Hey Andrea,
Thanks again for the feedback, comments inline.
On Sun, Feb 26, 2012 at 10:09 AM, Andrea Aime
<[email protected]> wrote:
> Hi all,
> been looking at GSIP 71. Wow, massive beast, the patch is 2.2MB!!!
>
> First part of the feedback is based on the new security subsystem docs,
> which
> I found easier to grok than the proposal itself:
> http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/index.html
>
> Overall what I've seen looks quite good, comments below.
>
> http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/web.html
> The way things look in the drawing and in the description
> it almost seems like form based authentication filter
> does not let the remember me filter do its job, or else, it knows the
> remember me filter is there and lets it do its job only if the remember me
> flag is raised, otherwise it cuts the filter chain short.
> Is it really working like that?
> Afaik Spring's own filter chains are traversed like normal servlet filters.
>
You are correct; in an attempt to make it more understandable for regular
users I simplified the concepts somewhat. Indeed it is as you mention, and
all the filters get a chance to execute; in that case the remember me
filter recognizes the remember me flag and acts accordingly.
I tried to describe this in the following section.
http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/web.html#user-logs-in-with-remember-me-flag-set
Probably a diagram there would be a good idea.
>
> Also, in the example titled
> "User returns after session time out (with “Remember Me”)"
> doesn't the session integration filter create a new session after the
> remember me
> one authenticated the request?
>
Indeed, again an oversimplification of things that happen in the filters
"on the way out". Will add some text there explaining what happens.
>
>
> http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/auth/providers.html
>
> The JDBC provider seems like a rather heavy approach, as it has to create a
> new database connection each time.
>
> Also, the documentation does not show how one switches from
> username/password
> to LDAP to JDBC.
>
There is some stuff in the docs about how to interact via the ui. Some
stuff there about adding new auth providers.
http://echobase.opengeo.org/~jdeolive/geoserver_docs/webadmin/security/auth.html
But I agree... the current docs are pretty much a baseline and more of a
reference. What I would like to see is some good tutorial style docs in
order to tie things together and handle some of these common configuration
use cases.
> Finally, I'm not clear on one important bit: are we using Spring
> Security providers directly,
> wrap them in our own objects, or roll your own?
>
This is something Christian and I went back and forth on. In the end we
decided to go with a geoserver specific interface, providing wrappers to
make it easy to delegate fully to an existing spring security auth provider.
https://github.com/jdeolive/geoserver/blob/security/src/security/ldap/src/main/java/org/geoserver/security/ldap/LDAPAuthenticationProvider.java
It still kind of makes me think twice about the approach and not being able
to plug in a straight spring security class directly... but at the same
time the developer will still have to write an extension for new auth
providers so adding a simple wrapping class like this didn't seem too bad.
> How easy/hard it is to plug in a new authentication provider, say for
> CAS, Shibboleth,
> OpenID (and so on?)
>
One that has an existing spring security auth provider is relatively
simple; the ldap security module adds a good template for that. Writing our
own from scratch is naturally potentially quite a bit more work; the jdbc
module provides a template of that.
https://github.com/jdeolive/geoserver/tree/security/src/security/ldap
https://github.com/jdeolive/geoserver/tree/security/src/security/jdbc
> http://echobase.opengeo.org/~jdeolive/geoserver_docs/security/passwd.html
>
> Aren't the strong encryption algorithms somehow limited in availability,
> like
> for examples people from certain states are not allowed to use them?
> If so I'd suggest to point that out in the documentation, since everything
> else
> in the core GeoServer can be used without restrictions (that I'm aware
> of, at least).
>
Right, I am actually not sure, Christian will have a better idea. But I
will dig into this to try and find a better answer and update the docs
accordingly.
> How are password policies configured?
>
>
Some limited stuff in the web ui section of the security docs.
http://echobase.opengeo.org/~jdeolive/geoserver_docs/webadmin/security/passwords.html#password-policies
>
> So far I've read the GSIP itself and the updated documentation Justin
> provided.
> They both provide a nice introduction but left me wanting in terms of
> configuration
> and extensibility, as well as internal api (this thing introduces a
> number of new
> interfaces, they should be documented in the GSIP imho)...
> is there going to be some documentation in this respect, or
> the only way to get an overview is to actually read 2.2MB of patch (or,
> put in
> other terms, read a patch file weighing 58000 lines?)
>
Haha, yeah. Certainly some developer docs are in order. I will throw it on
the todo list to add some stuff to the developer docs providing a better
walkthrough to the new security api.
>
> Cheers
> Andrea
>
> --
> -------------------------------------------------------
> Ing. Andrea Aime
> GeoSolutions S.A.S.
> Tech lead
>
> Via Poggio alle Viti 1187
> 55054 Massarosa (LU)
> Italy
>
> phone: +39 0584 962313
> fax: +39 0584 962313
> mob: +39 339 8844549
>
> http://www.geo-solutions.it
> http://geo-solutions.blogspot.com/
> http://www.youtube.com/user/GeoSolutionsIT
> http://www.linkedin.com/in/andreaaime
> http://twitter.com/geowolf
>
> -------------------------------------------------------
>
>
> _______________________________________________
> Geoserver-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
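To make the filter-chain behaviour discussed above concrete, here is an added example (not GeoServer or Spring Security code, and not part of the thread) that simulates a servlet-style security chain with three filters: session integration, form login and remember-me. Every filter hands the request on rather than cutting the chain short, the remember-me filter issues its cookie only when the flag was raised, and the session integration filter creates the new session "on the way out" after the remember-me filter has authenticated a request whose server-side session has expired. The `Exchange` class, the cookie that simply carries the user name and the hard-coded credentials are toy stand-ins constructed for this example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

public class FilterChainWalkthrough {

    /** Stand-in for a request/response pair (constructed for this example). */
    static final class Exchange {
        final Map<String, String> params = new HashMap<>();
        final Map<String, String> cookies = new HashMap<>();
        final Map<String, String> sessions;   // shared server-side session store
        String sessionId;                     // null until a session exists
        String principal;                     // null until some filter authenticates
        int status = 200;
        final List<String> trace = new ArrayList<>();
        Exchange(Map<String, String> sessions) { this.sessions = sessions; }
    }

    interface Filter { void doFilter(Exchange ex, Iterator<Filter> chain); }

    /** Hand the request to the next filter, if there is one. */
    static void next(Exchange ex, Iterator<Filter> chain) {
        if (chain.hasNext()) chain.next().doFilter(ex, chain);
    }

    /** Session integration: restore the principal on the way in, create the
     *  session on the way out once somebody has authenticated the request. */
    static final class SessionIntegrationFilter implements Filter {
        static int counter = 0;
        public void doFilter(Exchange ex, Iterator<Filter> chain) {
            if (ex.sessionId != null) {
                if (ex.sessions.containsKey(ex.sessionId)) {
                    ex.principal = ex.sessions.get(ex.sessionId);
                    ex.trace.add("session: restored " + ex.principal);
                } else {
                    ex.trace.add("session: expired " + ex.sessionId);
                    ex.sessionId = null;      // stale id, treat as no session
                }
            }
            next(ex, chain);
            if (ex.principal != null && ex.sessionId == null) {
                ex.sessionId = "S" + (++counter);
                ex.sessions.put(ex.sessionId, ex.principal);
                ex.trace.add("session: created " + ex.sessionId + " on the way out");
            }
        }
    }

    /** Form login: authenticates when the credentials match, always continues. */
    static final class FormLoginFilter implements Filter {
        public void doFilter(Exchange ex, Iterator<Filter> chain) {
            if (ex.principal == null && "admin".equals(ex.params.get("user"))
                    && "secret".equals(ex.params.get("pass"))) {
                ex.principal = "admin";
                ex.trace.add("form-login: authenticated");
            }
            next(ex, chain);   // does not cut the chain short
        }
    }

    /** Remember me: authenticates from the cookie on the way in when nobody
     *  else has; on the way out issues the cookie only if the flag was raised. */
    static final class RememberMeFilter implements Filter {
        public void doFilter(Exchange ex, Iterator<Filter> chain) {
            if (ex.principal == null && ex.cookies.containsKey("remember-me")) {
                ex.principal = ex.cookies.get("remember-me"); // toy token: the user name
                ex.trace.add("remember-me: authenticated from cookie");
            }
            next(ex, chain);
            if (ex.principal != null && "on".equals(ex.params.get("remember"))) {
                ex.cookies.put("remember-me", ex.principal);
                ex.trace.add("remember-me: cookie issued on the way out");
            }
        }
    }

    /** Terminal element: the resource the chain protects. */
    static final class SecuredResource implements Filter {
        public void doFilter(Exchange ex, Iterator<Filter> chain) {
            ex.status = ex.principal == null ? 401 : 200;
            ex.trace.add("resource: " + ex.status);
        }
    }

    static Exchange run(Exchange ex) {
        List<Filter> chain = List.of(new SessionIntegrationFilter(), new FormLoginFilter(),
                                     new RememberMeFilter(), new SecuredResource());
        next(ex, chain.iterator());
        return ex;
    }

    public static void main(String[] args) {
        Map<String, String> sessions = new HashMap<>();

        // 1. User logs in with the remember-me flag set.
        Exchange login = new Exchange(sessions);
        login.params.put("user", "admin");
        login.params.put("pass", "secret");
        login.params.put("remember", "on");
        System.out.println(run(login).trace);

        // 2. Session times out server side; the browser still holds the cookie.
        sessions.clear();
        Exchange back = new Exchange(sessions);
        back.sessionId = login.sessionId;   // stale id from the old session
        back.cookies.putAll(login.cookies);
        System.out.println(run(back).trace);
    }
}
```

The first trace shows the form login filter authenticating and then the remember-me cookie and the session both being produced on the way back out; the second shows the expired session being dropped, the remember-me filter authenticating from the cookie, and the session integration filter creating a fresh session for that request, which is the "doesn't the session integration filter create a new session" case from the thread.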