Opened 12 years ago

Last modified 12 years ago

#1177 new defect

force sending credentials to geoserver REST api

Reported by: landry
Owned by: geonetwork-devel@…
Priority: major
Milestone: v2.10.0 RC0
Component: General
Version: v2.8.0RC2
Keywords:
Cc:

Description

I've experienced a strange issue with the geopublishing feature:

  • my geoserver 2.2.2 is configured this way in security/rest.properties:

/;GET=IS_AUTHENTICATED_ANONYMOUSLY
/;POST,DELETE,PUT=ROLE_AUTHENTICATED

I want to be able to anonymously get layers/style, and all my users to be able to publish layers/styles.

In certain circumstances, the geopublishing fails. After PUT'ing the zip file, I correctly get a 201 code, but the next REST call is a GET on the layer, and since by default we only send the auth header if asked for credentials, for some reason geoserver returns a 404. If I force the authentication, I correctly get a 200.

The problem can be reproduced with wget and curl. By default curl sends the auth in all cases; wget only sends it if asked for it, or if --auth-no-challenge is used:

#curl -v http://localhost:8080/geoserver/rest/layers/CRAIG_201206_PCI.xml
...
< HTTP/1.1 404 Not Found
...
No such layer: CRAIG_201206_PCI

#curl -u admin:admin -v http://localhost:8080/geoserver/rest/layers/CRAIG_201206_PCI.xml
...
< HTTP/1.1 200 OK
...
<layer>
<name>CRAIG_201206_PCI</name>

#wget -d --user admin --password admin http://localhost:8080/geoserver/rest/layers/CRAIG_201206_PCI.xml
...
Host `localhost' has not issued a general basic challenge.
...
HTTP/1.1 404 Not Found

#wget -d --auth-no-challenge --user admin --password admin http://localhost:8080/geoserver/rest/layers/CRAIG_201206_PCI.xml
...
Auth-without-challenge set, sending Basic credentials.
...
HTTP/1.1 200 OK

I don't know if the problem lies in geoserver's way of handling auth (for REST I'm using the http header auth filter first, then the basic auth filter) or if the problem is in geonetwork itself. The thing is, if I force the Geopublisher to send the auth credentials 'preemptively' it fixes the issue I've been seeing.

--- a/web/src/main/java/org/fao/geonet/services/publisher/GeoServerRest.java +++ b/web/src/main/java/org/fao/geonet/services/publisher/GeoServerRest.java @@ -658,6 +658,7 @@ public class GeoServerRest {

}

m.setDoAuthentication(true);

+ c.getParams().setAuthenticationPreemptive(true);
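Review bot: `c.getParams().setAuthenticationPreemptive(true)` is set on the client's parameters, so every request this HttpClient issues will carry Basic credentials from the first attempt, not only the GET on the layer that currently comes back 404; that fixes the symptom described above, but it also sends the credentials to any URL the client touches even when the server never challenged, so the flag should stay scoped to the GeoServer REST client and, as comment:2 proposes, be made a per-node option in geoserver-nodes.xml rather than hard-coded. The hunk shows only `}` and `m.setDoAuthentication(true);` as context, so it is not visible here that `c` is the client `m` is executed on; the proper commit should include enough of the method to make that clear.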

If that 'fix' is acceptable I'll attach it as a proper git commit.

Change History (3)

comment:1 by mcr, 12 years ago

Hi

I am one of the geoserver developers for authentication mechanisms. Which authentication filters do you have on the REST filter chain?

If the last filter is the anonymous filter, the client never gets a challenge. The order of the filters is important; the last filter is responsible for the challenge. As an example, if your order is

http header
basic auth
anonymous auth

you will never get a challenge. If you want to log in a user, you have to send the credentials preemptively.

If you have

http header
basic auth

the client will get a basic authentication challenge.

Hope that helps.
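To make the chain-order point above concrete, here is an added model (not GeoServer or GeoNetwork code) of a REST filter chain and two client strategies: one that waits for a 401 challenge (wget's default, and the Geopublisher before the patch) and one that sends Basic credentials preemptively (curl -u, or HttpClient with setAuthenticationPreemptive(true)). The user name, password, layer name, the 404-for-anonymous rule and the header name read by the "header" filter are all constructed for the model.

```python
import base64

USERS = {"admin": "admin"}        # constructed credentials for the model
LAYERS = {"CRAIG_201206_PCI"}     # constructed: the one published layer


def basic_header(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def run_chain(chain, headers):
    """Return the principal the filter chain authenticates, or None.

    Filters run in order. The last one decides what happens when nobody
    authenticated: with 'basic' last the server challenges (None -> 401);
    with 'anonymous' last the caller is logged in as anonymous and a
    challenge is never issued, exactly the situation mcr describes."""
    for name in chain:
        auth = headers.get("Authorization", "")
        if name == "header" and headers.get("X-Auth-User") in USERS:
            return headers["X-Auth-User"]   # constructed header name
        if name == "basic" and auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            if USERS.get(user) == pw:
                return user
        if name == "anonymous":
            return "anonymous"
    return None


def get_layer(chain, layer, headers):
    """Model GET /rest/layers/<layer>: 401 when the chain wants a challenge,
    404 when the caller is anonymous (models a data rule hiding the layer,
    as the ticket reports) or the layer does not exist, otherwise 200."""
    principal = run_chain(chain, headers)
    if principal is None:
        return 401
    if principal == "anonymous" or layer not in LAYERS:
        return 404
    return 200


def client_get(chain, layer, preemptive):
    """Final status a client sees: a challenge-driven client sends no
    credentials first and retries only after a 401; a preemptive client
    attaches them to the very first request."""
    creds = basic_header("admin", "admin")
    status = get_layer(chain, layer, creds if preemptive else {})
    if status == 401 and not preemptive:
        status = get_layer(chain, layer, creds)
    return status
```

With `["header", "basic", "anonymous"]` the challenge-driven client never authenticates and gets 404 while the preemptive one gets 200; with `["header", "basic"]` both end at 200 because the first reply is a 401 challenge.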

comment:2 by landry, 12 years ago

Okay, that explains it, thanks! Since originally I wanted to leave some REST paths accessible to everyone, I had left the anonymous filter in the list of filters. Now I'm facing other data ACL issues, but I'll send them to the geoserver list :)

Maybe this could be added as a boolean option in geoserver-nodes.xml, letting the administrator decide if geonetwork needs to preemptively send the credentials or not? I could wrap up a patch for that.

comment:3 by mcr, 12 years ago

If you like you can open a geoserver JIRA issue (improvement). A possibility would be to configure the http request methods for each filter. If the actual request method is not in the configured list, the filter does nothing.

To be fair, I have no time for implementing at the moment, but it would be a good reminder to cover such configurations.
