If layers are protected and the catalog mode is mixed, a layer preview with an unauthorized user causes an access denied exception.
This happens in SecureCatalogImpl, in the method
public WrapperPolicy buildWrapperPolicy(Authentication user, CatalogInfo info, String resourceName) { ...
at line 855.
Code snippet:
=======================================
if (!canRead) {
    // if in hide mode, we just hide the resource
    if (mode == CatalogMode.HIDE)
    {
        return WrapperPolicy.hide(limits);
    }
    else if (mode == CatalogMode.MIXED)
    {
        // if request is a get capabilities and mixed, we hide again
        Request request = Dispatcher.REQUEST.get();
        if (request != null && "GetCapabilities".equalsIgnoreCase(request.getRequest()))
            return WrapperPolicy.hide(limits);
        // otherwise challenge the user for credentials
        else
            throw unauthorizedAccess(resourceName);
    }
    else
    {
        // for challenge mode we agree to show freely only the metadata, every
        // other access will trigger a security exception
        return WrapperPolicy.metadata(limits);
    }
}
============================================
I am not sure how to fix this. In this scenario we should decide on a behavior like mode HIDE or CHALLENGE; I am not sure which is best.
AFAIK, Dispatcher.REQUEST is set only for OGC services. Maybe it is possible to check whether this thread local is null, but I am not sure about side effects.
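
The branch quoted above, modelled as an added stand-alone example (not GeoServer code and not written by the reporter), to show which mode and request combinations end in the exception. `MixedModeModel`, `Outcome`, `current` and `withNullCheck` are hypothetical names, and a null `ogcRequest` stands for the case where no dispatcher request is bound to the thread, which the report assumes is the situation outside OGC services.

```java
import java.util.Arrays;
import java.util.List;

// Stand-alone model of the quoted branch; no GeoServer classes are used.
public class MixedModeModel {
    enum CatalogMode { HIDE, MIXED, CHALLENGE }
    enum Outcome { HIDE, METADATA_ONLY, UNAUTHORIZED }

    // Mirrors the quoted branch for a user without read access.
    // ogcRequest stands in for Dispatcher.REQUEST.get().getRequest();
    // null means no dispatcher request is bound to the thread.
    static Outcome current(CatalogMode mode, String ogcRequest) {
        if (mode == CatalogMode.HIDE) return Outcome.HIDE;
        if (mode == CatalogMode.MIXED) {
            return "GetCapabilities".equalsIgnoreCase(ogcRequest)
                    ? Outcome.HIDE : Outcome.UNAUTHORIZED;
        }
        return Outcome.METADATA_ONLY;
    }

    // Hypothetical variant: the null check the report floats, treating a
    // missing dispatcher request like HIDE. Side effects are not assessed.
    static Outcome withNullCheck(CatalogMode mode, String ogcRequest) {
        if (mode == CatalogMode.MIXED && ogcRequest == null) return Outcome.HIDE;
        return current(mode, ogcRequest);
    }

    public static void main(String[] args) {
        // Constructed inputs: two OGC operations and "no dispatcher request".
        List<String> requests = Arrays.asList("GetCapabilities", "GetMap", null);
        System.out.printf("%-10s %-16s %-14s %s%n",
                "mode", "request", "current", "with null check");
        for (CatalogMode mode : CatalogMode.values()) {
            for (String r : requests) {
                System.out.printf("%-10s %-16s %-14s %s%n", mode,
                        r == null ? "(none)" : r,
                        current(mode, r), withNullCheck(mode, r));
            }
        }
    }
}
```

In the printed matrix, the `MIXED` / `(none)` row is the case described in the report: `current` yields `UNAUTHORIZED`, while the variant yields `HIDE` and leaves every other row unchanged.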