On 11/07/12 16:18, christian.muel...@nvoe.at wrote:
> Hi Landry
>
> I wrote a tutorial about HTTP proxy auth but I am still waiting for the
> OK of a reviewer (native English speaker).

Fabrice (in CC) already wrote a nice one in the georchestra context:
http://applis-bretagne.fr/redmine/projects/georchestra/wiki/GS22

> You have a relationship of trust between the proxy and GeoServer. If the
> proxy sends the header sec-uname, the principal is considered
> authenticated and the role ROLE_AUTHENTICATED is assigned. If you send
> sec-uname:anonymous, the anonymous user is handled as any other user.

That's what I understood from the code; I'll see what I can do on the 
proxy side to avoid sending headers in the anonymous case. I think it 
was something inherited from the GeoServer 1.7 days...

For reference, here's a (gross) hack that works around it (i.e. considers 
anonymousUser as a not-logged-in user):

index d06db0d..5dbc646 100644
--- 
a/src/main/src/main/java/org/geoserver/security/filter/GeoServerRequestHeaderAuthenticationFilter.java
+++ 
b/src/main/src/main/java/org/geoserver/security/filter/GeoServerRequestHeaderAuthenticationFilter.java
@@ -43,6 +43,8 @@ public class 
GeoServerRequestHeaderAuthenticationFilter extends GeoServerPreAuth

      @Override
      protected String 
getPreAuthenticatedPrincipalName(HttpServletRequest request) {
+        if 
(request.getHeader(getPrincipalHeaderAttribute()).equals("anonymousUser")) 
{return null;}
          return request.getHeader(getPrincipalHeaderAttribute());
      }
  }
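Review bot: the added check `request.getHeader(getPrincipalHeaderAttribute()).equals("anonymousUser")` dereferences the header value before testing it for null, so a request that carries no principal header at all (the bypass-the-proxy case mentioned later in the thread) now dies with a NullPointerException instead of returning null and falling through to the anonymous filter. Read the header once and put the literal on the left of the comparison, e.g. `String name = request.getHeader(getPrincipalHeaderAttribute());` followed by `return "anonymousUser".equals(name) ? null : name;`. The sentinel also deserves a named constant or a filter configuration attribute rather than an inline literal, since it must match exactly what the proxy sends and the thread itself mentions both "anonymous" and "anonymousUser".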

With that, I correctly get 401 codes when unauthenticated and trying to 
access a protected layer behind my proxy.

Landry

> Zitat von Landry Breuil <bre...@craig.fr>:
>
>> Hi,
>>
>> Still doing some experiments with GeoServer 2.2.1, and I've found a
>> strange behaviour with:
>> - a workspace (nurc) being configured as accessible only to
>> ROLE_AUTHENTICATED (nurc.*.r = ROLE_AUTHENTICATED in security/data)
>> - a default filter using HTTP headers first, sec-username & sec-roles
>> for the list of roles, and then anonymous as a fallback filter.
>>
>> GeoServer is behind a proxy (from georchestra), and that proxy sends
>> sec-username:anonymousUser + sec-roles:ROLE_ANONYMOUS when the client is
>> not authenticated to georchestra.
>> I'd expect GeoServer to fail the access to getMap requests on that
>> workspace with a 401 code, but the access is granted anyway, i.e.:
>>
>> http://localhost:8080/geoserver-private/nurc/wms?getMap -> 401: normal,
>> this is when bypassing the proxy.
>> http://localhost:8080/geoserver/nurc/wms?getMap -> 200: anonymousUser
>> is authenticated by the headers sent by the proxy, while I'd expect it
>> to have no access.
>>
>> I've noticed that the new security framework uses 'anonymous' for the
>> anon user in security/impl/GeoServerUser.java, so I've tried using
>> 'anonymousUser' there instead, but that didn't change the behaviour.
>>
>> From that point, two hypotheses:
>> - the proxy shouldn't send headers when unauthenticated?
>> - anonymous(User) doesn't seem to be a special user anymore, at least the
>> HTTP header filter doesn't specifically check for it. Apparently, the
>> ROLE_ANONYMOUS sent by the proxy isn't taken into account, and is
>> upgraded to ROLE_AUTHENTICATED since the HTTP header filter finds the
>> header it looks for?
>>
>> So, on which side is the problem ? GeoServer or the proxy ?
>>
>> --
>> Landry Breuil
>> Mouton a 5 pattes du CRAIG
>>
>> ------------------------------------------------------------------------------
>>
>> LogMeIn Central: Instant, anywhere, Remote PC access and management.
>> Stay in control, update software, and manage PCs from one command center
>> Diagnose problems and improve visibility into emerging IT issues
>> Automate, monitor and manage. Do more in less time with Central
>> http://p.sf.net/sfu/logmein12331_d2d
>> _______________________________________________
>> Geoserver-users mailing list
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
>


-- 
Landry Breuil
Mouton a 5 pattes du CRAIG
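To make the role upgrade discussed in this thread visible without a GeoServer install, here is an added Python model of the decision path (my own illustration, not GeoServer or georchestra code): a header-based principal extractor, the anonymous fallback, the pre-auth filter's addition of ROLE_AUTHENTICATED, and the `nurc.*.r = ROLE_AUTHENTICATED` rule, run over constructed requests. The header names and the `anonymousUser` sentinel come from the thread; the `;`/`,` separator for sec-roles, the 401/403 split, the user name `landry` and the fact that the filter always adds ROLE_AUTHENTICATED are modelling assumptions, not traced GeoServer behaviour.

```python
import re
from typing import Callable, Dict, Optional, Set, Tuple

# Header names and sentinel value as described in the thread.
PRINCIPAL_HEADER = "sec-username"
ROLES_HEADER = "sec-roles"
ANONYMOUS_SENTINEL = "anonymousUser"   # what the proxy sends for a client with no session
AUTHENTICATED_ROLE = "ROLE_AUTHENTICATED"
ANONYMOUS_ROLE = "ROLE_ANONYMOUS"

# Model of "nurc.*.r = ROLE_AUTHENTICATED" in security/data: reading any layer in
# workspace nurc requires one of the listed roles; other workspaces are open.
LAYER_READ_RULES: Dict[str, Set[str]] = {"nurc": {AUTHENTICATED_ROLE}}

Headers = Dict[str, str]
PrincipalExtractor = Callable[[Headers], Optional[str]]


def principal_header_only(headers: Headers) -> Optional[str]:
    """Filter as the thread describes it: any value in the header is a logged-in user."""
    return headers.get(PRINCIPAL_HEADER)


def principal_sentinel_aware(headers: Headers) -> Optional[str]:
    """Null-safe variant: a missing header and the anonymous sentinel both mean
    'no pre-authenticated principal', so the anonymous fallback filter takes over."""
    name = headers.get(PRINCIPAL_HEADER)
    if name is None or name == ANONYMOUS_SENTINEL:
        return None
    return name


def authenticate(headers: Headers, extract: PrincipalExtractor) -> Tuple[str, Set[str]]:
    """Return (principal, roles) after the header filter and the anonymous fallback.

    Assumption modelled here: a pre-authentication filter adds ROLE_AUTHENTICATED
    to whatever roles the sec-roles header lists, which is why ROLE_ANONYMOUS sent
    by the proxy ends up 'upgraded'.
    """
    name = extract(headers)
    if name is None:
        return "anonymous", {ANONYMOUS_ROLE}
    raw = headers.get(ROLES_HEADER, "")
    roles = {r.strip() for r in re.split(r"[;,]", raw) if r.strip()}  # ';' or ',' separated (assumption)
    roles.add(AUTHENTICATED_ROLE)
    return name, roles


def getmap_status(workspace: str, headers: Headers, extract: PrincipalExtractor) -> int:
    """Status a GetMap on `workspace` gets: 200 if a required role matches, 401 for
    an anonymous caller that is denied, 403 for a named caller lacking the role
    (the 401/403 split is a modelling choice, not an exact GeoServer trace)."""
    principal, roles = authenticate(headers, extract)
    required = LAYER_READ_RULES.get(workspace)
    if required is None or required & roles:
        return 200
    return 401 if principal == "anonymous" else 403


def proxy_headers(session_user: Optional[str], session_roles: Set[str], strip_anonymous: bool) -> Headers:
    """Headers the proxy forwards. With strip_anonymous=True it forwards no sec-*
    headers at all for a client without a session: the proxy-side fix from the thread."""
    if session_user is None:
        if strip_anonymous:
            return {}
        return {PRINCIPAL_HEADER: ANONYMOUS_SENTINEL, ROLES_HEADER: ANONYMOUS_ROLE}
    return {PRINCIPAL_HEADER: session_user, ROLES_HEADER: ";".join(sorted(session_roles))}


def run_scenarios() -> Dict[str, int]:
    """Constructed requests against the nurc workspace, keyed by scenario."""
    anon_via_proxy = proxy_headers(None, set(), strip_anonymous=False)
    anon_via_fixed_proxy = proxy_headers(None, set(), strip_anonymous=True)
    user_via_proxy = proxy_headers("landry", {"ROLE_USER"}, strip_anonymous=False)  # hypothetical user
    direct_no_proxy: Headers = {}   # client bypassing the proxy sends no sec-* headers
    return {
        "anon/proxy/header-only filter": getmap_status("nurc", anon_via_proxy, principal_header_only),
        "anon/proxy/sentinel-aware filter": getmap_status("nurc", anon_via_proxy, principal_sentinel_aware),
        "anon/fixed proxy/header-only filter": getmap_status("nurc", anon_via_fixed_proxy, principal_header_only),
        "direct/header-only filter": getmap_status("nurc", direct_no_proxy, principal_header_only),
        "user/proxy/sentinel-aware filter": getmap_status("nurc", user_via_proxy, principal_sentinel_aware),
    }


if __name__ == "__main__":
    for scenario, status in run_scenarios().items():
        print(f"{status}  {scenario}")
```

The first scenario reproduces the 200 from the thread: the sentinel name is accepted as a principal and ROLE_AUTHENTICATED is attached to it, so the ROLE_ANONYMOUS the proxy sent never matters. Either fix on its own (the filter ignoring the sentinel, or the proxy not forwarding sec-* headers for sessionless clients) turns that into a 401, and the sentinel check is written so that a request with no header at all falls through to anonymous rather than failing on a null value.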

