geoserver-cloud icon indicating copy to clipboard operation
geoserver-cloud copied to clipboard

Published 20 hours ago verified publisher icon geoserver

Bring authentication and authorization to the front service (gateway)

Open groldan opened this issue 3 years ago • 1 comments

Currently, only the default security authN/authZ is available, and worse, all services got to perform auth on their own. With each service having its own keystore, you can only guess what a nightmare changing a password is.

Remove the default security chains from internal services, perform authN/Z at the gateway level, delegating to external services as required.

groldan avatar Apr 07 '21 18:04 groldan

GeoSever Cloud authentication & authorization

Unlike vanilla GeoServer, Cloud's security settings (authentication and configuration) shall not be configured through the Web UI nor the REST API, but through gs-cloud's externalized/centralized configuration for the gateway service.

Upstream: ideally, GeoServer main module, and hence the rest of it, should be able to work without any configured security settings at all. The amount of coupling in several places with the org.geoserver.security subsystem (also defined in gs-main) makes it impossible though. An effort to extract out the security subsystem to its own (gs-sec-core) module is feasible.

TODO:

  • [ ] Remove security config from webui
  • [ ] Remove security config from REST
  • [ ] Configure authentication in Gateway
  • [ ] Configure authorization in Gateway
  • [ ] Redirect to gateway provided auth in webui, rest, and catalog challenge mode

Web-UI security:

  • Config property geoserver.web-ui.security.enabled=false removed the security UI components regardless of the security subsystem being enabled or not.
  • If (geoserver.security.enabled=false), web-ui fails with
java.lang.NullPointerException: null
  at org.geoserver.web.DynamicCryptoMapper.getMapper(DynamicCryptoMapper.java:40) ~[gs-web-core-2.20-SNAPSHOT.jar:2.20-SNAPSHOT]
  at org.geoserver.web.DynamicCryptoMapper.mapRequest(DynamicCryptoMapper.java:49) ~[gs-web-core-2.20-SNAPSHOT.jar:2.20-SNAPSHOT]
  at org.apache.wicket.request.cycle.RequestCycle.resolveRequestHandler(RequestCycle.java:189) ~[wicket-core-7.6.0.jar:7.6.0]

Since GeoServerSecurityManager securityManager is null in DynamicCryptoMapper.

  • Provide an org.geoserver.web.LoginFormInfo bean that creates a log-in form to redirect to the gateway login mechanism. GeoServerBasePage looks for such beansh and appends a form for each one based on the information it provides. Removing the default log-in form (redirecting to j_spring_security_check) should be a matter of removing the org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter bean, as of line 210:
                        for (String filterClassName : securityFilterClassNames) {
                            if (filterClassName.equals(info.getFilterClass().getName())) {
                                filterInChain = true;
                                break;
                            }
                        }
                        loginForm.setVisible(anonymous && filterInChain);

groldan avatar Apr 08 '21 13:04 groldan