Hi Alessio

I think a look at the CAS module would help. CAS also handles callbacks
from the CAS Server.

question 1)

The CAS filter handles all the different requests (from clients and the
CAS server). If this is not possible I would try to create a composite
filter.

question 2)

The CAS module registers a special endpoint for incoming CAS Server
requests during GeoServer startup.

Hope this helps.

Cheers
Christian



On Wed, Aug 3, 2016 at 10:32 AM, Alessio Fabiani <
[email protected]> wrote:

> Dear dev, dear Christian,
>
> I'm struggling trying to create a prototype of an OAuth2 GeoServer
> Security Provider and Filter and would like to ask you some questions in
> order to better understand how the Security APIs work.
>
> The Problem:
> =========
> The OAuth2 protocol needs several steps to fully perform the
> authentication process.
>
> Once we have created a "client_id" and "client_secret" on the OAuth2
> Provider, in order to authenticate we need to:
>
> 1. Obtain a valid "code" from the provider
> 2. Use the "code" in order to get the final "access_token" which is used
> by the filter to get the Principal
>
> Now, the issue is the following: The order in which these filters execute
> is very important.
>
> we need two filters like this
>
>         <sec:custom-filter ref="oauth2ClientContextFilter"
> after="EXCEPTION_TRANSLATION_FILTER"/>
>         <sec:custom-filter ref="oAuth2AuthenticationProcessingFilter"
> before="FILTER_SECURITY_INTERCEPTOR"/>
>
>
>    - oauth2ClientContextFilter must be invoked before
>    oAuth2AuthenticationProcessingFilter, that's because when a redirect to the
>    OAuth2 Provider is required, oAuth2AuthenticationProcessingFilter throws a
>    UserRedirectException which the oauth2ClientContextFilter handles and
>    generates a redirect request to the Provider.
>    - Subsequently the response from the OAuth2 Provider is handled by the
>    oAuth2AuthenticationProcessingFilter to populate the Authentication object
>    and stored in the SecurityContext
>
> My Questions Are:
> ============
>
>
>    1. Which is the best approach to let the EXCEPTION_TRANSLATION_FILTER
>    be intercepted before the FILTER_SECURITY_INTERCEPTOR? Is it sufficient
>    to let our GeoServerOAuth2SecurityProvider make use of a custom
>    ExceptionTransactionFilterProvider? Or maybe we need to create a custom
>    composite Filter somehow?
>    2. How can I create a GeoServer end-point to intercept the response of
>    the redirect from the OAuth2 Provider, allowing
>    the oAuth2AuthenticationProcessingFilter to handle the request? I tried to
>    modify the filter chain programmatically and (more or less) it seems to
>    work, but then GeoServer keeps saying that the dispatcher cannot handle
>    the endpoint.
>
> Any help/feedback/hint is much appreciated and would be very very helpful.
>
> Best Regards,
> Alessio Fabiani.
>
> ==
> GeoServer Professional Services from the experts!
> Visit http://goo.gl/it488V for more information.
> ==
>
> Ing. Alessio Fabiani
> @alfa7691
> Founder/Technical Lead
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax:     +39 0584 1660272
> mob:   +39 331 6233686
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>



-- 
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
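One way to build the composite filter Christian suggests for the ordering problem in Alessio's mail, as an added illustration that is neither code from this thread nor from GeoServer or Spring Security OAuth; the class name, the injected filter types, the callback path value and the path matching are assumptions:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Added example, not GeoServer or Spring code: a single filter that pins the
 * relative order of the two OAuth2 filters, so no chain configuration can
 * put the processing filter in front of the client-context filter.
 */
public class OAuth2CompositeFilter implements Filter {

    private final Filter clientContextFilter;  // outer: turns the redirect exception into a 302
    private final Filter authProcessingFilter; // inner: swaps the "code" for the "access_token"
    private final String callbackPath;         // assumed value, e.g. "/oauth2/callback"

    public OAuth2CompositeFilter(Filter clientContextFilter, Filter authProcessingFilter,
                                 String callbackPath) {
        this.clientContextFilter = clientContextFilter;
        this.authProcessingFilter = authProcessingFilter;
        this.callbackPath = callbackPath;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Simplified path match (assumption): real code would use Spring's request matchers.
        boolean isCallback = ((HttpServletRequest) req).getRequestURI().endsWith(callbackPath);
        // On the provider callback the processing filter owns the response (token
        // exchange, then redirect to the originally requested page); the rest of
        // the chain, including the GeoServer dispatcher, must never see that URL.
        FilterChain afterAuth = isCallback ? (r, s) -> { } : chain;
        // Outer filter first: the redirect exception thrown by the inner filter
        // propagates through this call and is handled here, not by the container.
        clientContextFilter.doFilter(req, res,
                (r, s) -> authProcessingFilter.doFilter(r, s, afterAuth));
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }
}
```

Registering this one class as the GeoServer filter keeps the two-step order intact wherever it is placed in the chain, and the empty continuation on the callback path is what stops the request from reaching the dispatcher that Alessio saw rejecting it.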
------------------------------------------------------------------------------
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel