Luca Pasquali *created* an issue

GeoServer / Bug / GEOS-10209: login as root:<masterpassword> is not working in geoserver
https://osgeo-org.atlassian.net/browse/GEOS-10209

Issue Type: Bug
Affects Versions: 2.18.5, 2.19.3
Assignee: Unassigned
Components: Security
Created: 20/Aug/21 4:32 PM
Environment:

any verified in:

* platform independent binary
* docker image

Priority: Medium
Reporter: Luca Pasquali

Easily reproducible by starting up a geoserver instance, then:
0) I log in to geoserver as admin
1) I dump the master password to a file (it should be geoserver)
2) I log out from geoserver as admin
3) I try to log in as user root with password "geoserver" - *it does not work*
4) I try to change the master password to something else in the GUI or by REST - all ok
5) I try to log in again - it does not work either.
```log
2021-08-20 16:11:31,357 WARN [org.geoserver.security] - Failed login, user root from [0:0:0:0:0:0:0:1]
2021-08-20 16:11:31,357 INFO [org.geoserver.security] - Brute force attack prevention, delaying login for 1997ms
2021-08-20 16:11:33,354 DEBUG [org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Authentication request failed: org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
org.springframework.security.authentication.ProviderNotFoundException: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:232)
at org.geoserver.security.GeoServerSecurityManager$1.authenticate(GeoServerSecurityManager.java:313)
at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:74)
at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter.doFilter(GeoServerUserNamePasswordAuthenticationFilter.java:122)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:70)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:52)
at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:74)
at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:334)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:215)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:178)
at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:142)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:358)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:271)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:101)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:77)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:47)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:46)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:42)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:201)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:191)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
at java.base/java.lang.Thread.run(Thread.java:829)
2021-08-20 16:11:33,355 DEBUG [org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Updated SecurityContextHolder to contain null Authentication
2021-08-20 16:11:33,355 DEBUG [org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter$1] - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@7f445dda
2021-08-20 16:11:33,355 DEBUG [org.geoserver.security.rememberme.GeoServerTokenBasedRememberMeServices] - Interactive login attempt was unsuccessful.
2021-08-20 16:11:33,356 DEBUG [org.geoserver.security.rememberme.GeoServerTokenBasedRememberMeServices] - Cancelling cookie
2021-08-20 16:11:33,356 DEBUG [org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed
2021-08-20 16:11:33,359 DEBUG [org.geoserver.security.IncludeQueryStringAntPathRequestMatcher] - Checking match of request : 'Path: /web/wicket/bookmarkable/org.geoserver.web.geoserverloginpage, QueryString: error=true'; against '/web/**'
2021-08-20 16:11:33,359 DEBUG [org.geoserver.security.IncludeQueryStringAntPathRequestMatcher] - Matched Path: /web/wicket/bookmarkable/org.geoserver.web.geoserverloginpage, QueryString: error=true with /web/**
```

This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100174-sha1:8523140)
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
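
A triage sketch for logs like the one in this report, added here as an example and not part of the original issue or of GeoServer's code: it rejoins the hard-wrapped records and pairs each `Failed login` line with the delay and exception class logged after it, so a `ProviderNotFoundException` (no provider returned a result for the token) can be told apart from a provider rejecting the password. The function names and the shortened sample are constructed, and pairing by order assumes one login attempt at a time.

```python
import re

# Constructed sample: a shortened excerpt in the hard-wrapped layout of the report's log.
SAMPLE = """\
2021-08-20 16:11:31,357 WARN [org.geoserver.security] - Failed login, user root
from [0:0:0:0:0:0:0:1]
2021-08-20 16:11:31,357 INFO [org.geoserver.security] - Brute force attack
prevention, delaying login for 1997ms
2021-08-20 16:11:33,354 DEBUG
[org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter$1]
- Authentication request failed:
org.springframework.security.authentication.ProviderNotFoundException: No
AuthenticationProvider found for
org.springframework.security.authentication.UsernamePasswordAuthenticationToken
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:232)
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
FAILED = re.compile(r"Failed login, user (\S+) from \[([^\]]+)\]")
DELAY = re.compile(r"delaying login for (\d+)ms")
CAUSE = re.compile(r"Authentication request failed: ([\w.$]+Exception)")

def unwrap(text):
    """Join hard-wrapped lines (stack frames included) into one string per record."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def failed_logins(text):
    """Pair each failed login with the delay and exception class that follow it.
    Assumption: attempts are not interleaved, so order alone links the records."""
    events = []
    for rec in unwrap(text):
        if m := FAILED.search(rec):
            events.append({"time": rec[:23], "user": m.group(1),
                           "source": m.group(2), "delay_ms": None, "cause": None})
        elif events and (m := DELAY.search(rec)):
            events[-1]["delay_ms"] = int(m.group(1))
        elif events and (m := CAUSE.search(rec)):
            events[-1]["cause"] = m.group(1).rsplit(".", 1)[-1]
    return events

def no_provider_answered(event):
    """True when the failure was a missing provider result, not a rejected password."""
    return event["cause"] == "ProviderNotFoundException"
```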
