Hi all, been looking at GSIP 71. Wow, massive beast, the patch is 2.2MB!!!

First part of the feedback is based on the new security subsystem docs, which I found easier to grok than the proposal itself:
http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/index.html

Overall what I've seen looks quite good, comments below.

http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/web.html

The way things look in the drawing and in the description, it almost seems like the form-based authentication filter does not let the remember-me filter do its job, or else it knows the remember-me filter is there and lets it do its job only if the remember-me flag is raised, otherwise it cuts the filter chain short. Is it really working like that? Afaik Spring's own filter chains were traversed like normal servlet filters.

Also, in the example titled "User returns after session time out (with “Remember Me”)", doesn't the session integration filter create a new session after the remember-me one authenticated the request?

http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/providers.html

The JDBC provider seems like a rather heavy approach, as it has to create a new database connection each time. Also, the documentation does not show how one switches from username/password to LDAP to JDBC.

Finally, I'm not clear on one important bit: are we using Spring Security providers directly, wrapping them in our own objects, or rolling our own? How easy/hard is it to plug in a new authentication provider, say for CAS, Shibboleth, OpenID (and so on)?

http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/passwd.html

Aren't the strong encryption algorithms somehow limited in availability, like for example people from certain states are not allowed to use them? If so, I'd suggest pointing that out in the documentation, since everything else in the core GeoServer can be used without restrictions (that I'm aware of, at least).

How are password policies configured?

So far I've read the GSIP itself and the updated documentation Justin provided. They both provide a nice introduction but left me wanting in terms of configuration and extensibility, as well as internal API (this thing introduces a number of new interfaces, they should be documented in the GSIP imho)... Is there going to be some documentation in this respect, or is the only way to get an overview to actually read 2.2MB of patch (or, put in other terms, read a patch file weighing 58000 lines?)

Cheers
Andrea

--
-------------------------------------------------------
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead

Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
-------------------------------------------------------
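On the availability of strong encryption raised above: on a JVM the practical limit is usually not the user's country but the JCE jurisdiction policy shipped with the JDK (older Java 8 builds and earlier defaulted to a "limited" policy that capped AES at 128-bit keys unless the unlimited-strength policy files were installed; 8u151 added the `crypto.policy` security property and 8u161 and Java 9+ default to "unlimited"). The following is an added check, not code from this thread or from GeoServer, that a deployer can run against the target JVM before enabling a strong password encoder. It uses only standard JDK APIs (`Cipher.getMaxAllowedKeyLength`, `Security.getProperty`, `KeyGenerator`); the class name and the 256-bit threshold are the example's own choices.

```java
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;

/**
 * Added example (not GeoServer code): reports whether this JVM's JCE policy
 * permits strong symmetric encryption, so a deployment does not silently fall
 * back to, or fail on, a password encoder that needs 256-bit AES.
 */
public class StrongCryptoCheck {

    /** True when the policy allows keys of at least {@code bits} for the algorithm. */
    static boolean isKeyLengthAllowed(String algorithm, int bits)
            throws NoSuchAlgorithmException {
        // Under the "limited" policy this returns 128 for AES; under "unlimited"
        // it returns Integer.MAX_VALUE.
        return Cipher.getMaxAllowedKeyLength(algorithm) >= bits;
    }

    /**
     * Goes beyond the static query and actually initialises a cipher with a
     * 256-bit key: a restricted policy rejects this with InvalidKeyException
     * ("Illegal key size"), which is the error an operator would otherwise
     * first see deep inside the authentication code.
     */
    static boolean canInitAes256()
            throws NoSuchAlgorithmException, NoSuchPaddingException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            // ENCRYPT_MODE without an explicit IV lets the provider pick a random one.
            cipher.init(Cipher.ENCRYPT_MODE, key);
            return true;
        } catch (InvalidKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Present on 8u151+ and Java 9+; null on older JDKs.
        String policy = Security.getProperty("crypto.policy");
        System.out.println("crypto.policy          : " + (policy == null ? "(not set)" : policy));
        System.out.println("max AES key length     : " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("AES-256 allowed        : " + isKeyLengthAllowed("AES", 256));
        System.out.println("AES-256 cipher init OK : " + canInitAes256());

        if (!isKeyLengthAllowed("AES", 256)) {
            System.out.println("This JVM is running a limited JCE policy; strong password "
                    + "encryption will not be available until the unlimited policy is enabled.");
        }
    }
}
```

Run it with the same JVM that will host GeoServer (`java StrongCryptoCheck`); if the last two lines print `false`, the documentation caveat discussed above applies to that installation regardless of where the user is located.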
