Re: [Geoserver-devel] OAuth2

Tue, 17 Apr 2018 08:11:30 -0700 

Hello Alessio,
Thank you for your answer. I am starting to get it. It turns out the client was using an older fork of geoserver and with the most recent commits you did, google and github do indeed work without the block of code being commented. 


However, I can also reproduce the problem you describe below with the 
latest version, despite the block of code not being commented.



If I use access_token to read the capabilities, I must close my browser 
in order to be able to use the other access_token. Is this normal? Is 
this intended to work for google?


Kind Regards
Niels

On 17-04-18 11:12, Alessio Fabiani wrote:

Hello Niels,


sorry for the late response. Unfortunately I had not much time to 
deeply inspect the issues you raised and therefore I'm going to send 
you some preliminary answers.



1) "Do you have any idea why this could be?" those services use 
cookies. On Google and GitHub I had a similar issue. I fixed that by 
checking for a session cookie (see 
https://github.com/geoserver/geoserver/blob/master/src/community/security/oauth2-google/src/main/java/org/geoserver/security/oauth2/GoogleOAuthAuthenticationFilter.java#L30)



2) "How I can reproduce the problem". Generate two different 
access_tokens associated to different roles. Assign different 
resources to the roles. Then open a browser window and login into the 
GUI with one of them. Now try to do a GetCapabilities request by 
passing the access_token as query parameter. If the session is not 
cached, you should be able to see different resources by simply 
changing the access_token. Otherwise you will need to close the 
browser session (or cleanup the cookies).



3) "why I get the names of java classes showing up next to the log-in 
form". This should happen only when running on Eclipse. Try to build 
the WAR. You should be able to get the icons. In general the issue 
should be related to the fact that Spring is not able to stream the 
icon resource.



Sorry for the quick responses. Hope that those can be still be useful 
in order to allow you making further testing.



Let me know if you have a specific use case I should try to reproduce 
somehow and feel free to propose a patch for the community module.



Regards,

Alessio Fabiani


==GeoServer Professional Services from the experts! Visit 
http://goo.gl/it488V for more information.==Ing. Alessio Fabiani


@alfa7691Founder/Technical Lead


GeoSolutions S.A.S.Via di Montramito 3/A55054  Massarosa 
(LU)Italyphone: +39 0584 962313fax:     +39 0584 1660272mob:   +39 331 
6233686http://www.geo-solutions.ithttp://twitter.com/geosolutions_it-------------------------------------------------------


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003


Le informazioni contenute in questo messaggio di posta elettronica e/o 
nel/i file/s allegato/i sono da considerarsi strettamente riservate. 
Il loro utilizzo è consentito esclusivamente al destinatario del 
messaggio, per le finalità indicate nel messaggio stesso. Qualora 
riceviate questo messaggio senza esserne il destinatario, Vi preghiamo 
cortesemente di darcene notizia via e-mail e di procedere alla 
distruzione del messaggio stesso, cancellandolo dal Vostro sistema. 
Conservare il messaggio stesso, divulgarlo anche in parte, 
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità 
diverse, costituisce comportamento contrario ai principi dettati dal 
D.Lgs. 196/2003.



The information in this message and/or attachments, is intended solely 
for the attention and use of the named addressee(s) and may be 
confidential or proprietary in nature or covered by the provisions of 
privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New 
Data Protection Code).Any use not in accord with its purpose, any 
disclosure, reproduction, copying, distribution, or either 
dissemination, either whole or partial, is strictly forbidden except 
previous formal approval of the named addressee(s). If you are not the 
intended recipient, please contact immediately the sender by 
telephone, fax or e-mail and delete the information in this message 
that has been received in error. The sender does not give any warranty 
or accept liability as the content, accuracy or completeness of sent 
messages and accepts no responsibility  for changes made after they 
were sent or for other risks which arise as a result of e-mail 
transmission, viruses, etc.




