[Geoserver-users] Master or root password in 2.2.4

Hi Sean, answers inside

Quoting Sean K <sk92129@anonymised.com>:

Hi,

I've been reading the 2.2.4 manual about authentication and security for
the master or root account.

And since the security or authentication has been re-engineered as of 2.2
(and we were using 2.1.1), the way we were using geoserver needs to change.

In 2.1.1, since the password was not being encrypted, our geoserver had
been customized at the GeoServerUserDao level, we injected a password
encoder bean into this and encrypted the password using the Spring encoder.

You can inject your own password encoder, look at applicationSecurityContext.xml. You have to prefix the password with a unique string identifying your password encoder, e.g.

myencoder:XXXXXXXXXXXXXXXXXx

Now looking at 2.2.4, I see that a lot of things have changed.

There are two things that we need:

1.) we need to create or use a ROLE_ADMINISTRATOR with a name other
than "root" -- for example, "myappadmin"

For each role service, you can specify a local role which is mapped to ROLE_ADMINISTRATOR. The standard xml role service has a role ADMIN. Users/groups having the role ADMIN also have the role ROLE_ADMINISTRATOR.

Look at security/role/default/roles.xml

2.) we need to keep the password encrypted on the hard drive -- we don't
need LDAP or other external systems. Since I see that encrypted
passwords are not supported in 2.2.4, I figure this should be easier.

Password encryption is supported in 2.2.x. There are 4 encoders out of the box

1) plain
2) digest
3) encrypt (DES, weak)
4) encrypt (AES, strong) if you install the unrestricted policy files

If I want to zip up the entire geoserver web app with the all these
changes, what are my best approaches? (I figure that I could change the
source code again or the spring context files but I think I would prefer to
avoid that to avoid future upgrade issues.)

Try to create a user properties file with plain text passwords. Migration code contained in 2.2.x will encrypt your passwords with 3)

I tried to use the users.properties with content that looks like this:

myappadmin=digest1:YgaweuS60t+mJNobGlf9hzUC6g7gGTtPEu0TlnUxFlv0fYtBuTsQDzZcBM4AfZHd,ROLE_ADMINISTRATOR,enabled

And I restarted my geoserver, but that did not work.

The file user.properties is deprecated. The new default location is
security/usergroup/default/users.xml

Any guidance or suggestions would be appreciated.

--
Sean

Cheers
Christian

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
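The exchange above turns on two mechanisms: stored passwords carry an encoder prefix (`plain`, `digest1`, or a custom `myencoder:`), and a local role such as ADMIN is mapped onto ROLE_ADMINISTRATOR. The following is an added, stand-alone example (not GeoServer code) that models both: it parses the old `user=password,ROLE,...,enabled` properties format Sean quoted, dispatches verification on the prefix, migrates any plain entries to a digest form the way the 2.2.x migration re-encodes passwords, and derives effective roles from the admin-role mapping. The digest parameters (SHA-256, 16-byte salt prepended, 100000 iterations, modelled on jasypt's StrongPasswordEncryptor) and the names `ADMIN_ROLE_NAME`, `encode_digest`, `check_password` and `migrate_plain_passwords` are assumptions of this example, not GeoServer's actual implementation.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample in the 2.1-style users.properties format quoted in the
# thread: user=password,ROLE1,...,enabled|disabled. Not a real data set.
SAMPLE_USERS_PROPERTIES = """\
# constructed sample
myappadmin=s3cret-admin,ADMIN,enabled
viewer=plain:readonly,ROLE_VIEWER,enabled
olduser=legacypass,ROLE_VIEWER,disabled
"""

# The thread describes a per-role-service mapping of one local role (ADMIN in
# the default XML role service) onto ROLE_ADMINISTRATOR. The constant name is ours.
ADMIN_ROLE_NAME = "ADMIN"

# Assumed digest layout: base64(salt || SHA-256 chain), modelled on jasypt's
# StrongPasswordEncryptor. GeoServer's real "digest1" encoder may differ.
DIGEST_PREFIX = "digest1"
SALT_BYTES = 16
ITERATIONS = 100_000


def _digest(password: bytes, salt: bytes) -> bytes:
    """Salted, iterated SHA-256 (first round over salt+password, then re-hash)."""
    h = hashlib.sha256(salt + password).digest()
    for _ in range(ITERATIONS - 1):
        h = hashlib.sha256(h).digest()
    return h


def encode_digest(password: str, salt: bytes = None) -> str:
    """Produce a prefixed, salted digest; a random salt is drawn unless given."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    payload = base64.b64encode(salt + _digest(password.encode(), salt)).decode()
    return f"{DIGEST_PREFIX}:{payload}"


def split_prefix(stored: str) -> tuple:
    """Return (encoder prefix, payload). A value without ':' is treated as plain,
    which is the unprefixed legacy form from a 2.1 users.properties file."""
    prefix, sep, payload = stored.partition(":")
    return (prefix, payload) if sep else ("plain", stored)


def check_password(stored: str, candidate: str) -> bool:
    """Dispatch on the prefix; unknown encoders are rejected rather than guessed."""
    prefix, payload = split_prefix(stored)
    if prefix == "plain":
        return hmac.compare_digest(payload.encode(), candidate.encode())
    if prefix == DIGEST_PREFIX:
        raw = base64.b64decode(payload)
        salt, expected = raw[:SALT_BYTES], raw[SALT_BYTES:]
        return hmac.compare_digest(_digest(candidate.encode(), salt), expected)
    raise ValueError(f"unknown password encoder prefix: {prefix}")


def parse_users_properties(text: str) -> dict:
    """Parse 'name=password,ROLE...,enabled' lines into a dict keyed by user name."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition("=")
        fields = [f.strip() for f in rest.split(",")]  # base64 never contains ','
        users[name.strip()] = {
            "password": fields[0],
            "roles": fields[1:-1],
            "enabled": fields[-1] == "enabled",
        }
    return users


def effective_roles(roles) -> set:
    """Users holding the mapped local admin role also hold ROLE_ADMINISTRATOR."""
    effective = set(roles)
    if ADMIN_ROLE_NAME in effective:
        effective.add("ROLE_ADMINISTRATOR")
    return effective


def migrate_plain_passwords(users: dict) -> int:
    """Re-encode every plain entry with the digest encoder; returns the count changed.
    Running it twice is harmless: already-prefixed digests are left alone."""
    migrated = 0
    for entry in users.values():
        prefix, payload = split_prefix(entry["password"])
        if prefix == "plain":
            entry["password"] = encode_digest(payload)
            migrated += 1
    return migrated


if __name__ == "__main__":
    store = parse_users_properties(SAMPLE_USERS_PROPERTIES)
    print("migrated:", migrate_plain_passwords(store))
    for name, entry in store.items():
        print(name, entry["password"][:24] + "...", sorted(effective_roles(entry["roles"])))
```

The point to take from the thread is the prefix: a store that mixes `plain:` and `digest1:` entries can be verified and migrated in one pass, and a value with an unrecognised prefix (such as `myencoder:` before that encoder bean is registered) should fail closed rather than be compared as plain text.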

Christian -

     I know that you have been working on this and I was wondering what is the status of this addition to Geoserver?

     What version can I install to try out CAS protection?

Garey Mills

Hi Gary

You have to use GeoServer 2.3 beta1 or a nightly build.

http://geoserver.org/display/GEOS/Latest

The CAS extension is ready for testing. (And yes, it works with proxy tickets too). Unfortunately I had no time to add the documentation until now, but the GUI with the help buttons should assist you.

Some hints:

1) If you do not use SSL you will have no Single Sign On meaning that you have to log in for GeoServer individually.

2) If you want to avoid sending a new CAS ticket for each request, you should enable "allow session creation" for each filter chain containing the CAS filter. Session creation means sending back a cookie to the GeoServer client.

Looking forward to hearing about your experience.

Christian
