[Geoserver-users] Version 2.3.0, Security at distinct ws-layer-rule combination

GeoServer GeoServer User
1

Dear all,

I am in a department which is using GeoServer for publishing read-only data only (for now).
The types of data to be published now requires for principal-type-level security to be implemented.
As a GIS-Java-guy I have been assigned the task to look in to that in respect of GeoServer.

For the present I have unzipped the Geoserver.war version 2.3.0, and have made a dynamic web-project for it in Eclipse (Helios). I am now able to deploy and run it in an Eclipse embedded Tomcat 6, and I am able to mess with all data-dir located .xml and .properties files from within Eclipse. So far so good!

According to the User Manual one should be able to specify layer-access-rules-roles associations as per distinct workspace,layer,access specification.

In my experience this only works for (distinct workspace, wildcard layer) combinations (as of WFS – I am not using other layertypes). Distinct ws-layer combinations only seems to work for administration roles, and for non-administration roles it has to be done at wildcard layer level. In practice this means, that I will have to introduce a workspace for each layer. This is not in line with what is promised, when reading the manual.

···

Nevertheless, when trying to do “DescribeFeature” on a layer for a non-administrative role assigned to a distinct ws-layer combination I receive the following output (having set my global-logging-level appropriately):

This is my filter-class’ output:

→ Server:localhost

→ Scheme:http

→ Port:8080

→ Protocol:HTTP/1.1

→ Localname:127.0.0.1

Hdr authorization=Basic c3BzX3NmX2FyY2hzaXRlczoxMjM=

Hdr user-agent=curl/7.28.1

Hdr host=localhost:8080

Hdr accept=/

Param service=WFS

Param service=WFS

Param version=1.0.0

Param version=1.0.0

Param typename=sf:archsites

Param request=GetFeature

Here comes the GS output:

22 mar 04:24:21 TRACE [org.geoserver.ows.OWSHandlerMapping] - No handler mapping found for [/wfs]

22 mar 04:24:21 TRACE [org.geoserver.ows.OWSHandlerMapping] - No handler mapping found for [/wfs]

22 mar 04:24:21 TRACE [org.geoserver.ows.OWSHandlerMapping] - No handler mapping found for [/wfs]

22 mar 04:24:21 DEBUG [org.geoserver.ows.OWSHandlerMapping] - Mapping [/wfs] to HandlerExecutionChain with handler [org.geoserver.ows.Dispatcher@anonymised.com] and 1 interceptor

22 mar 04:24:21 INFO [org.geoserver.wfs] -

Request: getServiceInfo

22 mar 04:24:21 ERROR [org.geoserver.ows] -

org.geoserver.wfs.WFSException: Unknown namespace [sf]

at org.geoserver.wfs.kvp.GetFeatureKvpRequestReader.checkTypeName(GetFeatureKvpRequestReader.java:379)

at org.geoserver.wfs.kvp.GetFeatureKvpRequestReader.read(GetFeatureKvpRequestReader.java:143)

at org.geoserver.ows.Dispatcher.parseRequestKVP(Dispatcher.java:1412)

at org.geoserver.ows.Dispatcher.dispatch(Dispatcher.java:622)

at org.geoserver.ows.Dispatcher.handleRequestInternal(Dispatcher.java:263)

at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:153)

at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:48)

at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)

at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)

at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)

at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:778)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.geoserver.filters.ThreadLocalsCleanupFilter.doFilter(ThreadLocalsCleanupFilter.java:27)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:74)

at org.geoserver.filters.SpringDelegatingFilter.doFilter(SpringDelegatingFilter.java:45)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.geoserver.platform.AdvancedDispatchFilter.doFilter(AdvancedDispatchFilter.java:49)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.vfny.geoserver.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:109)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)

at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)

at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)

at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)

at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)

at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)

at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)

at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)

at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)

at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)

at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)

at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:201)

at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)

at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)

at org.geoserver.security.filter.GeoServerBasicAuthenticationFilter.doFilter(GeoServerBasicAuthenticationFilter.java:82)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)

at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:68)

at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)

at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:46)

at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:72)

at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)

at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)

at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)

at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:103)

at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)

at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:75)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:48)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:47)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at secure.GeoserverSecureFilter.doFilter(GeoserverSecureFilter.java:65)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:263)

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)

at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:584)

at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)

at java.lang.Thread.run(Thread.java:662)

Please note that the “sf” namespace is completely valid. It’s in the demo-set.

Can anybody tell me what’s wrong?

I will be happy to post my configuration, but please try it out yourself. Thanks!

Best regards,

Aron