Hi Sean, answers inside
Quoting Sean K <sk92129@anonymised.com>:
> Hi,
>
> I've been reading the 2.2.4 manual about authentication and security for
> the master or root account. And since the security or authentication has
> been re-engineered as of 2.2 (and we were using 2.1.1), the way we were
> using geoserver needs to change.
>
> In 2.1.1, since the password was not being encrypted, our geoserver had
> been customized at the GeoServerUserDao level; we injected a password
> encoder bean into this and encrypted the password using the Spring encoder.
You can inject your own password encoder; look at applicationSecurityContext.xml. You have to prefix the password with a unique string identifying your password encoder, e.g.
myencoder:XXXXXXXXXXXXXXXXXx
> Now looking at 2.2.4, I see that a lot of things have changed.
>
> There are two things that we need:
>
> 1.) we need to create or use a ROLE_ADMINISTRATOR with a name other
> than "root" -- for example, "myappadmin"
For each role service, you can specify a local role which is mapped to ROLE_ADMINISTRATOR. The standard xml role service has a role ADMIN. Users/groups having the role ADMIN also have the role ROLE_ADMINISTRATOR.
Look at security/role/default/roles.xml
> 2.) we need to keep the password encrypted on the hard drive -- we don't
> need LDAP or other external systems. Since I see that encrypted
> passwords are not supported in 2.2.4, I figure this should be easier.
Password encryption is supported in 2.2.x. There are 4 encoders out of the box
1) plain
2) digest
3) encrypt (DES, weak)
4) encrypt (AES, strong) if you install the unrestricted policy files
> If I want to zip up the entire geoserver web app with all these
> changes, what are my best approaches? (I figure that I could change the
> source code again or the spring context files but I think I would prefer to
> avoid that to avoid future upgrade issues.)
Try to create a user properties file with plain text passwords. Migration code contained in 2.2.x will encrypt your passwords with 3)
> I tried to use the users.properties with content that looks like this:
>
> myappadmin=digest1:YgaweuS60t+mJNobGlf9hzUC6g7gGTtPEu0TlnUxFlv0fYtBuTsQDzZcBM4AfZHd,ROLE_ADMINISTRATOR,enabled
>
> And I restarted my geoserver, but that did not work.
The file user.properties is deprecated. The new default location is
security/usergroup/default/users.xml
> Any guidance or suggestions would be appreciated.
>
> --
> Sean
Cheers
Christian
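As an added illustration of the "prefix:encoded" password layout Christian describes (the prefix selects the encoder, and a stored plain-text entry can be re-encoded on migration), here is a small Python model. It is not GeoServer's own code: the `plain` and `digest1` prefixes follow the thread, but the hashing scheme (salted PBKDF2-SHA256) and the lookup logic are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for the constructed digest encoder (not GeoServer's).
SALT_LEN = 16
ITERATIONS = 100_000


class PlainEncoder:
    """Stores the password as-is; shown only as the weak baseline."""
    prefix = "plain"

    def encode(self, password: str) -> str:
        return password

    def matches(self, password: str, stored: str) -> bool:
        return hmac.compare_digest(password.encode(), stored.encode())


class DigestEncoder:
    """One-way salted digest: the stored value cannot be turned back into the password."""
    prefix = "digest1"

    def encode(self, password: str) -> str:
        salt = os.urandom(SALT_LEN)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return base64.b64encode(salt + digest).decode()

    def matches(self, password: str, stored: str) -> bool:
        raw = base64.b64decode(stored)
        salt, digest = raw[:SALT_LEN], raw[SALT_LEN:]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)


# Registry keyed by the unique prefix that identifies each encoder.
ENCODERS = {e.prefix: e for e in (PlainEncoder(), DigestEncoder())}


def store(password: str, prefix: str = "digest1") -> str:
    """Produce the 'prefix:encoded' form that goes into the user store."""
    return f"{prefix}:{ENCODERS[prefix].encode(password)}"


def verify(password: str, stored: str) -> bool:
    """Dispatch on the prefix; reject entries with no or unknown prefix rather than guessing."""
    prefix, sep, encoded = stored.partition(":")
    if not sep or prefix not in ENCODERS:
        return False
    return ENCODERS[prefix].matches(password, encoded)


def migrate(stored: str, target: str = "digest1") -> str:
    """Re-encode a plain-text entry with a stronger encoder; leave other entries untouched."""
    prefix, _, encoded = stored.partition(":")
    return store(encoded, target) if prefix == "plain" else stored
```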