Ah ok I see, I misinterpreted "on-the fly". I think this is a bit confusing
to include in the user documentation, which is what got me. All the user is
concerned with is disabling the filter; how the system does it internally
shouldn't really matter.
Anyways, +1 on the change (it would be nice to tweak the docs) and agree
with Ben's assessment of not including the backport in the upcoming
release, but waiting a month.
On Wed, Jun 12, 2013 at 1:11 AM, Christian Mueller <
[email protected]> wrote:
> Hi Justin
>
> No, it's a one-step process.
>
> 1) Disable the relevant filter chains --> finish
>
> The special flag is handled internally. As an example, if you disable
> security on the web filter chain, http://.../geoserver/web will show you
> the full admin GUI, no need to log in.
>
> Cheers
> Christian
>
>
>
>
> 2013/6/10 Justin Deoliveira <[email protected]>
>
>>
>>
>>
>> On Mon, Jun 10, 2013 at 8:56 AM, Christian Mueller <
>> [email protected]> wrote:
>>
>>> Hi Justin
>>>
>>> The idea is the following:
>>>
>>> You can disable security for each filter chain individually. Any filter
>>> chain protecting resources has a GeoServerPersistenceContextFilter at first
>>> position. Disabling security for a filter chain results in an empty filter
>>> chain.
>>>
>>> An incoming request is flagged with "security is off" using a servlet
>>> attribute. If a request travels through a disabled filter chain nothing
>>> happens. Traveling through an enabled filter chain requires that the
>>> request travels through a GeoServerPersistenceContextFilter. This filter
>>> flags the request "security on".
>>>
>> Ok, I still don't quite understand. So disabling security is a two-step
>> process?
>>
>> 1. Disable the relevant filter chains
>> 2. Make the request with the special flag disabled
>>
>> ?
>>
>>> The request itself is stored in a thread local variable and there is a
>>> static public method informing you if security is on/off for this
>>> particular request. All GeoServer code can query this information.
>>>
>>> The code checking for admin access checks if security is off. If it is
>>> off, access is allowed in any case. (For the admin, the logic is
>>> centralized in GeoServerSecurityManager).
>>>
>>> Concerning your questions
>>>
>>> 1) Authentication and authorization are disabled for the concrete filter
>>> chain
>>> 2) The http request parameter and GeoServerPersistenceContextFilter do
>>> the trick. If such a filter is on the chain --> security on, if not -->
>>> security off
>>>
>>>
>>> Hope this helps
>>>
>>> Christian
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> 2013/6/10 Justin Deoliveira <[email protected]>
>>>
>>>> Just looked over the patch. Code-wise it looks OK, I made a few
>>>> comments about documentation. It is not clear to me what exactly gets
>>>> disabled? Is it just the authentication system? Or authorization with data
>>>> and service security?
>>>>
>>>> And sorry if I am missing something obvious but what are
>>>> the prerequisites for disabling security other than the http request
>>>> parameter?
>>>>
>>>>
>>>>
>>>> On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <
>>>> [email protected]> wrote:
>>>>
>>>>> The patch was triggered by the following thread on the mailing list
>>>>>
>>>>>
>>>>> http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users
>>>>>
>>>>> The user wants to protect the admin GUI with an ssh tunnel, no
>>>>> GeoServer security features are needed.
>>>>>
>>>>> I am fine with 2.3.5 and I am hoping for a vote from Justin because he was
>>>>> involved in the new security architecture.
>>>>>
>>>>> Cheers
>>>>> Christian
>>>>>
>>>>>
>>>>>
>>>>> 2013/6/10 Ben Caradoc-Davies <[email protected]>
>>>>>
>>>>>> -1 for backport to 2.3.x for inclusion in 2.3.4. We are too close,
>>>>>> and in my view, living with this broken feature is better than a late
>>>>>> change to stable.
>>>>>>
>>>>>> +0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how
>>>>>> important the ability to disable a feature is. You are right, these are a
>>>>>> lot of changes, with a significant risk of unintended side-effects.
>>>>>>
>>>>>> I am open to argument, particularly from our expert (you). :-)
>>>>>>
>>>>>> Kind regards,
>>>>>> Ben.
>>>>>>
>>>>>>
>>>>>> On 09/06/13 16:54, Christian Mueller wrote:
>>>>>>
>>>>>>> Disabling security does not work for 2.3.x and 2.4.x.
>>>>>>>
>>>>>>> The problem is described here
>>>>>>>
>>>>>>> https://jira.codehaus.org/browse/GEOS-5820
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The fix is committed to master and the changes are here
>>>>>>>
>>>>>>>
>>>>>>> https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0
>>>>>>>
>>>>>>>
>>>>>>> This is not a trivial fix. We can stay with a broken feature on
>>>>>>> 2.3.x
>>>>>>> or we can decide to backport.
>>>>>>>
>>>>>>> Thanks for your votes in advance.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>>>>> OSS Open Source Solutions GmbH
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Geoserver-devel mailing list
>>>>>>> Geoserver-devel@lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>>>>>
>>>>>>>
>>>>>> --
>>>>>> Ben Caradoc-Davies <[email protected]>
>>>>>> Software Engineer
>>>>>> CSIRO Earth Science and Resource Engineering
>>>>>> Australian Resources Research Centre
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>>> OSS Open Source Solutions GmbH
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Justin Deoliveira
>>>> OpenGeo - http://opengeo.org
>>>> Enterprise support for open source geospatial.
>>>>
>>>
>>>
>>>
>>> --
>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>> OSS Open Source Solutions GmbH
>>>
>>>
>>
>>
>> --
>> Justin Deoliveira
>> OpenGeo - http://opengeo.org
>> Enterprise support for open source geospatial.
>>
>
>
>
> --
> DI Christian Mueller MSc (GIS), MSc (IT-Security)
> OSS Open Source Solutions GmbH
>
>
--
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.
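
The flagging mechanism Christian describes in the quoted messages above, modelled as an added example that is not GeoServer code and not part of the original thread. The class, attribute and method names are hypothetical, and a plain map stands in for the servlet request.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical model of the mechanism described in the thread.
// None of these names are GeoServer's own API.
public class SecurityFlagModel {
    static final String ATTR = "example.securityEnabled"; // hypothetical attribute name

    // The current request is kept per thread so any code can query it.
    static final ThreadLocal<Map<String, Object>> CURRENT = new ThreadLocal<>();

    interface Filter { void apply(Map<String, Object> request); }

    // Stand-in for the filter at first position in every enabled chain:
    // its only job here is to flag the request "security on".
    static final Filter CONTEXT_FILTER = req -> req.put(ATTR, Boolean.TRUE);

    // Static query method: is security on for the request on this thread?
    static boolean isSecurityEnabled() {
        Map<String, Object> req = CURRENT.get();
        return req != null && Boolean.TRUE.equals(req.get(ATTR));
    }

    // Centralised admin check: if security is off, access is allowed in any case.
    static boolean adminAccessAllowed(boolean authenticatedAsAdmin) {
        return !isSecurityEnabled() || authenticatedAsAdmin;
    }

    static boolean handle(List<Filter> chain, boolean authenticatedAsAdmin) {
        Map<String, Object> req = new HashMap<>();
        req.put(ATTR, Boolean.FALSE); // every incoming request starts flagged "security off"
        CURRENT.set(req);
        try {
            for (Filter f : chain) f.apply(req); // a disabled chain is empty: nothing happens
            return adminAccessAllowed(authenticatedAsAdmin);
        } finally {
            CURRENT.remove(); // do not leak the flag to the next request on this thread
        }
    }

    public static void main(String[] args) {
        List<Filter> enabledChain = List.of(CONTEXT_FILTER);
        List<Filter> disabledChain = List.of();
        System.out.println("enabled chain, anonymous:  " + handle(enabledChain, false));
        System.out.println("enabled chain, admin:      " + handle(enabledChain, true));
        System.out.println("disabled chain, anonymous: " + handle(disabledChain, false));
    }
}
```

The third call shows the consequence for deployment: a request that reaches admin code through a chain without the context filter is treated as trusted, so access to that path has to be restricted by other means, such as the ssh tunnel mentioned in the thread.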