[Geoserver-users] JDBC authentication

Just to check before I break out the debugger:

When you use JDBC Authentication can it allow any user you create in GeoServer (which get written in the tables) to log in, or does it only allow the user used for the postgis connection (or other postgis users) to log in?

It seems like this is a bug, but I may just be missing something (and I think I’m not the only one https://gis.stackexchange.com/questions/274834/geoserver-jdbc-user-group-services-problem)

I’d be interested if anyone is successfully using JDBC authentication in the wild?

Cheers

Ian

Ian Turton

Hi Ian,
Thanks for getting back, the stack exchange denotes the exact problem I’m facing. The new “users” are created but they cannot be used to log in; only the ‘users’ which are users of PostgreSQL can be used to log in.

Thank you,
Krishna G. Lodha


Hi Ian,

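there are both functionalities, they are separate classes and are configured in a different way:

• Authenticating using the database's own users: JDBC Authentication Provider — GeoServer Training
• Storing credentials in the database, use the table contents for authentication: JDBC Users and Group Services — GeoServer Training

Back when we wrote the training material they were both working, not sure about the present.

Just a note, one has to be very careful when using the auth subsystem, many options, lots of complexity. I know I curse every time :smiley: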

Cheers
Andrea

Regards, Andrea Aime
Technical Lead, GeoSolutions S.A.S.

Hi Ian,
the JDBC Authentication Provider is meant to be used to login using the database (e.g. postgresql) users.

If you want to store your own users on a database, the JDBC UserGroup Service has to be used (together with the standard UsernamePassword Authentication Provider).
I know it’s confusing. This is why I usually suggest people to ignore the JDBC Authentication Provider.

Hope this helps
Mauro

Regards,
Mauro Bartolomeoli
Technical Lead, GeoSolutions S.A.S.

Hi,
So the bottom line is we can’t use database to store users? That can be then used further to login to geoserver?

Krishna G. Lodha

> Hi Ian,
>
> there are both functionalities, they are separate classes and are configured in a different way:
>
> • Authenticating using the database own users: JDBC Authentication Provider — GeoServer Training
> • Storing credentials in the database, use the table contents for authentication: JDBC Users and Group Services — GeoServer Training

I think (and I may be wrong) that this one only assigns a role to a postgres user (that is why you can set the password field to empty) - if it was intended to work that way I can try to find some time to debug it (when I finish this course).

> Back when we wrote the training material they were both working, not sure about the present.

I’m pretty sure it used to work (when I wrote my training notes too) but it’s been a while since I had a trainee choose the JDBC path instead of the LDAP path through the course (we have a lot of windows users) so I can’t recall for sure (and if I used ian as my test user then it would have worked as I have a DB login).

> Just a note, one has to be very careful when using the auth subsystem, many options, lots of complexity. I know I curse every time :smiley:

Oh, yes that is for sure!

Ian


Hi Ian,

the role handling is a third class:

image.png

1: authentication via database users (tries to connect to the database using the username/password provided in the request)
2: authentication via table contents (looks up a user with the same name provided in the request, and verifies the password)
3: adds role to a given user, after it has been authenticated

Cheers
Andrea
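
The three pieces listed in the message above, and the split between the JDBC Authentication Provider and the JDBC UserGroup Service described earlier in the thread, modelled as an added example (not GeoServer code and not written by anyone in this thread). The `users`/`user_roles` schema, the PBKDF2 hashing and the `DB_LOGIN_ROLES` map standing in for PostgreSQL login roles are all assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # assumption for this sketch, not a GeoServer setting

# Constructed stand-in for the database server's own login roles
# (what PostgreSQL checks when a connection is opened).
DB_LOGIN_ROLES = {"geoserver_svc": "svc-pass", "ian": "ian-db-pass"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user_store() -> sqlite3.Connection:
    """Tables the application writes its own users to (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB,"
        " pwhash BLOB, enabled INTEGER);"
        "CREATE TABLE user_roles (username TEXT, rolename TEXT);"
    )
    return conn


def add_user(conn, name, password, roles=(), enabled=True):
    """What 'create a user in the admin UI' amounts to: a row in a table."""
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (name, salt, _hash(password, salt), int(enabled)))
    conn.executemany("INSERT INTO user_roles VALUES (?, ?)",
                     [(name, role) for role in roles])


def auth_via_database_login(name: str, password: str) -> bool:
    """1: succeed only if the database server itself accepts the credentials.
    A real provider would try to open a connection; the role map stands in."""
    expected = DB_LOGIN_ROLES.get(name)
    return expected is not None and hmac.compare_digest(
        expected.encode(), password.encode())


def auth_via_user_table(conn, name: str, password: str) -> bool:
    """2: look the name up in the users table and verify the stored hash."""
    row = conn.execute(
        "SELECT salt, pwhash, enabled FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        _hash(password, b"\x00" * 16)  # same work for unknown names
        return False
    salt, pwhash, enabled = row
    return hmac.compare_digest(_hash(password, salt), pwhash) and bool(enabled)


def roles_for(conn, name: str) -> list:
    """3: role lookup, applied only after one of the checks above passed."""
    rows = conn.execute(
        "SELECT rolename FROM user_roles WHERE username = ? ORDER BY rolename",
        (name,))
    return [r[0] for r in rows]


def demo() -> dict:
    store = make_user_store()
    add_user(store, "krishna", "table-pass", roles=["ROLE_EDITOR"])
    add_user(store, "retired", "old-pass", enabled=False)
    return {
        # A user that exists only as a table row is unknown to the DB server.
        "table_user_mode1": auth_via_database_login("krishna", "table-pass"),
        "table_user_mode2": auth_via_user_table(store, "krishna", "table-pass"),
        # A DB login role has no row in the users table.
        "db_role_mode1": auth_via_database_login("ian", "ian-db-pass"),
        "db_role_mode2": auth_via_user_table(store, "ian", "ian-db-pass"),
        "disabled_mode2": auth_via_user_table(store, "retired", "old-pass"),
        "wrong_pw_mode2": auth_via_user_table(store, "krishna", "guess"),
        "roles": roles_for(store, "krishna"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `table_user_mode1` result is the symptom reported at the start of the thread: a user created as a table row cannot log in when only the database-login check is in the chain.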


Thanks to everyone for their help on this I have finally got my head around it and have added an answer to the gis.stackoverflow question I linked to earlier (https://gis.stackexchange.com/a/388940/79) - If I get some time over the weekend I’ll see if I can try to make the documentation clearer.

Ian


Quoting from stack overflow: “After much head scratching and asking the guys who wrote this stuff on the users mailing list”

Hell no, I had nothing to do with those modules! :smiley:

Cheers
Andrea


So who did write it? I’m still trying to come up with a reason to let my database users log into geoserver.

Ian


Each of those source files has an author tag, they all say:

@author christian

About a reason to do so, database centric security can be a reason. A system where the access restrictions are enforced
at the relational database level. In that case, you want to authenticate using database users, and then use impersonation
to connect to the database as that user, while fetching data:
https://docs.geoserver.org/latest/en/user/data/database/sqlsession.html#data-sqlsession

Cheers
Andrea


You guys are the best :smiley:
I was able to login to Geoserver using user credentials stored in db.
Thanks for the stack exchange answer Ian

Thank you,
Krishna G. Lodha
http://krishnaglodha.com

Absolutely. We use PG to control authentication across our entire system. This includes authenticated WMS calls to geoServer. It’s critical for us.

On Wed., Mar. 3, 2021, 11:01 a.m. Andrea Aime, <andrea.aime@anonymised.com> wrote:

Each of those source files has an author tag, they all say:

@author christian

About a reason to do so, database centric security can be a reason. A system where the access restrictions are enforced
at the relational database level. In that case, you want to authenticate using database users, and then use impersonation
to connect to the database as that user, while fetching data:
https://docs.geoserver.org/latest/en/user/data/database/sqlsession.html#data-sqlsession

Cheers
Andrea

On Wed, Mar 3, 2021 at 6:52 PM Ian Turton <ijturton@anonymised.com> wrote:

So who did write it? I’m still trying to come up with a reason to let my database users log into geoserver.

Ian

On Wed, 3 Mar 2021, 17:39 Andrea Aime, <andrea.aime@anonymised.com> wrote:

Quoting from stack overflow: “After much head scratching and asking the guys who wrote this stuff on the users mailing list”

Hell no, I had nothing to do with those modules! :smiley:

Cheers
Andrea

On Wed, Mar 3, 2021 at 6:35 PM Ian Turton <ijturton@anonymised.com.84…> wrote:

Thanks to everyone for their help on this. I have finally got my head around it and have added an answer to the gis.stackoverflow question I linked to earlier (https://gis.stackexchange.com/a/388940/79). If I get some time over the weekend I’ll see if I can try to make the documentation clearer.

Ian

On Wed, 3 Mar 2021 at 15:03, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi Ian,

the role handling is a third class:

image.png

1: authentication via database users (tries to connect to the database using the username/password provided in the request)
2: authentication via table contents (looks up a user with the same name provided in the request, and verifies the password)
3: adds role to a given user, after it has been authenticated

Cheers
Andrea

On Wed, Mar 3, 2021 at 3:50 PM Ian Turton <ijturton@anonymised.com> wrote:

On Wed, 3 Mar 2021 at 13:33, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi Ian,

there are both functionalities, they are separate classes and are configured in a different way:

I think (and I may be wrong) that this one only assigns a role to a postgres user (that is why you can set the password field to empty) - if it was intended to work that way I can try to find some time to debug it (when I finish this course).

Back when we wrote the training material they were both working, not sure about the present.

I’m pretty sure it used to work (when I wrote my training notes too) but it’s been a while since I had a trainee choose the JDBC path instead of the LDAP path through the course (we have a lot of windows users) so I can’t recall for sure (and if I used ian as my test user then it would have worked as I have a DB login).

Just a note, one has to be very careful when using the auth subsystem, many options, lots of complexity. I know I curse every time :smiley:

Oh, yes that is for sure!

Ian

Cheers
Andrea

On Wed, Mar 3, 2021 at 12:42 PM Ian Turton <ijturton@anonymised.com> wrote:

Just to check before I break out the debugger:

When you use JDBC Authentication can it allow any user you create in GeoServer (which get written in the tables) to log in, or does it only allow the user used for the postgis connection (or other postgis users) to log in?

It seems like this is a bug, but I may just be missing something (and I think I’m not the only one https://gis.stackexchange.com/questions/274834/geoserver-jdbc-user-group-services-problem)

I’d be interested if anyone is successfully using JDBC authentication in the wild?

Cheers

Ian

Ian Turton
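
[Added example, not part of the original thread and not GeoServer code.] A small model of the three pieces Andrea lists above, showing why a user that exists only in the tables is rejected when the provider authenticates against database logins. sqlite3 and a dict stand in for PostgreSQL; the table and column names, the function names, the sample users and the PBKDF2 hashing are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for PostgreSQL login roles: mechanism 1 really opens a
# database connection, which an offline example cannot do.
DB_LOGIN_ROLES = {"ian": "db-secret"}


def make_store():
    """In-memory tables standing in for the user/group and role tables (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash BLOB, enabled INTEGER);
        CREATE TABLE user_roles (username TEXT, rolename TEXT);
        """
    )
    return db


def hash_password(password, salt):
    # PBKDF2 is a swapped-in choice for this sketch, not one of GeoServer's encoders.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_user(db, name, password):
    """Create a user row, as happens when a user is added to the user/group service."""
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, 1)",
               (name, salt, hash_password(password, salt)))


def grant_role(db, name, role):
    """Role assignment is stored separately and needs no password for the name."""
    db.execute("INSERT INTO user_roles VALUES (?, ?)", (name, role))


def auth_via_db_login(username, password):
    """Mechanism 1: succeed only if the credentials are a valid database login."""
    expected = DB_LOGIN_ROLES.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def auth_via_table(db, username, password):
    """Mechanism 2: look the user up in the table and verify the stored password."""
    row = db.execute("SELECT salt, pwhash FROM users WHERE name = ? AND enabled = 1",
                     (username,)).fetchone()
    if row is None:
        hash_password(password, b"\0" * 16)  # keep the work similar for unknown users
        return False
    salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))


def roles_for(db, username):
    """Mechanism 3: roles are added only after authentication has succeeded."""
    rows = db.execute("SELECT rolename FROM user_roles WHERE username = ?", (username,))
    return sorted(r for (r,) in rows)


def login(db, provider, username, password):
    """Return the user's roles on success, None on failed authentication."""
    if provider == "db-login":
        ok = auth_via_db_login(username, password)
    elif provider == "table":
        ok = auth_via_table(db, username, password)
    else:
        raise ValueError("unknown provider: " + provider)
    return roles_for(db, username) if ok else None


def demo():
    db = make_store()
    add_user(db, "alice", "alice-pw")        # exists only in the tables
    grant_role(db, "alice", "Postgres_topp")
    grant_role(db, "ian", "Postgres_admin")  # database login, no table password
    return {
        "alice via db-login": login(db, "db-login", "alice", "alice-pw"),
        "alice via table": login(db, "table", "alice", "alice-pw"),
        "ian via db-login": login(db, "db-login", "ian", "db-secret"),
        "ian via table": login(db, "table", "ian", "db-secret"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

In this model the table user authenticates only through the table lookup and the database login only through the connection attempt, which matches the symptom described at the start of the thread.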



Hi, I tested the solution https://gis.stackexchange.com/a/388940/79 mentioned here, it works perfectly fine as long as roles are Default; when I tried to put roles in PG as well, it gives me HTTP error 500 for the users. What should I do?
Screenshot 2021-03-09 at 11.20.20 AM.png


Thank you,
Krishna G. Lodha
http://krishnaglodha.com

You need to look in the GeoServer log file to find out what’s gone wrong. You really need to add some more detail as to how you put the roles into PostgreSQL.

Ian


Ian Turton

Hi Ian,
Thanks for getting back, Appreciate your time :slight_smile:

I created a role service as JDBC role service (Postgres_geoserver_role), in which I then defined a couple of roles. I kept one role as administrator role.
Then I created a user/group service in JDBC user/group service (Postgres_user_group), and then created a bunch of users with WEAK PBE as password encryption. I set Active role service as ‘Postgres_geoserver_role’ and then I assigned roles to those users.
Then I removed earlier data rules, and added fresh rules such as

1. All layers read for - Postgres_admin role
2. Topp workspace read for - Postgres_topp role

Finally I also added a filter authentication Provider with ‘basic username/password authentication’ and added it above ‘default’ in Provider chain Selected Panel.

I’m getting the following error:

09 Mar 14:10:52 ERROR [wicket.DefaultExceptionMapper] - unexpected exception when handling another exception: Can't instantiate page using constructor 'public org.geoserver.web.GeoServerHomePage()'. An exception has been thrown during construction!
org.apache.wicket.WicketRuntimeException: Can't instantiate page using constructor 'public org.geoserver.web.GeoServerHomePage()'. An exception has been thrown during construction!
  at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:194)
  at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:67)
  at org.apache.wicket.DefaultMapperContext.newPageInstance(DefaultMapperContext.java:102)
  at org.apache.wicket.core.request.handler.PageProvider.resolvePageInstance(PageProvider.java:271)
  at org.apache.wicket.core.request.handler.PageProvider.getPageInstance(PageProvider.java:169)
  at org.apache.wicket.request.handler.render.PageRenderer.getPage(PageRenderer.java:78)
  at org.apache.wicket.request.handler.render.WebPageRenderer.isPageStateless(WebPageRenderer.java:287)
  at org.apache.wicket.request.handler.render.WebPageRenderer.shouldRenderPageAndWriteResponse(WebPageRenderer.java:329)
  at org.apache.wicket.request.handler.render.WebPageRenderer.respond(WebPageRenderer.java:193)
  at org.apache.wicket.core.request.handler.RenderPageRequestHandler.respond(RenderPageRequestHandler.java:175)
  at org.apache.wicket.request.cycle.RequestCycle$HandlerExecutor.respond(RequestCycle.java:895)
  at org.apache.wicket.request.RequestHandlerStack.execute(RequestHandlerStack.java:64)
  at org.apache.wicket.request.cycle.RequestCycle.execute(RequestCycle.java:265)
  at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:222)
  at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293)
  at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261)
  at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203)
  at org.apache.wicket.protocol.http.WicketServlet.doGet(WicketServlet.java:137)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
  at org.springframework.web.servlet.mvc.ServletWrappingController.handleRequestInternal(ServletWrappingController.java:166)
  at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:177)
  at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:52)
  at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:1040)
  at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:943)
  at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:1006)
  at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:898)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
  at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:883)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
  at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
  at org.geoserver.filters.ThreadLocalsCleanupFilter.doFilter(ThreadLocalsCleanupFilter.java:26)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:69)
  at org.geoserver.wms.animate.AnimatorFilter.doFilter(AnimatorFilter.java:70)
  at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:66)
  at org.geoserver.filters.SpringDelegatingFilter.doFilter(SpringDelegatingFilter.java:41)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.geoserver.platform.AdvancedDispatchFilter.doFilter(AdvancedDispatchFilter.java:37)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:320)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:70)
  at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
  at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:74)
  at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:70)
  at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:119)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:74)
  at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
  at org.geoserver.security.filter.GeoServerAnonymousAuthenticationFilter.doFilter(GeoServerAnonymousAuthenticationFilter.java:51)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:70)
  at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:74)
  at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
  at org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter.doFilter(GeoServerUserNamePasswordAuthenticationFilter.java:122)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:70)
  at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:158)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:74)
  at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:70)
  at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
  at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:52)
  at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:74)
  at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
  at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
  at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
  at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
  at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:142)
  at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
  at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:101)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:77)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:47)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:46)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:42)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
  at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
  at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
  at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1602)
  at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
  at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
  at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
  at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
  at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1700)
  at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
  at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
  at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
  at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
  at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1667)
  at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
  at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
  at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
  at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:220)
  at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:152)
  at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
  at org.eclipse.jetty.server.Server.handle(Server.java:505)
  at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:370)
  at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:267)
  at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
  at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
  at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:117)
  at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
  at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
  at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
  at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
  at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
  at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:698)
  at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:804)
  at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.reflect.InvocationTargetException
  at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
  at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
  at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
  at org.apache.wicket.session.DefaultPageFactory.newPage(DefaultPageFactory.java:175)
  ... 121 more
Caused by: com.google.common.util.concurrent.UncheckedExecutionException: java.lang.NullPointerException
  at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2050)
  at com.google.common.cache.LocalCache.get(LocalCache.java:3952)
  at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974)
  at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4958)
  at org.geoserver.geofence.cache.CachedRuleReader.getAdminAuthorization(CachedRuleReader.java:251)
  at org.geoserver.geofence.GeofenceAccessManager.isWorkspaceAdmin(GeofenceAccessManager.java:178)
  at org.geoserver.geofence.GeofenceAccessManager.getAccessLimits(GeofenceAccessManager.java:143)
  at org.geoserver.security.ResourceAccessManagerWrapper.getAccessLimits(ResourceAccessManagerWrapper.java:229)
  at org.geoserver.security.CatalogFilterAccessManager.getAccessLimits(CatalogFilterAccessManager.java:80)
  at org.geoserver.security.SecureCatalogImpl.buildWrapperPolicy(SecureCatalogImpl.java:862)
  at org.geoserver.security.SecureCatalogImpl.buildWrapperPolicy(SecureCatalogImpl.java:808)
  at org.geoserver.security.SecureCatalogImpl.checkAccess(SecureCatalogImpl.java:704)
  at org.geoserver.security.SecureCatalogImpl.filterWorkspaces(SecureCatalogImpl.java:1074)
  at org.geoserver.security.SecureCatalogImpl.getWorkspaces(SecureCatalogImpl.java:479)
  at org.geoserver.catalog.impl.AbstractFilteredCatalog.getWorkspaces(AbstractFilteredCatalog.java:353)
  at org.geoserver.catalog.impl.AbstractCatalogDecorator.getWorkspaces(AbstractCatalogDecorator.java:599)
  at org.geoserver.web.WorkspaceAdminComponentAuthorizer.isWorkspaceAdmin(WorkspaceAdminComponentAuthorizer.java:53)
  at org.geoserver.web.WorkspaceAdminComponentAuthorizer.isAccessAllowed(WorkspaceAdminComponentAuthorizer.java:35)
  at org.geoserver.web.GeoServerBasePage.filterByAuth(GeoServerBasePage.java:604)
  at org.geoserver.web.GeoServerBasePage.<init>(GeoServerBasePage.java:324)
  at org.geoserver.web.GeoServerHomePage.<init>(GeoServerHomePage.java:58)
  ... 126 more
Caused by: java.lang.NullPointerException
  at org.hibernate.impl.SessionFactoryImpl.getClassMetadata(SessionFactoryImpl.java:807)
  at com.googlecode.genericdao.search.hibernate.HibernateMetadataUtil.get(HibernateMetadataUtil.java:92)
  at com.googlecode.genericdao.search.hibernate.HibernateMetadataUtil.get(HibernateMetadataUtil.java:103)
  at com.googlecode.genericdao.search.BaseSearchProcessor.prepareValue(BaseSearchProcessor.java:723)
  at com.googlecode.genericdao.search.BaseSearchProcessor.filterToQL(BaseSearchProcessor.java:461)
  at com.googlecode.genericdao.search.BaseSearchProcessor.filterToQL(BaseSearchProcessor.java:503)
  at com.googlecode.genericdao.search.BaseSearchProcessor.filterToQL(BaseSearchProcessor.java:503)
  at com.googlecode.genericdao.search.BaseSearchProcessor.generateWhereClause(BaseSearchProcessor.java:431)
  at com.googlecode.genericdao.search.BaseSearchProcessor.generateQL(BaseSearchProcessor.java:113)
  at com.googlecode.genericdao.search.jpa.JPASearchProcessor.search(JPASearchProcessor.java:76)
  at com.googlecode.genericdao.dao.jpa.JPABaseDAO._search(JPABaseDAO.java:322)
  at com.googlecode.genericdao.dao.jpa.GenericDAOImpl.search(GenericDAOImpl.java:123)
  at org.geoserver.geofence.core.dao.impl.PrioritizableDAOImpl.search(PrioritizableDAOImpl.java:180)
  at org.geoserver.geofence.core.dao.impl.AdminRuleDAOImpl.search(AdminRuleDAOImpl.java:98)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:343)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
  at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:295)
  at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:98)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
  at com.sun.proxy.$Proxy39.search(Unknown Source)
  at org.geoserver.geofence.services.RuleReaderServiceImpl.getAdminAuthAux(RuleReaderServiceImpl.java:746)
  at org.geoserver.geofence.services.RuleReaderServiceImpl.getAdminAuth(RuleReaderServiceImpl.java:718)
  at org.geoserver.geofence.services.RuleReaderServiceImpl.getAdminAuthorization(RuleReaderServiceImpl.java:158)
  at org.geoserver.geofence.cache.CachedRuleReader$AuthLoader.load(CachedRuleReader.java:141)
  at org.geoserver.geofence.cache.CachedRuleReader$AuthLoader.load(CachedRuleReader.java:134)
  at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528)
  at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2277)
  at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2154)
  at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2044)

Thank you,
Krishna G. Lodha
http://krishnaglodha.com
On 9 Mar 2021, 1:54 PM +0530, Ian Turton <ijturton@anonymised.com>, wrote:

You need to look in the GeoServer log file to find out what's gone wrong. You really need to add some more detail as to how you put the roles into PostgreSQL.

Ian

On Tue, 9 Mar 2021 at 05:52, krishna lodha <krishnaglodha@anonymised.com> wrote:
> Hi, I tested the solution security - Geoserver JDBC User Group Services Problem - Geographic Information Systems Stack Exchange mentioned here, it works perfectly fine as long as roles are Default; when I tried to put roles in PG as well, it gives me HTTP error 500 for the users. What should I do?
> <Screenshot 2021-03-09 at 11.20.20 AM.png>
>
> On Sat, Mar 6, 2021 at 4:20 AM Vera Green <vera.green.ca@anonymised.com> wrote:
> > Absolutely. We use PG to control authentication across our entire system. This includes authenticated WMS calls to geoServer. It's critical for us.
> >
> > On Wed., Mar. 3, 2021, 11:01 a.m. Andrea Aime, <andrea.aime@anonymised.com.> wrote:
> > > Each of those source files has an author tag, they all say:
> > >
> > > @author christian
> > >
> > > About a reason to do so, database centric security can be a reason. A system where the access restrictions are enforced
> > > at the relational database level. In that case, you want to authenticate using database users, and then use impersonation
> > > to connect to the database as that user, while fetching data:
> > > Custom SQL session start/stop scripts — GeoServer 2.26.x User Manual
> > >
> > > Cheers
> > > Andrea
> > >
> > >
> > > On Wed, Mar 3, 2021 at 6:52 PM Ian Turton <ijturton@anonymised.com> wrote:
> > > > So who did write it? I'm still trying to come up with a reason to let my database users log into geoserver.
> > > >
> > > > Ian
> > > >
> > > > On Wed, 3 Mar 2021, 17:39 Andrea Aime, <andrea.aime@anonymised.com> wrote:
> > > > > Quoting from stack overflow: "After much head scratching and asking the guys who wrote this stuff on the users mailing list"
> > > > >
> > > > > Hell no, I had nothing to do with those modules! :smiley:
> > > > >
> > > > > Cheers
> > > > > Andrea
> > > > >
> > > > > On Wed, Mar 3, 2021 at 6:35 PM Ian Turton <ijturton@anonymised.com> wrote:
> > > > > > > Thanks to everyone for their help on this. I have finally got my head around it and have added an answer to the gis.stackoverflow question I linked to earlier (security - Geoserver JDBC User Group Services Problem - Geographic Information Systems Stack Exchange). If I get some time over the weekend I'll see if I can try to make the documentation clearer.
> > > > > >
> > > > > > Ian
> > > > > >
> > > > > > > On Wed, 3 Mar 2021 at 15:03, Andrea Aime <andrea.aime@anonymised.com> wrote:
> > > > > > > Hi Ian,
> > > > > > > the role handling is a third class:
> > > > > > >
> > > > > > > 1: authentication via database users (tries to connect to the database using the username/password provided in the request)
> > > > > > > 2: authentication via table contents (looks up a user with the same name provided in the request, and verifies the password)
> > > > > > > 3: adds role to a given user, after it has been authenticated
> > > > > > >
> > > > > > > Cheers
> > > > > > > Andrea
> > > > > > >
> > > > > > > > On Wed, Mar 3, 2021 at 3:50 PM Ian Turton <ijturton@anonymised.com> wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > > > On Wed, 3 Mar 2021 at 13:33, Andrea Aime <andrea.aime@anonymised.com> wrote:
> > > > > > > > > Hi Ian,
> > > > > > > > > there are both functionalities, they are separate classes and are configured in a different way:
> > > > > > > > >
> > > > > > > > > • Authenticating using the database own users: JDBC Authentication Provider — GeoServer Training
> > > > > > > > > • Storing credentials in the database, use the table contents for authentication: JDBC Users and Group Services — GeoServer Training
> > > > > > > >
> > > > > > > > I think (and I may be wrong) that this one only assigns a role to a postgres user (that is why you can set the password field to empty) - if it was intended to work that way I can try to find some time to debug it (when I finish this course).
> > > > > > > >
> > > > > > > >
> > > > > > > > > Back when we wrote the training material they were both working, not sure about the present.
> > > > > > > >
> > > > > > > > I'm pretty sure it used to work (when I wrote my training notes too) but it's been a while since I had a trainee choose the JDBC path instead of the LDAP path through the course (we have a lot of windows users) so I can't recall for sure (and if I used ian as my test user then it would have worked as I have a DB login).
> > > > > > > >
> > > > > > > > > Just a note, one has to be very careful when using the auth subsystem, many options, lots of complexity. I know I curse every time :smiley:
> > > > > > > >
> > > > > > > > Oh, yes that is for sure!
> > > > > > > >
> > > > > > > > Ian
> > > > > > > >
> > > > > > > >
> > > > > > > > > Cheers
> > > > > > > > > Andrea
> > > > > > > > >
> > > > > > > > > > On Wed, Mar 3, 2021 at 12:42 PM Ian Turton <ijturton@anonymised.com> wrote:
> > > > > > > > > >
> > > > > > > > > > Just to check before I break out the debugger:
> > > > > > > > > >
> > > > > > > > > > > When you use JDBC Authentication can it allow any user you create in GeoServer (which get written in the tables) log in or does it only allow the user used for the postgis connection (or other postgis users) to log in?
> > > > > > > > > > >
> > > > > > > > > > > It seems like this is a bug, but I may just be missing something (and I think I'm not the only one security - Geoserver JDBC User Group Services Problem - Geographic Information Systems Stack Exchange)
> > > > > > > > > > >
> > > > > > > > > > > I'd be interested if anyone is successfully using JDBC authentication in the wild?
> > > > > > > > > >
> > > > > > > > > > Cheers
> > > > > > > > > >
> > > > > > > > > > Ian
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Ian Turton
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Regards,
> > > > > > > > > Andrea Aime
> > > > > > > > >
> > > > > > > > > ==
> > > > > > > > > GeoServer Professional Services from the experts! Visit GeoSolutions Enterprise Support Services for more information.
> > > > > > > > > ==
> > > > > > > > >
> > > > > > > > > Ing. Andrea Aime
> > > > > > > > > @geowolf
> > > > > > > > > Technical Lead
> > > > > > > > >
> > > > > > > > > GeoSolutions S.A.S.
> > > > > > > > > Via di Montramito 3/A
> > > > > > > > > 55054 Massarosa (LU)
> > > > > > > > > phone: +39 0584 962313
> > > > > > > > > fax: +39 0584 1660272
> > > > > > > > > mob: +39 339 8844549
> > > > > > > > >
> > > > > > > > > > http://www.geo-solutions.it
> > > > > > > > > > http://twitter.com/geosolutions_it
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > -------------------------------------------------------
> > > > > > > > > >
> > > > > > > > > > With reference to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation "GDPR"), please note that every circumstance relating to this email (its content, any attachments, etc.) is information whose knowledge is reserved to the sole recipient(s) indicated by the sender. If the message has reached you by mistake, you are required to delete it; any other operation is unlawful. I would in any case be grateful if you could let me know.
> > > > > > > > >
> > > > > > > > > This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Ian Turton
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > > Andrea Aime
> > > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Ian Turton
> > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > > Andrea Aime
> > > > >
> > >
> > >
> > > --
> > > Regards,
> > > Andrea Aime
> > >
>
>
> --
> Thank you,
> Krishna G. Lodha
> http://krishnaglodha.com

--
Ian Turton

Hi guys,
Can anyone please help me with this?

Thanks,
krishna

On Tue, Mar 9, 2021 at 2:11 PM Krishnaglodha <krishnaglodha@anonymised.com> wrote:

Hi Ian,
Thanks for getting back, Appreciate your time :slight_smile:

I created a role service as JDBC role service (Postgres_geoserver_role),
in which I then defined a couple of roles. I kept one role as the administrator
role.
Then I created a user/group service in JDBC user/group service
(Postgres_user_group), and then created a bunch of users with WEAK PBE as
password encryption. I set the active role service to
‘Postgres_geoserver_role’ and then I assigned roles to those users.
Then I removed the earlier data rules, and added fresh rules such as

   1. All layers read for - Postgres_admin role
   2. Topp workspace read for - Postgres_topp role

Finally I also added a filter authentication provider with ‘basic
username/password authentication’ and added it above ‘default’ in the Provider
chain Selected panel.

I’m getting the following error


Thank you,
Krishna G. Lodha
http://krishnaglodha.com
On 9 Mar 2021, 1:54 PM +0530, Ian Turton <ijturton@anonymised.com>, wrote:

You need to look in the GeoServer log file to find out what's gone wrong.
You really need to add some more detail as to how you put the roles into
PostgreSQL.

Ian

On Tue, 9 Mar 2021 at 05:52, krishna lodha <krishnaglodha@anonymised.com> wrote:

Hi, I tested the solution mentioned here (security - Geoserver JDBC User Group Services Problem - Geographic Information Systems Stack Exchange).
It works perfectly fine as long as roles are Default; when I tried to
put roles in PG as well, it gives me HTTP error 500 for the users.
What should I do?

On Sat, Mar 6, 2021 at 4:20 AM Vera Green <vera.green.ca@anonymised.com> wrote:

Absolutely. We use PG to control authentication across our entire system.
This includes authenticated WMS calls to geoServer. It's critical for us.

On Wed., Mar. 3, 2021, 11:01 a.m. Andrea Aime, <andrea.aime@anonymised.com> wrote:

Each of those source files has an author tag, they all say:

@author christian

About a reason to do so, database centric security can be a reason. A
system where the access restrictions are enforced at the relational
database level. In that case, you want to authenticate using database
users, and then use impersonation to connect to the database as that user,
while fetching data:

Custom SQL session start/stop scripts — GeoServer 2.26.x User Manual

Cheers

Andrea

On Wed, Mar 3, 2021 at 6:52 PM Ian Turton <ijturton@anonymised.com> wrote:

So who did write it? I'm still trying to come up with a reason to let my
database users log into geoserver.

Ian

On Wed, 3 Mar 2021, 17:39 Andrea Aime, <andrea.aime@anonymised.com> wrote:

Quoting from stack overflow: "After much head scratching and asking the
guys who wrote this stuff on the users mailing list"

Hell no, I had nothing to do with those modules! :smiley:

Cheers

Andrea

On Wed, Mar 3, 2021 at 6:35 PM Ian Turton <ijturton@anonymised.com> wrote:

Thanks to everyone for their help on this. I have finally got my head
around it and have added an answer to the gis.stackoverflow question I
linked to earlier (security - Geoserver JDBC User Group Services Problem - Geographic Information Systems Stack Exchange). If I get
some time over the weekend I'll see if I can try to make the documentation
clearer.

Ian

On Wed, 3 Mar 2021 at 15:03, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi Ian,

the role handling is a third class:

<image.png>

1: authentication via database users (tries to connect to the database
using the username/password provided in the request)

2: authentication via table contents (looks up a user with the same name
provided in the request, and verifies the password)

3: adds role to a given user, after it has been authenticated

Cheers

Andrea

On Wed, Mar 3, 2021 at 3:50 PM Ian Turton <ijturton@anonymised.com> wrote:

On Wed, 3 Mar 2021 at 13:33, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi Ian,

there are both functionalities, they are separate classes and are
configured in a different way:

• Authenticating using the database own users:
JDBC Authentication Provider — GeoServer Training

• Storing credentials in the database, use the table contents for
authentication:
JDBC Users and Group Services — GeoServer Training

I think (and I may be wrong) that this one only assigns a role to a
postgres user (that is why you can set the password field to empty) - if
it was intended to work that way I can try to find some time to debug it
(when I finish this course).

Back when we wrote the training material they were both working, not sure
about the present.

I'm pretty sure it used to work (when I wrote my training notes too) but
it's been a while since I had a trainee choose the JDBC path instead of the
LDAP path through the course (we have a lot of windows users) so I can't
recall for sure (and if I used ian as my test user then it would have
worked as I have a DB login).

Just a note, one has to be very careful when using the auth subsystem,
many options, lots of complexity. I know I curse every time :smiley:

Oh, yes that is for sure!

Ian

Cheers

Andrea

On Wed, Mar 3, 2021 at 12:42 PM Ian Turton <ijturton@anonymised.com> wrote:

Just to check before I break out the debugger:

When you use JDBC Authentication can it allow any user you create in
GeoServer (which get written in the tables) to log in, or does it only
allow the user used for the postgis connection (or other postgis users) to
log in?

It seems like this is a bug, but I may just be missing something (and I
think I'm not the only one: security - Geoserver JDBC User Group Services Problem - Geographic Information Systems Stack Exchange).

I'd be interested if anyone is successfully using JDBC authentication in
the wild?

Cheers

Ian

--

Ian Turton

_______________________________________________

Geoserver-users mailing list

Please make sure you read the following two resources before posting to
this list:

- Earning your support instead of buying it, by Ian Turton:
Earning Your Support Instead of Buying it

- The GeoServer user list posting guidelines:
User group posting guidelines

If you want to request a feature or an improvement, also see this:
Successfully requesting and integrating new features and improvements in GeoServer · geoserver/geoserver Wiki · GitHub

Geoserver-users@lists.sourceforge.net

geoserver-users List Signup and Options

--

Regards,

Andrea Aime

==

GeoServer Professional Services from the experts! Visit
GeoSolutions Enterprise Support Services for more information.

==

Ing. Andrea Aime

@geowolf

Technical Lead

GeoSolutions S.A.S.

Via di Montramito 3/A

55054 Massarosa (LU)

phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

http://www.geo-solutions.it

http://twitter.com/geosolutions_it

-------------------------------------------------------

*With reference to the legislation on the processing of personal data (EU
Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note
that every circumstance relating to this email (its content, any
attachments, etc.) is information whose knowledge is reserved solely to the
recipient(s) indicated by the sender. If the message has reached you in
error, you are required to delete it; any other operation is unlawful. I
would nevertheless be grateful if you could let me know.*

*This email is intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential or
otherwise protected from disclosure. We remind that - as provided by
European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
e-mail or the information herein by anyone other than the intended
recipient is prohibited. If you have received this email by mistake, please
notify us immediately by telephone or e-mail.*

--
Thank you,
Krishna G. Lodha
http://krishnaglodha.com
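
Andrea's point in this thread about database-centric security (authenticate as a database user, then impersonate that user while fetching data), sketched for PostgreSQL as an added example that is not from the thread or from GeoServer. The role names, table and passwords are constructed, and `SET ROLE` / `RESET ROLE` stand in for whatever statements the session start/stop scripts are configured to issue.

```sql
-- Constructed roles and table; every name here is hypothetical.
-- End users exist as real database roles, so a login can be checked by
-- attempting a connection with the supplied username and password.
CREATE ROLE alice LOGIN PASSWORD 'replace-me';
CREATE ROLE bob   LOGIN PASSWORD 'replace-me';

-- Pool account the data store connects as. NOINHERIT means it holds no
-- privileges of its own; membership only lets it switch to alice or bob.
CREATE ROLE gs_pool LOGIN NOINHERIT PASSWORD 'replace-me';
GRANT alice, bob TO gs_pool;

-- The access restriction lives in the database, not in the map server.
CREATE TABLE parcels (
    id         serial PRIMARY KEY,
    owner_role name   NOT NULL,
    label      text   NOT NULL
);
GRANT SELECT ON parcels TO alice, bob;
ALTER TABLE parcels ENABLE ROW LEVEL SECURITY;
CREATE POLICY parcels_by_owner ON parcels
    FOR SELECT USING (owner_role = current_user);

INSERT INTO parcels (owner_role, label)
VALUES ('alice', 'north field'), ('bob', 'south field');

-- From here on the statements run on a gs_pool connection.
-- Session start script, issued once "alice" has been authenticated.
-- SET SESSION AUTHORIZATION achieves the same switch, but changing to
-- another user that way requires the pool account to be a superuser.
SET ROLE alice;
-- current_user is now alice, so the policy filters rows to her own.
SELECT id, label FROM parcels;

-- Session stop script, before the connection returns to the pool.
RESET ROLE;
-- current_user is gs_pool again, which has no SELECT grant on parcels,
-- so a pooled connection that skipped the start script reads nothing.
SELECT id, label FROM parcels;
```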