[Geoserver-devel] What source code controls layer access based on user roles?

Hi! In my testing it appears that a user need only be in one of the roles assigned to a layer in order to be granted access to the layer. This appears to be nominal behavior based on the current documentation: https://docs.geoserver.org/stable/en/user/security/layer.html : "If a user belongs to multiple roles, the least restrictive permission they inherit will apply."

I would like to try a test and change the code to require the user to have all of the roles on the layer instead of just one of them. I would very much appreciate it if someone can help me identify the code that is responsible for this. I’m not familiar with the code base so I was just looking through and found a couple things that look promising but I’m not sure if these control layer access or not.

Things I came across and suspect are relevant (but not sure):
- SecureTreeNode.java : public boolean canAccess(Authentication user, AccessMode mode)
- SecuredLookupServiceImpl.java : private boolean canAccess(Secured sec)

Any help would be very much appreciated! I just need to identify the relevant code for this functionality.

Note - I’m using the 2.18.1 version released on SourceForge 23NOV2020.

Thanks!
-Andy

Hi, it appears the first one was correct. I’m not super familiar with Java so this might not be the fastest or most elegant code but it seems to work for the test I wanted to try (require a user have all roles on a layer).

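// Original - access is granted as soon as the user holds ANY one of the
// layer's roles, or the root role.
for (GrantedAuthority authority : user.getAuthorities()) {
  final String userRole = authority.getAuthority();
  if (roles.contains(userRole) || ROOT_ROLE.equals(userRole)) return true;
}

// Change - access is granted only if the user holds ALL of the layer's
// roles, or the root role. Requires: import java.util.ArrayList;
ArrayList<String> userRoles = new ArrayList<String>();
for (GrantedAuthority authority : user.getAuthorities()) {
  // Collect the user's role names so they can be compared as a whole.
  userRoles.add(authority.getAuthority());
}
if (userRoles.containsAll(roles) || userRoles.contains(ROOT_ROLE)) return true;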

Thanks!
-Andy
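
An added example, not part of the original thread or GeoServer's code: a stand-alone Java comparison of the any-of check and the all-of check from the snippet above, using plain string sets in place of Spring Security's GrantedAuthority. The ROOT_ROLE value and the user and role names are constructed placeholders, and the empty-set guard is an assumption about the desired behaviour, added because containsAll() returns true when the layer's role set is empty.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public class LayerRoleCheck {
    // Placeholder value (assumption); use whatever ROOT_ROLE is in your source tree.
    static final String ROOT_ROLE = "ROLE_ROOT_PLACEHOLDER";

    // Any-of: a single shared role is enough (behaviour of the original loop).
    static boolean anyOf(Set<String> layerRoles, Set<String> userRoles) {
        if (userRoles.contains(ROOT_ROLE)) return true;
        return !Collections.disjoint(layerRoles, userRoles);
    }

    // All-of: the user must hold every role on the layer (the modified check).
    // containsAll() is vacuously true for an empty collection, so a layer with
    // no roles is denied here rather than silently opened to every user.
    static boolean allOf(Set<String> layerRoles, Set<String> userRoles) {
        if (userRoles.contains(ROOT_ROLE)) return true;
        if (layerRoles.isEmpty()) return false;
        return userRoles.containsAll(layerRoles);
    }

    static Set<String> set(String... roles) {
        return new HashSet<>(Arrays.asList(roles));
    }

    public static void main(String[] args) {
        // Constructed sample data: first element is the user name, the rest are roles.
        String[][] users = {
            {"alice", "ROLE_GIS"},
            {"bob", "ROLE_GIS", "ROLE_SECRET", "ROLE_OTHER"},
            {"carol", "ROLE_OTHER"},
            {"root", ROOT_ROLE},
        };
        Set<String> restricted = set("ROLE_GIS", "ROLE_SECRET");
        Set<String> noRoles = set();

        System.out.printf("%-6s %-6s %-6s %-14s%n", "user", "anyOf", "allOf", "allOf(empty)");
        for (String[] u : users) {
            Set<String> held = set(Arrays.copyOfRange(u, 1, u.length));
            System.out.printf("%-6s %-6b %-6b %-14b%n", u[0],
                anyOf(restricted, held), allOf(restricted, held), allOf(noRoles, held));
        }
    }
}
```

Whether an empty role set can actually reach the modified line depends on the checks that precede it in canAccess, which are not shown in this thread.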

On Dec 18, 2020, at 12:02 PM, Andy Arismendi <andyarismendi@anonymised.com> wrote:
