Hi,

Still doing some experiments with GeoServer 2.2.1, and I've found a strange behaviour with:

- a workspace (nurc) configured as accessible only to ROLE_AUTHENTICATED (nurc.*.r = ROLE_AUTHENTICATED in security/data)
- a default filter chain using HTTP headers first (sec-username, and sec-roles for the list of roles), and then anonymous as a fallback filter.

GeoServer is behind a proxy (from georchestra), and that proxy sends sec-username:anonymousUser + sec-roles:ROLE_ANONYMOUS when the client is not authenticated to georchestra. I'd expect GeoServer to refuse access to getMap requests on that workspace with a 401 code, but the access is granted anyway, i.e.:

http://localhost:8080/geoserver-private/nurc/wms?getMap -> 401: normal, this is when bypassing the proxy.
http://localhost:8080/geoserver/nurc/wms?getMap -> 200: anonymousUser is authenticated by the headers sent by the proxy, while I'd expect it to have no access.

I've noticed that the new security framework uses 'anonymous' for the anon user in security/impl/GeoServerUser.java, so I've tried using 'anonymousUser' there instead, but that didn't change the behaviour.

From that point, two hypotheses:

- the proxy shouldn't send headers when unauthenticated?
- anonymous(User) doesn't seem to be a special user anymore; at least the HTTP header filter doesn't specifically check for it. Apparently, the ROLE_ANONYMOUS sent by the proxy isn't taken into account, and is upgraded to ROLE_AUTHENTICATED since the HTTP header filter finds the header it looks for?

So, on which side is the problem? GeoServer or the proxy?

-- 
Landry Breuil
Mouton a 5 pattes du CRAIG
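The filter chain and data rule described in this post, modelled as an added Python example (not GeoServer's or georchestra's code): header_filter(), the implicit ROLE_AUTHENTICATED grant and the rule lookup are assumptions made to reproduce the reported 401/200 outcomes, and the reject_anonymous_user switch shows what changes when the header filter ignores the proxy's anonymousUser identity.

```python
# Added model of the filter chain and security/data rule from the post.
# Not GeoServer code: header_filter(), the implicit ROLE_AUTHENTICATED grant
# and the rule matching are assumptions that reproduce the reported behaviour.
from dataclasses import dataclass

ANON_USER = "anonymousUser"          # username the georchestra proxy sends
ANON_ROLE = "ROLE_ANONYMOUS"
AUTH_ROLE = "ROLE_AUTHENTICATED"
# security/data rule from the post: nurc.*.r = ROLE_AUTHENTICATED
DATA_RULES = {("nurc", "*", "r"): {AUTH_ROLE}}


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset
    authenticated: bool


def header_filter(headers, reject_anonymous_user=False):
    """Pre-auth filter: trusts sec-username / sec-roles whenever present."""
    user = headers.get("sec-username")
    if user is None or (reject_anonymous_user and user == ANON_USER):
        return None                      # not applicable, fall through
    roles = {r.strip() for r in headers.get("sec-roles", "").split(",") if r.strip()}
    roles.add(AUTH_ROLE)                 # assumption: header login implies authenticated
    return Principal(user, frozenset(roles), True)


def anonymous_filter(headers):
    """Fallback filter: every remaining request becomes the anonymous user."""
    return Principal("anonymous", frozenset({ANON_ROLE}), False)


def authenticate(headers, reject_anonymous_user=False):
    return header_filter(headers, reject_anonymous_user) or anonymous_filter(headers)


def authorize(principal, workspace, layer, mode):
    """HTTP status the data rules would produce: 200, 401 (anon) or 403 (denied)."""
    for (ws, ly, m), allowed in DATA_RULES.items():
        if ws == workspace and ly in ("*", layer) and m == mode:
            if principal.roles & allowed:
                return 200
            return 401 if not principal.authenticated else 403
    return 200                           # no rule for this resource


def get_map(headers, reject_anonymous_user=False):
    """Outcome of a getMap request on the nurc workspace (constructed layer name)."""
    return authorize(authenticate(headers, reject_anonymous_user), "nurc", "states", "r")


# Constructed requests matching the two URLs in the post
DIRECT = {}                                                      # bypasses the proxy
VIA_PROXY = {"sec-username": ANON_USER, "sec-roles": ANON_ROLE}  # unauthenticated client

if __name__ == "__main__":
    print(get_map(DIRECT), get_map(VIA_PROXY), get_map(VIA_PROXY, reject_anonymous_user=True))
```

The middle value reproduces the reported 200: the presence of sec-username alone makes the request "authenticated", so ROLE_ANONYMOUS never matters; either dropping the headers at the proxy or making the filter skip anonymousUser restores the 401.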
