It doesn't really depend on spring - just mostly via other GS classes like
GeoServerPreAuthenticatedUserNameFilter.  It uses a little spring to do
some JWT-parsing/manipulation, so it would be easy to move to another
library if the new spring doesn't support it.

So, it shouldn't be an issue to move to a later spring framework.  The
oauth2-* stuff will be a lot of work...

Dave

On Thu, Feb 22, 2024 at 5:10 PM Jody Garnett <jody.garn...@gmail.com> wrote:

> +1 although I am your co-worker, others may have questions 🙂
>
> I know you are aware the transition to spring-framework 6 is planned; so
> the community module will need to be rewritten before becoming an
> extension; or did you just stick to spring-security core?
>
> I would like to get your PR in promptly so the docs are picked up in
> mkdocs migration.
> --
> Jody Garnett
>
>
> On Feb 22, 2024 at 11:54:28 AM, David Blasby <dbla...@gmail.com> wrote:
>
>> Hi,
>>
>> This is a request to create a new community module.
>>
>> This is a fairly simple security module for header-based OAUTH2/OIDC type
>> authentication - for example Apache mod_auth_openid and robot-base-access
>> with JWT Access Tokens.
>>
>> New functionality:
>>
>> 1. Extract user name from a JSON header (including json path)
>> 2. Extract user name from an attached JWT token
>> 3. Extract Roles from JSON Header (including json path)
>> 4. Extract Roles from JWT Header (including json path)
>> 5. Role Translation from the external (IDP) names to internal GeoServer
>> role names
>> 6. Access Token Validation;
>>      + signature validation
>>      + expiry validation
>>      + IDP external endpoint validation (including subject validation)
>>      + audience validation
>>
>> Test coverage is about 90%.
>>
>> I will create a PR when approved.
>>
>> Code -
>> https://github.com/davidblasby/geoserver/tree/_jwtheaders/src/community/jwt-headers
>>
>> Doc -
>> https://github.com/davidblasby/geoserver/tree/_jwtheaders/doc/en/user/source/community/jwt-headers
>>
>> NOTE: I just put together the docs today - will be making them a bit
>> "nicer" next week.
>>
>> Some of the functionality is available in the very simple Headers
>> security extension and the oauth2-* community modules.  This module is much
>> simpler, much more complete, and MUCH easier to maintain/test/configure.
>>
>> In fact, if you want to use OIDC and are willing to put your geoserver
>> behind apache (with mod_auth_openid), this module makes it MUCH MUCH easier
>> to setup and maintain wrt the oauth2-* community modules.  If you want to
>> have GeoServer communicate DIRECTLY with your OIDC IDP, continue using the
>> oauth2-* community modules.
>>
>> NOTE: I am planning to add similar functionality to GeoNetwork.
>>
>> Thanks,
>> Dave
>> _______________________________________________
>> Geoserver-devel mailing list
>> Geoserver-devel@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Reply via email to