GSIP-159 GeoWebCache data security API

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

GSIP-159 GeoWebCache data security API

Kevin Smith-3

https://github.com/geoserver/geoserver/wiki/GSIP-159

GeoServer currently uses a rather ugly and brittle mechanism to apply data security (Certain users should only be able to view certain layers or certain parts of layers) to the service endpoints of its internal GWC instance.

This proposal is to add an API to GeoWebCache to do security checks which GeoServer can extend to apply its own security rules deeper inside GWC, after the service endpoints have parsed the request into a universal Conveyor object.


Filter to check that the request is allowed.

interface SecurityFilter {
  public void checkSecurity(TileLayer layer, BoundingBox extent, SRS srs, Object securityContext) throws SecurityException;
}

Extension point that the GeoWebCacheDispatcher can call to generate appropriate security context object to be stored on the resulting Conveyor

interface SecurityContextProvider<Context> {
  public Context getSecurityContext(HttpRequest request)
}

Add accessors for a securityContext property to Conveyor. GeoWebCacheDispatcher calls Service.getConveyor to get a Conveyor, then handles it. The context would be attached in between those steps.

conv = service.getConveyor(request, response);
securityContext = securityContextProvider.getSecurityContext(request);
conv.setSecurityContext(securityContext);

Add a SecurityException class. Allow it to wrap another exception so it can wrap the GeoServer one, which might then be extracted if need be. Amend method signatures to allow throwing this exception.


-- 
Kevin Michael Smith
[hidden email]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

signature.asc (501 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [Geowebcache-devel] GSIP-159 GeoWebCache data security API

jody.garnett
If you would like to avoid creating another exception class AccessControlException (which extends SecurityException) may meet your needs.

+1 to the GSIP

--
Jody Garnett

On 15 June 2017 at 15:46, Kevin Smith <[hidden email]> wrote:

https://github.com/geoserver/geoserver/wiki/GSIP-159

GeoServer currently uses a rather ugly and brittle mechanism to apply data security (Certain users should only be able to view certain layers or certain parts of layers) to the service endpoints of its internal GWC instance.

This proposal is to add an API to GeoWebCache to do security checks which GeoServer can extend to apply its own security rules deeper inside GWC, after the service endpoints have parsed the request into a universal Conveyor object.


Filter to check that the request is allowed.

interface SecurityFilter {
  public void checkSecurity(TileLayer layer, BoundingBox extent, SRS srs, Object securityContext) throws SecurityException;
}

Extension point that the GeoWebCacheDispatcher can call to generate appropriate security context object to be stored on the resulting Conveyor

interface SecurityContextProvider<Context> {
  public Context getSecurityContext(HttpRequest request)
}

Add accessors for a securityContext property to Conveyor. GeoWebCacheDispatcher calls Service.getConveyor to get a Conveyor, then handles it. The context would be attached in between those steps.

conv = service.getConveyor(request, response);
securityContext = securityContextProvider.getSecurityContext(request);
conv.setSecurityContext(securityContext);

Add a SecurityException class. Allow it to wrap another exception so it can wrap the GeoServer one, which might then be extracted if need be. Amend method signatures to allow throwing this exception.


-- 
Kevin Michael Smith
[hidden email]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geowebcache-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geowebcache-devel



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Geowebcache-devel] GSIP-159 GeoWebCache data security API

geowolf
In reply to this post by Kevin Smith-3
Hi Kevin,
the current security mechanism in GeoServer work off an Authentication, this one
seems to be based on Spring own SecurityContext, but the API you shown says that's an Object....
Can you clarify how that fits toghether and the rationale behind the different approach?

Cheers
Andrea


On Fri, Jun 16, 2017 at 12:46 AM, Kevin Smith <[hidden email]> wrote:

https://github.com/geoserver/geoserver/wiki/GSIP-159

GeoServer currently uses a rather ugly and brittle mechanism to apply data security (Certain users should only be able to view certain layers or certain parts of layers) to the service endpoints of its internal GWC instance.

This proposal is to add an API to GeoWebCache to do security checks which GeoServer can extend to apply its own security rules deeper inside GWC, after the service endpoints have parsed the request into a universal Conveyor object.


