Re: [Geoserver-devel] oauth2 core
I've added changes to 2.14.x to what is in master. My pull request is at https://github.com/geoserver/geoserver/pull/3289 Cheers ~Thomas On Thu, Dec 6, 2018 at 2:44 PM Andrea Aime wrote: > Yes, that's correct, within the limits of what "being in a release" means > for a community module, since they are only built along nightly builds, but > are not packaged along with official releases. > > Cheers > Andrea > > Il giorno mer 5 dic 2018, 23:51 Thomas ha > scritto: > >> Does this mean it won't it into 2.14.3 but will be in the 2.15.0 release >> in February? >> >> On Wed, Dec 5, 2018 at 1:25 PM Andrea Aime >> wrote: >> >>> I have no reason to backport them, they were done for a pilot project >>> that will never use the stable series. But you can backport, if you want of >>> course :-) >>> >>> Cheers >>> Andrea >>> >>> Il giorno mer 5 dic 2018, 18:49 Thomas ha >>> scritto: >>> I'm working on 2.14.x. The changes haven't made it into there yet. But I can see they are in master. When might the changes make it into 2.14.x? ~Thomas On Wed, Dec 5, 2018 at 12:24 AM Andrea Aime < andrea.a...@geo-solutions.it> wrote: > Hi Thomas, > some time ago I added some places extracting the bearer token from the > headers, > but believe that just landed on the developer branch (aka master). > There might be more places > that need that, but wondering if you might be looking at a different > branch. > > Mind, pull requests are accepted first on the master (developer) > branch, once that gets merged, > subsequent backports PR are welcomed too. > > Cheers > Andrea > > On Tue, Dec 4, 2018 at 10:48 PM Thomas > wrote: > >> I'm working with integrating my work's oauth service with geoserver. >> Upon testing the github extension as well as the oauth2 core, I think I >> may >> of found a bug. >> >> When a request is made, GeoServerOAuthAuthenticationFilter:doFilter >> is eventually called. The filter checks the request parameter for an >> access token and if it doesn't exist it checks the request for a bearer >> token in the Authorization header. If the token exists in one of those >> two >> places, doAuthenticate is called and it in turn >> calls getPreAuthenticatedPrincipal. >> >> The function getPreAuthenticatedPrincipal attempts to get the token >> from the query parameter but doesn't try to get it from the Authorization >> Header. According to the RFC for OAuth 2 Bearer Token usage, the >> resource >> server (Geoserver), should support this. A link and a snippet from this >> page is below. This causes an issue for our web client which sends the >> token in the Authorization Header. >> >> It looks like I could just extend the class >> GeoServerOAuthAuthenticationFilter and put my fixes in there. But it >> seems >> it would be more beneficial to submit a pull request. The changes would >> be >> about 3 lines. >> >> Is there any issue with me doing this? I realize the oauth2 and >> other community extensions aren't really maintained unless a volunteer >> does >> it. >> >> https://tools.ietf.org/html/rfc6750 >> section 2.1 Authorization Request Header Field says >> >> >> Clients SHOULD make authenticated requests with a bearer token using >>the "Authorization" request header field with the "Bearer" HTTP >>authorization scheme. Resource servers MUST support this method. >> >> ___ >> Geoserver-devel mailing list >> Geoserver-devel@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/geoserver-devel >> > > > -- > > Regards, Andrea Aime == GeoServer Professional Services from the > experts! Visit http://goo.gl/it488V for more information. == Ing. > Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito > 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: > +39 339 8844549 http://www.geo-solutions.it > http://twitter.com/geosolutions_it > --- *Con > riferimento alla normativa sul trattamento dei dati personali (Reg. UE > 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si > precisa che ogni circostanza inerente alla presente email (il suo > contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è > riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il > messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra > operazione è illecita. Le sarei comunque grato se potesse darmene notizia. > This email is intended only for the person or entity to which it is > addressed and may contain information that is privileged,
Re: [Geoserver-devel] oauth2 core
Yes, that's correct, within the limits of what "being in a release" means for a community module, since they are only built along nightly builds, but are not packaged along with official releases. Cheers Andrea Il giorno mer 5 dic 2018, 23:51 Thomas ha scritto: > Does this mean it won't it into 2.14.3 but will be in the 2.15.0 release > in February? > > On Wed, Dec 5, 2018 at 1:25 PM Andrea Aime > wrote: > >> I have no reason to backport them, they were done for a pilot project >> that will never use the stable series. But you can backport, if you want of >> course :-) >> >> Cheers >> Andrea >> >> Il giorno mer 5 dic 2018, 18:49 Thomas ha >> scritto: >> >>> I'm working on 2.14.x. The changes haven't made it into there yet. But >>> I can see they are in master. >>> >>> When might the changes make it into 2.14.x? >>> >>> ~Thomas >>> >>> On Wed, Dec 5, 2018 at 12:24 AM Andrea Aime < >>> andrea.a...