Hi Niels,
as far as I remember, this causes cache issues with requests.

Basically if you are logged in on GeoServer GUI and you want to make OWS
requests passing the access_token, the service will always get the
in-memory Principal.

The correct way to handle this would be to allow the GUI to get the
"access_token" query parameter also from the address... not that easy using
wicket unfortunately.


Alessio Fabiani

GeoServer Professional Services from the experts! Visit http://goo.gl/it488V
for more information.

Ing. Alessio Fabiani

Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
phone: +39 0584 962313
fax:     +39 0584 1660272
mob:   +39 331 6233686




Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility  for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

2018-04-09 11:50 GMT+02:00 Niels Charlier <ni...@scitus.be>:

> Hello Alessio,
> I have a question about code in the OAuth2 community module which you have
> written.
> What was the reason for this block of code: https://github.com/geoserver/
> geoserver/blob/master/src/community/security/oauth2/src/
> main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFi
> lter.java#L130
> that removes the access token and prevents the use of session cookies
> after establishing an OAuth2 based Session for the UI.
> We had to comment on this block of code for now. Can we make this a
> configurable option perhaps?
> Thanks in advance for your answer!
> Kind Regards
> Niels
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Geoserver-devel mailing list

Reply via email to