Von: Dominik Gärner
Gesendet: Freitag, 20. November 2015 10:20
An: ‘geoserver-users@lists.sourceforge.net’
Betreff: unexpected behaviour in layer wise security restrictions

Hi, I found some inconsistencies when setting up a security for single layers.

What I want is, for a specific role and workspace, to set up something like: “Hide/restrict access to all layers except of…”

With a simple set up for the “topp" workspace it would look like this:

..r=*

..w=*

topp.*.r=ADMIN,GROUP_ADMIN

topp.states.r=TEST

mode=HIDE

A GetCapabilities request (and also the layer preview in the browser) for a TEST-user looks like what I’d expect: he sees only the topp.states layer from the topp workspace. But the access to it is still restricted, giving me a 404:resource not available.

Now, setting the mode=CHALLENGE, I can access topp.states. But this workaround isn’t what I want because it exposes all the layers to a getCapabilities request.

Do I misunderstood the security concept or is this a wrong behaviour of Geoserver?

Best Regards

Dominik

On Mon, Nov 30, 2015 at 5:03 PM, Dominik Gärner <Dominik.Gaerner@anonymised.com> wrote:

I think this is a bug in Geoserver, because the resource should have in this constellation dedicated READ (topp.states.) access. Even if that’s not the case and access is permitted – maybe because the other rule (topp.*.r) is overruling? – than getCapabilities shouldn’t show the resource in HIDE mode.

Can anyone confirm this as a bug?

Regards

Dominik

Von: Dominik Gärner
Gesendet: Freitag, 20. November 2015 10:20
An: ‘geoserver-users@lists.sourceforge.net’
Betreff: unexpected behaviour in layer wise security restrictions

Hi, I found some inconsistencies when setting up a security for single layers.

What I want is, for a specific role and workspace, to set up something like: “Hide/restrict access to all layers except of…”

With a simple set up for the “topp" workspace it would look like this:

..r=*

..w=*

topp.*.r=ADMIN,GROUP_ADMIN

topp.states.r=TEST

mode=HIDE

A GetCapabilities request (and also the layer preview in the browser) for a TEST-user looks like what I’d expect: he sees only the topp.states layer from the topp workspace. But the access to it is still restricted, giving me a 404:resource not available.

Now, setting the mode=CHALLENGE, I can access topp.states. But this workaround isn’t what I want because it exposes all the layers to a getCapabilities request.

Do I misunderstood the security concept or is this a wrong behaviour of Geoserver?

Best Regards

Dominik

–

Dominik Gärner
GRINTEC GmbH
Anzengrubergasse 6, 8010 Graz, Austria
Tel: +43(316)383706-0
mailto:dominik.gaerner@anonymised.com
http://www.grintec.com

FN 47845k Handelsgericht Graz

---

Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140

---

Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

–

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Geosolutions’ Winter Holidays from 24/12 to 6/1

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

On Tue, Dec 1, 2015 at 6:02 PM, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi Dominik,
this sounds like a bug, but I’m a bit surprised about it, we have quite a bit of automated tests
that should have caught this issue.
Which version of GeoServer are you using?

Cheers
Andrea

–

On Mon, Nov 30, 2015 at 5:03 PM, Dominik Gärner <Dominik.Gaerner@anonymised.com> wrote:

I think this is a bug in Geoserver, because the resource should have in this constellation dedicated READ (topp.states.) access. Even if that’s not the case and access is permitted – maybe because the other rule (topp.*.r) is overruling? – than getCapabilities shouldn’t show the resource in HIDE mode.

Can anyone confirm this as a bug?

Regards

Dominik

Von: Dominik Gärner
Gesendet: Freitag, 20. November 2015 10:20
An: ‘geoserver-users@lists.sourceforge.net’
Betreff: unexpected behaviour in layer wise security restrictions

Hi, I found some inconsistencies when setting up a security for single layers.

