[Geoserver-users] Migrating an Authentication Plugin from 2.1 to 2.2?

We have a custom authentication/authorization plugin developed for use with GeoServer 2.1. It uses the Netegrity SiteMinder security proxy and a custom authorization provider called WebADE. It consists of the following classes implementing various Spring Security interfaces:

LdapAuthenticationProvider
ProviderManager
SmAuthenticationDetailsSource
SmProcessingFilter
WebADEAuthoritiesPopulator

Is there any information available on how to migrate this to the 2.2.x Security model?

Hi Martin

First, I would recommend investing in GeoServer 2.3, because the security subsystem in 2.2.x is a little bit experimental.

The architecture of the new security subsystem allows adding custom authentication mechanisms, including configuration pages for the admin GUI.

Unfortunately, there is no developer documentation so far, because at the moment I have no time left.

Cheers
Christian

Thanks for the info, Christian.

Do you mean that the code we would write for 2.2.x will need to be changed for 2.3.x? Or just that 2.3 is more functional than 2.2? I ask because it may not be an option to move straight to 2.3 yet, so we will have to make a decision about which version to target if they are different.

Martin

Hey Martin!

If I can interject, I think what Christian is trying to say is that there have been some good improvements to the new security authentication subsystem going from 2.2 to 2.3, mostly surrounding authentication filters. Since one of the classes you mentioned is a filter class, you may be affected going from 2.2 to 2.3, but the API changes are relatively minor. The big job will be moving to 2.2. Going from 2.2 to 2.3 will be relatively minor.

The security docs in the user guide give a good overview of the system, and how security filters and authentication providers play with each other, but as Christian says, there is not much in terms of developer docs. The best thing would be to see how the existing filters and providers work and follow suit.

Based on the classes you originally mentioned, here are some thoughts.

  • LdapAuthenticationProvider

We now ship with an LDAP provider out of the box in GeoServer, which uses this same class, so I imagine that can probably replace this. Look at LDAPAuthenticationProvider in the sec-ldap module.

  • ProviderManager

This is a core class in Spring Security that manages the authentication provider. In GeoServer we override this class with GeoServerSecurityManager in the main module.

  • SmProcessingFilter

This sounds like a “pre-authentication” filter that recognizes a header or some token passed through by SiteMinder. There are examples of filters that do this in the main module; look at all the subclasses of GeoServerPreAuthenticationFilter.

  • SmAuthenticationDetailsSource

This one I am not so sure about… Does it implement the UserDetailsService interface?

  • WebADEAuthoritiesPopulator

Sounds like this is used by the authentication provider to assign roles to the principal. You should probably be able to use this as is from your authentication provider. See the LDAP provider for an example: it uses the Spring Security LdapAuthoritiesPopulator to determine roles from the LDAP server in addition to doing the authentication.

Hope that helps.

-Justin

Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
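
The filter/role-lookup split described in the reply above, sketched against plain Spring Security 3.x base classes rather than GeoServer's own (an added example, not code from the thread, the poster's plugin, or GeoServer). `RoleLookup` is a hypothetical stand-in for the WebADE lookup and the `SM_USER` header name is an assumption; the filter still has to be given an `AuthenticationManager` containing a `PreAuthenticatedAuthenticationProvider` configured with this service.

```java
// Added example: plain Spring Security 3.x, not GeoServer or WebADE code.
import java.util.ArrayList;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.preauth.*;

/** Hypothetical stand-in for the WebADE role lookup. */
interface RoleLookup { List<String> rolesFor(String userId); }

/** Filter side: picks up the identity asserted by the security proxy. */
class ProxyHeaderFilter extends AbstractPreAuthenticatedProcessingFilter {
    static final String HEADER = "SM_USER"; // assumption: header set by the proxy

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String user = request.getHeader(HEADER);
        // Returning null means "not pre-authenticated": no token is created here.
        return (user == null || user.trim().isEmpty()) ? null : user.trim();
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the proxy has already verified the credentials
    }
}

/** Provider side: turns the asserted principal into UserDetails with roles. */
class ProxyUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {
    private final RoleLookup lookup;

    ProxyUserDetailsService(RoleLookup lookup) { this.lookup = lookup; }

    @Override
    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token) {
        List<GrantedAuthority> roles = new ArrayList<GrantedAuthority>();
        for (String role : lookup.rolesFor(token.getName())) {
            roles.add(new SimpleGrantedAuthority(role));
        }
        if (roles.isEmpty()) { // design choice of this sketch: no roles, no login
            throw new UsernameNotFoundException("no roles for " + token.getName());
        }
        return new User(token.getName(), "N/A", roles);
    }
}
```

Header-based pre-authentication is only as trustworthy as the network path: the application must be reachable solely through the proxy, and the proxy must strip any client-supplied copy of the header before setting its own.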


Thanks for the detailed reply, Justin.

We may change the design to avoid the need for LDAP authentication, but if not then it’s good to know about the built-in LDAP Auth.

We’ll be working on this in about a month, so may have more questions then.

Martin
