On the question of providing the bearer token as a parameter, would it be
appropriate to just add support for reading the bearer token from the
header and let clients choose which method to use rather than adding
another configuration tickbox option? One use case for the token as a URL
parameter is the oauth2 module implementation of GeoServer's URLManager,
which injects the token into service URLs included in the OGC catalog
documents (GetCapabilities, etc.). This can enable integration between
GeoServer and desktop GIS clients that otherwise may not support OAuth or
configuring custom headers for the Authorization.
I have a fork that uses Spring's BearerTokenExtractor to extract the token
(see
https://github.com/sjudeng/geoserver/blob/4e0b929ae2c4b945599475744b0aac01881cd37a/src/community/security/oauth2/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java#L179).
The implementation in Spring's BearerTokenExtractor checks for the token in
both the header and in the URL parameters (see
https://github.com/spring-projects/spring-security-oauth/blob/master/spring-security-oauth2/src/main/java/org/springframework/security/oauth2/provider/authentication/BearerTokenExtractor.java
).
Also it's a bit off topic but the custom fork above is focused on adding a
generic OAuth2 implementation using Spring's RemoteTokenService directly
and I'd be interested in whether you think it's a good direction for a
possible PR or if it would conflict with any parallel updates being pursued
as part of the thread here.
https://github.com/sjudeng/geoserver/tree/default-oauth2
On Wed, Apr 18, 2018 at 7:20 AM, Alessio Fabiani <
alessio.fabi...@geo-solutions.it> wrote:
> A tickbox would be a great idea I guess.
>
> Currently on our use cases (GeoNode) we need things to be stateless, and
> therefore on that plugin I just ignore anything but query string
> access_token. For the gui I rely on JSESSION ID. This approach does not
> work for google and github unfortunately.
>
> Regards,
>
> Alessio Fabiani
>
> ==
> GeoServer Professional Services from the experts! Visit
> http://goo.gl/it488V for more information.
> ==
>
> Ing. Alessio Fabiani
>
> @alfa7691
> Founder/Technical Lead
>
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054 Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39 331 6233686
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
>
> Le informazioni contenute in questo messaggio di posta elettronica e/o
> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
> darcene notizia via e-mail e di procedere alla distruzione del messaggio
> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
> principi dettati dal D.Lgs. 196/2003.
>
> The information in this message and/or attachments, is intended solely for
> the attention and use of the named addressee(s) and may be confidential or
> proprietary in nature or covered by the provisions of privacy act
> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
> Code).Any use not in accord with its purpose, any disclosure, reproduction,
> copying, distribution, or either dissemination, either whole or partial, is
> strictly forbidden except previous formal approval of the named
> addressee(s). If you are not the intended recipient, please contact
> immediately the sender by telephone, fax or e-mail and delete the
> information in this message that has been received in error. The sender
> does not give any warranty or accept liability as the content, accuracy or
> completeness of sent messages and accepts no responsibility for changes
> made after they were sent or for other risks which arise as a result of
> e-mail transmission, viruses, etc.
>
> 2018-04-18 10:17 GMT+02:00 Niels Charlier <ni...@scitus.be>:
>
>> We would like to disable passing the bearer token in the URL (including
>> query string), since this is not recommended, and in some security
>> standards is not allowed -
>>
>> Don't pass bearer tokens in page URLs: Bearer tokens SHOULD NOT be
>>> passed in page URLs (for example as query string parameters).
>>> Instead, bearer tokens SHOULD be passed in HTTP message headers or
>>> message bodies for which confidentiality measures are taken.
>>> Browsers, web servers, and other software may not adequately
>>> secure URLs in the browser history, web server logs, and other
>>> data structures. If bearer tokens are passed in page URLs,
>>> attackers might be able to steal them from the history data, logs,
>>> or other unsecured locations.
>>>
>>>
>> - https://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-16#section-4.3
>>
>> But if you need it, perhaps we can create a tickbox to allow/disallow it?
>>
>> I do want to make sure that whatever you need to work, still works, but
>> for that I should be able to reproduce the behaviour you need. Can you
>> suggest how I can configure it to let the access_token work without caching?
>>
>> Regards
>> Niels
>>
>> On 17-04-18 17:17, Alessio Fabiani wrote:
>>
>> Hi Niels,
>>
>> let's say... the work should be completed. The GUI should get the
>> access_token from the query string and do not cache the principal into the
>> JSESSION (which mean SecurityContext).
>>
>> At this time the situation is a sort of an hybrid. You should find a
>> compromise or customize ti for you specific use case.
