I think that code only handles the "basic" authentication whereas this bug
is related to authkey - so at some point someone writes authkey=xxxxx into
the URL, I just can't work out where.

Ian

On 15 April 2018 at 10:31, Andrea Aime <andrea.a...@geo-solutions.it> wrote:

> Hi Ian,
> I'm not too familiar with the code bases, but think that the
> authentication does not happen in the WMS/WMTS code, but
> in the HTTP client instead, e.g.:
>
> https://github.com/geotools/geotools/blob/master/modules/library/main/src/main/java/org/geotools/data/ows/SimpleHttpClient.java#L138
> https://github.com/geotools/geotools/blob/master/modules/extension/wms/src/main/java/org/geotools/data/ows/MultithreadedHttpClient.java#L144
>
> Hope this helps
>
> Cheers
> Andrea
>
>
>
> On Fri, Apr 13, 2018 at 1:25 PM, Ian Turton <ijtur...@gmail.com> wrote:
>
>> I've been looking at GEOS-8671
>> <https://osgeo-org.atlassian.net/browse/GEOS-8671> thinking it was a
>> simple find and replace issue in the WMTS code but it looks like all the
>> WMTS code does is take the URL from the getCapabilities response (or the
>> server URL if that fails) and make a request to that. So I now suspect
>> that at some point the security code is adding the authentication code to
>> the URL - I guessed that SecuredWMTSLayer might be the place to look, but
>> that seems to do nothing to the URL, tracking back I came to
>> SecuredWMTSStoreInfo which looks possible as it calls
>> SecuredObjects.secure(wms, policy) - but I can't for the life of me work
>> out what is going on in there.
>>
>> The worrying thing is that all that SecuredWMTS* code is a straight copy
>> and paste from SecuredWMS* so if this fails for WMTS I suspect it will fail
>> for WMS.
>>
>> Can anyone point me to the code that actually rewrites the URL to insert
>> the authentication key?
>>
>> cheers
>>
>> Ian
>> --
>> Ian Turton
>>
>> _______________________________________________
>> Geoserver-devel mailing list
>> Geoserver-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>>
>
>
> --
>
> Regards,
>
> Andrea Aime
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions S.A.S.
>


-- 
Ian Turton