Dear dev, dear Christian,
I'm struggling to create a prototype of an OAuth2 GeoServer Security
Provider and Filter and would like to ask you some questions in order to
better understand how the Security APIs work.
The Problem:
=========
The OAuth2 protocol needs several steps to fully perform the authentication
process.
Once we have created a "client_id" and "client_secret" on the OAuth2
Provider, in order to authenticate we need to:
1. Obtain a valid "code" from the provider
2. Use the "code" in order to get the final "access_token" which is used by
the filter to get the Principal
Now, the issue is the following: the order in which these filters execute
is very important.
We need two filters like this:
<sec:custom-filter ref="oauth2ClientContextFilter"
after="EXCEPTION_TRANSLATION_FILTER"/>
<sec:custom-filter ref="oAuth2AuthenticationProcessingFilter"
before="FILTER_SECURITY_INTERCEPTOR"/>
- oauth2ClientContextFilter must be invoked before
oAuth2AuthenticationProcessingFilter, that's because when a redirect to the
OAuth2 Provider is required, oAuth2AuthenticationProcessingFilter throws a
UserRedirectException which the oauth2ClientContextFilter handles and
generates a redirect request to the Provider.
- Subsequently the response from the OAuth2 Provider is handled by the
oAuth2AuthenticationProcessingFilter to populate the Authentication object,
which is then stored in the SecurityContext.
My Questions Are:
============
1. What is the best approach to let the EXCEPTION_TRANSLATION_FILTER
be intercepted before the FILTER_SECURITY_INTERCEPTOR? Is it sufficient
to let our GeoServerOAuth2SecurityProvider make use of a custom
ExceptionTransactionFilterProvider? Or maybe we need to create a custom
composite Filter somehow?
2. How can I create a GeoServer end-point to intercept the response of
the redirect from the OAuth2 Provider, allowing
the oAuth2AuthenticationProcessingFilter to handle the request? I tried to
modify the filter chain programmatically and (more or less) it seems to be
working, but then GeoServer keeps saying that the dispatcher cannot handle
the endpoint.
Any help/feedback/hint is much appreciated and would be very helpful.
Best Regards,
Alessio Fabiani.
==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==
Ing. Alessio Fabiani
@alfa7691
Founder/Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 331 6233686
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
*NOTICE PURSUANT TO D.Lgs. 196/2003*
The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.
---------------------------------------------------------------------
------------------------------------------------------------------------------
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
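Added illustration (not part of the original mail, and not GeoServer or Spring Security code): a small in-process Python model of the two-filter sequence described above, with a constructed stand-in for the OAuth2 provider. It runs the authorization-code dance end to end, shows why the ordering matters (with the processing filter ahead of the context filter, the redirect exception escapes the chain unhandled), and adds one check the mail does not mention: verifying the state parameter on the callback, as RFC 6749 section 10.12 recommends. The client credentials, the provider URL and the callback path are assumed values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: stand-ins for a real client registration and real URLs.
CLIENT_ID, CLIENT_SECRET = "geoserver", "s3cr3t"
AUTHZ_URL = "https://provider.example/oauth2/authorize"
CALLBACK = "https://gs.example/geoserver/oauth2/callback"


class UserRedirectRequired(Exception):
    """Raised by the processing filter when the browser must be sent to the provider."""


class FakeProvider:
    """Constructed authorization server: issues single-use codes and swaps them for tokens."""
    def __init__(self):
        self.codes, self.tokens = {}, {}

    def authorize(self, params, user):
        # Step 1: the user authenticates at the provider, which redirects back to
        # redirect_uri with a code and echoes the client's state parameter unchanged.
        assert params["client_id"] == CLIENT_ID and params["response_type"] == "code"
        code = secrets.token_urlsafe(16)
        self.codes[code] = user
        return {"code": code, "state": params["state"]}

    def token(self, code, client_id, client_secret):
        # Step 2: the client redeems the code, authenticating with its client_secret.
        if client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
            return None
        user = self.codes.pop(code, None)  # a code can be redeemed once
        if user is None:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = user
        return token

    def userinfo(self, token):
        return self.tokens.get(token)


class OAuth2AuthenticationProcessingFilter:
    """Inner filter: redeems a code into a principal, or demands a redirect."""
    def __init__(self, provider):
        self.provider = provider

    def do_filter(self, req, chain):
        session, params = req["session"], req["params"]
        if "code" in params:
            # Tie the callback to the session that started the dance (RFC 6749 s.10.12).
            # The mail does not mention this check; it is added here as a caveat.
            expected = session.pop("oauth2_state", None)
            if expected is None or not hmac.compare_digest(expected, params.get("state", "")):
                return {"status": 401, "error": "state mismatch"}
            token = self.provider.token(params["code"], CLIENT_ID, CLIENT_SECRET)
            if token is None:
                return {"status": 401, "error": "code rejected"}
            session["principal"] = self.provider.userinfo(token)
        if "principal" not in session:
            state = secrets.token_urlsafe(16)
            session["oauth2_state"] = state
            raise UserRedirectRequired(AUTHZ_URL + "?" + urlencode({
                "response_type": "code", "client_id": CLIENT_ID,
                "redirect_uri": CALLBACK, "state": state}))
        return chain(req)


class OAuth2ClientContextFilter:
    """Outer filter: converts UserRedirectRequired into a 302 to the provider."""
    def do_filter(self, req, chain):
        try:
            return chain(req)
        except UserRedirectRequired as e:
            return {"status": 302, "location": e.args[0]}


def build_chain(filters, endpoint):
    """Minimal FilterChain: each filter decides whether to invoke the next one."""
    def invoke(i, req):
        if i == len(filters):
            return endpoint(req)
        return filters[i].do_filter(req, lambda r: invoke(i + 1, r))
    return lambda req: invoke(0, req)


protected_endpoint = lambda req: {"status": 200, "principal": req["session"]["principal"]}


def run_login(context_filter_first=True, tamper_state=False):
    """Drive one login through the chain; returns the two responses the browser sees."""
    provider = FakeProvider()
    ctx, proc = OAuth2ClientContextFilter(), OAuth2AuthenticationProcessingFilter(provider)
    chain = build_chain([ctx, proc] if context_filter_first else [proc, ctx], protected_endpoint)
    session = {}
    try:
        first = chain({"path": "/geoserver/wms", "params": {}, "session": session})
    except UserRedirectRequired:
        # Wrong order: no filter above the processing filter caught the exception.
        return {"status": 500, "error": "UserRedirectRequired escaped the chain"}, None
    query = {k: v[0] for k, v in parse_qs(urlparse(first["location"]).query).items()}
    callback = provider.authorize(query, "alice")
    if tamper_state:
        callback["state"] = "forged"
    second = chain({"path": "/geoserver/oauth2/callback", "params": callback, "session": session})
    return first, second
```

Spring Security's real filter classes take a servlet request, response and FilterChain; the dict-based request and the lambda chain here keep only the part that matters for the ordering question. The model also redeems each code once, so a replayed callback is rejected by the provider rather than silently logging the user in again.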