Hi Landry

I wrote a tutorial about http proxy auth but I am still waiting for  
the ok of a reviewer (native English speaker).

You have a relationship of trust between the proxy and GeoServer. If  
the proxy sends the header sec-uname, the principal is considered  
authenticated and the role ROLE_AUTHENTICATED is assigned. If you send  
sec-uname:anonymous, the anonymous user is handled as any other user.

If you want an anonymous GeoServer login, the proxy must not send the  
header attribute.

Hope this helps


Zitat von Landry Breuil <bre...@craig.fr>:

> Hi,
>
> still doing some experiments with geoserver 2.2.1, and I've found a
> strange behaviour with:
> - a workspace (nurc) being configured as accessible only to
> ROLE_AUTHENTICATED (nurc.*.r = ROLE_AUTHENTICATED in security/data)
> - a default filter using http headers first, sec-username & sec-roles
> for the list of roles, and then anonymous as a fallback filter.
>
> Geoserver is behind a proxy (from georchestra), and that proxy sends
> sec-username:anonymousUser + sec-roles:ROLE_ANONYMOUS when the client is
> not authenticated to georchestra.
> I'd expect geoserver to fail the access to getMap requests on that
> workspace with a 401 code, but the access is granted anyway, i.e.:
>
> http://localhost:8080/geoserver-private/nurc/wms?getMap -> 401 : normal,
> this is when bypassing the proxy.
> http://localhost:8080/geoserver/nurc/wms?getMap -> 200 : anonymousUser
> is authenticated by the headers sent by the proxy, while I'd expect it
> to have no access.
>
> I've noticed that the new security framework uses 'anonymous' for the
> anon user in security/impl/GeoServerUser.java, so I've tried using
> 'anonymousUser' there instead, but that didn't change the behaviour.
>
> From that point, two hypotheses:
> - the proxy shouldn't send headers when unauthenticated?
> - anonymous(User) doesn't seem to be a special user anymore, at least the
> http header filter doesn't specifically check for it. Apparently, the
> ROLE_ANONYMOUS sent by the proxy isn't taken into account, and is
> upgraded to ROLE_AUTHENTICATED since the http header filter finds the
> header it looks for?
>
> So, on which side is the problem? GeoServer or the proxy?
>
> --
> Landry Breuil
> Mouton a 5 pattes du CRAIG
>
> ------------------------------------------------------------------------------
> LogMeIn Central: Instant, anywhere, Remote PC access and management.
> Stay in control, update software, and manage PCs from one command center
> Diagnose problems and improve visibility into emerging IT issues
> Automate, monitor and manage. Do more in less time with Central
> http://p.sf.net/sfu/logmein12331_d2d
> _______________________________________________
> Geoserver-users mailing list
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
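As an added illustration of the exchange above (example code, not GeoServer or geOrchestra code), the model below reproduces the filter chain the two messages describe: a header filter that trusts sec-username unconditionally, an anonymous fallback filter, and the data rule nurc.*.r = ROLE_AUTHENTICATED. It shows why a proxy that sends sec-username:anonymousUser gets a 200, and why omitting the header for unauthenticated clients gives the expected 401. The header name sec-username (the reply writes sec-uname), the layer name "states", the session layout and the "open when no rule matches" simplification are assumptions of this example.

```python
# Added example, not GeoServer or geOrchestra code: a minimal model of the
# header-based filter chain discussed in the thread.
from dataclasses import dataclass, field

ROLE_AUTHENTICATED = "ROLE_AUTHENTICATED"
ROLE_ANONYMOUS = "ROLE_ANONYMOUS"

# Data-access rule from the original post: nurc.*.r = ROLE_AUTHENTICATED
# (key: workspace, layer, mode; value: roles allowed to read)
DATA_RULES = {("nurc", "*", "r"): {ROLE_AUTHENTICATED}}


@dataclass
class Principal:
    name: str
    roles: set = field(default_factory=set)
    authenticated: bool = False


def header_filter(headers):
    """Model of the HTTP-header filter: when the trusted header is present the
    principal is considered authenticated, gets ROLE_AUTHENTICATED plus any roles
    listed in sec-roles. The value itself is not inspected, so "anonymousUser"
    is handled like any other user name. Returns None when the header is absent."""
    lowered = {k.lower(): v for k, v in headers.items()}
    name = lowered.get("sec-username")
    if name is None:
        return None
    roles = {r.strip() for r in lowered.get("sec-roles", "").split(",") if r.strip()}
    roles.add(ROLE_AUTHENTICATED)
    return Principal(name, roles, authenticated=True)


def anonymous_filter():
    """Fallback filter: no trusted header was found, so the request is anonymous."""
    return Principal("anonymous", {ROLE_ANONYMOUS}, authenticated=False)


def authenticate(headers):
    return header_filter(headers) or anonymous_filter()


def authorize(principal, workspace, layer, mode="r"):
    """Grant if the principal holds one of the roles required by the most
    specific matching data rule; layers without a rule are open (assumption)."""
    for key in ((workspace, layer, mode), (workspace, "*", mode)):
        required = DATA_RULES.get(key)
        if required is not None:
            return bool(principal.roles & required)
    return True


def legacy_proxy_headers(session):
    """Behaviour reported in the original post: the proxy always sends the
    headers, using anonymousUser/ROLE_ANONYMOUS for a client that is not logged
    in. GeoServer then treats anonymousUser as an authenticated user."""
    if session is None:
        return {"sec-username": "anonymousUser", "sec-roles": ROLE_ANONYMOUS}
    return {"sec-username": session["user"], "sec-roles": ",".join(session["roles"])}


def fixed_proxy_headers(session, client_headers):
    """Fix from the reply: for an unauthenticated client the proxy sends no
    sec-* header at all, so GeoServer falls through to the anonymous filter.
    Because GeoServer trusts these headers unconditionally, they are always built
    from the proxy's own session and never copied from the client request."""
    upstream = {k: v for k, v in client_headers.items()
                if not k.lower().startswith("sec-")}
    if session is not None:
        upstream["sec-username"] = session["user"]
        upstream["sec-roles"] = ",".join(session["roles"])
    return upstream


def get_map(upstream_headers, workspace="nurc", layer="states"):
    """HTTP status the model gives for a GetMap on a layer of the workspace."""
    principal = authenticate(upstream_headers)
    return 200 if authorize(principal, workspace, layer) else 401


if __name__ == "__main__":
    logged_in = {"user": "landry", "roles": ["ROLE_USER"]}  # constructed session
    print("legacy proxy, anonymous client:", get_map(legacy_proxy_headers(None)))         # 200
    print("fixed proxy,  anonymous client:", get_map(fixed_proxy_headers(None, {})))      # 401
    print("fixed proxy,  logged-in client:", get_map(fixed_proxy_headers(logged_in, {})))  # 200
```

The third case in fixed_proxy_headers is the one a practitioner should check on the real proxy: since the header is the only thing GeoServer looks at, any sec-* header that arrives from the client side must be dropped before the request is forwarded, otherwise the trust relationship extends to whoever can reach the proxy.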