> org.apache.wicket.feedback.FeedbackMessage.message
>>> >> >>> [class=javax.naming.InvalidNameException]
>>> >> >>> protected java.lang.Object
>>> >> >>> javax.naming.NamingException.resolvedObj
>>> >> >>> [class=com.sun.jndi.ldap.LdapCtx] <----- field that is not
>>> >> >>> serializable
>>> >> >>> at
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> org.apache.wicket.util.io.SerializableChecker.check(SerializableChecker.java:346)
>>> >> >>>
>>> >> >>> Suggestion?
>>> >> >>>
>>> >> >>>
>>> >> >>> Regard,
>>> >> >>>
>>> >> >>> 2012/4/4 Justin Deoliveira <jdeolive@anonymised.com>:
>>> >> >>> > Ok, build should be back to normal now. Thanks for the
>>> >> >>> > patience
>>> >> >>> > everyone.
>>> >> >>> >
>>> >> >>> > On Wed, Apr 4, 2012 at 2:51 AM, Justin Deoliveira
>>> >> >>> > <jdeolive@anonymised.com>
>>> >> >>> > wrote:
>>> >> >>> >>
>>> >> >>> >> OK... good news i found the leak. Was a matter of making
>>> >> >>> >> sure
>>> >> >>> >> the
>>> >> >>> >> wicket
>>> >> >>> >> tester instance is destroyed in test tear down. Bad news is
>>> >> >>> >> the
>>> >> >>> >> build
>>> >> >>> >> is
>>> >> >>> >> still failing because of some issues in the jdbc security
>>> >> >>> >> module.
>>> >> >>> >> Those
>>> >> >>> >> tests arent actually supposed to be running, i put them in a
>>> >> >>> >> profile to
>>> >> >>> >> explicitly be run. Again... will have to pick this
>>> >> >>> >> up tomorrow.
>>> >> >>> >> And
>>> >> >>> >> again...
>>> >> >>> >> apologies for inconvenience.
>>> >> >>> >>
>>> >> >>> >> On Wed, Apr 4, 2012 at 8:26 AM, Justin Deoliveira
>>> >> >>> >> <jdeolive@anonymised.com>
>>> >> >>> >> wrote:
>>> >> >>> >>>
>>> >> >>> >>> Hi all,
>>> >> >>> >>>
>>> >> >>> >>>
>>> >> >>> >>> The security work has been committed. The settings on the
>>> >> >>> >>> build
>>> >> >>> >>> server
>>> >> >>> >>> (256M of heap for tests) have brought out a memory leak. I
>>> >> >>> >>> run
>>> >> >>> >>> with
>>> >> >>> >>> 512m
>>> >> >>> >>> locally (the default defined in the root pom) so I didn't
>>> >> >>> >>> see
>>> >> >>> >>> this
>>> >> >>> >>> before. I
>>> >> >>> >>> spent a while looking for the leak tonight but haven't come
>>> >> >>> >>> up
>>> >> >>> >>> with
>>> >> >>> >>> anything
>>> >> >>> >>> yet. I will have to pick this back up tomorrow, it will be
>>> >> >>> >>> my
>>> >> >>> >>> top
>>> >> >>> >>> priority.
>>> >> >>> >>>
>>> >> >>> >>> For now i have upped the test heap on the server to 512m as
>>> >> >>> >>> a
>>> >> >>> >>> temporary
>>> >> >>> >>> measure to try and get the build back. Hopefully that fixes
>>> >> >>> >>> it.
>>> >> >>> >>>
>>> >> >>> >>> Again I will pick this back up first thing tomorrow. I
>>> >> >>> >>> apologize
>>> >> >>> >>> for
>>> >> >>> >>> the inconvenience.
>>> >> >>> >>>
>>> >> >>> >>> -Justin
>>> >> >>> >>>
>>> >> >>> >>> --
>>> >> >>> >>> Justin Deoliveira
>>> >> >>> >>> OpenGeo - http://opengeo.org
>>> >> >>> >>> Enterprise support for open source geospatial.
>>> >> >>> >>>
>>> >> >>> >>
>>> >> >>> >>
>>> >> >>> >>
>>> >> >>> >> --
>>> >> >>> >> Justin Deoliveira
>>> >> >>> >> OpenGeo - http://opengeo.org
>>> >> >>> >> Enterprise support for open source geospatial.
>>> >> >>> >>
>>> >> >>> >
>>> >> >>> >
>>> >> >>> >
>>> >> >>> > --
>>> >> >>> > Justin Deoliveira
>>> >> >>> > OpenGeo - http://opengeo.org
>>> >> >>> > Enterprise support for open source geospatial.
>>> >> >>> >
>>> >> >>> >
>>> >> >>> >
>>> >> >>> >
>>> >> >>> >
>>> >> >>> >
>>> >> >>> > ------------------------------------------------------------------------------
>>> >> >>> > Better than sec? Nothing is better than sec when it comes to
>>> >> >>> > monitoring Big Data applications. Try Boundary one-second
>>> >> >>> > resolution app monitoring today. Free.
>>> >> >>> > http://p.sf.net/sfu/Boundary-dev2dev
>>> >> >>> > _______________________________________________
>>> >> >>> > Geoserver-devel mailing list
>>> >> >>> > Geoserver-devel@lists.sourceforge.net
>>> >> >>> > https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>> >> >>> >
>>> >> >>>
>>> >> >>>
>>> >> >>>
>>> >> >>> --
>>> >> >>> Francesco Izzi
>>> >> >>> CNR - IMAA
>>> >> >>> geoSDI
>>> >> >>> Direzione Tecnologie e Sviluppo
>>> >> >>>
>>> >> >>> C.da S. Loja
>>> >> >>> 85050 Tito Scalo - POTENZA (PZ)
>>> >> >>> Italia
>>> >> >>>
>>> >> >>> phone: +39 0971427305
>>> >> >>> fax: +39 0971 427271
>>> >> >>> mob: +39 3203126609
>>> >> >>> mail: francesco.izzi@anonymised.com
>>> >> >>> skype: neofx8080
>>> >> >>>
>>> >> >>> web: http://www.geosdi.org
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >>
>>> >> >> --
>>> >> >> Justin Deoliveira
>>> >> >> OpenGeo - http://opengeo.org
>>> >> >> Enterprise support for open source geospatial.
>>> >> >>
>>> >> >
>>> >> >
>>> >> >
>>> >> > --
>>> >> > Francesco Izzi
>>> >> > CNR - IMAA
>>> >> > geoSDI
>>> >> > Direzione Tecnologie e Sviluppo
>>> >> >
>>> >> > C.da S. Loja
>>> >> > 85050 Tito Scalo - POTENZA (PZ)
>>> >> > Italia
>>> >> >
>>> >> > phone: +39 0971427305
>>> >> > fax: +39 0971 427271
>>> >> > mob: +39 3203126609
>>> >> > mail: francesco.izzi@anonymised.com
>>> >> > skype: neofx8080
>>> >> >
>>> >> > web: http://www.geosdi.org
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Francesco Izzi
>>> >> CNR - IMAA
>>> >> geoSDI
>>> >> Direzione Tecnologie e Sviluppo
>>> >>
>>> >> C.da S. Loja
>>> >> 85050 Tito Scalo - POTENZA (PZ)
>>> >> Italia
>>> >>
>>> >> phone: +39 0971427305
>>> >> fax: +39 0971 427271
>>> >> mob: +39 3203126609
>>> >> mail: francesco.izzi@anonymised.com
>>> >> skype: neofx8080
>>> >>
>>> >> web: http://www.geosdi.org
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Justin Deoliveira
>>> > OpenGeo - http://opengeo.org
>>> > Enterprise support for open source geospatial.
>>> >
>>>
>>>
>>>
>>> --
>>> Francesco Izzi
>>> CNR - IMAA
>>> geoSDI
>>> Direzione Tecnologie e Sviluppo
>>>
>>> C.da S. Loja
>>> 85050 Tito Scalo - POTENZA (PZ)
>>> Italia
>>>
>>> phone: +39 0971427305
>>> fax: +39 0971 427271
>>> mob: +39 3203126609
>>> mail: francesco.izzi@anonymised.com
>>> skype: neofx8080
>>>
>>> web: http://www.geosdi.org
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Better than sec? Nothing is better than sec when it comes to
>>> monitoring Big Data applications. Try Boundary one-second
>>> resolution app monitoring today. Free.
>>> http://p.sf.net/sfu/Boundary-dev2dev
>>> _______________________________________________
>>> Geoserver-devel mailing list
>>> Geoserver-devel@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>>
>
>
>
> --
> Justin Deoliveira
> OpenGeo - http://opengeo.org
> Enterprise support for open source geospatial.
>

--
Francesco Izzi
CNR - IMAA
geoSDI
Direzione Tecnologie e Sviluppo

C.da S. Loja
85050 Tito Scalo - POTENZA (PZ)
Italia

phone: +39 0971427305
fax: +39 0971 427271
mob: +39 3203126609
mail: francesco.izzi@anonymised.com
skype: neofx8080

web: http://www.geosdi.org

--
Francesco Izzi
CNR - IMAA
geoSDI
Direzione Tecnologie e Sviluppo

C.da S. Loja
85050 Tito Scalo - POTENZA (PZ)
Italia

phone: +39 0971427305
fax: +39 0971 427271
mob: +39 3203126609
mail: francesco.izzi@anonymised.com
skype: neofx8080

web: http://www.geosdi.org

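Justin's reply to Francesco's "invalid DN" error (quoted in this thread) makes a point worth spelling out: the user lookup pattern is a template in which {0} stands for the username being logged in, not a fixed DN. That has a security side the thread only touches. A pattern without {0} binds every login as the same account, so the entered username is ignored, and a pattern with {0} splices untrusted input into a DN. The following is an added example written for this page, not GeoServer or Spring code. It substitutes the username the way the thread describes, refuses a pattern with no placeholder (a stricter choice than Justin's "perhaps that is intended"), and escapes the username per RFC 4514 so that input such as admin,ou=people cannot add or alter DN components. Function names and the issue list are this example's own; what GeoServer does with the pattern beyond the substitution is not modelled.

```python
"""Added example (not GeoServer or Spring code): build an LDAP bind DN from a
GeoServer-style user lookup pattern, the way Justin describes it in the
thread, with the checks a practitioner would want around the substitution.
"""
import re

# Characters RFC 4514 allows to be backslash-escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;=')

# Very loose RDN shape: attribute type, "=", a non-empty value.
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def escape_dn_value(value):
    """Escape a raw string so it is exactly one RDN value (RFC 4514 section 2.4).
    Without this, a username like 'admin,ou=people' rewrites the DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")     # a leading '#' would start a hex-encoded value
        elif ch == " " and i in (0, last):
            out.append("\\ ")     # leading/trailing spaces survive only if escaped
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def pattern_issues(pattern):
    """Problems with a user lookup pattern; an empty list means it is usable."""
    issues = []
    if "{0}" not in pattern:
        # Francesco's first config had no placeholder: every login would
        # bind as the same fixed DN and the entered username is ignored.
        issues.append("no {0} placeholder: the entered username is ignored")
    for rdn in pattern.split(","):
        if not _RDN_RE.match(rdn.strip()):
            issues.append("malformed RDN %r" % rdn)
    return issues


def build_user_dn(pattern, username):
    """Fill {0} with the escaped username. Raises on a pattern that
    pattern_issues() rejects (this example's choice, stricter than the thread)."""
    issues = pattern_issues(pattern)
    if issues:
        raise ValueError("; ".join(issues))
    return pattern.replace("{0}", escape_dn_value(username))


if __name__ == "__main__":
    pattern = "uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org"
    print(build_user_dn(pattern, "fizzi"))
    print(build_user_dn(pattern, "admin,ou=people"))
    print(pattern_issues("uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org"))
```

The second call shows the escaping at work: the comma and equals sign in the username stay inside the uid value instead of becoming a second RDN. The third call reports the fixed-DN problem Justin describes, without trying to guess whether it was intended.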
Hi Francesco,

The URL you can enter for an explicit logout is

http://localhost:8080/geoserver/j_spring_security_logout
or
http://localhost:8080/geoserver/j_spring_security_logout/

This should invalidate your http session.

Can you try?

Christian

2012/4/12 Francesco Izzi <francesco.izzi@anonymised.com.2344…>

Yes, I explicitly log out the fizzi user.

This occurs even if the admin user has the same role set as the fizzi user.

The strange thing is that the first user logged in is always the one used.

I will try to find the problem.

Regards,

2012/4/11 Christian Mueller <mcrmcr21@anonymised.com>:

Hi Francesco, can you try to log out fizzi explicitly?

If you can log in with admin, he should have the role "ROLE_AUTHORIZED".

2012/4/10 Francesco Izzi <francesco.izzi@anonymised.com>

Hi Justin,

another issue.

I have 2 users in my LDAP:

admin with no role
and fizzi with the GP_ADMIN role.

I logged in with fizzi and all works.

If I try to log in with the admin user, the effective logged-in user is fizzi.

I logged this:

LOGIN WITH ADMIN

10 apr 17:42:59 INFO [geoserver.security] - org.springframework.security.authentication.UsernamePasswordAuthenticationToken@anonymised.com: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@…2956…: Dn: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org; Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@anonymised.com.2957…: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Not granted any authorities
10 apr 17:42:59 INFO [geoserver.security] - org.springframework.security.authentication.UsernamePasswordAuthenticationToken@anonymised.com: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@…2959…: Dn: uid=fizzi,ou=people,dc=geoserver,dc=geosdi,dc=org; Username: fizzi; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GP_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@anonymised.com.2957…: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Granted Authorities: ROLE_GP_ADMIN

Opinion?

2012/4/10 Justin Deoliveira <jdeolive@anonymised.com>:

Yeah, we should definitely expose the ability to set the role prefix on the
ldap auth provider. Or perhaps drop it altogether.

Francesco, can you open a jira issue for this? Thanks.

-Justin

On Tue, Apr 10, 2012 at 9:51 AM, Christian Mueller <mcrmcr21@anonymised.com> wrote:

Hi Francesco and Justin,

I assume the problem is in the Spring DefaultLdapAuthoritiesPopulator
class; the implementation uses a role prefix "ROLE_". I had the same problem
with the J2EE proxy authenticator, where a J2EE role "admin" was mapped to
"ROLE_admin".
I disabled this prefix logic behind the scenes for the J2EE proxy
authenticator and do not modify the roles.

It would be good to have a common strategy for all authentication providers;
I would prefer not modifying role names provided by an external party.

Christian

2012/4/10 Francesco Izzi <francesco.izzi@anonymised.com>

Hi Justin,

I'm still testing with LDAP.

I noticed that if in my LDAP tree there is a group called
"ROLE_GP_ADMIN", the Granted Authorities of the Auth User is
ROLE_ROLE_GP_ADMIN.

I tried creating a role in my LDAP named GP_ADMIN and all works.

Any opinion?

2012/4/6 Justin Deoliveira <jdeolive@anonymised.com>:

Hi Francesco,

Role assignment with the ldap provider is explained here:

http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment

Basically, the LDAP groups your user is a part of will have to be present in
the role service. So say you are part of an LDAP group named "foo". That is
mapped to the role "ROLE_FOO" when you are authenticated. So "ROLE_FOO" needs
to be defined in the role service as an administrator role if you want to
have full UI admin privileges. Explained here:

http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#map-ldap-groups-to-geoserver-roles

The alternative is to ignore LDAP groups and use a user group service. But
this means having to redefine, in your user group service, the users that
are in your LDAP server. It does give you full control over the role
assignment, though.

On Fri, Apr 6, 2012 at 3:58 AM, Francesco Izzi <francesco.izzi@anonymised.com> wrote:

Hi Justin,

I am also trying to manage LDAP groups.

I set this for group binding:

Group search base
ou=groups

Group search filter
memberUid={0}

The login works but the LDAP user is logged in without any role.

I see in the log:

06 apr 11:54:20 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Principal
06 apr 11:54:20 WARN [authentication.SpringSecurityAuthenticationSource] - No Authentication object set in SecurityContext - returning empty String as Credentials

2012/4/5 Francesco Izzi <francesco.izzi@anonymised.com>:

Yep Justin,

it works!!!

Thanks,

2012/4/5 Justin Deoliveira <jdeolive@anonymised.com>:

Hi Francesco,

It is a bit weird but the root domain components are actually specified as
part of the server url... so try the following instead:

url: ldap://150.145.133.83/dc=geoserver,dc=geosdi,dc=org

Also, the user lookup is a template for a lookup, and generally not a fixed
user... but I guess it could be. The idea is to specify this:

user: uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org

Where {0} is replaced with the username being logged in. The above would
ignore the username specified and always log in as admin... perhaps that is
intended.

Also, there is a tutorial here that might be worth going through.

http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html

Hope that helps, let me know how it goes.

-Justin

On Thu, Apr 5, 2012 at 7:02 AM, Francesco Izzi <francesco.izzi@anonymised.com> wrote:

Hi Justin,

I see your work, I'm very impressed.

I tried to configure an LDAP provider but I always get:

javax.naming.InvalidNameException: [LDAP: error code 34 - invalid DN]

my configuration parameters:

name: ldap-geosdi
url: ldap://150.145.133.83/
user lookup pattern: dc=geoserver,dc=geosdi,dc=org

user: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org
pass: myPass

the stack trace:

org.apache.wicket.util.io.SerializableChecker$WicketNotSerializableException: Unable to serialize class: com.sun.jndi.ldap.LdapCtx
Field hierarchy is:
  3 [class=org.geoserver.security.web.SecurityNamedServiceNewPage, path=3]
    private java.lang.Object org.apache.wicket.MarkupContainer.children [class=[Ljava.lang.Object;]
      protected org.apache.wicket.util.collections.MiniMap org.apache.wicket.markup.html.link.BookmarkablePageLink.parameters[8] [class=org.apache.wicket.markup.html.panel.FeedbackPanel, path=3:feedback]
        private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.panel.FeedbackPanel$1, path=3:feedback:feedbackul]
          private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView, path=3:feedback:feedbackul:messages]
            private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.list.ListItem, path=3:feedback:feedbackul:messages:0]
              java.lang.Object org.apache.wicket.Component.data [class=[Ljava.lang.Object;]
                java.lang.Object org.apache.wicket.Component.data[0][1] [class=org.apache.wicket.AttributeModifier]
                  private final org.apache.wicket.model.IModel org.apache.wicket.AttributeModifier.replaceModel [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1]
                    final org.apache.wicket.feedback.FeedbackMessage org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1.val$message [class=org.apache.wicket.feedback.FeedbackMessage]
                      private final java.io.Serializable org.apache.wicket.feedback.FeedbackMessage.message [class=javax.naming.InvalidNameException]
                        protected java.lang.Object javax.naming.NamingException.resolvedObj [class=com.sun.jndi.ldap.LdapCtx] <----- field that is not serializable
    at org.apache.wicket.util.io.SerializableChecker.check(SerializableChecker.java:346)

Suggestion?

Regards,

2012/4/4 Justin Deoliveira <jdeolive@anonymised.com>:

Ok, build should be back to normal now. Thanks for the patience everyone.

On Wed, Apr 4, 2012 at 2:51 AM, Justin Deoliveira <jdeolive@anonymised.com> wrote:

OK... good news, I found the leak. It was a matter of making sure the wicket
tester instance is destroyed in test tear down. Bad news is the build is
still failing because of some issues in the jdbc security module. Those
tests aren't actually supposed to be running; I put them in a profile so they
are only run explicitly. Again... I will have to pick this up tomorrow. And
again... apologies for the inconvenience.

On Wed, Apr 4, 2012 at 8:26 AM, Justin Deoliveira <jdeolive@anonymised.com> wrote:

Hi all,

The security work has been committed. The settings on the build server
(256M of heap for tests) have brought out a memory leak. I run with 512m
locally (the default defined in the root pom) so I didn't see this before. I
spent a while looking for the leak tonight but haven't come up with anything
yet. I will have to pick this back up tomorrow; it will be my top priority.

For now I have upped the test heap on the server to 512m as a temporary
measure to try and get the build back. Hopefully that fixes it.

Again, I will pick this back up first thing tomorrow. I apologize for the
inconvenience.

-Justin


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Francesco Izzi
CNR - IMAA
geoSDI
Direzione Tecnologie e Sviluppo

C.da S. Loja
85050 Tito Scalo - POTENZA (PZ)
Italia

phone: +39 0971427305
fax: +39 0971 427271
mob: +39 3203126609
mail: francesco.izzi@anonymised.com
skype: neofx8080

web: http://www.geosdi.org


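Christian's diagnosis (Spring's DefaultLdapAuthoritiesPopulator upper-cases each group name and prepends ROLE_, so a group already called ROLE_GP_ADMIN comes out as ROLE_ROLE_GP_ADMIN) and Justin's note that the resulting role must exist in the role service can be reproduced without an LDAP server. The block below is an added example written for this page, not GeoServer or Spring code: spring_default_authority imitates the populator's default behaviour as the thread reports it, prefix_once is one shape the change Justin proposes could take (a configurable prefix that is never applied twice; prefix="" with upper=False is Christian's "do not modify the roles"), and map_groups shows which groups end up as authorities the role service has never heard of. Function names and the sample role-service contents are this example's own.

```python
"""Added example (not GeoServer or Spring code): how LDAP group names become
roles, reproducing the mapping the thread describes so the ROLE_ROLE_GP_ADMIN
effect and the role-service mismatch can be seen on paper.
"""


def spring_default_authority(group, prefix="ROLE_", upper=True):
    """Default DefaultLdapAuthoritiesPopulator behaviour as reported in the
    thread: upper-case the group name and prepend the prefix unconditionally.
    A group already named ROLE_GP_ADMIN therefore becomes ROLE_ROLE_GP_ADMIN."""
    name = group.upper() if upper else group
    return prefix + name


def prefix_once(group, prefix="ROLE_", upper=True):
    """Alternative: apply the prefix only when the name does not already carry
    it. With prefix="" and upper=False the external role name passes through
    unchanged, which is what Christian does for the J2EE proxy authenticator."""
    name = group.upper() if upper else group
    return name if name.startswith(prefix) else prefix + name


def map_groups(groups, role_service_roles, mapper=spring_default_authority):
    """Map LDAP groups to authorities and split them into roles the role
    service defines (granted) and roles it does not (silently useless)."""
    granted, unknown = [], []
    for group in groups:
        role = mapper(group)
        (granted if role in role_service_roles else unknown).append(role)
    return granted, unknown


if __name__ == "__main__":
    # Constructed role service contents for the demonstration.
    role_service = {"ROLE_ADMINISTRATOR", "ROLE_GP_ADMIN"}
    ldap_groups = ["ROLE_GP_ADMIN", "foo"]
    for mapper in (spring_default_authority, prefix_once):
        print(mapper.__name__, map_groups(ldap_groups, role_service, mapper))
```

With the default mapper the ROLE_GP_ADMIN group lands in the "unknown" list, which is exactly the "logged in without any role" outcome Francesco saw until he renamed the group to GP_ADMIN. Spring's populator does expose setRolePrefix and setConvertToUpperCase; exposing the prefix on the GeoServer provider, as Justin suggests, amounts to surfacing those two settings.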
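Francesco's two log lines carry the whole symptom: two UsernamePasswordAuthenticationTokens with different principals (uid=admin and uid=fizzi) but the same SessionId qfsj4ceu9ffd, and the admin token authenticated with no granted authorities. Whatever the root cause in the provider turns out to be, that pattern is detectable from the log alone, which is useful when checking whether Christian's explicit logout actually invalidated the session. The following is an added example written for this page, not GeoServer code: a parser for the token dump format shown above and two checks, one for a session id seen with more than one principal, one for authenticated users who were granted nothing. SAMPLE_LOG is the thread's two entries trimmed (class names shortened, object hashes dropped); the regexes, field names and function names are this example's own.

```python
"""Added example (not GeoServer code): spot two principals sharing one HTTP
session, and authenticated users with no roles, in GeoServer security log
token dumps like the ones posted in the thread.
"""
import re
from collections import defaultdict

# Sample input: the two token dumps from the thread, trimmed (shortened class
# names, object hashes removed). Field order and values are as logged.
SAMPLE_LOG = """\
10 apr 17:42:59 INFO [geoserver.security] - UsernamePasswordAuthenticationToken: Principal: LdapUserDetailsImpl: Dn: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org; Username: admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details: GeoServerWebAuthenticationDetails: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Not granted any authorities
10 apr 17:42:59 INFO [geoserver.security] - UsernamePasswordAuthenticationToken: Principal: LdapUserDetailsImpl: Dn: uid=fizzi,ou=people,dc=geoserver,dc=geosdi,dc=org; Username: fizzi; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_GP_ADMIN; Credentials: [PROTECTED]; Authenticated: true; Details: GeoServerWebAuthenticationDetails: RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Granted Authorities: ROLE_GP_ADMIN
"""

# One token dump: Dn and Username come first, SessionId follows later in the
# Details part. The non-greedy middle keeps one match from spanning two dumps.
TOKEN_RE = re.compile(
    r"Dn: (?P<dn>[^;]+); Username: (?P<user>[^;]+);"
    r"(?P<rest>.*?)SessionId: (?P<sid>[^;]+);",
    re.S,
)
AUTH_RE = re.compile(r"Granted Authorities: (?P<auth>[^;]*);")
AUTHENTICATED_RE = re.compile(r"Authenticated: (?P<flag>true|false);")


def parse_tokens(log_text):
    """Return one dict per authentication token dump found in the log."""
    tokens = []
    for m in TOKEN_RE.finditer(log_text):
        rest = m.group("rest")
        auth = AUTH_RE.search(rest)
        flag = AUTHENTICATED_RE.search(rest)
        tokens.append({
            "dn": m.group("dn").strip(),
            "user": m.group("user").strip(),
            "session": m.group("sid").strip(),
            "authorities": [a.strip() for a in auth.group("auth").split(",")
                            if a.strip()] if auth else [],
            "authenticated": bool(flag) and flag.group("flag") == "true",
        })
    return tokens


def sessions_with_multiple_principals(tokens):
    """Session ids authenticated as more than one distinct user. A login is
    expected to rotate or invalidate the session, so one id carrying two
    principals is the symptom Christian's explicit-logout advice targets."""
    users_by_session = defaultdict(set)
    for t in tokens:
        users_by_session[t["session"]].add(t["user"])
    return {sid: users for sid, users in users_by_session.items() if len(users) > 1}


def authenticated_without_authorities(tokens):
    """Users whose token is authenticated but carries no granted authority,
    i.e. an LDAP account that maps to no role in the role service."""
    return sorted({t["user"] for t in tokens
                   if t["authenticated"] and not t["authorities"]})


if __name__ == "__main__":
    toks = parse_tokens(SAMPLE_LOG)
    for sid, users in sessions_with_multiple_principals(toks).items():
        print("session %s seen as %s" % (sid, ", ".join(sorted(users))))
    print("authenticated with no roles:", authenticated_without_authorities(toks))
```

Run against the thread's two entries the first check reports qfsj4ceu9ffd for both admin and fizzi, and the second reports admin. The same two checks run unchanged over a real log file once the entries are read into log_text.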

Yep,

I tried but the same issue happens.

Here is the stack:

http://pastebin.com/JPwcswE6

2012/4/12 Christian Mueller <mcrmcr21@anonymised.com>:

Hi Francesco,

The URL you can enter for an explicit logout is

http://localhost:8080/geoserver/j_spring_security_logout
or
http://localhost:8080/geoserver/j_spring_security_logout/

This should invalidate your http session.

Can you try?

Christian

2012/4/12 Francesco Izzi <francesco.izzi@anonymised.com>

Yes, I explicitly log out the fizzi user.

This occurs even if the admin user has the same role set as the fizzi user.

The strange thing is that the first user logged in is always the one used.

I will try to find the problem.

Regards,

2012/4/11 Christian Mueller <mcrmcr21@anonymised.com>:
> Hi Francesco, can you try to logout fizzy explicitly ?
>
> If you can login with admin, he should have the role "ROLE_AUTHORIZED"
>
>
> 2012/4/10 Francesco Izzi <francesco.izzi@anonymised.com>
>>
>> Hi Justin,
>>
>> another issue.
>>
>> I have 2 user in my ldap.
>>
>> admin with no role
>> and fizzi with GP_ADMIN role.
>>
>> I logged in with fizzi and all works.
>>
>> if i try to login with admin user the effective user logged is fizzi.
>>
>> I log this...
>>
>> LOGIN WITH ADMIN
>>
>> 10 apr 17:42:59 INFO [geoserver.security] -
>>
>>
>> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@anonymised.com:
>> Principal:
>>
>> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@anonymised.com2956...:
>> Dn: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org; Username:
>> admin; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
>> CredentialsNonExpired: true; AccountNonLocked: true; Granted
>> Authorities: ; Credentials: [PROTECTED]; Authenticated: true; Details:
>>
>> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@anonymised.com57...:
>> RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Not
>> granted any authorities
>> 10 apr 17:42:59 INFO [geoserver.security] -
>>
>>
>> org.springframework.security.authentication.UsernamePasswordAuthenticationToken@anonymised.com:
>> Principal:
>>
>> org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@anonymised.com2959...:
>> Dn: uid=fizzi,ou=people,dc=geoserver,dc=geosdi,dc=org; Username:
>> fizzi; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
>> CredentialsNonExpired: true; AccountNonLocked: true; Granted
>> Authorities: ROLE_GP_ADMIN; Credentials: [PROTECTED]; Authenticated:
>> true; Details:
>>
>> org.geoserver.security.filter.GeoServerWebAuthenticationDetails@anonymised.com57...:
>> RemoteIpAddress: 0:0:0:0:0:0:0:1%0; SessionId: qfsj4ceu9ffd; Granted
>> Authorities: ROLE_GP_ADMIN
>>
>> Opinion?
>>
>>
>>
>> 2012/4/10 Justin Deoliveira <jdeolive@anonymised.com>:
>> > Yeah, we should definitely expose the ability to set the role prefix
>> > on
>> > the
>> > ldap auth provider. Or perhaps to drop it all together.
>> >
>> > Francesco, can you open a jira issue for this? Thanks.
>> >
>> > -Justin
>> >
>> >
>> > On Tue, Apr 10, 2012 at 9:51 AM, Christian Mueller
>> > <mcrmcr21@anonymised.com>
>> > wrote:
>> >>
>> >>
>> >> Hi, Francesco and Justin
>> >>
>> >> I assume the problem is in the Spring
>> >> DefaultLdapAuthoritiesPopulator
>> >> class, the implementation uses a role prefix "ROLE_". I had the same
>> >> problem
>> >> with the J2EE proxy authenticator, a J2EE role "admin" was mapped to
>> >> "ROLE_admin".
>> >> I disabled this prefix logic behind the scenes for the J2EE proxy
>> >> authenticator and do not modify the roles.
>> >>
>> >> Would be good to have a common strategy for all authentication
>> >> providers,
>> >> I would prefer not modifying role names provided by an external
>> >> party.
>> >>
>> >> Christian
>> >>
>> >>
>> >>
>> >> 2012/4/10 Francesco Izzi <francesco.izzi@anonymised.com>
>> >>>
>> >>> Hi Justin,
>> >>>
>> >>> I'm still testing with ldap,
>> >>>
>> >>> I noticed that if in my ldap tree there is a group called
>> >>> "ROLE_GP_ADMIN" the Granted Authorities of Auth User: is
>> >>> ROLE_ROLE_GP_ADMIN.
>> >>>
>> >>> I try to create a role in my ldap named GP_ADMIN and all works.
>> >>>
>> >>> Any opinion ?
>> >>>
>> >>> 2012/4/6 Justin Deoliveira <jdeolive@anonymised.com>:
>> >>> > Hi Francesco,
>> >>> >
>> >>> > Role assignment with the ldap provider is explained here:
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > http://docs.geoserver.org/latest/en/user/security/auth/providers.html#role-assignment
>> >>> >
>> >>> > Basically, for those groups in ldap your user is a part of will
>> >>> > have
>> >>> > to
>> >>> > present in the role service. So say you are part of an ldap group
>> >>> > named
>> >>> > "foo". That is mapped to the role "ROLE_FOO" when you are
>> >>> > authenticated. So
>> >>> > "ROLE_FOO" needs to be defined in the role service as an
>> >>> > administrator
>> >>> > role
>> >>> > if you want to have full ui admin privileges. Explained here:
>> >>> >
>> >>> >
>> >>> >
>> >>> >
>> >>> > http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html#map-ldap-groups-to-geoserver-roles
>> >>> >
>> >>> > The alternative is to ignore ldap groups and use a user group
>> >>> > service.
>> >>> > But
>> >>> > this means having to redefine users in your user group service
>> >>> > that
>> >>> > are
>> >>> > in
>> >>> > your ldap server. But it gives you full control over the role
>> >>> > assignment.
>> >>> >
>> >>> > On Fri, Apr 6, 2012 at 3:58 AM, Francesco Izzi
>> >>> > <francesco.izzi@anonymised.com>
>> >>> > wrote:
>> >>> >>
>> >>> >> Hi Justin,
>> >>> >>
>> >>> >> i try to manage also ldap group.
>> >>> >>
>> >>> >> I set this for group binding:
>> >>> >>
>> >>> >> Group search base
>> >>> >> ou=groups
>> >>> >>
>> >>> >> Group search filter
>> >>> >> memberUid={0}
>> >>> >>
>> >>> >> The login working but the ldap user logged without any role.
>> >>> >>
>> >>> >> I see in the log:
>> >>> >>
>> >>> >> 06 apr 11:54:20 WARN
>> >>> >> [authentication.SpringSecurityAuthenticationSource] - No
>> >>> >> Authentication object set in SecurityContext - returning empty
>> >>> >> String
>> >>> >> as Principal
>> >>> >> 06 apr 11:54:20 WARN
>> >>> >> [authentication.SpringSecurityAuthenticationSource] - No
>> >>> >> Authentication object set in SecurityContext - returning empty
>> >>> >> String
>> >>> >> as Credentials
>> >>> >>
>> >>> >>
>> >>> >>
>> >>> >> 2012/4/5 Francesco Izzi <francesco.izzi@anonymised.com>:
>> >>> >> > Yep Justin,
>> >>> >> >
>> >>> >> > works !!!
>> >>> >> >
>> >>> >> >
>> >>> >> > Thanks,
>> >>> >> >
>> >>> >> > 2012/4/5 Justin Deoliveira <jdeolive@anonymised.com>:
>> >>> >> >> Hi Francesco,
>> >>> >> >>
>> >>> >> >> It is a bit weird but the root domain components are actually
>> >>> >> >> specified
>> >>> >> >> as
>> >>> >> >> part of the server url... so try the following instead:
>> >>> >> >>
>> >>> >> >> url: ldap://150.145.133.83/dc=geoserver,dc=geosdi,dc=org
>> >>> >> >>
>> >>> >> >> Also, the user lookup is a template for a lookup, and
>> >>> >> >> generally
>> >>> >> >> not
>> >>> >> >> a
>> >>> >> >> fixed
>> >>> >> >> user... but i guess it could be. The idea is to specify this:
>> >>> >> >>
>> >>> >> >> user: uid={0},ou=people,dc=geoserver,dc=geosdi,dc=org
>> >>> >> >>
>> >>> >> >> Where {0} is replaced with the username being logged in. The
>> >>> >> >> abobe
>> >>> >> >> would
>> >>> >> >> ignore the username specified and always log in as admin...
>> >>> >> >> perhaps
>> >>> >> >> that is
>> >>> >> >> intended.
>> >>> >> >>
>> >>> >> >> Also, there is a tutorial here that might be worth going
>> >>> >> >> through.
>> >>> >> >>
>> >>> >> >>
>> >>> >> >>
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html
>> >>> >> >>
>> >>> >> >> Hope that helps, let me know how it goes.
>> >>> >> >>
>> >>> >> >> -Justin
>> >>> >> >>
>> >>> >> >>
>> >>> >> >> On Thu, Apr 5, 2012 at 7:02 AM, Francesco Izzi
>> >>> >> >> <francesco.izzi@anonymised.com>
>> >>> >> >> wrote:
>> >>> >> >>>
>> >>> >> >>> Hi Justing,
>> >>> >> >>>
>> >>> >> >>> i see your work, very impressed.
>> >>> >> >>>
>> >>> >> >>> I try to configure an ldap provider but i have always :
>> >>> >> >>>
>> >>> >> >>> javax.naming.InvalidNameException: [LDAP: error code 34 -
>> >>> >> >>> invalid
>> >>> >> >>> DN]
>> >>> >> >>>
>> >>> >> >>> my configuration parameter:
>> >>> >> >>>
>> >>> >> >>> name: ldap-geosdi
>> >>> >> >>> url: ldap://150.145.133.83/
>> >>> >> >>> user lookup pattern: dc=geoserver,dc=geosdi,dc=org
>> >>> >> >>>
>> >>> >> >>> user: uid=admin,ou=people,dc=geoserver,dc=geosdi,dc=org
>> >>> >> >>> pass: myPass
>> >>> >> >>>
>> >>> >> >>> the stack trace:
>> >>> >> >>>
>> >>> >> >>> org.apache.wicket.util.io.SerializableChecker$WicketNotSerializableException: Unable to serialize class: com.sun.jndi.ldap.LdapCtx
>> >>> >> >>> Field hierarchy is:
>> >>> >> >>> 3 [class=org.geoserver.security.web.SecurityNamedServiceNewPage, path=3]
>> >>> >> >>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=[Ljava.lang.Object;]
>> >>> >> >>> protected org.apache.wicket.util.collections.MiniMap org.apache.wicket.markup.html.link.BookmarkablePageLink.parameters[8] [class=org.apache.wicket.markup.html.panel.FeedbackPanel, path=3:feedback]
>> >>> >> >>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.panel.FeedbackPanel$1, path=3:feedback:feedbackul]
>> >>> >> >>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView, path=3:feedback:feedbackul:messages]
>> >>> >> >>> private java.lang.Object org.apache.wicket.MarkupContainer.children [class=org.apache.wicket.markup.html.list.ListItem, path=3:feedback:feedbackul:messages:0]
>> >>> >> >>> java.lang.Object org.apache.wicket.Component.data [class=[Ljava.lang.Object;]
>> >>> >> >>> java.lang.Object org.apache.wicket.Component.data[0][1] [class=org.apache.wicket.AttributeModifier]
>> >>> >> >>> private final org.apache.wicket.model.IModel org.apache.wicket.AttributeModifier.replaceModel [class=org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1]
>> >>> >> >>> final org.apache.wicket.feedback.FeedbackMessage org.apache.wicket.markup.html.panel.FeedbackPanel$MessageListView$1.val$message [class=org.apache.wicket.feedback.FeedbackMessage]
>> >>> >> >>> private final java.io.Serializable org.apache.wicket.feedback.FeedbackMessage.message [class=javax.naming.InvalidNameException]
>> >>> >> >>> protected java.lang.Object javax.naming.NamingException.resolvedObj [class=com.sun.jndi.ldap.LdapCtx] <----- field that is not serializable
>> >>> >> >>> at org.apache.wicket.util.io.SerializableChecker.check(SerializableChecker.java:346)
>> >>> >> >>>
>> >>> >> >>> Suggestion?
>> >>> >> >>>
>> >>> >> >>>
>> >>> >> >>> Regards,
>> >>> >> >>>
>> >>> >> >>> 2012/4/4 Justin Deoliveira <jdeolive@anonymised.com>:
>> >>> >> >>> > Ok, build should be back to normal now. Thanks for the
>> >>> >> >>> > patience
>> >>> >> >>> > everyone.
>> >>> >> >>> --
>> >>> >> >>> Francesco Izzi
>> >>> >> >>> CNR - IMAA
>> >>> >> >>> geoSDI
>> >>> >> >>> Direzione Tecnologie e Sviluppo
>> >>> >> >>>
>> >>> >> >>> C.da S. Loja
>> >>> >> >>> 85050 Tito Scalo - POTENZA (PZ)
>> >>> >> >>> Italia
>> >>> >> >>>
>> >>> >> >>> phone: +39 0971427305
>> >>> >> >>> fax: +39 0971 427271
>> >>> >> >>> mob: +39 3203126609
>> >>> >> >>> mail: francesco.izzi@anonymised.com
>> >>> >> >>> skype: neofx8080
>> >>> >> >>>
>> >>> >> >>> web: http://www.geosdi.org