Ok, I will do some enhancement in the docs and wait for 2.3.4
Christian
2013/6/12 Justin Deoliveira <[email protected]>
> Ah ok I see, I misinterpreted "on-the fly". I think this is a bit
> confusing to include in the user documentation which is what got me. All
> the user is concerned with is disabling the filter, how the system does it
> internally shouldn't really matter.
>
> Anyways, +1 on the change (it would be nice to tweak the docs) and agree
> with Ben's assessment of not including the backport in the upcoming
> release, but waiting a month.
>
>
>
> On Wed, Jun 12, 2013 at 1:11 AM, Christian Mueller <
> [email protected]> wrote:
>
>> Hi Justin
>>
>> No, it's a one-step process.
>>
>> 1) Disable the relevant filter chains --> finish
>>
>> The special flag is handled internally. As an example, if you disable
>> security on the web filter chain, http://.../geoserver/web will show you
>> the full admin GUI, no need to log in.
>>
>> Cheers
>> Christian
>>
>>
>>
>>
>> 2013/6/10 Justin Deoliveira <[email protected]>
>>
>>>
>>>
>>>
>>> On Mon, Jun 10, 2013 at 8:56 AM, Christian Mueller <
>>> [email protected]> wrote:
>>>
>>>> Hi Justin
>>>>
>>>> The idea is the following:
>>>>
>>>> You can disable security for each filter chain individually. Any filter
>>>> chain protecting resources has a GeoServerPersistenceContextFilter at first
>>>> position. Disabling security for a filter chain results in an empty filter
>>>> chain.
>>>>
>>>> An incoming request is flagged with "security is off" using a servlet
>>>> attribute. If a request travels through a disabled filter chain nothing
>>>> happens. Traveling through an enabled filter chain requires that the
>>>> request travels through a GeoServerPersistenceContextFilter. This filter
>>>> flags the request "security on".
>>>>
>>> Ok, I still don't quite understand. So disabling security is a two-step
>>> process?
>>>
>>> 1. Disable the relevant filter chains
>>> 2. Make the request with the special flag disabled
>>>
>>> ?
>>>
>>>> The request itself is stored in a thread local variable and there is a
>>>> static public method informing you if security is on/off for this
>>>> particular request. All GeoServer code can query this information.
>>>>
>>>> The code checking for admin access checks if security is off. If it is
>>>> off, access is allowed in any case. (For the admin, the logic is
>>>> centralized in GeoServerSecurityManager).
>>>>
>>>> Concerning your questions
>>>>
>>>> 1) Authentication and authorization is disabled for the concrete filter
>>>> chain
>>>> 2) The http request parameter and GeoServerPersistenceContextFilter do
>>>> the trick. If such a filter is on the chain --> security on, if not -->
>>>> security off
>>>>
>>>>
>>>> Hope this helps
>>>>
>>>> Christian
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2013/6/10 Justin Deoliveira <[email protected]>
>>>>
>>>>> Just looked over the patch. Code wise it looks ok, I made a few
>>>>> comments about documentation. It is not clear to me what exactly gets
>>>>> disabled? It is just the authentication system? Or authorization with data
>>>>> and service security?
>>>>>
>>>>> And sorry if I am missing something obvious but what are
>>>>> the prerequisites for disabling security other than the http request
>>>>> parameter?
>>>>>
>>>>>
>>>>>
>>>>> On Sun, Jun 9, 2013 at 11:31 PM, Christian Mueller <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> The patch was triggered by the following thread on the mailing list
>>>>>>
>>>>>>
>>>>>> http://sourceforge.net/mailarchive/forum.php?thread_name=CA%2BnxMTvfXH2%3DD7Dt_roHbU76OMw3WAiWmLLvqY7wENDt8MKGUw%40mail.gmail.com&forum_name=geoserver-users
>>>>>>
>>>>>> The user wants to protect the admin GUI with an ssh tunnel, no
>>>>>> GeoServer security features are needed.
>>>>>>
>>>>>> I am fine with 2.3.5 and I am hoping for vote of Justin because he
>>>>>> was involved in the new security architecture.
>>>>>>
>>>>>> Cheers
>>>>>> Christian
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2013/6/10 Ben Caradoc-Davies <[email protected]>
>>>>>>
>>>>>>> -1 for backport to 2.3.x for inclusion in 2.3.4. We are too close,
>>>>>>> and in my view, living with this broken feature is better than a late
>>>>>>> change to stable.
>>>>>>>
>>>>>>> +0 for backport to 2.3.x for inclusion in 2.3.5. I am not sure how
>>>>>>> important the ability to disable a feature is. You are right, these are
>>>>>>> a lot of changes, with a significant risk of unintended side-effects.
>>>>>>>
>>>>>>> I am open to argument, particularly from our expert (you). :-)
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Ben.
>>>>>>>
>>>>>>>
>>>>>>> On 09/06/13 16:54, Christian Mueller wrote:
>>>>>>>
>>>>>>>> Disabling security does not work for 2.3.x and 2.4.x.
>>>>>>>>
>>>>>>>> The problem is described here
>>>>>>>>
>>>>>>>> https://jira.codehaus.org/browse/GEOS-5820
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> The fix is committed to master and the changes are here
>>>>>>>>
>>>>>>>>
>>>>>>>> https://github.com/mcrmcr/geoserver-1/commit/eaf2de921028dc1e8dcb66d4547b835868b5cac0
>>>>>>>>
>>>>>>>>
>>>>>>>> This is not a trivial fix. We can stay with a broken feature on 2.3.x
>>>>>>>> or we can decide to backport.
>>>>>>>>
>>>>>>>> Thanks for your votes in advance.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>>>>>> OSS Open Source Solutions GmbH
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Geoserver-devel mailing list
>>>>>>>> Geoserver-devel@lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> Ben Caradoc-Davies <[email protected]>
>>>>>>> Software Engineer
>>>>>>> CSIRO Earth Science and Resource Engineering
>>>>>>> Australian Resources Research Centre
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>>>> OSS Open Source Solutions GmbH
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Justin Deoliveira
>>>>> OpenGeo - http://opengeo.org
>>>>> Enterprise support for open source geospatial.
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>>>> OSS Open Source Solutions GmbH
>>>>
>>>>
>>>
>>>
>>> --
>>> Justin Deoliveira
>>> OpenGeo - http://opengeo.org
>>> Enterprise support for open source geospatial.
>>>
>>
>>
>>
>> --
>> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>> OSS Open Source Solutions GmbH
>>
>>
>
>
> --
> Justin Deoliveira
> OpenGeo - http://opengeo.org
> Enterprise support for open source geospatial.
>
--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
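
The mechanism described in this thread (an enabled chain's first filter flags the request "security on", an empty chain leaves it "off", and the admin check allows access whenever security is off) can be modelled as follows. This is an added example, not GeoServer code or part of the original messages; the class, attribute name, `Request` type and method names are hypothetical, and only `GeoServerPersistenceContextFilter` is a name taken from the thread.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added illustration; not GeoServer source. Names below are hypothetical.
public class SecurityFlagDemo {
    static final String ATTR = "example.securityOn"; // hypothetical attribute name

    // Stand-in for a servlet request: a path plus a bag of attributes.
    static class Request {
        final String path;
        final Map<String, Object> attributes = new HashMap<>();
        Request(String path) { this.path = path; }
    }

    interface Filter { void apply(Request r); }

    // Models the role the thread gives GeoServerPersistenceContextFilter:
    // first filter on every enabled chain, flags the request "security on".
    static final Filter PERSISTENCE_CONTEXT_FILTER =
            r -> r.attributes.put(ATTR, Boolean.TRUE);

    // The current request is held per thread so any code can query the flag.
    static final ThreadLocal<Request> CURRENT = new ThreadLocal<>();

    // Static query method: no flag on the request means security is off.
    static boolean isSecurityOn() {
        Request r = CURRENT.get();
        return r != null && Boolean.TRUE.equals(r.attributes.get(ATTR));
    }

    // Admin check as described: if security is off, access is always allowed.
    static boolean adminAccessAllowed(boolean callerIsAdmin) {
        return !isSecurityOn() || callerIsAdmin;
    }

    static boolean dispatch(Request r, List<Filter> chain, boolean callerIsAdmin) {
        CURRENT.set(r);
        try {
            chain.forEach(f -> f.apply(r));
            return adminAccessAllowed(callerIsAdmin);
        } finally {
            CURRENT.remove(); // do not leak the request to the next one on a pooled thread
        }
    }

    public static void main(String[] args) {
        List<Filter> enabled = List.of(PERSISTENCE_CONTEXT_FILTER);
        List<Filter> disabled = List.of(); // disabling security leaves an empty chain
        System.out.println("enabled chain, anonymous:  "
                + dispatch(new Request("/geoserver/web"), enabled, false));
        System.out.println("disabled chain, anonymous: "
                + dispatch(new Request("/geoserver/web"), disabled, false));
    }
}
```

In this model the default state is "off", so the admin decision depends entirely on the request having passed through an enabled chain. When reviewing such a configuration, check that every protected path maps to a chain that still contains the flagging filter.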