Alessio Fabiani (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A0027cfac-890c-48e1-8af0-974f12f7b9dc) *created* an issue

GeoServer (https://osgeo-org.atlassian.net/browse/GEOS) / Bug GEOS-11036 (https://osgeo-org.atlassian.net/browse/GEOS-11036): The OAuth2/OIDC security filters do not work as expected anymore after the spring-security-core dependency update to 5.7.8

Issue Type: Bug
Assignee: Unassigned
Created: 19/Jun/23 2:56 PM
Priority: Medium
Reporter: Alessio Fabiani (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A0027cfac-890c-48e1-8af0-974f12f7b9dc)

Recently the spring-security-core dependency of GeoServer has been upgraded due
to a security fix, as per https://github.com/geoserver/geoserver/pull/6830

The upgrade introduced some issues into the OAuth2 security filter logic, mainly
due to the anonymous session token, which is now correctly populated.

The filter assumes that an anonymous user is always associated with a null
security context authority, which is wrong. Now an anonymous user will be
associated with an AnonymousAuthorityToken, which will also be recognized by the
spring-oauth2 plugin in order to perform additional checks on the OAuth2
resources.

A simple change in the logic checks can allow us to easily fix this behavior
and benefit from the new spring-security-core improvement.


_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
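As an added illustration (not GeoServer's or Spring Security's own code), the predicate below contrasts the null-only assumption the report describes with a check that also recognizes Spring Security's AnonymousAuthenticationToken, which is what the anonymous filter stores in the security context. The class and method names are hypothetical and the two Authentication objects are constructed samples.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;

/** Hypothetical helper: "does this request still need the OAuth2/OIDC login flow?" */
public final class AnonymousCheckExample {

    private static final AuthenticationTrustResolver TRUST_RESOLVER =
            new AuthenticationTrustResolverImpl();

    /** Pre-upgrade assumption: anonymous means "no Authentication in the context at all". */
    static boolean needsLoginLegacy(Authentication current) {
        return current == null;
    }

    /**
     * Anonymous-aware check. Since the anonymous filter now populates the context with an
     * AnonymousAuthenticationToken, null is no longer the only anonymous state.
     * isAnonymous(null) returns false, hence the explicit null guard.
     */
    static boolean needsLogin(Authentication current) {
        return current == null
                || TRUST_RESOLVER.isAnonymous(current)
                || !current.isAuthenticated();
    }

    public static void main(String[] args) {
        // Constructed sample: what the anonymous filter places in the security context.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "example-key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
        // Constructed sample: a fully authenticated user.
        Authentication user = UsernamePasswordAuthenticationToken.authenticated(
                "alice", null, AuthorityUtils.createAuthorityList("ROLE_USER"));

        // The legacy check treats the anonymous token like an authenticated session,
        // so a filter built on it would skip its OAuth2 checks for anonymous requests.
        System.out.println("legacy, anonymous token -> " + needsLoginLegacy(anonymous));
        System.out.println("fixed,  anonymous token -> " + needsLogin(anonymous));
        System.out.println("fixed,  real user       -> " + needsLogin(user));
        System.out.println("fixed,  null context    -> " + needsLogin(null));
    }
}
```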
