Hi all,

I think it would be best to add a method to the GeoServerSecurityManager to check if there is an anonymous authentication.

We already have such a method for checking administrative privileges:

    public boolean checkAuthenticationForAdminRole()

I think something like

    public boolean isAuthenticatedAnonymous()

would be fine.

Cheers
Christian

On Wed, Oct 22, 2014 at 5:37 PM, Ian Schneider <[email protected]> wrote:
> FWIW, I _think_ the reason the AnonymousGeoNodeAuthenticationToken is
> extending UsernamePasswordAuthenticationToken is to hold the cookie value
> that ties the anonymous user to a Django session.
>
> It seems like this could be done differently for sure, especially to play
> well with the proposed functionality or other security aspects that would
> (logically) expect an instanceof AnonymousAuthenticationToken check to
> work.
>
> Thanks for pointing this out :)
>
> On Wed, Oct 22, 2014 at 6:52 AM, Andrea Aime <[email protected]> wrote:
>> Hi Christian,
>> your comment makes me think GeoNode should rethink the way they handle
>> user authentication.
>>
>> Regardless, what about my question? How to best check if the user is the
>> anonymous one?
>>
>> Cheers
>> Andrea
>>
>> On Wed, Oct 22, 2014 at 2:45 PM, Christian Mueller <[email protected]> wrote:
>>> Strange
>>>
>>> Looking at
>>>
>>> https://github.com/GeoNode/geoserver-geonode-ext/blob/master/src/main/java/org/geonode/security/AnonymousGeoNodeAuthenticationToken.java
>>>
>>> I am asking myself two questions:
>>>
>>> 1) Credentials for an anonymous user?
>>> 2) An individual user name for an anonymous user?
>>>
>>> We solve the problem with
>>> GeoServerUser.createAnonymous()
>>>
>>> At a minimum I think they should use
>>>
>>> org.springframework.security.authentication.AnonymousAuthenticationToken
>>>
>>> and we can check with
>>>
>>> SecurityContextHolder.getContext().getAuthentication()
>>>
>>> Just my 2 cents
>>>
>>> On Wed, Oct 22, 2014 at 2:14 PM, Andrea Aime <[email protected]> wrote:
>>>> On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <[email protected]> wrote:
>>>>>> However sometimes we do have the actual user logging in, in that case
>>>>>> I believe we should use that to drive the limits instead of a cookie.
>>>>>>
>>>>>> However... how does one know if the user is the anonymous one?
>>>>>> Just checking if the authentication is an AnonymousAuthenticationToken
>>>>>> seems a bit weak, I've for example noticed that GeoNode has
>>>>>> its own AnonymousGeoNodeAuthenticationToken which is, for some
>>>>>> strange reason, a subclass of UsernamePasswordAuthenticationToken
>>>>>
>>>>> Not sure how to understand. Does GeoNode extend the GeoServer code?
>>>>> I do not know GeoNode but how is the class
>>>>> AnonymousGeoNodeAuthenticationToken injected into GeoServer?
>>>>
>>>> Here: https://github.com/GeoNode/geoserver-geonode-ext
>>>> It seems they are implementing the standard authentication Java
>>>> interfaces to have GeoServer use GeoNode as the user and authentication
>>>> source:
>>>>
>>>> https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security
>>>>
>>>> Cheers
>>>> Andrea
>>>>
>>>> --
>>>> ==
>>>> GeoServer Professional Services from the experts! Visit
>>>> http://goo.gl/NWWaa2 for more information.
>>>> ==
>>>>
>>>> Ing. Andrea Aime
>>>> @geowolf
>>>> Technical Lead
>>>>
>>>> GeoSolutions S.A.S.
>>>> Via Poggio alle Viti 1187
>>>> 55054 Massarosa (LU)
>>>> Italy
>>>> phone: +39 0584 962313
>>>> fax: +39 0584 1660272
>>>> mob: +39 339 8844549
>>>>
>>>> http://www.geo-solutions.it
>>>> http://twitter.com/geosolutions_it
>>>>
>>>> *NOTICE PURSUANT TO LEGISLATIVE DECREE 196/2003*
>>>>
>>>> The information contained in this e-mail message and/or in the attached
>>>> file(s) is to be considered strictly confidential. Its use is permitted
>>>> exclusively to the addressee of the message, for the purposes indicated
>>>> in the message itself. Should you receive this message without being its
>>>> addressee, we kindly ask you to notify us by e-mail and to destroy the
>>>> message, deleting it from your system. Keeping the message, disclosing
>>>> it even in part, distributing it to other parties, copying it, or using
>>>> it for other purposes constitutes conduct contrary to the principles
>>>> laid down by Legislative Decree 196/2003.
>>>>
>>>> The information in this message and/or attachments is intended solely
>>>> for the attention and use of the named addressee(s) and may be confidential
>>>> or proprietary in nature or covered by the provisions of the privacy act
>>>> (Legislative Decree June 30, 2003, no. 196 - Italy's New Data Protection
>>>> Code). Any use not in accord with its purpose, any disclosure, reproduction,
>>>> copying, distribution, or dissemination, either whole or partial, is
>>>> strictly forbidden except with previous formal approval of the named
>>>> addressee(s). If you are not the intended recipient, please contact
>>>> the sender immediately by telephone, fax or e-mail and delete the
>>>> information in this message that has been received in error. The sender
>>>> does not give any warranty or accept liability as to the content, accuracy or
>>>> completeness of sent messages and accepts no responsibility for changes
>>>> made after they were sent or for other risks which arise as a result of
>>>> e-mail transmission, viruses, etc.
>>>>
>>>> -------------------------------------------------------
>>>
>>> --
>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>> OSS Open Source Solutions GmbH
>>
>> _______________________________________________
>> Geoserver-devel mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
> --
> Ian Schneider
> Software Engineer | Boundless <http://boundlessgeo.com>
> [email protected]
> 1-877-673-6436
> @boundlessgeo <http://twitter.com/boundlessgeo/>

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
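The check discussed in this thread, as an added example that is neither GeoServer's nor GeoNode's code: a hypothetical helper named AnonymousCheck with the isAuthenticatedAnonymous() method Christian proposes, built on Spring Security's own AuthenticationTrustResolverImpl rather than a bare instanceof, and failing closed (no authentication, or an unauthenticated token, is treated as anonymous so the stricter limits apply). The nested CookieAnonymousToken class is a constructed stand-in for the pattern Andrea and Ian describe, an "anonymous" token that extends UsernamePasswordAuthenticationToken to carry a session cookie; its name, the cookie value and the role names are assumptions for the demonstration.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical helper (example code, not part of GeoServer) showing how an
 * isAuthenticatedAnonymous() method could classify the current request.
 */
public final class AnonymousCheck {

    // Spring Security's resolver: true for AnonymousAuthenticationToken and its subclasses.
    private static final AuthenticationTrustResolver TRUST_RESOLVER =
            new AuthenticationTrustResolverImpl();

    private AnonymousCheck() {}

    /** Reads the current security context, as suggested in the thread. */
    public static boolean isAuthenticatedAnonymous() {
        return isAnonymous(SecurityContextHolder.getContext().getAuthentication());
    }

    /**
     * Fail closed: a missing or unauthenticated token counts as anonymous, so a
     * caller that derives access limits from this answer applies the stricter
     * anonymous limits rather than those meant for a known user.
     */
    public static boolean isAnonymous(Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return true;
        }
        return TRUST_RESOLVER.isAnonymous(auth);
    }

    /**
     * Constructed stand-in for the pattern criticised in the thread: an "anonymous"
     * token that extends UsernamePasswordAuthenticationToken to hold a session cookie.
     * Because it is not an AnonymousAuthenticationToken, the check above does not
     * recognise it as anonymous.
     */
    static final class CookieAnonymousToken extends UsernamePasswordAuthenticationToken {
        CookieAnonymousToken(String cookie) {
            // Three-argument constructor marks the token as authenticated.
            super("anonymous", cookie, AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        }
    }

    public static void main(String[] args) {
        // AnonymousAuthenticationToken requires a non-empty authority list.
        Authentication springAnonymous = new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        Authentication signedInUser = new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_AUTHENTICATED"));
        // Constructed sample cookie value, not a real session.
        Authentication cookieAnonymous = new CookieAnonymousToken("sessionid=sample-value");

        System.out.println("Spring AnonymousAuthenticationToken : " + isAnonymous(springAnonymous));
        System.out.println("signed-in user                       : " + isAnonymous(signedInUser));
        System.out.println("no authentication at all             : " + isAnonymous(null));
        System.out.println("cookie-carrying 'anonymous' subclass : " + isAnonymous(cookieAnonymous));

        // The same check driven from the security context, as a filter or service would use it.
        SecurityContextHolder.getContext().setAuthentication(springAnonymous);
        try {
            System.out.println("isAuthenticatedAnonymous() from context : " + isAuthenticatedAnonymous());
        } finally {
            SecurityContextHolder.clearContext();
        }
    }
}
```

Running main prints true for the Spring anonymous token and for a missing authentication, false for the signed-in user, and false for the cookie-carrying subclass: that last line is the weakness the thread points at, since a token that merely behaves like an anonymous one but does not derive from AnonymousAuthenticationToken is classified as a real user and would receive that user's less restrictive limits. The fix belongs on the token side, as Ian suggests: derive the anonymous token from AnonymousAuthenticationToken (or use GeoServerUser.createAnonymous()) so that both Spring Security's resolver and any isAuthenticatedAnonymous() method agree on what "anonymous" means.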
