Hey Christian,
Bringing the convo back on the public list since I think it’s important
info for other devs and the PSC.
To answer the question I left the spring-security dependency as is because
I was able to upgrade the spring dependency without it. While I don’t
specifically have a need to upgrade spring security at the moment I think
it’s a bad thing for the project to stay on an unmaintained version of it.
And it will limit our ability to upgrade spring any further because moving
to the core spring 4.x series will require an upgrade of spring-security to
at least the 3.2.x version.
To recap the issues with spring-security upgrade:
1. Moving to latest 3.2.x is doable safely except for the problems in the
cas module.
2. Moving to spring security 4.x is pretty much a no go at this point with
the way the security subsystem is architected because it relies on some
setter methods (which allow us to re-configure settings on the fly). Those
setters are removed in the latest spring security and say to use
constructor injection. This is a problem because those classes are
singletons which means we can no longer re-configure them on the fly.
I think I wrote up some options to address (2) in a previous email but I’ll
re-iterate here.
Option A: Simply require a GeoServer restart after changing security
settings (authentication providers or security filters).
Option B: Do a major refactor of GeoServerSecurityManager and
GeoServerFIlterChain so that instead of extending the spring security
classes they delegate to them. That way the SS can be re-instantiated as
needed when settings change.
Let me know if that all makes sense.
-Justin
On Mon, Nov 16, 2015 at 8:57 AM, Christian Mueller <
christian.muel...@os-solutions.at> wrote:
> Hi Justin
>
> I checked out your latest version of your "spring_upgrade" branch and I
> have seen you changed the spring-security version back to 3.0.5-RELEASE. Do
> you have a need to migrate to 3.2.9 ?
>
> Cheers
> Christian
>
> On Thu, Nov 12, 2015 at 10:49 AM, Christian Mueller <
> christian.muel...@os-solutions.at> wrote:
>
>> @Justin, not so far, I hope to get a time gap at the weekend.
>>
>> Christian
>>
>> On Sat, Nov 7, 2015 at 6:14 PM, Justin Deoliveira <jdeol...@gmail.com>
>> wrote:
>>
>>> Circling back on this one. So until the cas issue can be sorted out it
>>> looks like any upgrade to spring security is a no go. I was however able to
>>> update the base spring version to the latest 3.2 version. That at least
>>> gets us onto a version that is currently still being maintained, albeit
>>> probably for not much longer. Here is the pull request.
>>>
>>> https://github.com/geoserver/geoserver/pull/1327
>>>
>>> @Christian: any luck looking at the cas issue?
>>>
>>>
>>>
>>> On Sun, Oct 25, 2015 at 10:23 AM, Christian Mueller <
>>> christian.muel...@os-solutions.at> wrote:
>>>
>>>> Hi Justin
>>>>
>>>> Currently we use cas-client-core.jar version 3.1.12, the new version of
>>>> spring security needs version 3.3.3.
>>>>
>>>> The API of org.jasig.cas.client.session.SingleSignOutHandler has
>>>> changed. This is the reason for the compile errors.
>>>>
>>>> Not easy to solve, will have a lookt at it.
>>>>
>>>> Cheers
>>>> Christian
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Sat, Oct 24, 2015 at 6:43 PM, Justin Deoliveira <jdeol...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hey Christian,
>>>>>
>>>>> Yes, I was planning to upgrade spring security as well. Unfortunately
>>>>> that is not proving to be very easy.
>>>>>
>>>>> I tried jumping to 4.x but indeed the deprecated apis we are using are
>>>>> now gone. This impacts two of the most important classes in our security
>>>>> framework, one of them being GeoserverSecurityManager which more or less
>>>>> controls everything. Basically the base classes we are extending no long
>>>>> expose setter methods for various properties, with the only option begin
>>>>> to
>>>>> use constructor injection. Which is a major problem because we rely on
>>>>> those methods to change security configuration after the fact. I am not
>>>>> sure how to solve that… thoughts I have had (none of which are ideal).
>>>>>
>>>>> 1. Update GeoServerSecurityManager and GeoServerFilterChain to be
>>>>> non-singletons so we can re-instantiate them when configuration changes.
>>>>> This would be a pretty far reaching change, especially for the
>>>>> dependencies
>>>>> of GeoServerSecurityManager.
>>>>>
>>>>> 2. Require the user to restart GeoServer after making security
>>>>> configuration changes, or at least some kind of changes, basically when
>>>>> changing a provider or a filter.
>>>>>
>>>>> 3. Copy + modify versions of the base class from spring security into
>>>>> our codebase… and re-instate those method we need. A pretty ugly hack :)
>>>>>
>>>>> Anyways, all things considered that is a little dirtier than I can
>>>>> afford to get my hands :) So I was thinking for now just upgrading to the
>>>>> latest 3.x versions. However that also leads to some issues in the cas
>>>>> module. Knowing nothing about how the cas extensions work I’m not seeing
>>>>> obvious alternatives to the method calls we were using.