@geo-solutions.it> wrote: >>> Hi Thomas, some time ago I added some places extracting the bearer token from the headers, but believe that just landed on the developer branch (aka master). There might be more places that need that, but wondering if you might be looking at a different branch. Mind, pull requests are accepted first on the master (developer) branch, once that gets merged, subsequent backports PR are welcomed too. Cheers Andrea On Tue, Dec 4, 2018 at 10:48 PM Thomas wrote: > I'm working with integrating my work's oauth service with geoserver. > Upon testing the github extension as well as the oauth2 core, I think I > may > of found a bug. > > When a request is made, GeoServerOAuthAuthenticationFilter:doFilter > is eventually called. The filter checks the request parameter for an > access token and if it doesn't exist it checks the request for a bearer > token in the Authorization header. If the token exists in one of those > two > places, doAuthenticate is called and it in turn > calls getPreAuthenticatedPrincipal. > > The function getPreAuthenticatedPrincipal attempts to get the token > from the query parameter but doesn't try to get it from the Authorization > Header. According to the RFC for OAuth 2 Bearer Token usage, the resource > server (Geoserver), should support this. A link and a snippet from this > page is below. This causes an issue for our web client which sends the > token in the Authorization Header. > > It looks like I could just extend the class > GeoServerOAuthAuthenticationFilter and put my fixes in there. But it > seems > it would be more beneficial to submit a pull request. The changes would > be > about 3 lines. > > Is there any issue with me doing this? I realize the oauth2 and other > community extensions aren't really maintained unless a volunteer does it. > > https://tools.ietf.org/html/rfc6750 > section 2.1 Authorization Request Header Field says > > > Clients SHOULD make authenticated requests with a bearer token using >the "Authorization" request header field with the "Bearer" HTTP >authorization scheme. Resource servers MUST support this method. > > ___ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > -- Regards, Andrea Aime == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it --- *Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia. This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us
Re: [Geoserver-devel] oauth2 core
Does this mean it won't it into 2.14.3 but will be in the 2.15.0 release in February? On Wed, Dec 5, 2018 at 1:25 PM Andrea Aime wrote: > I have no reason to backport them, they were done for a pilot project that > will never use the stable series. But you can backport, if you want of > course :-) > > Cheers > Andrea > > Il giorno mer 5 dic 2018, 18:49 Thomas ha > scritto: > >> I'm working on 2.14.x. The changes haven't made it into there yet. But >> I can see they are in master. >> >> When might the changes make it into 2.14.x? >> >> ~Thomas >> >> On Wed, Dec 5, 2018 at 12:24 AM Andrea Aime >> wrote: >> >>> Hi Thomas, >>> some time ago I added some places extracting the bearer token from the >>> headers, >>> but believe that just landed on the developer branch (aka master). There >>> might be more places >>> that need that, but wondering if you might be looking at a different >>> branch. >>> >>> Mind, pull requests are accepted first on the master (developer) branch, >>> once that gets merged, >>> subsequent backports PR are welcomed too. >>> >>> Cheers >>> Andrea >>> >>> On Tue, Dec 4, 2018 at 10:48 PM Thomas wrote: >>> I'm working with integrating my work's oauth service with geoserver. Upon testing the github extension as well as the oauth2 core, I think I may of found a bug. When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is eventually called. The filter checks the request parameter for an access token and if it doesn't exist it checks the request for a bearer token in the Authorization header. If the token exists in one of those two places, doAuthenticate is called and it in turn calls getPreAuthenticatedPrincipal. The function getPreAuthenticatedPrincipal attempts to get the token from the query parameter but doesn't try to get it from the Authorization Header. According to the RFC for OAuth 2 Bearer Token usage, the resource server (Geoserver), should support this. A link and a snippet from this page is below. This causes an issue for our web client which sends the token in the Authorization Header. It looks like I could just extend the class GeoServerOAuthAuthenticationFilter and put my fixes in there. But it seems it would be more beneficial to submit a pull request. The changes would be about 3 lines. Is there any issue with me doing this? I realize the oauth2 and other community extensions aren't really maintained unless a volunteer does it. https://tools.ietf.org/html/rfc6750 section 2.1 Authorization Request Header Field says Clients SHOULD make authenticated requests with a bearer token using the "Authorization" request header field with the "Bearer" HTTP authorization scheme. Resource servers MUST support this method. ___ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel >>> >>> >>> -- >>> >>> Regards, Andrea Aime == GeoServer Professional Services from the >>> experts! Visit