[Geoserver-devel] User based flow control and authentication

Hi,
currently the “user” based flow control works by setting cookies to
identify the caller, which I believe works pretty much only against browsers
accepting cookies.

However sometimes we do have the actual user logging in, in that case
I believe we should use that to drive the limits instead of a cookie.

However… how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I’ve for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Cheers
Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


Hi Andrea

···

On Wed, Oct 22, 2014 at 12:51 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi,
currently the “user” based flow control works by setting cookies to
identify the caller, which I believe works pretty much only against browsers
accepting cookies.

Yes without comment :slight_smile:

However sometimes we do have the actual user logging in, in that case
I believe we should use that to drive the limits instead of a cookie.

However… how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I’ve for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Not sure how to understand. Does GeoNeode extend the Geoserver code ?. I do not know Geonode but how is the class
AnonymousGeoNodeAuthenticationToken injected into GeoServer ?

Cheers
Andrea

Cheers
Christian

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.



Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho


Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

However sometimes we do have the actual user logging in, in that case

I believe we should use that to drive the limits instead of a cookie.

However... how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I've for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Not sure how to understand. Does GeoNeode extend the Geoserver code ?. I
do not know Geonode but how is the class
AnonymousGeoNodeAuthenticationToken injected into GeoServer ?

Here: https://github.com/GeoNode/geoserver-geonode-ext
It seems to be they are implementing the standard authentication java
interfaces
to have GeoServer use GeoNode as the user and authentication source:
https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

Strange

Looking at
https://github.com/GeoNode/geoserver-geonode-ext/blob/master/src/main/java/org/geonode/security/AnonymousGeoNodeAuthenticationToken.java

I am asking me two questions

  1. Credentials for an anonymous user ?
  2. An individual user name for an anonymous user ?

We solve the problem with
GeoServerUser.createAnonymous()

At a minimum I think they should use

org.springframework.security.authentication.AnonymousAuthenticationToken

and we can check with

SecurityContextHolder.getContext().getAuthentication()

Just my 2 cents

···

On Wed, Oct 22, 2014 at 2:14 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Here: https://github.com/GeoNode/geoserver-geonode-ext
It seems to be they are implementing the standard authentication java interfaces
to have GeoServer use GeoNode as the user and authentication source:
https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security

Cheers

Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


However sometimes we do have the actual user logging in, in that case

I believe we should use that to drive the limits instead of a cookie.

However… how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I’ve for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Not sure how to understand. Does GeoNeode extend the Geoserver code ?. I do not know Geonode but how is the class
AnonymousGeoNodeAuthenticationToken injected into GeoServer ?

Hi Christian,
your comment makes me think GeoNode should rethink the way they handle
user authentication.

Regardless, what about my question? How to best check if the user is the anonymous one?

Cheers
Andrea

···

On Wed, Oct 22, 2014 at 2:45 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Strange

Looking at
https://github.com/GeoNode/geoserver-geonode-ext/blob/master/src/main/java/org/geonode/security/AnonymousGeoNodeAuthenticationToken.java

I am asking me two questions

  1. Credentials for an anonymous user ?
  2. An individual user name for an anonymous user ?

We solve the problem with
GeoServerUser.createAnonymous()

At a minimum I think they should use

org.springframework.security.authentication.AnonymousAuthenticationToken

and we can check with

SecurityContextHolder.getContext().getAuthentication()

Just my 2 cents

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


On Wed, Oct 22, 2014 at 2:14 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Here: https://github.com/GeoNode/geoserver-geonode-ext
It seems to be they are implementing the standard authentication java interfaces
to have GeoServer use GeoNode as the user and authentication source:
https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security

Cheers

Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


However sometimes we do have the actual user logging in, in that case

I believe we should use that to drive the limits instead of a cookie.

However… how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I’ve for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Not sure how to understand. Does GeoNeode extend the Geoserver code ?. I do not know Geonode but how is the class
AnonymousGeoNodeAuthenticationToken injected into GeoServer ?

Hi Andrea

I cannot investigate at the moment but I would try with

SecurityContextHolder.getContext().getAuthentication instanceof or.springframework.security.authentication.AnonymousAuthenticationToken.

If you have problems let me know, I can spend some time tomorrow.

Cheers
Christian


···

On Wed, Oct 22, 2014 at 2:52 PM, Andrea Aime <andrea.aime@anonymised.com68…> wrote:

Hi Christian,
your comment makes me think GeoNode should rethink the way they handle
user authentication.

Regardless, what about my question? How to best check if the user is the anonymous one?

