Dear List,
(I hope this won't be posted twice, as I sent it a few days ago but it
seems the mail didn't get through)
I'm trying to setup Geoserver to use a postgres user table from Django (the
people_profile table from Geonode). I was able to make everything work
except password encryption.
To give a bit of context, this is what I did so far) :
1/ Added a new JDBC "User Group Services" with database details in Geoserver
and added it to the authentication provider chain
2/ Created a view in postgres like this (to replace the "users" table that
Geoserver is expecting) :
CREATE VIEW public.users AS
SELECT "username" as "name",
'crypt2:' || split_part("password",'$',4) as "password", -- this extracts
the hash from the django passwords
CASE WHEN "is_active" THEN 'Y' ELSE 'N' END as enabled
FROM public.people_profile;
3/ Created a custom password hasher for Django that using the jasypt4py
python library (that supports "PBEWITHSHA256AND256BITAES-CBC")
from jasypt4py import StandardPBEStringEncryptor
class GeoserverLikePasswordHasher(BasePasswordHasher):
algorithm = "geoserver-strong-pbe"
iterations = 100000
def encode(self, password, salt, iterations=None):
cryptor = StandardPBEStringEncryptor('PBEWITHSHA256AND256BITAES-CBC')
from_keystore = "4F24227A565B3C743F7D4A69504E27
432C292D6E632C4A6B40384A4A60395F364743657969717076".decode("hex")
hash = cryptor.encrypt( from_keystore, password, iterations)
return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)
Problem is, when I try to connect with these logins, I get an exception
(see below[1]). The exception is not easy to debug as it's opaque on
prupose (to avoid revealing sensitive details).
When I fake the encryption (by hardcoding a hash that was generated by
Geoserver in the postgres view, or by using plain: and creating a
PlainPasswordHasher), I can log in, which means that the problem really is
at the encryption level.
I'm new to Java and Geoserver, so I'm not really sure what's going on.
I have two hypotheses :
1/ I'm using the wrong "password_key" (I'm using ug:django_key in my
geoserver.jceks that was created when I configured the user group service.
I also tried with config:password:key I could find there, but no more
luck). Am I correct trying to use that one ?
2/ There's a problem with the jasypt4py library. In the readme, they say
they only support "PBEWITHSHA256AND256BITAES-CBC" from Jasypt/Bouncycastle.
Is this what Geoserver uses ? Or are there several incompatible
implementations of Jasypt ? (again, I'm new to Java...)
Any idea of what to try next ? Has anyone been able to make such a setup
work ?
Thank you in advance for your help !!
Olivier
[1] This is the exception :
org.jasypt.exceptions.EncryptionOperationNotPossibleException
at
org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:981)
at
org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:717)
at
org.jasypt.spring.security3.PBEPasswordEncoder.isPasswordValid(PBEPasswordEncoder.java:218)
at
org.geoserver.security.password.AbstractGeoserverPasswordEncoder.isPasswordValid(AbstractGeoserverPasswordEncoder.java:142)
at
org.geoserver.security.password.GeoServerMultiplexingPasswordEncoder.isPasswordValid(GeoServerMultiplexingPasswordEncoder.java:91)
at
org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:94)
at
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:165)
at
org.geoserver.security.auth.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:82)
at
org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:58)
at
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
at
org.geoserver.security.GeoServerSecurityManager$1.authenticate(GeoServerSecurityManager.java:323)
at
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:93)
at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
at
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
at
org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter.doFilter(GeoServerUserNamePasswordAuthenticationFilter.java:116)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:69)
at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at
org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:53)
at
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
at
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at
org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:152)
at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:88)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at
org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:89)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at
org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:48)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at
org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:44)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at
org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
at
org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
at
org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
at
org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
at
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at
org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at
org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at
org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
at
org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at
org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Thread.java:745)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-users mailing list
Please make sure you read the following two resources before posting to this
list:
- Earning your support instead of buying it, but Ian Turton:
http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines:
http://geoserver.org/comm/userlist-guidelines.html
If you want to request a feature or an improvement, also see this:
https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
