On Fri, Jul 25, 2014 at 3:37 AM, Mauro Bartolomeoli <
[email protected]> wrote:
> Hi,
> recently I was thinking about what the following sentence should mean:
> "OGC services are supposed to be stateless".
>
> In my opinion, from the security point of view, it means that OGC services
> should completely ignore an eventual security context saved into the user
> session by other Geoserver requests (for example those created by logging
> into the web UI).
>
> Currently this is not true, due to the fact that we always have
> a GeoServerSecurityContextPersistenceFilter in the filter chains, also for
> the OGC services (default) chain.
> The only difference is that the default chain does not create a new
> session, if it does not exist yet, but it uses an existing one. When I say
> it uses the session I do not only mean that it reads security info from the
> session, but it also saves a new one if specified on the request.
>
> Not sure I understand you here. My understanding was that for the default
chain the session integration will never create a new session, only
integrate with an existing one. Am I wrong about that?
> I think we should add one more option to the chains to configure the
> possibility to completely ignore the session for OGC services, in addition
> to the existing "do not create HTTPSession" option.
>
> Agreed. But I would call the option "Session Integration", as it is
referred to by spring security.
Any opinion? Does this make any sense?
>
> Thanks
> Mauro
>
> --
> ==
> GeoServer Professional Services from the experts! Visit
> http://goo.gl/NWWaa2 for more information.
> ==
>
> Dott. Mauro Bartolomeoli
> @mauro_bart
> Senior Software Engineer
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054 Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax: +39 0584 1660272
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
>
> ------------------------------------------------------------------------------
> Want fast and easy access to all the code in your enterprise? Index and
> search up to 200,000 lines of code with a free copy of Black Duck
> Code Sight - the same software that powers the world's largest code
> search on Ohloh, the Black Duck Open Hub! Try it now.
> http://p.sf.net/sfu/bds
> _______________________________________________
> Geoserver-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
>
--
Justin Deoliveira
VP Engineering | Boundless <http://boundlessgeo.com/>
[email protected]
@boundlessgeo <http://twitter.com/boundlessgeo/>
------------------------------------------------------------------------------
Want fast and easy access to all the code in your enterprise? Index and
search up to 200,000 lines of code with a free copy of Black Duck
Code Sight - the same software that powers the world's largest code
search on Ohloh, the Black Duck Open Hub! Try it now.
http://p.sf.net/sfu/bds
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
