Forwarding along a message from an OpenGeo employee who'll be working with us to get the security integration working in time for the beta. This was originally sent to an internal list.
On 07/08/2010 05:45 AM, Andrea Aime wrote: > Hi all, > my name's Andrea Aime, I work for OpenGeo as a GeoServer core developer > and I've recently being tasked to improve the security integration > between GeoServer and GeoNode. > > The integration should make it so that GeoServer delegates to GeoNode > for the authentication, in a way that provides: > - single sign on, in case the authentication has been already performed > against GeoNode > - user and authorizations sharing, in case a desktop application > hits directly GeoServer with basic authentication (which is pretty > much the only kind of authentication all desktop products consistently > support) > > David has collected some notes on how this should happen protocol > wise: > http://atlas.openplans.org/~dwinslow/geonode-spec/spec/technical/geonode-core/geoserver/permissions.html > > > > Implementation wise the GeoServer security subsystem is still not > pluggable enough and the work has to be done against GS 2.0.x, > so a mini-fork is required. > > The data security requires two things: > - An authentication phase, which uses the above protocols. To do > that we need to replace the normal GS Acegi filter chain > with a custom one, that will require _one_ change in web.xml > (thus the mini-fork ;-) ) > - An authorization phase, in which the informations collected > during the auth phase are used to decide which layers a user > can access (and whether she can write on them). For this we > get lucky and we can use the already existing pluggable > authorization system of GeoServer, writing a new GeoNode specific > plugin for it. > > I discussed a bit with David, GeoNode already has a modified > GeoServer app module, we just need to modify a bit more then > web.xml to point it to a new filter chain. > > And then we need a new module where we can keep the GeoNode > specific bits. Either that, or we add them directly into > the existing GeoNode app module clone. > > I personally would prefer things modularized, but it's just > me. Let me know which way you like the most. > > In the meantime I'll start working in my git local clone, > I can move stuff as we see fit before committing them. > > Ah, since I have no GeoNode counterpart to test against > for the moment I'll develop everything but the network > communication part. > > I'll keep you appraised as I make progress > > Cheers > Andrea >