http://goo.gl/it488V for more information. == Ing. >>> Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito >>> 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: >>> +39 339 8844549 http://www.geo-solutions.it >>> http://twitter.com/geosolutions_it >>> --- *Con >>> riferimento alla normativa sul trattamento dei dati personali (Reg. UE >>> 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si >>> precisa che ogni circostanza inerente alla presente email (il suo >>> contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è >>> riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il >>> messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra >>> operazione è illecita. Le sarei comunque grato se potesse darmene notizia. >>> This email is intended only for the person or entity to which it is >>> addressed and may contain information that is privileged, confidential or >>> otherwise protected from disclosure. We remind that - as provided by >>> European Regulation 2016/679 “GDPR” - copying, dissemination or use of this >>> e-mail or the information herein by anyone other than the intended >>> recipient is prohibited. If you have received this email by mistake, please >>> notify us immediately by telephone or e-mail.* >>> >> ___ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
Re: [Geoserver-devel] oauth2 core
I have no reason to backport them, they were done for a pilot project that will never use the stable series. But you can backport, if you want of course :-) Cheers Andrea Il giorno mer 5 dic 2018, 18:49 Thomas ha scritto: > I'm working on 2.14.x. The changes haven't made it into there yet. But I > can see they are in master. > > When might the changes make it into 2.14.x? > > ~Thomas > > On Wed, Dec 5, 2018 at 12:24 AM Andrea Aime > wrote: > >> Hi Thomas, >> some time ago I added some places extracting the bearer token from the >> headers, >> but believe that just landed on the developer branch (aka master). There >> might be more places >> that need that, but wondering if you might be looking at a different >> branch. >> >> Mind, pull requests are accepted first on the master (developer) branch, >> once that gets merged, >> subsequent backports PR are welcomed too. >> >> Cheers >> Andrea >> >> On Tue, Dec 4, 2018 at 10:48 PM Thomas wrote: >> >>> I'm working with integrating my work's oauth service with geoserver. >>> Upon testing the github extension as well as the oauth2 core, I think I may >>> of found a bug. >>> >>> When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is >>> eventually called. The filter checks the request parameter for an access >>> token and if it doesn't exist it checks the request for a bearer token in >>> the Authorization header. If the token exists in one of those two >>> places, doAuthenticate is called and it in turn >>> calls getPreAuthenticatedPrincipal. >>> >>> The function getPreAuthenticatedPrincipal attempts to get the token >>> from the query parameter but doesn't try to get it from the Authorization >>> Header. According to the RFC for OAuth 2 Bearer Token usage, the resource >>> server (Geoserver), should support this. A link and a snippet from this >>> page is below. This causes an issue for our web client which sends the >>> token in the Authorization Header. >>> >>> It looks like I could just extend the class >>> GeoServerOAuthAuthenticationFilter and put my fixes in there. But it seems >>> it would be more beneficial to submit a pull request. The changes would be >>> about 3 lines. >>> >>> Is there any issue with me doing this? I realize the oauth2 and other >>> community extensions aren't really maintained unless a volunteer does it. >>> >>> https://tools.ietf.org/html/rfc6750 >>> section 2.1 Authorization Request Header Field says >>> >>> >>> Clients SHOULD make authenticated requests with a bearer token using >>>the "Authorization" request header field with the "Bearer" HTTP >>>authorization scheme. Resource servers MUST support this method. >>> >>> ___ >>> Geoserver-devel mailing list >>> Geoserver-devel@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel >>> >> >> >> -- >> >> Regards, Andrea Aime == GeoServer Professional Services from the experts! >> Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime >> @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 >> Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 >> 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it >> --- *Con riferimento >> alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - >> Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni >> circostanza inerente alla presente email (il suo contenuto, gli eventuali >> allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i >> destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per >> errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le >> sarei comunque grato se potesse darmene notizia. This email is intended >> only for the person or entity to which it is addressed and may contain >> information that is privileged, confidential or otherwise protected from >> disclosure. We remind that - as provided by European Regulation 2016/679 >> “GDPR” - copying, dissemination or use of this e-mail or the information >> herein by anyone other than the intended recipient is prohibited. If you >> have received this email by mistake, please notify us immediately by >> telephone or e-mail.* >> > ___ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
