First up, thanks for testing. I am not aware of any security changes in 2.7
(it did not make the short list of features we asked for help testing).

You may be stuck on the difference between service and data security.

I would expect you to handle your story using one rule to turn off access
to topp.* and then a second rule to enable access to topp.states. My
understanding is that the most specific rule will end up defining access.
In your example you have provided one specific rule for topp.states, but
have not provided any guidance on the rest of the workspace.

--
Jody Garnett

On 16 March 2015 at 10:01, Patric Hafner | geOps <[email protected]>
wrote:

> Dear List members,
>
> during some tests on data security with GeoServer 2.7-rc1 I discovered a
> strange behaviour that I could not understand:
>
> (All steps performed on a fresh installation)
>
>
> Test case 1
> ------------
> I created a new role and user and finally configured this single rule
> for data security (no other rule does exist!)
>
>   "topp.*.r     testrole"
>
> -> Behaves like expected: The user with role "testrole" can now access
> all layers of Workspace "topp" for example via WMS and all layers are
> shown in his Layer preview.
>
> -> Behaves like expected: Unauthorized access via WMS to layers of
> workspace "topp" gets HTTP response with status code 404
>
> but if I try to narrow the data security rule:
>
> Test case 2
> --------------
> I created a new role and user and finally configured this single rule
> for data security (no other rule does exist!)
>
>   "topp.states.r        testrole"
>
>
> -> Unexpected behaviour: The user with role "testrole" can now access
> all layers of Workspace "topp" for example via WMS and all layers are
> shown in his Layer preview! I expected only layer states.
>
> -> Unexpected behaviour: Access via WMS to all layers of workspace
> "topp" is also possible without any authorization! This data security
> rule does not seem to have any effect at all.
>
> Could somebody explain this behaviour, or is this a bug? I was not
> able to find an issue on this bug yet.
>
>
> Best regards,
> Patric Hafner
>
> --
> web www.geops.de
> rss www.geops.de/blog/feed
> follow www.twitter.com/geops
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Geoserver-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
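
Added example (not part of the original messages and not GeoServer's own code): a simplified Python model of the "most specific rule defines access" behaviour described in the reply, applied to the rules from the two test cases and to the two-rule setup suggested above. The fallback to open access when no rule matches, the layer name `roads` and the role `NO_ONE` (a role assigned to no user) are assumptions made for the illustration.

```python
import re

ANYONE = "*"  # wildcard role: everybody, including anonymous requests

def parse_rules(text):
    """Parse 'workspace.layer.mode=role[,role]' lines ('=' or spaces as separator)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = re.split(r"[=\s]+", line, maxsplit=1)
        workspace, rest = key.split(".", 1)
        layer, mode = rest.rsplit(".", 1)
        rules[(workspace, layer, mode)] = {r.strip() for r in value.split(",")}
    return rules

def can_read(rules, workspace, layer, user_roles):
    """Most specific rule wins: layer rule, then workspace rule, then global rule."""
    for key in ((workspace, layer, "r"), (workspace, "*", "r"), ("*", "*", "r")):
        if key in rules:
            allowed = rules[key]
            return ANYONE in allowed or bool(allowed & set(user_roles))
    # Assumption of this model: no matching rule at any level means open access.
    return True

# Rules as quoted in the thread, plus the two-rule setup suggested in the reply.
TEST_CASE_1 = "topp.*.r     testrole"
TEST_CASE_2 = "topp.states.r        testrole"
TWO_RULES = """
# NO_ONE is a hypothetical role that is assigned to no user
topp.*.r=NO_ONE
topp.states.r=testrole
"""

if __name__ == "__main__":
    # 'roads' is a constructed layer name standing in for any other topp layer.
    for name, text in [("case 1", TEST_CASE_1), ("case 2", TEST_CASE_2), ("two rules", TWO_RULES)]:
        rules = parse_rules(text)
        for layer in ("states", "roads"):
            for who, roles in (("testrole user", ["testrole"]), ("anonymous", [])):
                print(name, f"topp.{layer}", who, can_read(rules, "topp", layer, roles))
```

In this model the single `topp.states` rule leaves every other `topp` layer without a matching rule, so those layers stay open; adding the workspace-level rule closes them while the layer rule still grants `testrole` access to `states`.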