Re: [Geoserver-devel] oauth2 core

2018-12-07 Thread Thomas
I've added changes to 2.14.x to what is in master.  My pull request is at
https://github.com/geoserver/geoserver/pull/3289

Cheers
~Thomas

On Thu, Dec 6, 2018 at 2:44 PM Andrea Aime wrote:

> Yes, that's correct, within the limits of what "being in a release" means
> for a community module, since they are only built along nightly builds, but
> are not packaged along with official releases.
>
> Cheers
> Andrea

Re: [Geoserver-devel] oauth2 core

2018-12-06 Thread Andrea Aime
Yes, that's correct, within the limits of what "being in a release" means
for a community module, since they are only built along nightly builds, but
are not packaged along with official releases.

Cheers
Andrea

On Wed, 5 Dec 2018 at 23:51 Thomas wrote:

> Does this mean it won't make it into 2.14.3 but will be in the 2.15.0 release
> in February?

Re: [Geoserver-devel] oauth2 core

2018-12-05 Thread Thomas
Does this mean it won't make it into 2.14.3 but will be in the 2.15.0 release in
February?

On Wed, Dec 5, 2018 at 1:25 PM Andrea Aime wrote:

> I have no reason to backport them, they were done for a pilot project that
> will never use the stable series. But you can backport, if you want of
> course :-)
>
> Cheers
> Andrea
___
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Re: [Geoserver-devel] oauth2 core

2018-12-05 Thread Andrea Aime
I have no reason to backport them, they were done for a pilot project that
will never use the stable series. But you can backport, if you want of
course :-)

Cheers
Andrea

On Wed, 5 Dec 2018 at 18:49 Thomas wrote:

> I'm working on 2.14.x.  The changes haven't made it in there yet.  But I
> can see they are in master.
>
> When might the changes make it into 2.14.x?
>
> ~Thomas


Re: [Geoserver-devel] oauth2 core

2018-12-05 Thread Thomas
I'm working on 2.14.x.  The changes haven't made it in there yet.  But I
can see they are in master.

When might the changes make it into 2.14.x?

~Thomas

On Wed, Dec 5, 2018 at 12:24 AM Andrea Aime wrote:

> Hi Thomas,
> some time ago I added some places extracting the bearer token from the
> headers, but I believe that just landed on the developer branch (aka master).
> There might be more places that need that, but I'm wondering if you might be
> looking at a different branch.
>
> Mind, pull requests are accepted first on the master (developer) branch;
> once that gets merged, subsequent backport PRs are welcome too.
>
> Cheers
> Andrea


Re: [Geoserver-devel] oauth2 core

2018-12-05 Thread Andrea Aime
Hi Thomas,
some time ago I added some places extracting the bearer token from the
headers, but I believe that just landed on the developer branch (aka master).
There might be more places that need that, but I'm wondering if you might be
looking at a different branch.

Mind, pull requests are accepted first on the master (developer) branch;
once that gets merged, subsequent backport PRs are welcome too.

Cheers
Andrea

On Tue, Dec 4, 2018 at 10:48 PM Thomas wrote:

> I'm working on integrating my work's OAuth service with GeoServer.  Upon
> testing the GitHub extension as well as the oauth2 core, I think I may have
> found a bug.
>
> When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is
> eventually called.  The filter checks the request parameter for an access
> token and, if it doesn't exist, it checks the request for a bearer token in
> the Authorization header.  If the token exists in one of those two places,
> doAuthenticate is called and it in turn calls getPreAuthenticatedPrincipal.
>
> The function getPreAuthenticatedPrincipal attempts to get the token from
> the query parameter but doesn't try to get it from the Authorization
> header.  According to the RFC for OAuth 2 Bearer Token Usage, the resource
> server (GeoServer) should support this.  A link and a snippet from this
> page are below.  This causes an issue for our web client, which sends the
> token in the Authorization header.
>
> It looks like I could just extend the class
> GeoServerOAuthAuthenticationFilter and put my fixes in there.  But it seems
> it would be more beneficial to submit a pull request.  The changes would be
> about 3 lines.
>
> Is there any issue with me doing this?  I realize the oauth2 and other
> community extensions aren't really maintained unless a volunteer does it.
>
> https://tools.ietf.org/html/rfc6750
> section 2.1 Authorization Request Header Field says
>
>    Clients SHOULD make authenticated requests with a bearer token using
>    the "Authorization" request header field with the "Bearer" HTTP
>    authorization scheme.  Resource servers MUST support this method.


-- 

Regards, Andrea Aime
== GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information. ==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A 55054 Massarosa (LU)
phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
---
*With reference to the regulations on the processing of personal data (EU
Reg. 2016/679, General Data Protection Regulation “GDPR”), please note that
every circumstance concerning this email (its contents, any attachments,
etc.) is data whose knowledge is reserved to the recipient(s) indicated by
the sender only. If the message reached you by mistake, you are required to
delete it; any other operation is unlawful. I would in any case be grateful
if you could let me know. This email is intended only for the person or
entity to which it is addressed and may contain information that is
privileged, confidential or otherwise protected from disclosure. We remind
that - as provided by European Regulation 2016/679 “GDPR” - copying,
dissemination or use of this e-mail or the information herein by anyone
other than the intended recipient is prohibited. If you have received this
email by mistake, please notify us immediately by telephone or e-mail.*


Re: [Geoserver-devel] oauth2 core

2018-12-05 Thread Alessio Fabiani
Go ahead, I'll review it.

Thanks for your contribution.

On Tue, 4 Dec 2018 at 22:47 Thomas wrote:

> I'm working on integrating my work's OAuth service with GeoServer.  Upon
> testing the GitHub extension as well as the oauth2 core, I think I may have
> found a bug.
>
> When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is
> eventually called.  The filter checks the request parameter for an access
> token and, if it doesn't exist, it checks the request for a bearer token in
> the Authorization header.  If the token exists in one of those two places,
> doAuthenticate is called and it in turn calls getPreAuthenticatedPrincipal.
>
> The function getPreAuthenticatedPrincipal attempts to get the token from
> the query parameter but doesn't try to get it from the Authorization
> header.  According to the RFC for OAuth 2 Bearer Token Usage, the resource
> server (GeoServer) should support this.  A link and a snippet from this
> page are below.  This causes an issue for our web client, which sends the
> token in the Authorization header.
>
> It looks like I could just extend the class
> GeoServerOAuthAuthenticationFilter and put my fixes in there.  But it seems
> it would be more beneficial to submit a pull request.  The changes would be
> about 3 lines.
>
> Is there any issue with me doing this?  I realize the oauth2 and other
> community extensions aren't really maintained unless a volunteer does it.
>
> https://tools.ietf.org/html/rfc6750
> section 2.1 Authorization Request Header Field says
>
>    Clients SHOULD make authenticated requests with a bearer token using
>    the "Authorization" request header field with the "Bearer" HTTP
>    authorization scheme.  Resource servers MUST support this method.


-- 

==

GeoServer Professional Services from the experts! Visit http://goo.gl/it488V
for more information.
==
Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead


GeoSolutions S.A.S.
Via di Montramito 3/A - 55054  Massarosa (LU) - Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob:   +39 331 6233686


http://www.geo-solutions.it
http://twitter.com/geosolutions_it
---

With reference to the regulations on the processing of personal data (EU
Reg. 2016/679, General Data Protection Regulation “GDPR”), please note that
every circumstance concerning this email (its contents, any attachments,
etc.) is data whose knowledge is reserved to the recipient(s) indicated by
the sender only. If the message reached you by mistake, you are required to
delete it; any other operation is unlawful. I would in any case be grateful
if you could let me know.


This email is intended only for the person or entity to which it is
addressed and may contain information that is privileged, confidential or
otherwise protected from disclosure. We remind that - as provided by
European Regulation 2016/679 “GDPR” - copying, dissemination or use of this
e-mail or the information herein by anyone other than the intended
recipient is prohibited. If you have received this email by mistake, please
notify us immediately by telephone or e-mail.


[Geoserver-devel] oauth2 core

2018-12-04 Thread Thomas
I'm working on integrating my work's OAuth service with GeoServer.  Upon
testing the GitHub extension as well as the oauth2 core, I think I may have
found a bug.

When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is
eventually called.  The filter checks the request parameter for an access
token and, if it doesn't exist, it checks the request for a bearer token in
the Authorization header.  If the token exists in one of those two places,
doAuthenticate is called and it in turn calls getPreAuthenticatedPrincipal.

The function getPreAuthenticatedPrincipal attempts to get the token from
the query parameter but doesn't try to get it from the Authorization
header.  According to the RFC for OAuth 2 Bearer Token Usage, the resource
server (GeoServer) should support this.  A link and a snippet from this
page are below.  This causes an issue for our web client, which sends the
token in the Authorization header.

It looks like I could just extend the class
GeoServerOAuthAuthenticationFilter and put my fixes in there.  But it seems
it would be more beneficial to submit a pull request.  The changes would be
about 3 lines.

Is there any issue with me doing this?  I realize the oauth2 and other
community extensions aren't really maintained unless a volunteer does it.

https://tools.ietf.org/html/rfc6750
section 2.1 Authorization Request Header Field says

   Clients SHOULD make authenticated requests with a bearer token using
   the "Authorization" request header field with the "Bearer" HTTP
   authorization scheme.  Resource servers MUST support this method.
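The token lookup the report above describes, written out as an added example that is not GeoServer's code, not the pull request, and not Thomas's three-line fix: a standalone helper that resolves a bearer token the way RFC 6750 asks a resource server to, reading the Authorization header (section 2.1, the method a resource server MUST support) and falling back to the access_token query parameter (section 2.3). The class and type names are invented here, the `access_token` parameter name comes from RFC 6750 rather than from the thread (the report only says "request parameter"), and the way a servlet filter would feed it `request.getHeader("Authorization")` and `request.getParameter("access_token")` is an assumption about wiring, not a description of GeoServerOAuthAuthenticationFilter.

```java
import java.util.Locale;

/**
 * Added example, not GeoServer's own code. Resolves an OAuth 2 bearer token
 * from the two transports RFC 6750 defines for a resource server: the
 * Authorization request header (section 2.1, "MUST support") and the
 * access_token URI query parameter (section 2.3). Requests that use both
 * are rejected (section 2: "MUST NOT use more than one method").
 */
public final class BearerTokenResolver {

    /** Where the token came from; NONE means the request carried no bearer token. */
    public enum Source { HEADER, QUERY_PARAMETER, NONE }

    /** Either a token with its source, or a reason to answer 400 invalid_request. */
    public static final class Result {
        public final Source source;
        public final String token;
        public final String error;

        private Result(Source source, String token, String error) {
            this.source = source;
            this.token = token;
            this.error = error;
        }

        static Result found(Source source, String token) { return new Result(source, token, null); }
        static Result none() { return new Result(Source.NONE, null, null); }
        static Result invalid(String error) { return new Result(Source.NONE, null, error); }

        public boolean isInvalid() { return error != null; }
    }

    // b64token syntax from RFC 6750 section 2.1
    private static final String B64TOKEN = "[A-Za-z0-9\\-._~+/]+=*";

    /**
     * @param authorizationHeader raw Authorization header value, or null if absent
     *                            (a servlet filter would pass request.getHeader("Authorization"))
     * @param accessTokenParam    raw access_token query parameter, or null if absent
     *                            (request.getParameter("access_token"))
     */
    public static Result resolve(String authorizationHeader, String accessTokenParam) {
        String headerToken = null;
        if (authorizationHeader != null) {
            String[] parts = authorizationHeader.trim().split("\\s+", 2);
            // The auth-scheme is compared case-insensitively (RFC 7235 section 2.1);
            // any other scheme (e.g. Basic) is not this resolver's business.
            if (parts[0].toLowerCase(Locale.ROOT).equals("bearer")) {
                if (parts.length < 2 || !parts[1].matches(B64TOKEN)) {
                    return Result.invalid("malformed Bearer credentials in Authorization header");
                }
                headerToken = parts[1];
            }
        }
        boolean hasParam = accessTokenParam != null && !accessTokenParam.isEmpty();

        if (headerToken != null && hasParam) {
            return Result.invalid("token sent both in Authorization header and access_token parameter");
        }
        if (headerToken != null) {
            return Result.found(Source.HEADER, headerToken);
        }
        if (hasParam) {
            // Tokens in the URL end up in web server logs and browser history
            // (RFC 6750 section 5.3), so a caller should log this fallback.
            return Result.found(Source.QUERY_PARAMETER, accessTokenParam);
        }
        return Result.none();
    }

    // Constructed sample inputs; the token value is the example from RFC 6750 itself.
    public static void main(String[] args) {
        String[][] samples = {
            { "Bearer mF_9.B5f-4.1JqM", null },    // header only: the mandatory method
            { "bearer mF_9.B5f-4.1JqM", null },    // scheme name is case-insensitive
            { null, "mF_9.B5f-4.1JqM" },           // query parameter only: accepted, fallback
            { "Bearer mF_9.B5f-4.1JqM", "other" }, // both methods: reject
            { "Bearer", null },                    // scheme without credentials: reject
            { "Basic dXNlcjpwYXNz", null },        // not a bearer credential: nothing found
        };
        for (String[] s : samples) {
            Result r = resolve(s[0], s[1]);
            System.out.printf("header=%-24s param=%-18s -> %s%n", s[0], s[1],
                    r.isInvalid() ? "400 invalid_request: " + r.error : r.source + " " + r.token);
        }
    }
}
```

Compile and run it with `javac BearerTokenResolver.java && java BearerTokenResolver`. A filter that only consults the query parameter, as the report describes, accepts the transport RFC 6750 discourages (section 2.3, with the logging and history exposure noted in section 5.3) while rejecting the one it makes mandatory; beyond fixing the lookup, recording which transport authenticated each request gives operators a simple signal if query-parameter tokens start showing up where the web client is supposed to send a header.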