On Sun, Apr 10, 2011 at 3:21 AM, Gabriel Roldán <[email protected]> wrote:
> I am far from an expert in the geoserver security system, but this
> caught my attention. In main's applicationSecurityContext we have the
> following path to security chain mapping:
> ....
> /wcs/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,filterInvocationInterceptor
> /rest/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,restFilterInvocationInterceptor
> /gwc/rest/web/**=anonymousProcessingFilter,consoleExceptionTranslationFilter,filterInvocationInterceptor
> /gwc/rest/**=httpSessionContextIntegrationFilterWithASCFalse,basicProcessingFilter,anonymousProcessingFilter,owsExceptionTranslationFilter,restFilterInvocationInterceptor
> /**=httpSessionContextIntegrationFilterWithASCTrue,logoutFilter,authenticationProcessingFilter,securityContextHolderAwareRequestFilter,rememberMeProcessingFilter,anonymousProcessingFilter,consoleExceptionTranslationFilter,filterInvocationInterceptor
Gabriel, you're probably right. The current layout of Spring Security filters dates back to the old GS UI (GS 1.7.x series), when the UI URLs were not hosted under a single "web/**" root but variably sprinkled under the main geoserver/ path.

I guess that now we can turn the tables and have the REST-related paths use the special REST setup, "web/**" use the session integration, and have everything else use the service setup, which does not do session integration.

The only thing that is making me wonder is that, I believe, session integration is going to trigger only if there is an authentication to start with... is Robert's client sending basic authentication headers around in every request to GWC?

Generally speaking, to actually see where the sessions are being created we should put a breakpoint in the Tomcat/Jetty session creation mechanism and see what exactly is creating sessions. In the past we have had filters that inadvertently accessed the sessions (I think it was the proxy or the compression filter, can't remember exactly which one).

Cheers
Andrea

--
-------------------------------------------------------
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead

Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 333 8128928

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
-------------------------------------------------------

_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
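Andrea's suggestion above (break in the container's session creation code to see who is creating sessions) can be done without a debugger on a production-like instance: a servlet HttpSessionListener is invoked synchronously on the request thread at the moment the session is created, so its stack trace names the filter or servlet that called getSession(true). The listener below is an added example written for this thread; it is not code from GeoServer, GeoWebCache or the mailing-list participants, and the package name org.geoserver.debug, the class name and the package prefixes it highlights are assumptions chosen for illustration. It uses only the javax.servlet API available in the Tomcat/Jetty versions of that era.

```java
package org.geoserver.debug; // hypothetical package, not part of GeoServer

import java.util.logging.Logger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/**
 * Logs the full call stack each time the servlet container creates an HTTP
 * session. Because sessionCreated() runs on the thread that called
 * request.getSession(true), the frames above it identify the filter, servlet
 * or Spring Security component that actually triggered session creation.
 *
 * Register it in WEB-INF/web.xml (assumed deployment, adjust to your webapp):
 *   <listener>
 *     <listener-class>org.geoserver.debug.SessionCreationTracer</listener-class>
 *   </listener>
 */
public class SessionCreationTracer implements HttpSessionListener {

    private static final Logger LOGGER =
            Logger.getLogger(SessionCreationTracer.class.getName());

    // Package prefixes worth marking in the trace: the app's own filters and the
    // security layer. These are assumptions for readability, not a filter on output.
    private static final String[] INTERESTING_PREFIXES = {
        "org.geoserver.", "org.geowebcache.", "org.springframework.security."
    };

    @Override
    public void sessionCreated(HttpSessionEvent se) {
        StackTraceElement[] frames = Thread.currentThread().getStackTrace();
        StringBuilder sb = new StringBuilder();
        sb.append("HTTP session created, id=").append(se.getSession().getId()).append('\n');
        sb.append("first application frame: ").append(firstInterestingFrame(frames)).append('\n');
        for (StackTraceElement f : frames) {
            // Mark frames from the application/security packages so the culprit
            // stands out from container plumbing (Tomcat/Jetty/JVM frames).
            sb.append(isInteresting(f) ? "  >> " : "     ").append(f).append('\n');
        }
        // WARNING level so it shows up without reconfiguring loggers.
        LOGGER.warning(sb.toString());
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent se) {
        LOGGER.fine("HTTP session destroyed, id=" + se.getSession().getId());
    }

    /** The innermost frame belonging to one of the interesting packages, or "(none)". */
    static String firstInterestingFrame(StackTraceElement[] frames) {
        for (StackTraceElement f : frames) {
            if (isInteresting(f)) {
                return f.toString();
            }
        }
        return "(none)";
    }

    private static boolean isInteresting(StackTraceElement f) {
        String cls = f.getClassName();
        for (String prefix : INTERESTING_PREFIXES) {
            if (cls.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}
```

Deploy it, replay the GWC requests that are suspected of creating sessions (with and without the Basic auth header, since the thread wonders whether the session integration only fires once an authentication exists), and read the "first application frame" line of each log entry. If it points at httpSessionContextIntegrationFilterWithASCTrue on the /** chain, the fix is the chain reordering discussed above; if it points at an unrelated filter (a proxy or compression filter, as Andrea recalls happening before), that filter is the one to fix. Remove the listener afterwards: it logs a stack trace per new session and is not meant to stay in production.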
