On Thu, Oct 23, 2014 at 12:19 AM, Christian Mueller <[email protected]> wrote:

> Hi all
>
> I think it would be best to add a method to the GeoServerSecurityManager to check if there is an anonymous authentication.
>
> We already have such a method for checking administrative privileges
>
> public boolean checkAuthenticationForAdminRole()
>
> I think something like
>
> public boolean isAuthenticatedAnonymous()
>
> would be fine.

+1. Although being the consistent naming nanny can we call it something like "checkAuthenticationForAnonymous()"? :)

> Cheers
> Christian
>
> On Wed, Oct 22, 2014 at 5:37 PM, Ian Schneider <[email protected]> wrote:
>
>> FWIW, I _think_ the reason the AnonymousGeoNodeAuthenticationToken is extending UsernamePasswordAuthenticationToken is to hold the cookie value that ties the anonymous user to a Django session.
>>
>> It seems like this could be done differently for sure, especially to play well with the proposed functionality or other security aspects that would (logically) expect an instanceof AnonymousAuthenticationToken check to work.
>>
>> Thanks for pointing this out :)
>>
>> On Wed, Oct 22, 2014 at 6:52 AM, Andrea Aime <[email protected]> wrote:
>>
>>> Hi Christian,
>>> your comment makes me think GeoNode should rethink the way they handle user authentication.
>>>
>>> Regardless, what about my question? How to best check if the user is the anonymous one?
>>>
>>> Cheers
>>> Andrea
>>>
>>> On Wed, Oct 22, 2014 at 2:45 PM, Christian Mueller <[email protected]> wrote:
>>>
>>>> Strange
>>>>
>>>> Looking at
>>>>
>>>> https://github.com/GeoNode/geoserver-geonode-ext/blob/master/src/main/java/org/geonode/security/AnonymousGeoNodeAuthenticationToken.java
>>>>
>>>> I am asking myself two questions
>>>>
>>>> 1) Credentials for an anonymous user?
>>>> 2) An individual user name for an anonymous user?
>>>>
>>>> We solve the problem with
>>>> GeoServerUser.createAnonymous()
>>>>
>>>> At a minimum I think they should use
>>>>
>>>> org.springframework.security.authentication.AnonymousAuthenticationToken
>>>>
>>>> and we can check with
>>>>
>>>> SecurityContextHolder.getContext().getAuthentication()
>>>>
>>>> Just my 2 cents
>>>>
>>>> On Wed, Oct 22, 2014 at 2:14 PM, Andrea Aime <[email protected]> wrote:
>>>>
>>>>> On Wed, Oct 22, 2014 at 1:12 PM, Christian Mueller <[email protected]> wrote:
>>>>>
>>>>>>> However sometimes we do have the actual user logging in, in that case I believe we should use that to drive the limits instead of a cookie.
>>>>>>>
>>>>>>> However... how does one know if the user is the anonymous one? Just checking if the authentication is an AnonymousAuthenticationToken seems a bit weak, I've for example noticed that GeoNode has its own AnonymousGeoNodeAuthenticationToken which is, for some strange reason, a subclass of UsernamePasswordAuthenticationToken
>>>>>>
>>>>>> Not sure how to understand. Does GeoNode extend the GeoServer code? I do not know GeoNode but how is the class AnonymousGeoNodeAuthenticationToken injected into GeoServer?
>>>>>
>>>>> Here: https://github.com/GeoNode/geoserver-geonode-ext
>>>>> It seems they are implementing the standard authentication java interfaces to have GeoServer use GeoNode as the user and authentication source:
>>>>>
>>>>> https://github.com/GeoNode/geoserver-geonode-ext/tree/master/src/main/java/org/geonode/security
>>>>>
>>>>> Cheers
>>>>> Andrea
>>>>>
>>>>> --
>>>>> Ing. Andrea Aime
>>>>> @geowolf
>>>>> Technical Lead
>>>>> GeoSolutions S.A.S.
>>>>> http://www.geo-solutions.it
>>>>> http://twitter.com/geosolutions_it
>>>>
>>>> --
>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>> OSS Open Source Solutions GmbH
>>>
>>> --
>>> Ing. Andrea Aime
>>> @geowolf
>>> Technical Lead
>>> GeoSolutions S.A.S.
>>> http://www.geo-solutions.it
>>
>> --
>> Ian Schneider
>> Software Engineer | Boundless <http://boundlessgeo.com>
>> [email protected]
>> 1-877-673-6436
>> @boundlessgeo <http://twitter.com/boundlessgeo/>
>
> --
> DI Christian Mueller MSc (GIS), MSc (IT-Security)
> OSS Open Source Solutions GmbH

--
Justin Deoliveira
VP Engineering | Boundless <http://boundlessgeo.com/>
[email protected]
@boundlessgeo <http://twitter.com/boundlessgeo/>

------------------------------------------------------------------------------
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
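The check the thread converges on, written out as an added example that is not part of the original messages and not code from GeoServer or GeoNode. It uses only Spring Security core classes (assumed to be on the classpath). The method name follows Justin's suggested `checkAuthenticationForAnonymous()`; the `ROLE_ANONYMOUS` role name used as a fallback is an assumption, and `CookieBackedAnonymousToken` is a hypothetical stand-in for a token that, like the GeoNode one described above, extends `UsernamePasswordAuthenticationToken` and therefore fails a plain `instanceof AnonymousAuthenticationToken` test. The example goes slightly beyond the thread by combining the `instanceof` test with an authority-based fallback so that such tokens are still recognised as anonymous.

```java
// Added example, not GeoServer/GeoNode code: an "is this authentication anonymous?"
// check in the spirit of the thread, built on Spring Security core only.
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

import java.util.Collection;

public class AnonymousCheckDemo {

    // Assumption: the anonymous role is named ROLE_ANONYMOUS, which is what
    // Spring Security's AnonymousAuthenticationFilter grants by default.
    static final String ANONYMOUS_ROLE = "ROLE_ANONYMOUS";

    /** Name taken from Justin's proposal; reads the current security context. */
    static boolean checkAuthenticationForAnonymous() {
        return isAnonymous(SecurityContextHolder.getContext().getAuthentication());
    }

    /**
     * Anonymous means: no token at all, a token that is not authenticated, the
     * standard AnonymousAuthenticationToken, or (fallback) a token carrying nothing
     * but the anonymous role. The fallback catches tokens that do not extend
     * AnonymousAuthenticationToken, which is exactly the weakness of a bare instanceof.
     */
    static boolean isAnonymous(Authentication auth) {
        if (auth == null || !auth.isAuthenticated()) {
            return true;
        }
        if (auth instanceof AnonymousAuthenticationToken) {
            return true;
        }
        Collection<? extends GrantedAuthority> granted = auth.getAuthorities();
        return !granted.isEmpty()
                && granted.stream().allMatch(a -> ANONYMOUS_ROLE.equals(a.getAuthority()));
    }

    /**
     * Hypothetical stand-in (not GeoNode's class) for a token that subclasses
     * UsernamePasswordAuthenticationToken just to carry a session cookie.
     */
    static class CookieBackedAnonymousToken extends UsernamePasswordAuthenticationToken {
        final String sessionCookie;

        CookieBackedAnonymousToken(String sessionCookie) {
            // three-argument constructor marks the token as authenticated
            super("anonymous", null, AuthorityUtils.createAuthorityList(ANONYMOUS_ROLE));
            this.sessionCookie = sessionCookie;
        }
    }

    /** Installs the token in the context and prints both checks side by side. */
    static void report(String label, Authentication auth) {
        SecurityContextHolder.getContext().setAuthentication(auth);
        System.out.printf("%-28s instanceof: %-5s helper: %s%n", label,
                auth instanceof AnonymousAuthenticationToken,
                checkAuthenticationForAnonymous());
    }

    public static void main(String[] args) {
        // Constructed sample tokens; key, principal and cookie values are placeholders.
        report("AnonymousAuthenticationToken", new AnonymousAuthenticationToken(
                "anonymous-key", "anonymousUser",
                AuthorityUtils.createAuthorityList(ANONYMOUS_ROLE)));
        report("logged-in user", new UsernamePasswordAuthenticationToken(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_AUTHENTICATED")));
        report("cookie-backed anonymous", new CookieBackedAnonymousToken("cookie-placeholder"));
        SecurityContextHolder.clearContext();
        report("no authentication at all", null);
    }
}
```

Compile and run with spring-security-core on the classpath. The cookie-backed token is the interesting row: the `instanceof` column reports it as not anonymous while the helper recognises it through its authorities, which is the gap Andrea's original question points at. The fallback is only as good as the role assignment, so a provider that hands `ROLE_ANONYMOUS` to real users, or extra roles to anonymous ones, would defeat it; the cleaner fix remains the one Christian suggests, having such tokens extend `AnonymousAuthenticationToken` in the first place.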
