Re: [Geoserver-devel] Keycloak-plugin: wrong role mapping

2020-11-06 Thread Alessio Fabiani 
Dear Paul,
many thanks for your investigation. That actually makes sense to me.

Can I ask to prepare a JIRA ticket and possibly a Pull Request to GeoServer
for that? We should include some tests also on the Pull Request.

If you don't have time or resources to do that, I can try to find some (not
sure when though).

Thanks,
Alessio.



Il giorno mer 4 nov 2020 alle ore 14:40 Biskup, Paul <
paul.bis...@fit.fichtner.de> ha scritto:

> Hi all,
>
>
>
> I was trying to setup GeoServer using the Keycloak-authentication-plugin
> following this documentation:
> https://docs.geoserver.org/latest/en/user/community/keycloak/index.html
>
> I was able to connect to my Keycloak and to set it up for the
> ADMINISTRATOR- and AUTHENTICATED-role, as described in the example.
>
>
>
> But when I tried to use own Keycloak-roles it wasn’t working and I was
> facing the same problems as the user in this
> GeoServer-User-mailinglist-post:
> http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html
>
> Running the GeoServer in debug-mode I found the problem, which is caused
> by the used authority-mapper-class, that is trying to map the rolenames
> from Keycloak against the rolenames in GeoServer:
>
>
> org.springframework.security.core.authority.mapping.SimpleAuthorityMapper
>
>
>
> This SimpleAuthorityMapper-class is setting the default prefix „ROLE_“ in
> front of every rolename coming from Keycloak:
>
> *public* *final* *class* SimpleAuthorityMapper *implements*
> GrantedAuthoritiesMapper,
>
> InitializingBean {
>
>   *private* GrantedAuthority defaultAuthority;
>
>   *private* String prefix = "ROLE_";
>
>
>
> This is why it was working for the ADMINISTRATOR- and AUTHENTICATED-roles
> which which are system-roles in GeoServer (ROLE_ADMINISTRATOR and
> ROLE_AUTHENTICATED:
> https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html
> ).
>
>
>
> To get it working I had to add the prefix „ROLE_“ to the GeoServer-Roles.
>
> Example:
>
> Keycloak-role: „KC_GEOSERVER“
>
> the role in GeoServer had to be named like this:
> „ROLE_KC_GEOSERVER“
>
>
>
> In my opinion this is not the expected behaviour, at least for our
> use-case. We want to use exactly the same rolenames in GeoServer and
> Keycloak.
>
>
>
> I have found the place in the GeoServer-Keycloak-plugin-code to fix this:
>
>
> https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63
>
>
>
> old code:
>
> public GeoServerKeycloakFilter() {
>
> this.adapterTokenStoreFactory = new
> SpringSecurityAdapterTokenStoreFactory();
>
> this.authenticationMapper = new KeycloakAuthenticationProvider();
>
> authenticationMapper.setGrantedAuthoritiesMapper(new
> SimpleAuthorityMapper());
>
> }
>
>
>
> new code:
>
> public GeoServerKeycloakFilter() {
>
> this.adapterTokenStoreFactory = new
> SpringSecurityAdapterTokenStoreFactory();
>
> this.authenticationMapper = new KeycloakAuthenticationProvider();
>
> SimpleAuthorityMapper simpleAuthMapper = new
> SimpleAuthorityMapper();
>
> simpleAuthMapper.setPrefix("");
>
> authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper
> );
>
>}
>
>
>
> Maybe you can add this fix to the master-branch.
>
>
>
> Best regards,
>
> Paul
> ___
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>


-- 

==

GeoServer Professional Services from the experts! Visit http://goo.gl/it488V
for more information.
==
Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead


GeoSolutions S.A.S.
Via di Montramito 3/A - 55054  Massarosa (LU) - Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob:   +39 331 6233686


http://www.geo-solutions.it
http://twitter.com/geosolutions_it
---

Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE
2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si
precisa che ogni circostanza inerente alla presente email (il suo
contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è
riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il
messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra
operazione è illecita. Le sarei comunque grato se potesse darmene notizia.