2018-04-13 13:48 GMT+02:00 Niels Charlier <ni...@scitus.be 
<mailto:ni...@scitus.be>>:


    Hi Alessio,

    Thanks for your answer. It is strange, but I need to comment out
    this code for it to work at all, just the same as my client.
    Otherwise geoserver does not log me in (although the logging in
    process on google/github works fine). Do you have any idea why
    this could be?

    Also, can you give me an example of how I can reproduce the
    problem you have without that block of code, so I can figure out a
    solution that works for both of us.

    Finally, do you know why I get the names of java classes showing
    up next to the log-in form? (see attached photo)

    Thanks in advance!

    Kind Regards
    Niels


    On 09-04-18 12:49, Alessio Fabiani wrote:

    Hi Niels,
    as far as I remember, this causes cache issues with requests.

    Basically if you are logged in on GeoServer GUI and you want to
    make OWS requests passing the access_token, the service will
    always get the in-memory Principal.

    The correct way to handle this would be to allow the GUI to get
    the "access_token" query parameter also from the address... not
    that easy using wicket unfortunately.



    Regards,

    Alessio Fabiani

    ==GeoServer Professional Services from the experts! Visit
    http://goo.gl/it488V for more information.==Ing. Alessio Fabiani

    
<https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>


    @alfa7691Founder/Technical Lead

    GeoSolutions S.A.S.Via di Montramito 3/A
    
<https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>55054
     Massarosa
    
<https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>
    (LU)Italyphone: +39 0584 962313fax:     +39 0584 1660272mob:
      +39 331
    6233686http://www.geo-solutions.ithttp://twitter.com/geosolutions_it
    
<http://twitter.com/geosolutions_it>-------------------------------------------------------

    AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

    Le informazioni contenute in questo messaggio di posta
    elettronica e/o nel/i file/s allegato/i sono da considerarsi
    strettamente riservate. Il loro utilizzo è consentito
    esclusivamente al destinatario del messaggio, per le finalità
    indicate nel messaggio stesso. Qualora riceviate questo messaggio
    senza esserne il destinatario, Vi preghiamo cortesemente di
    darcene notizia via e-mail e di procedere alla distruzione del
    messaggio stesso, cancellandolo dal Vostro sistema. Conservare il
    messaggio stesso, divulgarlo anche in parte, distribuirlo ad
    altri soggetti, copiarlo, od utilizzarlo per finalità diverse,
    costituisce comportamento contrario ai principi dettati dal
    D.Lgs. 196/2003.

    The information in this message and/or attachments, is intended
    solely for the attention and use of the named addressee(s) and
    may be confidential or proprietary in nature or covered by the
    provisions of privacy act (Legislative Decree June, 30 2003,
    no.196 - Italy's New Data Protection Code).Any use not in accord
    with its purpose, any disclosure, reproduction, copying,
    distribution, or either dissemination, either whole or partial,
    is strictly forbidden except previous formal approval of the
    named addressee(s). If you are not the intended recipient, please
    contact immediately the sender by telephone, fax or e-mail and
    delete the information in this message that has been received in
    error. The sender does not give any warranty or accept liability
    as the content, accuracy or completeness of sent messages and
    accepts no responsibility  for changes made after they were sent
    or for other risks which arise as a result of e-mail
    transmission, viruses, etc.


    2018-04-09 11:50 GMT+02:00 Niels Charlier <ni...@scitus.be
    <mailto:ni...@scitus.be>>:

        Hello Alessio,

        I have a question about code in the OAuth2 community module
        which you have written.

        What was the reason for this block of code:
        
https://github.com/geoserver/geoserver/blob/master/src/community/security/oauth2/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java#L130
        
<https://github.com/geoserver/geoserver/blob/master/src/community/security/oauth2/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java#L130>

        that removes the access token and prevents the use of session
        cookies after establishing an OAuth2 based Session for the UI.

        We had to comment on this block of code for now. Can we make
        this a configurable option perhaps?

        Thanks in advance for your answer!

        Kind Regards

        Niels








------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel






















					Reply via email to