Re: [Geoserver-devel] oauth2 core
I'm working on 2.14.x. The changes haven't made it into there yet. But I can see they are in master. When might the changes make it into 2.14.x? ~Thomas On Wed, Dec 5, 2018 at 12:24 AM Andrea Aime wrote: > Hi Thomas, > some time ago I added some places extracting the bearer token from the > headers, > but believe that just landed on the developer branch (aka master). There > might be more places > that need that, but wondering if you might be looking at a different > branch. > > Mind, pull requests are accepted first on the master (developer) branch, > once that gets merged, > subsequent backports PR are welcomed too. > > Cheers > Andrea > > On Tue, Dec 4, 2018 at 10:48 PM Thomas wrote: > >> I'm working with integrating my work's oauth service with geoserver. >> Upon testing the github extension as well as the oauth2 core, I think I may >> of found a bug. >> >> When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is >> eventually called. The filter checks the request parameter for an access >> token and if it doesn't exist it checks the request for a bearer token in >> the Authorization header. If the token exists in one of those two >> places, doAuthenticate is called and it in turn >> calls getPreAuthenticatedPrincipal. >> >> The function getPreAuthenticatedPrincipal attempts to get the token from >> the query parameter but doesn't try to get it from the Authorization >> Header. According to the RFC for OAuth 2 Bearer Token usage, the resource >> server (Geoserver), should support this. A link and a snippet from this >> page is below. This causes an issue for our web client which sends the >> token in the Authorization Header. >> >> It looks like I could just extend the class >> GeoServerOAuthAuthenticationFilter and put my fixes in there. But it seems >> it would be more beneficial to submit a pull request. The changes would be >> about 3 lines. >> >> Is there any issue with me doing this? I realize the oauth2 and other >> community extensions aren't really maintained unless a volunteer does it. >> >> https://tools.ietf.org/html/rfc6750 >> section 2.1 Authorization Request Header Field says >> >> >> Clients SHOULD make authenticated requests with a bearer token using >>the "Authorization" request header field with the "Bearer" HTTP >>authorization scheme. Resource servers MUST support this method. >> >> ___ >> Geoserver-devel mailing list >> Geoserver-devel@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/geoserver-devel >> > > > -- > > Regards, Andrea Aime == GeoServer Professional Services from the experts! > Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime > @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 > Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 > 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it > --- *Con riferimento > alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - > Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni > circostanza inerente alla presente email (il suo contenuto, gli eventuali > allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i > destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per > errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le > sarei comunque grato se potesse darmene notizia. This email is intended > only for the person or entity to which it is addressed and may contain > information that is privileged, confidential or otherwise protected from > disclosure. We remind that - as provided by European Regulation 2016/679 > “GDPR” - copying, dissemination or use of this e-mail or the information > herein by anyone other than the intended recipient is prohibited. If you > have received this email by mistake, please notify us immediately by > telephone or e-mail.* > ___ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
Re: [Geoserver-devel] oauth2 core
Hi Thomas, some time ago I added some places extracting the bearer token from the headers, but believe that just landed on the developer branch (aka master). There might be more places that need that, but wondering if you might be looking at a different branch. Mind, pull requests are accepted first on the master (developer) branch, once that gets merged, subsequent backports PR are welcomed too. Cheers Andrea On Tue, Dec 4, 2018 at 10:48 PM Thomas wrote: > I'm working with integrating my work's oauth service with geoserver. Upon > testing the github extension as well as the oauth2 core, I think I may of > found a bug. > > When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is > eventually called. The filter checks the request parameter for an access > token and if it doesn't exist it checks the request for a bearer token in > the Authorization header. If the token exists in one of those two > places, doAuthenticate is called and it in turn > calls getPreAuthenticatedPrincipal. > > The function getPreAuthenticatedPrincipal attempts to get the token from > the query parameter but doesn't try to get it from the Authorization > Header. According to the RFC for OAuth 2 Bearer Token usage, the resource > server (Geoserver), should support this. A link and a snippet from this > page is below. This causes an issue for