Hi Michele, all, yes and no:

Yes, thanks a lot, the suggested workaround works, switching the catalogue mode to "challenge" helps.

No, this workaround is unfortunately not suitable. We use the "hide" mode. We need to hide the layers that the user does not have access to from the capabilities document, it would create a mess in our map client.

Should I lodge a bug?

To briefly repeat the story:

The layer1 is secured:

  ws.layer1.r=ROLE_READ_L1

but cannot be seen by a user who DOES HAVE the ROLE_READ_L1 if

  ws.*.r=OTHER_ROLE

or

  *.*.r=OTHER_ROLE

is set.

It does appear in the LayerPreview list, but requesting the map results in 404.

GeoServer 2.3.2 and 2.3.3. Log attached.

Kind Regards,

Michal



On 2013-07-09 11:55, Michele Beneventi wrote:
Hi Michal,

I don't know the answer to your question, but I tried the following:
  
  -----
  ws.*.r=ROLE_1
  ws.*.w=ROLE_1
  ws.*.a=ROLE_1

  ws.layer1.r=ROLE_2
  
  with catalogue mode turned to "challenge"
  -----
  
As a result I got that ROLE_2 can see all the catalogue's layers, but it can access (read) only layer1.

Could it be a workaround?

Regards
Michele

On Tue, Jul 9, 2013 at 11:12 AM, <sr...@ccss.cz> wrote:

Hi all,

the following configuration does not allow a user with ROLE_2 only to read the layer1 from workspace ws:

  ws.*.r=ROLE_1
  ws.*.w=ROLE_1
  ws.*.a=ROLE_1

  ws.layer1.r=ROLE_1,ROLE_2

Is it a bug or is it an expected behaviour?

Kind regards,

Michal

On 04.07.2013 17:56, sr...@ccss.cz wrote:

Hi all,

the only way I see that works is to unsecure the whole workspace and secure every layer instead:

#hasici.*.r=ROLE_HASICI
#hasici.*.w=ROLE_HASICI
hasici.*.a=ROLE_HASICI

hasici.pest.r=ROLE_HASICI, ROLE_PEST
hasici.pest.w=ROLE_HASICI
hasici.chemicals.r=ROLE_HASICI
hasici.chemicals.w=ROLE_HASICI
...

This way I can secure all the layers of the workspace and meanwhile give the access rights to one layer to more people. I don't like it very much though, as it adds a lot of config lines and also, if accidentally one layer of the workspace is forgotten, it is left unsecured.

Is this the only solution that should work? If I uncomment the first two lines and secure the workspace, then a user with the ROLE_PEST and without the ROLE_HASICI gets 404 when requesting the layer...

Using GeoServer 2.3.2.

Kind regards,

Michal


On 04.07.2013 10:03, sr...@ccss.cz wrote:
Hi Michele,

thank you for your answer. No, I am not using service security at all. Of course I do ask for the layer through OWS (and that is what I want to do in the map application as well), but I don't use the service security to configure it. The file service.properties is present, but contains comments only.

The thing is, when I try to restrict the access to one particular layer more (only to people who have the access to the whole ws and have some additional rights), it works, but when I try to give the access to one particular layer to more people, who don't have rights to the whole ws, it fails. The layer is shown in the available preview list, but 404 is returned.

Kind regards,

Michal


On 04.07.2013 09:12, Michele Beneventi wrote:
Hi Michal,
I'm not really involved in the geoserver security module, but I think the problem could be in some conflict between "layer security" and "service security": if I'm not wrong, "layer preview" uses the WMS service.

http://docs.geoserver.org/2.3.2/user/security/layer.html

ciao
Michele

On Wed, Jul 3, 2013 at 7:03 PM, <sr...@ccss.cz> wrote:

Hi all,

I have a workspace with restricted access:

hasici.*.r=ROLE_HASICI
hasici.*.w=ROLE_HASICI
hasici.*.a=ROLE_HASICI

And I have one layer in the workspace that should be accessible to more people than the others:

hasici.pest.r=ROLE_HASICI,ROLE_PEST

Then I have a user who does have ROLE_PEST assigned and does not have the ROLE_HASICI assigned. I assume he should be able to see the layer pest. He logs into geoserver web, and he can see the layer 'hasici:pest' in the 'Layer Preview' list as expected. But when he clicks the 'OpenLayers' link, 404 is shown. The layer can be seen by the users who have the ROLE_HASICI assigned.

Am I missing something? How should this be configured?

Thank you very much for your advice,

Michal




_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users



05 Nov 16:41:01 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/hasici/wms]
05 Nov 16:41:01 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/hasici/wms]
05 Nov 16:41:01 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/hasici/wms]
05 Nov 16:41:01 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/hasici/wms]
05 Nov 16:41:01 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/hasici/wms]
05 Nov 16:41:01 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/hasici/wms]
05 Nov 16:41:01 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/hasici/wms]
05 Nov 16:41:01 WARN [servlet.PageNotFound] - No mapping found for HTTP request with URI [/geoserver/hasici/wms] in DispatcherServlet with name 'dispatcher'
05 Nov 16:41:01 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed
05 Nov 16:41:04 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
05 Nov 16:41:04 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
05 Nov 16:41:04 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
05 Nov 16:41:04 DEBUG [org.geoserver] - Thread 64 locking in mode WRITE
05 Nov 16:41:04 DEBUG [org.geoserver] - Thread 64 got the lock in mode WRITE
05 Nov 16:41:04 DEBUG [org.geoserver] - Thread 64 releasing the lock in mode WRITE
05 Nov 16:41:04 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed
05 Nov 16:41:04 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
05 Nov 16:41:04 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
05 Nov 16:41:04 TRACE [ows.OWSHandlerMapping] - No handler mapping found for [/web/]
05 Nov 16:41:04 DEBUG [org.geoserver] - Thread 64 locking in mode WRITE
05 Nov 16:41:04 DEBUG [org.geoserver] - Thread 64 got the lock in mode WRITE
05 Nov 16:41:04 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/screen.css to file (URI is not hierarchical), falling back to the inputstream for polling
05 Nov 16:41:04 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/print.css to file (URI is not hierarchical), falling back to the inputstream for polling
05 Nov 16:41:04 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/geoserver.css to file (URI is not hierarchical), falling back to the inputstream for polling
05 Nov 16:41:04 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/css/blueprint/ie.css to file (URI is not hierarchical), falling back to the inputstream for polling
05 Nov 16:41:04 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/js/jquery-1.2.6.min.js to file (URI is not hierarchical), falling back to the inputstream for polling
05 Nov 16:41:04 DEBUG [geoserver.web] - cannot convert url: jar:file:/var/lib/tomcat6/webapps/geoserver/WEB-INF/lib/web-core-2.3.2.jar!/org/geoserver/web/js/jquery.inline-info.js to file (URI is not hierarchical), falling back to the inputstream for polling
05 Nov 16:41:04 DEBUG [org.geoserver] - Thread 64 releasing the lock in mode WRITE
05 Nov 16:41:04 DEBUG [geoserver.filters] - Compressing output for mimetype: text/html;charset=UTF-8
05 Nov 16:41:04 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed
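
Added example (not part of the thread and not GeoServer code): a small audit for the per-layer workaround described in the 04.07.2013 message, flagging layers that have neither their own rule nor a workspace wildcard rule, which is the "forgotten layer" case mentioned there. The layer inventory and the `hydrants` layer are constructed, and rule lines are assumed to follow the `workspace.layer.mode=ROLES` shape quoted in the thread.

```python
# Added example: audit for the per-layer workaround discussed in the thread.
# Rule text is copied from the 04.07.2013 message (without the "..." line).
SAMPLE_RULES = """\
#hasici.*.r=ROLE_HASICI
#hasici.*.w=ROLE_HASICI
hasici.*.a=ROLE_HASICI

hasici.pest.r=ROLE_HASICI, ROLE_PEST
hasici.pest.w=ROLE_HASICI
hasici.chemicals.r=ROLE_HASICI
hasici.chemicals.w=ROLE_HASICI
"""

# Constructed layer inventory; "hydrants" is a hypothetical forgotten layer.
SAMPLE_LAYERS = [("hasici", "pest"), ("hasici", "chemicals"), ("hasici", "hydrants")]


def parse_rules(text):
    """Return {(workspace, layer, mode): {roles}} for active (uncommented) lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) != 3:
            continue  # not a workspace.layer.mode rule
        rules[tuple(parts)] = {r.strip() for r in value.split(",") if r.strip()}
    return rules


def uncovered_layers(rules, layers, modes=("r", "w")):
    """List (workspace, layer, mode) with neither a layer rule nor a workspace rule."""
    gaps = []
    for ws, layer in layers:
        for mode in modes:
            if (ws, layer, mode) not in rules and (ws, "*", mode) not in rules:
                gaps.append((ws, layer, mode))
    return gaps


if __name__ == "__main__":
    for ws, layer, mode in uncovered_layers(parse_rules(SAMPLE_RULES), SAMPLE_LAYERS):
        print(f"{ws}.{layer}.{mode}: no layer or workspace rule")
```

Run against the real rule file and the real layer list after every catalogue change; an empty result means every layer is covered by an explicit or workspace-level rule.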