>>>>>
>>>>> If you would be willing to take a look that would be awesome in case
>>>>> it’’s obvious what to do. I’ve pushed the current changes up to a branch
>>>>> in
>>>>> my git repo:
>>>>>
>>>>> https://github.com/jdeolive/geoserver/tree/spring-upgrade
>>>>>
>>>>> Everything should compile up to extension/security/cas.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> -Justin
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Oct 24, 2015 at 5:45 AM, Christian Mueller <
>>>>> christian.muel...@os-solutions.at> wrote:
>>>>>
>>>>>> HI Justin
>>>>>>
>>>>>> Do you plan to migrate Spring Security too ? Maybe we are using some
>>>>>> depricated APIs, please let me know.
>>>>>>
>>>>>> Christian
>>>>>>
>>>>>> On Fri, Oct 23, 2015 at 10:07 PM, Justin Deoliveira <
>>>>>> jdeol...@gmail.com> wrote:
>>>>>>
>>>>>>> Great, thanks guys. I’ll report back when I make some progress.
>>>>>>>
>>>>>>> On Fri, Oct 23, 2015 at 1:37 PM, Andrea Aime <
>>>>>>> andrea.a...@geo-solutions.it> wrote:
>>>>>>>
>>>>>>>> On Fri, Oct 23, 2015 at 9:21 PM, Jody Garnett <
>>>>>>>> jody.garn...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> +1 Now is the time with a fresh master branch.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Agreed, +1
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>> Andrea
>>>>>>>>
>>>>>>>> --
>>>>>>>> ==
>>>>>>>> GeoServer Professional Services from the experts! Visit
>>>>>>>> http://goo.gl/it488V for more information.
>>>>>>>> ==
>>>>>>>>
>>>>>>>> Ing. Andrea Aime
>>>>>>>> @geowolf
>>>>>>>> Technical Lead
>>>>>>>>
>>>>>>>> GeoSolutions S.A.S.
>>>>>>>> Via Poggio alle Viti 1187
>>>>>>>> 55054 Massarosa (LU)
>>>>>>>> Italy
>>>>>>>> phone: +39 0584 962313
>>>>>>>> fax: +39 0584 1660272
>>>>>>>> mob: +39 339 8844549
>>>>>>>>
>>>>>>>> http://www.geo-solutions.it
>>>>>>>> http://twitter.com/geosolutions_it
>>>>>>>>
>>>>>>>> *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
>>>>>>>>
>>>>>>>> Le informazioni contenute in questo messaggio di posta elettronica
>>>>>>>> e/o nel/i file/s allegato/i sono da considerarsi strettamente
>>>>>>>> riservate. Il
>>>>>>>> loro utilizzo è consentito esclusivamente al destinatario del
>>>>>>>> messaggio,
>>>>>>>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>>>>>>>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>>>>>>>> darcene notizia via e-mail e di procedere alla distruzione del
>>>>>>>> messaggio
>>>>>>>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio
>>>>>>>> stesso,
>>>>>>>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>>>>>>>> utilizzarlo per finalità diverse, costituisce comportamento contrario
>>>>>>>> ai
>>>>>>>> principi dettati dal D.Lgs. 196/2003.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> The information in this message and/or attachments, is intended
>>>>>>>> solely for the attention and use of the named addressee(s) and may be
>>>>>>>> confidential or proprietary in nature or covered by the provisions of
>>>>>>>> privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New
>>>>>>>> Data
>>>>>>>> Protection Code).Any use not in accord with its purpose, any
>>>>>>>> disclosure,
>>>>>>>> reproduction, copying, distribution, or either dissemination, either
>>>>>>>> whole
>>>>>>>> or partial, is strictly forbidden except previous formal approval of
>>>>>>>> the
>>>>>>>> named addressee(s). If you are not the intended recipient, please
>>>>>>>> contact
>>>>>>>> immediately the sender by telephone, fax or e-mail and delete the
>>>>>>>> information in this message that has been received in error. The sender
>>>>>>>> does not give any warranty or accept liability as the content,
>>>>>>>> accuracy or
>>>>>>>> completeness of sent messages and accepts no responsibility for
>>>>>>>> changes
>>>>>>>> made after they were sent or for other risks which arise as a result of
>>>>>>>> e-mail transmission, viruses, etc.
>>>>>>>>
>>>>>>>> -------------------------------------------------------
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Geoserver-devel mailing list
>>>>>>> Geoserver-devel@lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>>>> OSS Open Source Solutions GmbH
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>> OSS Open Source Solutions GmbH
>>>>
>>>>
>>>
>>
>>
>> --
>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>> OSS Open Source Solutions GmbH
>>
>>
>
>
> --
> DI Christian Mueller MSc (GIS), MSc (IT-Security)
> OSS Open Source Solutions GmbH
>
>
------------------------------------------------------------------------------
Presto, an open source distributed SQL query engine for big data, initially
developed by Facebook, enables you to easily query your data on Hadoop in a
more interactive manner. Teradata is also now providing full enterprise
support for Presto. Download a free open source copy now.
http://pubads.g.doubleclick.net/gampad/clk?id=250295911&iu=/4140
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
