Hi Justin
No, its a one step process.
1) Disable the relevant filter chains --> finish
The special flag is handled internally. As an example, if you disable
security on the web filter chain, http://.../geoserver/web will show you
the full admin GUI, no need to log in.
Cheers
Christian
2013/6/10 Justin Deoliveira <[email protected]>
>
>
>
> On Mon, Jun 10, 2013 at 8:56 AM, Christian Mueller <
> [email protected]> wrote:
>
>> Hi Justin
>>
>> The idea is the following:
>>
>> You can disable security for each filter chain individually. Any filter
>> chain protecting resources has a GeoServerPersistenceContextFilter at first
>> position. Disabling security for a filter chain results in an empty filter
>> chain.
>>
>> An incoming request is flagged with "security is off" using a servlet
>> attribute. If a request travels through a disabled filter chain nothing
>> happens. Traveling through an enabled filter chain requires that the
>> request travels through a GeoServerPerstinceContextFilter . This filter
>> flags the request "security on".
>>
>> Ok, i still don't quite understand. So disabling security is a two step
> process?
>
> 1. Disable the relevant filter chains
> 2. Make the request with with the special flag disabled
>
> ?
>
> The request itself is stored in a thread local variable and there is a
>> static public method informing you if security is on/off for this
>> particular request. All GeoServer code can query this information.
>>
>> The code checking for admin access checks if security is off. If it is
>> off, access is allowed in any case. (For the admin, the logic is
>> centralized in GeoServerSecurityManager).
>>
>> Concerning your questions
>>
>> 1) Authentication and authorization is disabled for the concrete filter
>> chain
>> 2) The http request parameter and GeoServerPersistenceContextFilter do
>> the trick. If such a filter is on the chain --> security on, if not -->
>> security off
>>
>>
>> Hope this helps
>>
>> Christian
>>
>>
>>
>>
>>
>>
>>
>>
>> 2013/6/10 Justin Deoliveira <[email protected]>
>>
>>> Just looked over the patch. Code wise it looks ok, i made a few comments
>>> about documentation. It is not clear to me what exactly gets disabled? It
>>> is just the authentication system? Or authorization with data and service
>>> security?
>>>
>>> And sorry if i am missing something obvious but what are
>>> the prerequisites for disabling security other than the http request
>>> parameter?
>>>
>>>
>>>
>>> On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <
>>> [email protected]> wrote:
>>>
>>>> The patch was triggered by the following thread on the mailing list
>>>>
>>>>
>>>> http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users
>>>>
>>>> The user wants to protect the admin GUI with an ssh tunnel, no
>>>> GoeServer security features are needed.
>>>>
>>>> I am fine with 2.3.5 and I am hoping for vote of Justin because he was
>>>> involved in the new security architecture.
>>>>
>>>> Cheers
>>>> Christian
>>>>
>>>>
>>>>
>>>> 2013/6/10 Ben Caradoc-Davies <[email protected]>
>>>>
>>>>> -1 for backport to 2.3.x for inclusion in 2.3.4. We are too close, and
>>>>> in my view, living with this broken feature is better than a late change
>>>>> to
>>>>> stable.
>>>>>
>>>>> +0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how
>>>>> important the ability to disable a feature is. You are right, these are a
>>>>> lot of changes, with a significant risk of unintended side-effects.
>>>>>
>>>>> I am open to argument, particularly from our expert (you). :-)
>>>>>
>>>>> Kind regards,
>>>>> Ben.
>>>>>
>>>>>
>>>>> On 09/06/13 16:54, Christian Mueller wrote:
>>>>>
>>>>>> Disabling security does not work for 2.3.x and 2.4.x.
>>>>>>
>>>>>> The problem is described here
>>>>>>
>>>>>> https://jira.codehaus.org/**browse/GEOS-5820<https://jira.codehaus.org/browse/GEOS-5820>
>>>>>>
>>>>>>
>>>>>>
>>>>>> The fix is committed to master and the changes are here
>>>>>>
>>>>>>
>>>>>> https://github.com/mcrmcr/**geoserver-1/commit/**
>>>>>> eaf2de921028dc1e8dcb66d4547b83**5868b5cac0<https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0>
>>>>>>
>>>>>>
>>>>>> This is not a trivial fix. We can stay with a broken feature on 2.3.x
>>>>>> or we can decide to backport.
>>>>>>
>>>>>> Thanks for you votes in advance.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>>>> OSS Open Source Solutions GmbH
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------**------------------------------**
>>>>>> ------------------
>>>>>> How ServiceNow helps IT people transform IT departments:
>>>>>> 1. A cloud service to automate IT design, transition and operations
>>>>>> 2. Dashboards that offer high-level views of enterprise services
>>>>>> 3. A single system of record for all IT processes
>>>>>> http://p.sf.net/sfu/**servicenow-d2d-j<http://p.sf.net/sfu/servicenow-d2d-j>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ______________________________**_________________
>>>>>> Geoserver-devel mailing list
>>>>>> Geoserver-devel@lists.**sourceforge.net<[email protected]>
>>>>>> https://lists.sourceforge.net/**lists/listinfo/geoserver-devel<https://lists.sourceforge.net/lists/listinfo/geoserver-devel>
>>>>>>
>>>>>>
>>>>> --
>>>>> Ben Caradoc-Davies <[email protected]>
>>>>> Software Engineer
>>>>> CSIRO Earth Science and Resource Engineering
>>>>> Australian Resources Research Centre
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>> OSS Open Source Solutions GmbH
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> How ServiceNow helps IT people transform IT departments:
>>>> 1. A cloud service to automate IT design, transition and operations
>>>> 2. Dashboards that offer high-level views of enterprise services
>>>> 3. A single system of record for all IT processes
>>>> http://p.sf.net/sfu/servicenow-d2d-j
>>>> _______________________________________________
>>>> Geoserver-devel mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>>
>>>>
>>>
>>>
>>> --
>>> Justin Deoliveira
>>> OpenGeo - http://opengeo.org
>>> Enterprise support for open source geospatial.
>>>
>>
>>
>>
>> --
>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>> OSS Open Source Solutions GmbH
>>
>>
>
>
> --
> Justin Deoliveira
> OpenGeo - http://opengeo.org
> Enterprise support for open source geospatial.
>
--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
