Hi Justin

Yep, we talked about a constant system filter chain, but it is not
implemented yet. At the moment, each authentication filter has the burden
of handling the login for the root user.

Your understanding of the issue is correct.

I would be happy to have a constant URI for the root login and kick out all
the root login code and tests scattered over the security code.

Christian





On Wed, Aug 14, 2013 at 1:27 PM, Justin Deoliveira <jdeol...@opengeo.org> wrote:

> Hi Christian,
>
> I thought this issue was addressed previously with the idea of a constant
> filter chain, one that the user could not take away through
> misconfiguration. Is that not the case?
>
> The idea sounds reasonable but I want to make sure I understand the issue.
>
> -Justin
>
>
>
>
> On Thu, Aug 8, 2013 at 9:43 AM, Christian Mueller <
> christian.muel...@os-solutions.at> wrote:
>
>>
>> The issue is about disabling the login page if no form based login is
>> possible.
>>
>> https://jira.codehaus.org/browse/GEOS-5958
>>
>> All these security configuration issues may be dangerous if a
>> configuration error happens. At the end of the day, the admin can lock
>> themselves out.
>>
>> IMHO, a dedicated login for the root user with the master password should
>> always be possible. (The "root" user has administrative privileges).
>>
>> My idea:
>>
>> - Add a special filter chain /web/rootlogin (checked before /web/**)
>> - Force digest authentication, no GUI needed, the browser pops up a login
>> box
>> - Upon success, redirect the request to /web/
>>
>> This is quite a simple solution and helps fix GEOS-5958.
>> Additionally, I can remove a lot of code concerning the root login in the
>> individual authentication filters and test cases.
>>
>> Opinions?
>>
>>
>>
>> --
>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>> OSS Open Source Solutions GmbH
>>
>>
>>
>> _______________________________________________
>> GeoTools-Devel mailing list
>> GeoTools-Devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geotools-devel
>>
>>
>
>
> --
> Justin Deoliveira
> OpenGeo - http://opengeo.org
> Enterprise support for open source geospatial.
>



-- 
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
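The following sketch is an added illustration of the proposal in this thread (a constant /web/rootlogin chain checked before /web/**, HTTP Digest instead of a form, redirect to /web/ on success); it is not GeoServer code and does not use its security API. The realm, nonce, master password, the Ant-style matcher and the request/response model are constructed for the demo, and the Authorization value is simplified to the bare digest response hash rather than a full Digest header. It needs Java 17 or later (records, HexFormat).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;
import java.util.Optional;

/** Illustrative sketch only, not GeoServer code: a constant root-login chain ahead of configured chains. */
public class RootLoginChainDemo {

    /** One filter chain: an Ant-style path pattern plus the authentication it enforces. */
    record FilterChain(String pattern, String authMode) {
        boolean matches(String path) {
            if (pattern.endsWith("/**")) {
                // "/web/**" matches "/web/" and everything below it
                return path.startsWith(pattern.substring(0, pattern.length() - 2));
            }
            return path.equals(pattern);
        }
    }

    /** Minimal request/response model; authorization carries only the digest response hash. */
    record Request(String method, String path, String authorization) {}
    record Response(int status, String header, String value) {}

    // Constructed demo values; the real realm, nonce and master password are not taken from the thread.
    static final String REALM = "demo-realm";
    static final String NONCE = "constructed-nonce-0001";
    static final String ROOT_USER = "root";
    static final String MASTER_PASSWORD = "demo-master-password";

    /** Lives in code, not in configuration, so no misconfiguration can drop or reorder it. */
    static final FilterChain ROOT_LOGIN = new FilterChain("/web/rootlogin", "digest");

    static class ChainRegistry {
        private final List<FilterChain> configured = new ArrayList<>();

        /** Accepts whatever the admin configured, including a list that lost its form login. */
        void configure(List<FilterChain> fromConfig) {
            configured.clear();
            configured.addAll(fromConfig);
        }

        /** Effective order: the constant chain first, then the configured ones. */
        List<FilterChain> effectiveChains() {
            List<FilterChain> all = new ArrayList<>();
            all.add(ROOT_LOGIN);
            all.addAll(configured);
            return all;
        }

        /** First match wins, which is why /web/rootlogin has to be checked before /web/**. */
        Optional<FilterChain> select(String path) {
            return effectiveChains().stream().filter(c -> c.matches(path)).findFirst();
        }

        /** Root-login chain: challenge when credentials are missing or wrong, redirect to /web/ on success. */
        Response handleRootLogin(Request req) {
            if (req.authorization() != null) {
                String expected = digestResponse(ROOT_USER, REALM, MASTER_PASSWORD,
                                                 NONCE, req.method(), req.path());
                if (MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                          req.authorization().getBytes(StandardCharsets.UTF_8))) {
                    return new Response(302, "Location", "/web/");
                }
            }
            // The browser renders its own login box for this challenge; no GUI page is involved
            return new Response(401, "WWW-Authenticate",
                                "Digest realm=\"" + REALM + "\", nonce=\"" + NONCE + "\"");
        }
    }

    /** RFC 2617 digest response without qop: MD5(HA1 ":" nonce ":" HA2). */
    static String digestResponse(String user, String realm, String password,
                                 String nonce, String method, String uri) {
        String ha1 = md5(user + ":" + realm + ":" + password); // server must know the password or HA1
        String ha2 = md5(method + ":" + uri);
        return md5(ha1 + ":" + nonce + ":" + ha2);
    }

    static String md5(String s) {
        try {
            return HexFormat.of().formatHex(
                MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        ChainRegistry registry = new ChainRegistry();
        // GEOS-5958 style misconfiguration: /web/** no longer offers form login, only anonymous access
        registry.configure(List.of(new FilterChain("/web/**", "anonymous")));
        System.out.println("/web/          -> " + registry.select("/web/").map(FilterChain::authMode).orElse("none"));
        System.out.println("/web/rootlogin -> " + registry.select("/web/rootlogin").map(FilterChain::authMode).orElse("none"));

        Response challenge = registry.handleRootLogin(new Request("GET", "/web/rootlogin", null));
        System.out.println(challenge.status() + " " + challenge.header() + ": " + challenge.value());
        String proof = digestResponse(ROOT_USER, REALM, MASTER_PASSWORD, NONCE, "GET", "/web/rootlogin");
        Response done = registry.handleRootLogin(new Request("GET", "/web/rootlogin", proof));
        System.out.println(done.status() + " " + done.header() + ": " + done.value());
    }
}
```

Two points the sketch makes concrete: the constant chain is never read from configuration, so the admin cannot remove it, and its pattern must be placed ahead of /web/** because the first matching chain wins. A caveat for the real implementation: digest authentication requires the server to hold either the cleartext master password or its H(A1), so the way the master password is stored decides whether a digest-based root login is possible at all.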