our web client which sends the > token in the Authorization Header. > > It looks like I could just extend the class > GeoServerOAuthAuthenticationFilter and put my fixes in there. But it seems > it would be more beneficial to submit a pull request. The changes would be > about 3 lines. > > Is there any issue with me doing this? I realize the oauth2 and other > community extensions aren't really maintained unless a volunteer does it. > > https://tools.ietf.org/html/rfc6750 > section 2.1 Authorization Request Header Field says > > > Clients SHOULD make authenticated requests with a bearer token using >the "Authorization" request header field with the "Bearer" HTTP >authorization scheme. Resource servers MUST support this method. > > ___ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > -- Regards, Andrea Aime == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it --- *Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia. This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.* ___ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
Re: [Geoserver-devel] oauth2 core
Go ahead, I'll review it. Thanks for your contribution. Il giorno mar 4 dic 2018 alle ore 22:47 Thomas ha scritto: > I'm working with integrating my work's oauth service with geoserver. Upon > testing the github extension as well as the oauth2 core, I think I may of > found a bug. > > When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is > eventually called. The filter checks the request parameter for an access > token and if it doesn't exist it checks the request for a bearer token in > the Authorization header. If the token exists in one of those two > places, doAuthenticate is called and it in turn > calls getPreAuthenticatedPrincipal. > > The function getPreAuthenticatedPrincipal attempts to get the token from > the query parameter but doesn't try to get it from the Authorization > Header. According to the RFC for OAuth 2 Bearer Token usage, the resource > server (Geoserver), should support this. A link and a snippet from this > page is below. This causes an issue for our web client which sends the > token in the Authorization Header. > > It looks like I could just extend the class > GeoServerOAuthAuthenticationFilter and put my fixes in there. But it seems > it would be more beneficial to submit a pull request. The changes would be > about 3 lines. > > Is there any issue with me doing this? I realize the oauth2 and other > community extensions aren't really maintained unless a volunteer does it. > > https://tools.ietf.org/html/rfc6750 > section 2.1 Authorization Request Header Field says > > > Clients SHOULD make authenticated requests with a bearer token using >the "Authorization" request header field with the "Bearer" HTTP >authorization scheme. Resource servers MUST support this method. > > ___ > Geoserver-devel mailing list > Geoserver-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-devel > -- == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Alessio Fabiani @alfa7691 Founder/Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A - 55054 Massarosa (LU) - Italy phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 331 6233686 http://www.geo-solutions.it http://twitter.com/geosolutions_it --- Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si precisa che ogni circostanza inerente alla presente email (il suo contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra operazione è illecita. Le sarei comunque grato se potesse darmene notizia. This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail. ___ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel
[Geoserver-devel] oauth2 core
I'm working with integrating my work's oauth service with geoserver. Upon testing the github extension as well as the oauth2 core, I think I may of found a bug. When a request is made, GeoServerOAuthAuthenticationFilter:doFilter is eventually called. The filter checks the request parameter for an access token and if it doesn't exist it checks the request for a bearer token in the Authorization header. If the token exists in one of those two places, doAuthenticate is called and it in turn calls getPreAuthenticatedPrincipal. The function getPreAuthenticatedPrincipal attempts to get the token from the query parameter but doesn't try to get it from the Authorization Header. According to the RFC for OAuth 2 Bearer Token usage, the resource server (Geoserver), should support this. A link and a snippet from this page is below. This causes an issue for our web client which sends the token in the Authorization Header. It looks like I could just extend the class GeoServerOAuthAuthenticationFilter and put my fixes in there. But it seems it would be more beneficial to submit a pull request. The changes would be about 3 lines. Is there any issue with me doing this? I realize the oauth2 and other community extensions aren't really maintained unless a volunteer does it. https://tools.ietf.org/html/rfc6750 section 2.1 Authorization Request Header Field says Clients SHOULD make authenticated requests with a bearer token using the "Authorization" request header field with the "Bearer" HTTP authorization scheme. Resource servers MUST support this method. ___ Geoserver-devel mailing list Geoserver-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-devel