Filter to check that the request is allowed.

interface SecurityFilter {
  public void checkSecurity(TileLayer layer, BoundingBox extent, SRS srs, Object securityContext) throws SecurityException;
}

Extension point that the GeoWebCacheDispatcher can call to generate appropriate security context object to be stored on the resulting Conveyor

interface SecurityContextProvider<Context> {
  public Context getSecurityContext(HttpRequest request)
}

Add accessors for a securityContext property to Conveyor. GeoWebCacheDispatcher calls Service.getConveyor to get a Conveyor, then handles it. The context would be attached in between those steps.

conv = service.getConveyor(request, response);
securityContext = securityContextProvider.getSecurityContext(request);
conv.setSecurityContext(securityContext);

Add a SecurityException class. Allow it to wrap another exception so it can wrap the GeoServer one, which might then be extracted if need be. Amend method signatures to allow throwing this exception.


-- 
Kevin Michael Smith
[hidden email]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geowebcache-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geowebcache-devel




--
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==

Ing. Andrea Aime 
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39  339 8844549


AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

 

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility  for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


-------------------------------------------------------

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Geowebcache-devel] GSIP-159 GeoWebCache data security API

Kevin Smith-3
On 6/17/17 10:53 AM, Andrea Aime wrote:
> Hi Kevin,
> the current security mechanism in GeoServer work off an
> Authentication, this one
> seems to be based on Spring own SecurityContext, but the API you shown
> says that's an Object....
> Can you clarify how that fits toghether and the rationale behind the
> different approach?
>

This is the API for upstream GeoWebCache and I didn't want to unduly
restrict future development there.   I'm happy to consider making Spring
Security part of the GWC API, but being flexible seemed like a better
starting point for discussion.

--
Kevin Michael Smith
<[hidden email]>



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

signature.asc (501 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [Geowebcache-devel] GSIP-159 GeoWebCache data security API

jody.garnett
Kevin do you want to take this opportunity to make use of spring security?
This proposal has been held open for a while now and I want to make sure you are not stuck.

--
Jody Garnett

On 19 June 2017 at 14:29, Kevin Smith <[hidden email]> wrote:
On 6/17/17 10:53 AM, Andrea Aime wrote:
> Hi Kevin,
> the current security mechanism in GeoServer work off an
> Authentication, this one
> seems to be based on Spring own SecurityContext, but the API you shown
> says that's an Object....
> Can you clarify how that fits toghether and the rationale behind the
> different approach?
>

This is the API for upstream GeoWebCache and I didn't want to unduly
restrict future development there.   I'm happy to consider making Spring
Security part of the GWC API, but being flexible seemed like a better
starting point for discussion.

--
Kevin Michael Smith
<[hidden email]>



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geowebcache-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geowebcache-devel



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Geowebcache-devel] GSIP-159 GeoWebCache data security API

Kevin Smith-3

I've updated the proposal with Andrea's suggestion of not passing the context as a parameter and using out of band context like a thread local from Spring Security)

At this point there's not a lot of API change left.  Just adding the new interface and expanding which exceptions are thrown. 

Using AcessControlException as Jody suggested bothers me a bit as the Javadocs tie it to specific other components.  I do like the idea of existing exception classes, although a subclass of GeoWebCacheException would probably be less disruptive.

On 6/26/17 10:48 AM, Jody Garnett wrote:
Kevin do you want to take this opportunity to make use of spring security?
This proposal has been held open for a while now and I want to make sure you are not stuck.

--
Jody Garnett

On 19 June 2017 at 14:29, Kevin Smith <[hidden email]> wrote:
On 6/17/17 10:53 AM, Andrea Aime wrote:
> Hi Kevin,
> the current security mechanism in GeoServer work off an
> Authentication, this one
> seems to be based on Spring own SecurityContext, but the API you shown
> says that's an Object....
> Can you clarify how that fits toghether and the rationale behind the
> different approach?
>

This is the API for upstream GeoWebCache and I didn't want to unduly
restrict future development there.   I'm happy to consider making Spring
Security part of the GWC API, but being flexible seemed like a better
starting point for discussion.