This email is intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential or
otherwise protected from disclosure. We remind that - as provided by
European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
e-mail or the information herein by anyone other than the intended
recipient is prohibited. If you have received this email by mistake, please
notify us immediately by telepho

[Geoserver-devel] [JIRA] (GEOS-9788) Keycloak-plugin wrong role mapping

2020-11-06 Thread Paul Biskup (JIRA) 
Paul Biskup ( 
https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A9bf17e12-ea76-46f0-ac1e-5adcaf96292a
 ) *created* an issue

GeoServer ( 
https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiNmZjYzc1YzI5MDE3NGYwOWE3YmJkM2ExZDA1OTcyN2EiLCJwIjoiaiJ9
 ) / Bug ( 
https://osgeo-org.atlassian.net/browse/GEOS-9788?atlOrigin=eyJpIjoiNmZjYzc1YzI5MDE3NGYwOWE3YmJkM2ExZDA1OTcyN2EiLCJwIjoiaiJ9
 ) GEOS-9788 ( 
https://osgeo-org.atlassian.net/browse/GEOS-9788?atlOrigin=eyJpIjoiNmZjYzc1YzI5MDE3NGYwOWE3YmJkM2ExZDA1OTcyN2EiLCJwIjoiaiJ9
 ) Keycloak-plugin wrong role mapping ( 
https://osgeo-org.atlassian.net/browse/GEOS-9788?atlOrigin=eyJpIjoiNmZjYzc1YzI5MDE3NGYwOWE3YmJkM2ExZDA1OTcyN2EiLCJwIjoiaiJ9
 )

Issue Type: Bug Affects Versions: 2.17.2 Assignee: Unassigned Components: 
Community modules, Security Created: 06/Nov/20 1:11 PM Priority: Low Reporter: 
Paul Biskup ( 
https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A9bf17e12-ea76-46f0-ac1e-5adcaf96292a
 )

This issue is referencing to this GeoServer-dev-mailing-list-post: 
http://osgeo-org.1560.x6.nabble.com/Keycloak-plugin-wrong-role-mapping-td5449169.html

I was trying to setup GeoServer using the Keycloak-authentication-plugin 
following this documentation: 
https://docs.geoserver.org/latest/en/user/community/keycloak/index.html
I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR- 
and AUTHENTICATED-role, as described in the example.

But when I tried to use own Keycloak-roles it wasn’t working and I was facing 
the same problems as the user in this GeoServer-User-mailinglist-post: 
http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html
Running the GeoServer in debug-mode I found the problem, which is caused by the 
used authority-mapper-class, that is trying to map the rolenames from Keycloak 
against the rolenames in GeoServer:
*org.springframework.security.core.authority.mapping.SimpleAuthorityMapper*

This SimpleAuthorityMapper-class is setting the default prefix „ROLE_“ in front 
of every rolename coming from Keycloak:

_public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper,
InitializingBean {
private GrantedAuthority defaultAuthority;
private String prefix = "ROLE_";_

This is why it was working for the ADMINISTRATOR- and AUTHENTICATED-roles which 
which are system-roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: 
https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html ).

To get it working you had to add the prefix „ROLE_“ to the GeoServer-roles.
Example:
Keycloak-role: „KC_GEOSERVER“
the role in GeoServer had to be named like this: „ROLE_KC_GEOSERVER“

This is not the expected behaviour. Usually you want to use exactly the same 
rolenames in GeoServer and Keycloak.

I have found the place in the GeoServer-Keycloak-plugin-code to fix this:
https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63

old code:
public GeoServerKeycloakFilter()

{ this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory(); 
this.authenticationMapper = new KeycloakAuthenticationProvider(); 
authenticationMapper.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper()); }

new code:
public GeoServerKeycloakFilter()

{ this.adapterTokenStoreFactory = new SpringSecurityAdapterTokenStoreFactory(); 
this.authenticationMapper = new KeycloakAuthenticationProvider(); 
SimpleAuthorityMapper simpleAuthMapper = new SimpleAuthorityMapper(); 
simpleAuthMapper.setPrefix(""); 
authenticationMapper.setGrantedAuthoritiesMapper(simpleAuthMapper); }

Additionally also the Keycloak-documentation should be updated.