What I want is, for a specific role and workspace, to set up something like: “Hide/restrict access to all layers except of…”

With a simple set up for the “topp" workspace it would look like this:

..r=*

..w=*

topp.*.r=ADMIN,GROUP_ADMIN

topp.states.r=TEST

mode=HIDE

A GetCapabilities request (and also the layer preview in the browser) for a TEST-user looks like what I’d expect: he sees only the topp.states layer from the topp workspace. But the access to it is still restricted, giving me a 404:resource not available.

Now, setting the mode=CHALLENGE, I can access topp.states. But this workaround isn’t what I want because it exposes all the layers to a getCapabilities request.

Do I misunderstood the security concept or is this a wrong behaviour of Geoserver?

Best Regards

Dominik

–

Dominik Gärner
GRINTEC GmbH
Anzengrubergasse 6, 8010 Graz, Austria
Tel: +43(316)383706-0
mailto:dominik.gaerner@anonymised.com
http://www.grintec.com

FN 47845k Handelsgericht Graz

---

Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140

---

Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

–

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Geosolutions’ Winter Holidays from 24/12 to 6/1

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Geosolutions’ Winter Holidays from 24/12 to 6/1

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

And also, what do you mean by “access”? GetMap calls?

Cheers

Andrea

On Tue, Dec 1, 2015 at 6:02 PM, Andrea Aime <andrea.aime@…1107…> wrote:

Hi Dominik,

this sounds like a bug, but I’m a bit surprised about it, we have quite a bit of automated tests

that should have caught this issue.

Which version of GeoServer are you using?

Cheers

Andrea

On Mon, Nov 30, 2015 at 5:03 PM, Dominik Gärner <Dominik.Gaerner@…7351…> wrote:

I think this is a bug in Geoserver, because the resource should have in this constellation dedicated READ (topp.states.) access. Even if that’s not the case and access is permitted – maybe because the other rule (topp.*.r) is overruling? – than getCapabilities shouldn’t show the resource in HIDE mode.

Can anyone confirm this as a bug?

Regards

Dominik

Von: Dominik Gärner
Gesendet: Freitag, 20. November 2015 10:20
An: ‘geoserver-users@lists.sourceforge.net’
Betreff: unexpected behaviour in layer wise security restrictions

Hi, I found some inconsistencies when setting up a security for single layers.

What I want is, for a specific role and workspace, to set up something like: “Hide/restrict access to all layers except of…”

With a simple set up for the “topp" workspace it would look like this:

..r=*

..w=*

topp.*.r=ADMIN,GROUP_ADMIN

topp.states.r=TEST

mode=HIDE

A GetCapabilities request (and also the layer preview in the browser) for a TEST-user looks like what I’d expect: he sees only the topp.states layer from the topp workspace. But the access to it is still restricted, giving me a 404:resource not available.

Now, setting the mode=CHALLENGE, I can access topp.states. But this workaround isn’t what I want because it exposes all the layers to a getCapabilities request.

Do I misunderstood the security concept or is this a wrong behaviour of Geoserver?

Best Regards

Dominik

–

Dominik Gärner
GRINTEC GmbH
Anzengrubergasse 6, 8010 Graz, Austria
Tel: +43(316)383706-0
mailto:dominik.gaerner@…7351…
http://www.grintec.com

FN 47845k Handelsgericht Graz

---

Go from Idea to Many App Stores Faster with Intel(R) XDK
Give your users amazing mobile app experiences with Intel(R) XDK.
Use one codebase in this all-in-one HTML5 development environment.
Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140

---

Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

–

==

GeoServer Professional Services from the experts! Visit

http://goo.gl/it488V for more information.

==

Geosolutions’ Winter Holidays from 24/12 to 6/1

Ing. Andrea Aime

@geowolf

Technical Lead

GeoSolutions S.A.S.

Via Poggio alle Viti 1187

55054 Massarosa (LU)

Italy

phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

http://www.geo-solutions.it

http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

–

==

GeoServer Professional Services from the experts! Visit

http://goo.gl/it488V for more information.

==

Geosolutions’ Winter Holidays from 24/12 to 6/1

Ing. Andrea Aime

@geowolf

Technical Lead

GeoSolutions S.A.S.

Via Poggio alle Viti 1187

55054 Massarosa (LU)

Italy

phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

http://www.geo-solutions.it

http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.