Alessio Fabiani created an issue

GeoServer / Improvement / GEOS-9836: [OAUTH2] Mangler enabled by default exposes "access_token" to OWS URLs
https://osgeo-org.atlassian.net/browse/GEOS-9836

Issue Type: Improvement
Assignee: Alessio Fabiani
Components: Community modules, OAuth2, Security
Created: 21/Dec/20 2:49 PM
Priority: Medium
Reporter: Alessio Fabiani

Most of the OAUTH2 community plugins (GeoNode, Google, GitHub) currently
enable the OAUTH2 URL Mangler by default.

The URL Mangler looks for an active session and injects the current 
"access_token" to the OWS output documents.

This should be changed. The default behavior should not expose a valid 
"access_token" to stateless documents.

My proposal is to change the default behavior of the URL mangler to *not*
expose the tokens and introduce a simple check on the environment variables in
order to allow the system administrator to decide whether to enable it or not.
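As an added example (not GeoServer's own code, which is Java), the following Python models the proposed behaviour: a mangler that appends the session's access_token to an OWS URL only when an administrator opt-in switch is set, plus a defender-side check that scans an OWS output document for links already carrying a token. The variable name OAUTH2_URL_MANGLER_EXPOSE_TOKEN, the host example.invalid and the GetCapabilities fragment are constructed, not taken from the project.

```python
import html
import os
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholder for the administrator opt-in switch; the real
# variable name, if one is adopted, is decided by the GeoServer project.
OPT_IN_VAR = "OAUTH2_URL_MANGLER_EXPOSE_TOKEN"


def mangle_ows_url(url: str, session_token: Optional[str],
                   env: Optional[Dict[str, str]] = None) -> str:
    """Model of the URL mangler with the proposed default.

    The session's access_token is appended to an OWS URL only when the
    administrator has explicitly opted in; otherwise the URL is returned
    untouched, so stateless documents never carry a live bearer token.
    """
    env = os.environ if env is None else env
    if not session_token or env.get(OPT_IN_VAR, "false").lower() != "true":
        return url
    parts = urlsplit(url)
    # Drop any stale access_token already present, then append the current one.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != "access_token"]
    query.append(("access_token", session_token))
    return urlunsplit(parts._replace(query=urlencode(query)))


HREF_RE = re.compile(r'href="([^"]*)"')


def find_leaked_tokens(document: str) -> List[str]:
    """Scan an OWS output document (e.g. GetCapabilities XML) and return every
    linked URL whose query string carries an access_token parameter."""
    leaked = []
    for raw_href in HREF_RE.findall(document):
        href = html.unescape(raw_href)  # XML writes '&' as '&amp;' inside attributes
        keys = {k.lower() for k, _ in parse_qsl(urlsplit(href).query, keep_blank_values=True)}
        if "access_token" in keys:
            leaked.append(href)
    return leaked


# Constructed GetCapabilities fragment: one mangled link, one clean link.
SAMPLE_CAPABILITIES = (
    '<OnlineResource xlink:href="https://example.invalid/geoserver/ows'
    '?service=WMS&amp;request=GetMap&amp;access_token=tok123"/>'
    '<OnlineResource xlink:href="https://example.invalid/geoserver/ows?service=WFS"/>'
)

if __name__ == "__main__":
    print(mangle_ows_url("https://example.invalid/geoserver/ows?service=WMS", "tok123", env={}))
    print(find_leaked_tokens(SAMPLE_CAPABILITIES))
```

Running the check against a server's GetCapabilities response is a quick way to confirm, before and after changing the default, whether any link still embeds a token.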

_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
