Alessio Fabiani ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A0027cfac-890c-48e1-8af0-974f12f7b9dc ) *created* an issue
GeoServer ( https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiOTlkN2MyMGM2MmE3NGZjNTgwZDMxZWRiYmM0MWYwMjgiLCJwIjoiaiJ9 ) / Bug ( https://osgeo-org.atlassian.net/browse/GEOS-11036?atlOrigin=eyJpIjoiOTlkN2MyMGM2MmE3NGZjNTgwZDMxZWRiYmM0MWYwMjgiLCJwIjoiaiJ9 ) GEOS-11036 ( https://osgeo-org.atlassian.net/browse/GEOS-11036?atlOrigin=eyJpIjoiOTlkN2MyMGM2MmE3NGZjNTgwZDMxZWRiYmM0MWYwMjgiLCJwIjoiaiJ9 )

The OAuth2*/OIDC security filters do not work as expected anymore after the spring-security-core dependency update to 5.7.8 ( https://osgeo-org.atlassian.net/browse/GEOS-11036?atlOrigin=eyJpIjoiOTlkN2MyMGM2MmE3NGZjNTgwZDMxZWRiYmM0MWYwMjgiLCJwIjoiaiJ9 )

Issue Type: Bug
Assignee: Unassigned
Created: 19/Jun/23 2:56 PM
Priority: Medium
Reporter: Alessio Fabiani ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A0027cfac-890c-48e1-8af0-974f12f7b9dc )

Recently the spring-security-core dependency on GeoServer has been upgraded due to a security fix as per https://github.com/geoserver/geoserver/pull/6830

The upgrade introduced some issues into the OAuth2 security filter logic, mainly due to the anonymous session token, which is now correctly valorized. The filter assumes that an anonymous user is always associated to a null security context authority, which is wrong. Now an anonymous user will be associated to an AnonymousAuthorityToken, which will also be recognized by the spring-oauth2 plugin in order to perform additional checks on the OAuth2 resources. A simple change into the logic checks can allow us to easily fix this behavior and benefit from the new spring security core improvement.
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
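The logic change the report describes, as an added illustration that is not GeoServer's own code nor the patch attached to GEOS-11036: since Spring Security's AnonymousAuthenticationFilter populates the security context with an AnonymousAuthenticationToken (the class the issue refers to as AnonymousAuthorityToken), a filter that treats "Authentication is null" as the only anonymous case will mistake an anonymous request for a logged-in user and skip its own OAuth2 checks. The class and method names below are hypothetical; the sample token is constructed in main() the way Spring Security would create it for an unauthenticated request.

```java
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical helper (not GeoServer code) contrasting the pre-5.7.8 assumption
 * with a check that also recognizes Spring Security's anonymous token.
 */
public final class AnonymousCheck {

    private AnonymousCheck() {}

    /**
     * Old assumption: an anonymous request carries no Authentication at all.
     * With spring-security-core 5.7.8 the context holds an
     * AnonymousAuthenticationToken instead, so this returns false for
     * anonymous requests and the OAuth2 filter is skipped.
     */
    public static boolean isAnonymousOldCheck(Authentication auth) {
        return auth == null;
    }

    /**
     * Corrected check: both a missing Authentication and an
     * AnonymousAuthenticationToken mean "no real user", so the OAuth2/OIDC
     * filter still has to authenticate the request.
     * Note that auth.isAuthenticated() is true for the anonymous token,
     * which is why that method alone is not a usable test.
     */
    public static boolean isAnonymous(Authentication auth) {
        return auth == null || auth instanceof AnonymousAuthenticationToken;
    }

    /**
     * Same decision via Spring Security's own resolver, which is the
     * idiomatic way to ask the question and also covers remember-me tokens.
     */
    public static boolean isAnonymousViaResolver(Authentication auth) {
        AuthenticationTrustResolver resolver = new AuthenticationTrustResolverImpl();
        return auth == null || resolver.isAnonymous(auth);
    }

    public static void main(String[] args) {
        // Constructed sample: what AnonymousAuthenticationFilter places in the
        // SecurityContext for an unauthenticated request.
        Authentication anonymous = new AnonymousAuthenticationToken(
                "key", "anonymousUser",
                AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));

        System.out.println("old check treats anonymous token as a logged-in user: "
                + !isAnonymousOldCheck(anonymous));   // true: the bug
        System.out.println("new check treats anonymous token as anonymous: "
                + isAnonymous(anonymous));            // true: the fix
        System.out.println("resolver agrees: "
                + isAnonymousViaResolver(anonymous)); // true

        // The same check applied to the current thread's context, as a filter would.
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        System.out.println("current request is anonymous: " + isAnonymous(current));
    }
}
```

The point for a filter author is that "no Authentication" and "anonymous Authentication" must be handled as the same case; a filter that only checks for null lets the security context's anonymous token pass as an authenticated principal and never reaches its token validation.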