Cheers

Andrea

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 22, 2014 at 2:45 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Strange

Looking at
https://github.com/GeoNode/geoserver-geonode-ext/blob/master/src/main/java/org/geonode/security/AnonymousGeoNodeAuthenticationToken.java

I am asking me two questions

  1. Credentials for an anonymous user ?
  2. An individual user name for an anonymous user ?

We solve the problem with
GeoServerUser.createAnonymous()

At a minimum I think they should use

org.springframework.security.authentication.AnonymousAuthenticationToken

and we can check with

SecurityContextHolder.getContext().getAuthentication()

Just my 2 cents

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


On Wed, Oct 22, 2014 at 2:14 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Here: https://github.com/GeoNode/geoserver-geonode-ext
It seems to be they are implementing the standard authentication java interfaces
to have GeoServer use GeoNode as the user and authentication source:
https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security

Cheers

Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


However sometimes we do have the actual user logging in, in that case

I believe we should use that to drive the limits instead of a cookie.

However… how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I’ve for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Not sure how to understand. Does GeoNeode extend the Geoserver code ?. I do not know Geonode but how is the class
AnonymousGeoNodeAuthenticationToken injected into GeoServer ?

FWIW, I think the reason the AnonymousGeoNodeAuthenticationToken is extending UsernamePasswordAuthenticationToken is to hold the cookie value that ties the anonymous user to a Django session.

It seems like this could be done differently for sure, especially to play well with the proposed functionality or other security aspects that would (logically) expect an instanceof AnonymousAuthenticationToken check to work.

Thanks for pointing this out :slight_smile:

···

On Wed, Oct 22, 2014 at 6:52 AM, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi Christian,
your comment makes me think GeoNode should rethink the way they handle
user authentication.

Regardless, what about my question? How to best check if the user is the anonymous one?

Cheers

Andrea


Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho


Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Ian Schneider
Software Engineer | Boundless
ischneider@anonymised.com
1-877-673-6436

@boundlessgeo

On Wed, Oct 22, 2014 at 2:45 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Strange

Looking at
https://github.com/GeoNode/geoserver-geonode-ext/blob/master/src/main/java/org/geonode/security/AnonymousGeoNodeAuthenticationToken.java

I am asking me two questions

  1. Credentials for an anonymous user ?
  2. An individual user name for an anonymous user ?

We solve the problem with
GeoServerUser.createAnonymous()

At a minimum I think they should use

org.springframework.security.authentication.AnonymousAuthenticationToken

and we can check with

SecurityContextHolder.getContext().getAuthentication()

Just my 2 cents

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


On Wed, Oct 22, 2014 at 2:14 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <christian.mueller@anonymised.com.> wrote:

Here: https://github.com/GeoNode/geoserver-geonode-ext
It seems to be they are implementing the standard authentication java interfaces
to have GeoServer use GeoNode as the user and authentication source:
https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security

Cheers

Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


However sometimes we do have the actual user logging in, in that case

I believe we should use that to drive the limits instead of a cookie.

However… how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I’ve for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Not sure how to understand. Does GeoNeode extend the Geoserver code ?. I do not know Geonode but how is the class
AnonymousGeoNodeAuthenticationToken injected into GeoServer ?

Hi all

I think it would be the best to add a method to the GeoServerSecurityManager to check if there is an anonymous authentication.

We already have such a method for checking administrative privileges

public boolean checkAuthenticationForAdminRole()

I think something like

public boolen isAuthenticatedAnonymous()

would be fine.

Cheers
Christian

···

On Wed, Oct 22, 2014 at 5:37 PM, Ian Schneider <ischneider@anonymised.com> wrote:

FWIW, I think the reason the AnonymousGeoNodeAuthenticationToken is extending UsernamePasswordAuthenticationToken is to hold the cookie value that ties the anonymous user to a Django session.

It seems like this could be done differently for sure, especially to play well with the proposed functionality or other security aspects that would (logically) expect an instanceof AnonymousAuthenticationToken check to work.

Thanks for pointing this out :slight_smile:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 22, 2014 at 6:52 AM, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi Christian,
your comment makes me think GeoNode should rethink the way they handle
user authentication.

Regardless, what about my question? How to best check if the user is the anonymous one?

