Hi Christian and all,
I prepared the related (trivial) pull request here:
https://github.com/geoserver/geoserver/pull/1899
Mauro
2016-10-20 9:20 GMT+02:00 Christian Mueller <
christian.muel...@os-solutions.at>:
> Hi Mauro
>
> I tested the first patch in my online test environment --> no issues,
> seems to be correct.
>
> The second patch is not up to date, the code does not contain a call
>
> getHandler().recordSession(httpReq);
>
> I think we should apply the first patch.
>
> Christian
>
>
> On Wed, Oct 19, 2016 at 12:22 PM, Mauro Bartolomeoli <
> mauro.bartolome...@geo-solutions.it> wrote:
>
>> Hi everybody,
>> I was asked by one of our customers to investigate if
>> https://osgeo-org.atlassian.net/browse/GEOS-6189 is still current and if
>> we can apply the patch that's attached to the JIRA ticket.
>>
>> Basically, they are experiencing some issues with single sign out.
>>
>> I will try to explain what I have understood so far about the proposed
>> patches.
>>
>> *First patch:*
>>
>> In GeoServerCasAuthenticationFilter there is some code to handle single
>> sign out:
>>
>> if (isLogoutRequest(httpReq)) {
>> if (singleSignOut) { // do we participate
>> LOGGER.info("Single Sign Out received from CAS server -->
>> starting log out");
>> handler.process(httpReq, httpRes);
>> LogoutFilterChain logOutChain = (LogoutFilterChain)
>>
>> getSecurityManager().getSecuri
>> tyConfig().getFilterChain().getRequestChainByName("webLogout");
>> logOutChain.doLogout(getSecurityManager(), httpReq,
>> httpRes,getName());
>>
>> } else
>> LOGGER.info("Single Sign Out received from CAS server -->
>> ignoring");
>> return;
>> }
>>
>> The handler.process(...) call is handling the CAS related logout, but it
>> seems that doing that before calling the GeoServer logout chaing is the
>> cause of issues, so we suggest to move the code this way:
>>
>> if (isLogoutRequest(httpReq)) {
>> if (singleSignOut) { // do we participate
>> LOGGER.info("Single Sign Out received from CAS server -->
>> starting log out");
>> LogoutFilterChain logOutChain = (LogoutFilterChain)
>> getSecurityManager().getSecuri
>> tyConfig().getFilterChain().getRequestChainByName("webLogout");
>> logOutChain.doLogout(getSecurityManager(), httpReq,
>> httpRes,getName());
>> handler.process(httpReq, httpRes);
>> } else
>> LOGGER.info("Single Sign Out received from CAS server -->
>> ignoring");
>> return;
>> }
>>
>> This makes sense to me and I did some tests to see if it breaks the
>> logout scenario, with no issues.
>>
>> *Second patch:*
>>
>> Another piece of code is registering the CAS token when available so that
>> it can be used during the single logut procedure.
>>
>> if (SecurityContextHolder.getContext().getAuthentication()!=null) {
>> HttpSession session = httpReq.getSession(false);
>>
>> if (session !=null &&
>> session.getAttribute(GeoServer
>> CasConstants.CAS_ASSERTION_KEY)!=null && singleSignOut) {
>> handler.process(httpReq, httpRes);
>>
>> if (LOGGER.isLoggable(Level.INFO))
>> LOGGER.info("Record HTTP Session "+session.getId()+ "
>> for CAS single sign out");
>> }
>> }
>>
>> The patch proposes to remove this piece of code, but in my opinion this
>> is not correct, since then the single sign out procedure would not be able
>> to find the token when needed.
>>
>> My idea would be to apply only the first patch, and I will prepare a pull
>> request for that. Is there any CAS expert out there that can give me
>> advices on this?
>>
>> Thanks
>> Mauro
>>
>> --
>> ==
>> GeoServer Professional Services from the experts! Visit
>> http://goo.gl/it488V for more information.
>> ==
>>
>> Dott. Mauro Bartolomeoli
>> @mauro_bart
>> Senior Software Engineer
>>
>> GeoSolutions S.A.S.
>> Via di Montramito 3/A
>> 55054 Massarosa (LU)
>> Italy
>> phone: +39 0584 962313
>> fax: +39 0584 1660272
>>
>> http://www.geo-solutions.it
>> http://twitter.com/geosolutions_it
>>
>> -------------------------------------------------------
>>
>> *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
>>
>> Le informazioni contenute in questo messaggio di posta elettronica e/o
>> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
>> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>> darcene notizia via e-mail e di procedere alla distruzione del messaggio
>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
>> principi dettati dal D.Lgs. 196/2003.
>>
>>
>>
>> The information in this message and/or attachments, is intended solely
>> for the attention and use of the named addressee(s) and may be confidential
>> or proprietary in nature or covered by the provisions of privacy act
>> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>> Code).Any use not in accord with its purpose, any disclosure, reproduction,
>> copying, distribution, or either dissemination, either whole or partial, is
>> strictly forbidden except previous formal approval of the named
>> addressee(s). If you are not the intended recipient, please contact
>> immediately the sender by telephone, fax or e-mail and delete the
>> information in this message that has been received in error. The sender
>> does not give any warranty or accept liability as the content, accuracy or
>> completeness of sent messages and accepts no responsibility for changes
>> made after they were sent or for other risks which arise as a result of
>> e-mail transmission, viruses, etc.
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Geoserver-devel mailing list
>> Geoserver-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>>
>
>
> --
> DI Christian Mueller MSc (GIS), MSc (IT-Security)
> OSS Open Source Solutions GmbH
>
>
--
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==
Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