( 
https://osgeo-org.atlassian.net/browse/GEOS-9788#add-comment?atlOrigin=eyJpIjoiNmZjYzc1YzI5MDE3NGYwOWE3YmJkM2ExZDA1OTcyN2EiLCJwIjoiaiJ9
 ) Add Comment ( 
https://osgeo-org.atlassian.net/browse/GEOS-9788#add-comment?atlOrigin=eyJpIjoiNmZjYzc1YzI5MDE3NGYwOWE3YmJkM2ExZDA1OTcyN2EiLCJwIjoiaiJ9
 )

Get Jira notifications on your phone! Download the Jira Cloud app for Android ( 
https://play.google.com/store/apps/details?id=com.atlassian.android.jira.core&referrer=utm_source%3DNotificationLink%26utm_medium%3DEmail
 ) or iOS ( 
https://itunes.apple.com/app/apple-store/id1006972087?pt=696495&ct=EmailNotificationLink&mt=8
 ) This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100149- 
sha1:a9f85c2 )
___
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Re: [Geoserver-devel] Keycloak-plugin: wrong role mapping

2020-11-06 Thread Biskup, Paul 
Hi Alessio,

thank you for your answer!
I have create a JIRA ticket for this issue:
https://osgeo-org.atlassian.net/browse/GEOS-9788

But unfortunately I have currently no time to create the pull request including 
tests. So it would be great if you could take care of this part.
I think that additionally also the Keycloak-documentation should be updated:
https://docs.geoserver.org/latest/en/user/community/keycloak/index.html
Best regards,
Paul


Von: Alessio Fabiani 
Gesendet: Freitag, 6. November 2020 11:59
An: Biskup, Paul 
Cc: geoserver-devel@lists.sourceforge.net
Betreff: Re: [Geoserver-devel] Keycloak-plugin: wrong role mapping

Dear Paul,
many thanks for your investigation. That actually makes sense to me.

Can I ask to prepare a JIRA ticket and possibly a Pull Request to GeoServer for 
that? We should include some tests also on the Pull Request.

If you don't have time or resources to do that, I can try to find some (not 
sure when though).

Thanks,
Alessio.



Il giorno mer 4 nov 2020 alle ore 14:40 Biskup, Paul 
mailto:paul.bis...@fit.fichtner.de>> ha scritto:
Hi all,

I was trying to setup GeoServer using the Keycloak-authentication-plugin 
following this documentation: 
https://docs.geoserver.org/latest/en/user/community/keycloak/index.html
I was able to connect to my Keycloak and to set it up for the ADMINISTRATOR- 
and AUTHENTICATED-role, as described in the example.

But when I tried to use own Keycloak-roles it wasn’t working and I was facing 
the same problems as the user in this GeoServer-User-mailinglist-post: 
http://osgeo-org.1560.x6.nabble.com/Keycloak-Roles-td5427804.html
Running the GeoServer in debug-mode I found the problem, which is caused by the 
used authority-mapper-class, that is trying to map the rolenames from Keycloak 
against the rolenames in GeoServer:
 
org.springframework.security.core.authority.mapping.SimpleAuthorityMapper

This SimpleAuthorityMapper-class is setting the default prefix „ROLE_“ in front 
of every rolename coming from Keycloak:
public final class SimpleAuthorityMapper implements GrantedAuthoritiesMapper,
InitializingBean {
  private GrantedAuthority defaultAuthority;
  private String prefix = "ROLE_";

This is why it was working for the ADMINISTRATOR- and AUTHENTICATED-roles which 
which are system-roles in GeoServer (ROLE_ADMINISTRATOR and ROLE_AUTHENTICATED: 
https://docs.geoserver.org/stable/en/user/security/usergrouprole/roles.html).

To get it working I had to add the prefix „ROLE_“ to the GeoServer-Roles.
Example:
Keycloak-role: „KC_GEOSERVER“
the role in GeoServer had to be named like this:
„ROLE_KC_GEOSERVER“

In my opinion this is not the expected behaviour, at least for our use-case. We 
want to use exactly the same rolenames in GeoServer and Keycloak.

I have found the place in the GeoServer-Keycloak-plugin-code to fix this:
https://github.com/geoserver/geoserver/blob/master/src/community/security/keycloak/src/main/java/org/geoserver/security/keycloak/GeoServerKeycloakFilter.java#L63

old code:
public GeoServerKeycloakFilter() {
this.adapterTokenStoreFactory = new 
SpringSecurityAdapterTokenStoreF