>>
>>
>> Regards,
>>
>> Alessio Fabiani
>>
>> == GeoServer Professional Services from the experts! Visit
>> http://goo.gl/it488V for more information. == Ing. Alessio Fabiani
>>
>> @alfa7691 Founder/Technical Lead
>>
>> GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) Italy phone:
>> +39 0584 962313 fax: +39 0584 1660272 mob: +39 331 6233686
>> http://www.geo-solutions.it http://twitter.com/geosolutions_it
>> -------------------------------------------------------
>>
>> AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
>>
>> Le informazioni contenute in questo messaggio di posta elettronica e/o
>> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
>> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>> darcene notizia via e-mail e di procedere alla distruzione del messaggio
>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
>> principi dettati dal D.Lgs. 196/2003.
>>
>> The information in this message and/or attachments, is intended solely
>> for the attention and use of the named addressee(s) and may be confidential
>> or proprietary in nature or covered by the provisions of privacy act
>> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>> Code).Any use not in accord with its purpose, any disclosure, reproduction,
>> copying, distribution, or either dissemination, either whole or partial, is
>> strictly forbidden except previous formal approval of the named
>> addressee(s). If you are not the intended recipient, please contact
>> immediately the sender by telephone, fax or e-mail and delete the
>> information in this message that has been received in error. The sender
>> does not give any warranty or accept liability as the content, accuracy or
>> completeness of sent messages and accepts no responsibility for changes
>> made after they were sent or for other risks which arise as a result of
>> e-mail transmission, viruses, etc.
>>
>> 2018-04-17 17:10 GMT+02:00 Niels Charlier <ni...@scitus.be>:
>>
>>> Hello Alessio,
>>>
>>> Thank you for your answer. I am starting to get it. It turns out the
>>> client was using an older fork of geoserver and with the most recent
>>> commits you did, google and github do indeed work without the block of code
>>> being commented.
>>>
>>> However, I can also reproduce the problem you describe below with the
>>> latest version, despite the block of code not being commented.
>>>
>>> If I use access_token to read the capabilities, I must close my browser
>>> in order to be able to use the other access_token. Is this normal? Is this
>>> intended to work for google?
>>>
>>> Kind Regards
>>> Niels
>>>
>>>
>>> On 17-04-18 11:12, Alessio Fabiani wrote:
>>>
>>> Hello Niels,
>>>
>>> sorry for the late response. Unfortunately I had not much time to deeply
>>> inspect the issues you raised and therefore I'm going to send you some
>>> preliminary answers.
>>>
>>> 1) "Do you have any idea why this could be?" those services use
>>> cookies. On Google and GitHub I had a similar issue. I fixed that by
>>> checking for a session cookie (see https://github.com/geoser
>>> ver/geoserver/blob/master/src/community/security/oauth2-goog
>>> le/src/main/java/org/geoserver/security/oauth2/GoogleOAuthAu
>>> thenticationFilter.java#L30)
>>>
>>> 2) "How I can reproduce the problem". Generate two different
>>> access_tokens associated to different roles. Assign different resources to
>>> the roles. Then open a browser window and login into the GUI with one of
>>> them. Now try to do a GetCapabilities request by passing the access_token
>>> as query parameter. If the session is not cached, you should be able to see
>>> different resources by simply changing the access_token. Otherwise you will
>>> need to close the browser session (or cleanup the cookies).
>>>
>>> 3) "why I get the names of java classes showing up next to the log-in
>>> form". This should happen only when running on Eclipse. Try to build the
>>> WAR. You should be able to get the icons. In general the issue should be
>>> related to the fact that Spring is not able to stream the icon resource.
>>>
>>> Sorry for the quick responses. Hope that those can be still be useful in
>>> order to allow you making further testing.
>>>
>>> Let me know if you have a specific use case I should try to reproduce
>>> somehow and feel free to propose a patch for the community module.
>>>
>>>
>>> Regards,
>>>
>>> Alessio Fabiani
>>>
>>> == GeoServer Professional Services from the experts! Visit
>>> http://goo.gl/it488V for more information. == Ing. Alessio Fabiani
>>>
>>> <https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>
>>>
>>> @alfa7691 Founder/Technical Lead
>>>
>>> GeoSolutions S.A.S. Via di Montramito 3/A
>>> <https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>
>>> 55054
>>> Massarosa
>>> <https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>
>>> (LU) Italy phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39
>>> 331 6233686 http://www.geo-solutions.it http://twitter.com/geosolution
>>> s_it -------------------------------------------------------
>>>
>>> AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
>>>
>>> Le informazioni contenute in questo messaggio di posta elettronica e/o
>>> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
>>> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
>>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>>> darcene notizia via e-mail e di procedere alla distruzione del messaggio
>>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>>> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
>>> principi dettati dal D.Lgs. 196/2003.
