Re: [Geoserver-users] Fwd: Geoserver encryption problem setting up user services on postgresql

[Christian Mueller]

Hi Oliver

try

cryptor = StandardPBEStringEncryptor()

instead of

cryptor = StandardPBEStringEncryptor('PBEWITHSHA256AND256BITAES-CBC')

On Sun, Jan 21, 2018 at 10:07 PM, Olivier Dalang <olivier.dal...@gmail.com>
wrote:

> Dear List,
>
> (I hope this won't be posted twice, as I sent it a few days ago but it
> seems the mail didn't get through)
>
> I'm trying to setup Geoserver to use a postgres user table from Django
> (the people_profile table from Geonode). I was able to make everything work
> except password encryption.
>
>
> To give a bit of context, this is what I did so far) :
>
> 1/ Added a new JDBC "User Group Services" with database details in Geoserver
> and added it to the authentication provider chain
>
> 2/ Created a view in postgres like this (to replace the "users" table that
> Geoserver is expecting) :
> CREATE VIEW public.users AS
> SELECT "username" as "name",
> 'crypt2:' || split_part("password",'$',4) as "password", -- this extracts
> the hash from the django passwords
> CASE WHEN "is_active" THEN 'Y' ELSE 'N' END as enabled
> FROM public.people_profile;
>
> 3/ Created a custom password hasher for Django that using the jasypt4py
> python library (that supports "PBEWITHSHA256AND256BITAES-CBC")
> from jasypt4py import StandardPBEStringEncryptor
> class GeoserverLikePasswordHasher(BasePasswordHasher):
> algorithm = "geoserver-strong-pbe"
> iterations = 100000
>
> def encode(self, password, salt, iterations=None):
> cryptor = StandardPBEStringEncryptor('PBEWITHSHA256AND256BITAES-CBC')
> from_keystore = "4F24227A565B3C743F7D4A69504E2
> 7432C292D6E632C4A6B40384A4A60395F364743657969717076".decode("hex")
> hash = cryptor.encrypt( from_keystore, password, iterations)
> return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
>
> Problem is, when I try to connect with these logins, I get an exception
> (see below[1]). The exception is not easy to debug as it's opaque on
> prupose (to avoid revealing sensitive details).
>
> When I fake the encryption (by hardcoding a hash that was generated by
> Geoserver in the postgres view, or by using plain: and creating a
> PlainPasswordHasher), I can log in, which means that the problem really is
> at the encryption level.
>
> I'm new to Java and Geoserver, so I'm not really sure what's going on.
>
> I have two hypotheses :
>
> 1/ I'm using the wrong "password_key" (I'm using ug:django_key in my
> geoserver.jceks that was created when I configured the user group service.
> I also tried with config:password:key I could find there, but no more
> luck). Am I correct trying to use that one ?
> 2/ There's a problem with the jasypt4py library. In the readme, they say
> they only support "PBEWITHSHA256AND256BITAES-CBC" from
> Jasypt/Bouncycastle. Is this what Geoserver uses ? Or are there several
> incompatible implementations of Jasypt ? (again, I'm new to Java...)
>
> Any idea of what to try next ? Has anyone been able to make such a setup
> work ?
>
> Thank you in advance for your help !!
>
> Olivier
>
>
>
>
> [1] This is the exception :
>
> org.jasypt.exceptions.EncryptionOperationNotPossibleException
>       at 
> org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:981)
>       at 
> org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:717)
>       at 
> org.jasypt.spring.security3.PBEPasswordEncoder.isPasswordValid(PBEPasswordEncoder.java:218)
>       at 
> org.geoserver.security.password.AbstractGeoserverPasswordEncoder.isPasswordValid(AbstractGeoserverPasswordEncoder.java:142)
>       at 
> org.geoserver.security.password.GeoServerMultiplexingPasswordEncoder.isPasswordValid(GeoServerMultiplexingPasswordEncoder.java:91)
>       at 
> org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:94)
>       at 
> org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:165)
>       at 
> org.geoserver.security.auth.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:82)
>       at 
> org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:58)
>       at 
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
>       at 
> org.geoserver.security.GeoServerSecurityManager$1.authenticate(GeoServerSecurityManager.java:323)
>       at 
> org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:93)
>       at 
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
>       at 
> org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
>       at 
> org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
>       at 
> org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter.doFilter(GeoServerUserNamePasswordAuthenticationFilter.java:116)
>       at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>       at 
> org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:69)
>       at 
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
>       at 
> org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:53)
>       at 
> org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
>       at 
> org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
>       at 
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>       at 
> org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
>       at 
> org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
>       at 
> org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:152)
>       at 
> org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>       at 
> org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>       at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>       at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:88)
>       at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>       at 
> org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:89)
>       at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>       at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)
>       at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>       at 
> org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:48)
>       at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>       at 
> org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:44)
>       at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>       at 
> org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>       at 
> org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>       at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
>       at 
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
>       at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>       at 
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
>       at 
> org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
>       at 
> org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
>       at 
> org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
>       at 
> org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
>       at 
> org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
>       at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>       at 
> org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
>       at 
> org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
>       at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
>       at org.eclipse.jetty.server.Server.handle(Server.java:499)
>       at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
>       at 
> org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
>       at 
> org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
>       at 
> org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
>       at 
> org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
>       at java.lang.Thread.run(Thread.java:745)
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, but Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines: http://geoserver.org/comm/
> userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-
> requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
>


-- 
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this 
list:
- Earning your support instead of buying it, but Ian Turton: 
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: 
http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: 
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users