Cheers

Andrea


Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Ian Schneider
Software Engineer | Boundless
ischneider@anonymised.com
1-877-673-6436

@boundlessgeo

On Wed, Oct 22, 2014 at 2:45 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Strange

Looking at
https://github.com/GeoNode/geoserver-geonode-ext/blob/master/src/main/java/org/geonode/security/AnonymousGeoNodeAuthenticationToken.java

I am asking me two questions

  1. Credentials for an anonymous user ?
  2. An individual user name for an anonymous user ?

We solve the problem with
GeoServerUser.createAnonymous()

At a minimum I think they should use

org.springframework.security.authentication.AnonymousAuthenticationToken

and we can check with

SecurityContextHolder.getContext().getAuthentication()

Just my 2 cents

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


On Wed, Oct 22, 2014 at 2:14 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <christian.mueller@anonymised.com> wrote:

Here: https://github.com/GeoNode/geoserver-geonode-ext
It seems to be they are implementing the standard authentication java interfaces
to have GeoServer use GeoNode as the user and authentication source:
https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security

Cheers

Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


However sometimes we do have the actual user logging in, in that case

I believe we should use that to drive the limits instead of a cookie.

However… how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I’ve for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Not sure how to understand. Does GeoNeode extend the Geoserver code ?. I do not know Geonode but how is the class
AnonymousGeoNodeAuthenticationToken injected into GeoServer ?

On Thu, Oct 23, 2014 at 12:19 AM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

Hi all

I think it would be the best to add a method to the
GeoServerSecurityManager to check if there is an anonymous authentication.

We already have such a method for checking administrative privileges

public boolean checkAuthenticationForAdminRole()

I think something like

public boolen isAuthenticatedAnonymous()

would be fine.

+1. Although being the consistent naming nanny can we call it something
like "checkAuthenticationForAnonymous()"? :slight_smile:

Cheers
Christian

On Wed, Oct 22, 2014 at 5:37 PM, Ian Schneider <
ischneider@anonymised.com> wrote:

FWIW, I _think_ the reason the AnonymousGeoNodeAuthenticationToken is
extending UsernamePasswordAuthenticationToken is to hold the cookie value
that ties the anonymous user to a Django session.

It seems like this could be done differently for sure, especially to play
well with the proposed functionality or other security aspects that would
(logically) expect an instanceof AnonymousAuthenticationToken check to
work.

Thanks for pointing this out :slight_smile:

On Wed, Oct 22, 2014 at 6:52 AM, Andrea Aime <
andrea.aime@anonymised.com> wrote:

Hi Christian,
your comment makes me think GeoNode should rethink the way they handle
user authentication.

Regardless, what about my question? How to best check if the user is the
anonymous one?

Cheers
Andrea

On Wed, Oct 22, 2014 at 2:45 PM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

Strange

Looking at

https://github.com/GeoNode/geoserver-geonode-ext/blob/master/src/main/java/org/geonode/security/AnonymousGeoNodeAuthenticationToken.java

I am asking me two questions

1) Credentials for an anonymous user ?
2) An individual user name for an anonymous user ?

We solve the problem with
GeoServerUser.createAnonymous()

At a minimum I think they should use

org.springframework.security.authentication.AnonymousAuthenticationToken

and we can check with

SecurityContextHolder.getContext().getAuthentication()

Just my 2 cents

On Wed, Oct 22, 2014 at 2:14 PM, Andrea Aime <
andrea.aime@anonymised.com> wrote:

On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

However sometimes we do have the actual user logging in, in that case

I believe we should use that to drive the limits instead of a cookie.

However... how does one know if the user is the anonymous one?
Just checking if the authentication is a AnonymousAuthenticationToken
seems a bit weak, I've for example noticed that GeoNode has
its own AnonymousGeoNodeAuthenticationToken which is, for some
strange reason, a subclass of UsernamePasswordAuthenticationToken

Not sure how to understand. Does GeoNeode extend the Geoserver code
?. I do not know Geonode but how is the class
AnonymousGeoNodeAuthenticationToken injected into GeoServer ?

Here: https://github.com/GeoNode/geoserver-geonode-ext
It seems to be they are implementing the standard authentication java
interfaces
to have GeoServer use GeoNode as the user and authentication source:

https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be confidential
or proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be confidential
or proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

------------------------------------------------------------------------------
Comprehensive Server Monitoring with Site24x7.
Monitor 10 servers for $9/Month.
Get alerted through email, SMS, voice calls or mobile push notifications.
Take corrective actions from your mobile device.
http://p.sf.net/sfu/Zoho
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Ian Schneider
Software Engineer | Boundless <http://boundlessgeo.com>
ischneider@anonymised.com
1-877-673-6436
@boundlessgeo <http://twitter.com/boundlessgeo/&gt;

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

------------------------------------------------------------------------------

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Justin Deoliveira
VP Engineering | Boundless <http://boundlessgeo.com/&gt;
jdeolive@anonymised.com
@boundlessgeo <http://twitter.com/boundlessgeo/&gt;