>>>
>>> The information in this message and/or attachments, is intended solely
>>> for the attention and use of the named addressee(s) and may be confidential
>>> or proprietary in nature or covered by the provisions of privacy act
>>> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>>> Code).Any use not in accord with its purpose, any disclosure, reproduction,
>>> copying, distribution, or either dissemination, either whole or partial, is
>>> strictly forbidden except previous formal approval of the named
>>> addressee(s). If you are not the intended recipient, please contact
>>> immediately the sender by telephone, fax or e-mail and delete the
>>> information in this message that has been received in error. The sender
>>> does not give any warranty or accept liability as the content, accuracy or
>>> completeness of sent messages and accepts no responsibility for changes
>>> made after they were sent or for other risks which arise as a result of
>>> e-mail transmission, viruses, etc.
>>>
>>> 2018-04-13 13:48 GMT+02:00 Niels Charlier <ni...@scitus.be>:
>>>
>>>> Hi Alessio,
>>>>
>>>> Thanks for your answer. It is strange, but I need to comment out this
>>>> code for it to work at all, just the same as my client. Otherwise geoserver
>>>> does not log me in (although the logging in process on google/github works
>>>> fine). Do you have any idea why this could be?
>>>>
>>>> Also, can you give me an example of how I can reproduce the problem you
>>>> have without that block of code, so I can figure out a solution that works
>>>> for both of us.
>>>>
>>>> Finally, do you know why I get the names of java classes showing up
>>>> next to the log-in form? (see attached photo)
>>>>
>>>> Thanks in advance!
>>>>
>>>> Kind Regards
>>>> Niels
>>>>
>>>>
>>>> On 09-04-18 12:49, Alessio Fabiani wrote:
>>>>
>>>> Hi Niels,
>>>> as far as I remember, this causes cache issues with requests.
>>>>
>>>> Basically if you are logged in on GeoServer GUI and you want to make
>>>> OWS requests passing the access_token, the service will always get the
>>>> in-memory Principal.
>>>>
>>>> The correct way to handle this would be to allow the GUI to get the
>>>> "access_token" query parameter also from the address... not that easy using
>>>> wicket unfortunately.
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>> Alessio Fabiani
>>>>
>>>> == GeoServer Professional Services from the experts! Visit
>>>> http://goo.gl/it488V for more information. == Ing. Alessio Fabiani
>>>>
>>>> <https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>
>>>>
>>>> @alfa7691
>>>> <https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>Founder/Technical
>>>> Lead
>>>>
>>>> GeoSolutions S.A.S. Via di Montramito 3/A
>>>> <https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>
>>>> 55054
>>>> Massarosa
>>>> <https://maps.google.com/?q=Via+di+Montramito+3/A+%0A+55054+%C2%A0Massarosa&entry=gmail&source=g>
>>>> (LU) Italy phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39
>>>> 331 6233686 http://www.geo-solutions.it http://twitter.com/geosolution
>>>> s_it -------------------------------------------------------
>>>>
>>>> AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
>>>>
>>>> Le informazioni contenute in questo messaggio di posta elettronica e/o
>>>> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
>>>> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
>>>> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
>>>> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
>>>> darcene notizia via e-mail e di procedere alla distruzione del messaggio
>>>> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>>>> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>>>> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
>>>> principi dettati dal D.Lgs. 196/2003.
>>>>
>>>> The information in this message and/or attachments, is intended solely
>>>> for the attention and use of the named addressee(s) and may be confidential
>>>> or proprietary in nature or covered by the provisions of privacy act
>>>> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>>>> Code).Any use not in accord with its purpose, any disclosure, reproduction,
>>>> copying, distribution, or either dissemination, either whole or partial, is
>>>> strictly forbidden except previous formal approval of the named
>>>> addressee(s). If you are not the intended recipient, please contact
>>>> immediately the sender by telephone, fax or e-mail and delete the
>>>> information in this message that has been received in error. The sender
>>>> does not give any warranty or accept liability as the content, accuracy or
>>>> completeness of sent messages and accepts no responsibility for changes
>>>> made after they were sent or for other risks which arise as a result of
>>>> e-mail transmission, viruses, etc.
>>>>
>>>> 2018-04-09 11:50 GMT+02:00 Niels Charlier <ni...@scitus.be>:
>>>>
>>>>> Hello Alessio,
>>>>>
>>>>> I have a question about code in the OAuth2 community module which you
>>>>> have written.
>>>>>
>>>>> What was the reason for this block of code:
>>>>> https://github.com/geoserver/geoserver/blob/master/src/commu
>>>>> nity/security/oauth2/src/main/java/org/geoserver/security/oa
>>>>> uth2/GeoServerOAuthAuthenticationFilter.java#L130
>>>>>
>>>>> that removes the access token and prevents the use of session cookies
>>>>> after establishing an OAuth2 based Session for the UI.
>>>>>
>>>>> We had to comment on this block of code for now. Can we make this a
>>>>> configurable option perhaps?
>>>>>
>>>>> Thanks in advance for your answer!
>>>>>
>>>>> Kind Regards
>>>>>
>>>>> Niels
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>> ------------------------------------------------------------
>> ------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Geoserver-devel mailing list
>> Geoserver-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
>
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