--
Kevin Michael Smith
<[hidden email]>



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geowebcache-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geowebcache-devel



-- 
Kevin Michael Smith
[hidden email]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

signature.asc (501 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [Geowebcache-devel] GSIP-159 GeoWebCache data security API

jody.garnett
Thanks Kevin, I have added my +1

--
Jody Garnett

On 14 July 2017 at 16:43, Kevin Smith <[hidden email]> wrote:

I've updated the proposal with Andrea's suggestion of not passing the context as a parameter and using out of band context like a thread local from Spring Security)

At this point there's not a lot of API change left.  Just adding the new interface and expanding which exceptions are thrown. 

Using AcessControlException as Jody suggested bothers me a bit as the Javadocs tie it to specific other components.  I do like the idea of existing exception classes, although a subclass of GeoWebCacheException would probably be less disruptive.


On 6/26/17 10:48 AM, Jody Garnett wrote:
Kevin do you want to take this opportunity to make use of spring security?
This proposal has been held open for a while now and I want to make sure you are not stuck.

--
Jody Garnett

On 19 June 2017 at 14:29, Kevin Smith <[hidden email]> wrote:
On 6/17/17 10:53 AM, Andrea Aime wrote:
> Hi Kevin,
> the current security mechanism in GeoServer work off an
> Authentication, this one
> seems to be based on Spring own SecurityContext, but the API you shown
> says that's an Object....
> Can you clarify how that fits toghether and the rationale behind the
> different approach?
>

This is the API for upstream GeoWebCache and I didn't want to unduly
restrict future development there.   I'm happy to consider making Spring
Security part of the GWC API, but being flexible seemed like a better
starting point for discussion.

--
Kevin Michael Smith
<[hidden email]>



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geowebcache-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geowebcache-devel



-- 
Kevin Michael Smith
[hidden email]


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
Reply | Threaded
Open this post in threaded view
|

Re: [Geowebcache-devel] GSIP-159 GeoWebCache data security API

Ben Caradoc-Davies-2
In reply to this post by Kevin Smith-3
+1.

Kind regards,
Ben.

On 15/07/17 11:43, Kevin Smith wrote:

> I've updated the proposal with Andrea's suggestion of not passing the
> context as a parameter and using out of band context like a thread local
> from Spring Security)
>
> At this point there's not a lot of API change left.  Just adding the new
> interface and expanding which exceptions are thrown.
>
> Using AcessControlException as Jody suggested bothers me a bit as the
> Javadocs tie it to specific other components.  I do like the idea of
> existing exception classes, although a subclass of GeoWebCacheException
> would probably be less disruptive.
>
> On 6/26/17 10:48 AM, Jody Garnett wrote:
>> Kevin do you want to take this opportunity to make use of spring security?
>> This proposal has been held open for a while now and I want to make
>> sure you are not stuck.
>>
>> --
>> Jody Garnett
>>
>> On 19 June 2017 at 14:29, Kevin Smith <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>>      On 6/17/17 10:53 AM, Andrea Aime wrote:
>>      > Hi Kevin,
>>      > the current security mechanism in GeoServer work off an
>>      > Authentication, this one
>>      > seems to be based on Spring own SecurityContext, but the API you
>>      shown
>>      > says that's an Object....
>>      > Can you clarify how that fits toghether and the rationale behind the
>>      > different approach?
>>      >
>>
>>      This is the API for upstream GeoWebCache and I didn't want to unduly
>>      restrict future development there.   I'm happy to consider making
>>      Spring
>>      Security part of the GWC API, but being flexible seemed like a better
>>      starting point for discussion.
>>
>>      --
>>      Kevin Michael Smith
>>      <[hidden email] <mailto:[hidden email]>>
>>
>>
>>
>>      ------------------------------------------------------------------------------
>>      Check out the vibrant tech community on one of the world's most
>>      engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>      _______________________________________________
>>      Geowebcache-devel mailing list
>>      [hidden email]
>>      <mailto:[hidden email]>
>>      https://lists.sourceforge.net/lists/listinfo/geowebcache-devel
>>      <https://lists.sourceforge.net/lists/listinfo/geowebcache-devel>
>>
>>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> Geoserver-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>

--
Ben Caradoc-Davies <[hidden email]>
Director
Transient Software Limited <http://transient.nz/>
New Zealand

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Geoserver-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel