+ getSecurityConfig().getConfigPasswordEncrypterName()); Catalog catalog = getCatalog(); List<StoreInfo> stores = catalog.getStores(StoreInfo.class); for (StoreInfo info : stores) { for (GeoServerSecurityProvider prov : lookupSecurityProviders()) { configClasses.addAll(prov.getFieldsForEncryption().keySet()); for (String name : listPasswordValidators()) { PasswordPolicyConfig config = passwordValidatorHelper.loadConfig(name); for (Class<?> classWithEncryption : configClasses) { for (String name : listRoleServices()) { SecurityNamedServiceConfig config = roleServiceHelper.loadConfig(name); for (Class<?> classWithEncryption : configClasses) { for (String name : listUserGroupServices()) { SecurityNamedServiceConfig config = userGroupServiceHelper.loadConfig(name); for (Class<?> classWithEncryption : configClasses) { for (String name : listAuthenticationProviders()) { SecurityNamedServiceConfig config = authProviderHelper.loadConfig(name); for (Class<?> classWithEncryption : configClasses) { for (String name : listFilters()) { SecurityNamedServiceConfig config = filterHelper.loadConfig(name); for (Class<?> classWithEncryption : configClasses) {
@Override public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException, DataAccessException { Matcher m = TOKEN_PATTERN.matcher(username); if (!m.matches()) { throw new UsernameNotFoundException("No delimiter '@' found in username: " + username); } String user = m.group(1).replace("\\@", "@"); String service = m.group(2); try { GeoServerUserGroupService ugService = securityManager.loadUserGroupService(service); return new RememberMeUserDetails(ugService.loadUserByUsername(user), service); } catch (IOException e) { throw new DataAccessException("Error loading user group service " + service, e) {}; } } }
/** * converts an 2.3.x security configuration to 2.4.x * * @return <code>true</code> if migration has taken place */ boolean migrateFrom23() throws Exception { SecurityManagerConfig config = loadSecurityConfig(); RequestFilterChain webChain = config.getFilterChain() .getRequestChainByName(GeoServerSecurityFilterChain.WEB_CHAIN_NAME); boolean migrated = false; List<String> patterns = webChain.getPatterns(); if (patterns.contains("/") == false) { patterns.add("/"); saveSecurityConfig(config); migrated |= true; } return migrated; }
String computeAndSaveMasterPasswordDigest(char[] passwd) throws IOException { GeoServerDigestPasswordEncoder pwEncoder = loadPasswordEncoder(GeoServerDigestPasswordEncoder.class); String masterPasswdDigest = pwEncoder.encodePassword(passwd, null); saveMasterPasswordDigest(masterPasswdDigest); return masterPasswdDigest; }
/** * Get master password for REST configuraton * * <p>The method inspects the stack trace to check for an authorized calling method. The * authenticated principal has to be an administrator * * <p>If authorization fails, an IOException is thrown * * @throws IOException */ public char[] getMasterPasswordForREST() throws IOException { if (checkAuthenticationForAdminRole() == false) { throw new IOException("Unauthorized user tries to read master password"); } String[][] allowedMethods = new String[][] { {"org.geoserver.rest.security.MasterPasswordController", "masterPasswordGet"} }; String result = checkStackTrace(10, allowedMethods); if (result != null) { throw new IOException("Unauthorized method wants to read master password\n" + result); } return getMasterPassword(); }
public SortedSet<String> listFilterCandidates(GeoServerSecurityManager m) throws IOException { SortedSet<String> result = new TreeSet<String>(); for (String filterName : m.listFilters(GeoServerAuthenticationFilter.class)) { GeoServerAuthenticationFilter filter = (GeoServerAuthenticationFilter) m.loadFilter(filterName); if (filter.applicableForHtml()) result.add(filterName); } return result; } }
if (role().getType() != Type.UNDEFINED) { Resource oldUserFile = security().get("users.properties.old"); if (oldUserFile.getType() != Type.UNDEFINED) { LOGGER.warning(oldUserFile.path() + " could be removed manually"); loadMasterPassswordProviderConfig("default"); if (mpProviderConfig == null) { mpProviderConfig = new URLMasterPasswordProviderConfig(); saveMasterPasswordProviderConfig(mpProviderConfig, false); loadMasterPasswordProvider(mpProviderConfig.getName()); Resource propFile = security().get("users.properties"); Properties userprops = null; if (propFile.getType() == Type.RESOURCE) userprops = Util.loadPropertyFile(propFile); mpProvider.setMasterPassword(extractMasterPasswordForMigration(userprops)); saveMasterPasswordConfig(mpConfig); Resource serviceFile = security().get("services.properties"); if (serviceFile.getType() == Type.UNDEFINED) { org.geoserver.util.IOUtils.copy( loadUserGroupService(XMLUserGroupService.DEFAULT_NAME); KeyStoreProvider keyStoreProvider = getKeyStoreProvider(); keyStoreProvider.reloadKeyStore(); keyStoreProvider.setUserGroupKey(
expect(secMgr.getApplicationContext()).andReturn(appContext).anyTimes(); .andReturn(MasterPasswordProvider.DEFAULT_NAME) .anyTimes(); expect(secMgr.listMasterPasswordProviders()) .andReturn(new TreeSet<String>(Arrays.asList(MasterPasswordProvider.DEFAULT_NAME))) .anyTimes(); expect(secMgr.masterPasswordProvider()).andReturn(Files.asResource(mrPwdFolder)).anyTimes(); expect(secMgr.loadPasswordValidator(PasswordValidator.DEFAULT_NAME)) .andReturn(passwdValidator) .anyTimes(); expect(secMgr.loadPasswordValidator(PasswordValidator.MASTERPASSWORD_NAME)) .andReturn(masterPasswdValidator) .anyTimes(); expect(secMgr.listPasswordValidators()) .andReturn( new TreeSet<String>( expect(secMgr.listUserGroupServices()) .andReturn(new TreeSet<String>(Arrays.asList(XMLUserGroupService.DEFAULT_NAME))) .anyTimes(); .andReturn(PasswordValidator.DEFAULT_NAME) .anyTimes(); expect(secMgr.loadUserGroupServiceConfig(XMLUserGroupService.DEFAULT_NAME)) .andReturn(ugConfig)
protected void prepareAuthProviders(String... authProviderNames) throws Exception { SecurityManagerConfig config = getSecurityManager().getSecurityConfig(); config.getAuthProviderNames().clear(); for (String n : authProviderNames) config.getAuthProviderNames().add(n); getSecurityManager().saveSecurityConfig(config); }
GeoServerSecurityFilter filter = loadFilter(filterName); filterRoot().get(GeoServerSecurityFilterChain.FORM_LOGOUT_FILTER); Resource oldLogoutFilterConfig = logoutFilterDir.get("config.xml.2.2.x"); Resource oldSecManagerConfig = security().get("config.xml.2.2.x"); GeoServerRoleFilter.DEFAULT_HEADER_ATTRIBUTE); rfConfig.setRoleConverterName(GeoServerRoleFilter.DEFAULT_ROLE_CONVERTER); saveFilter(rfConfig); sslConfig.setName(GeoServerSecurityFilterChain.SSL_FILTER); sslConfig.setSslPort(443); saveFilter(sslConfig); LogoutFilterConfig loConfig = (LogoutFilterConfig) loadFilterConfig(GeoServerSecurityFilterChain.FORM_LOGOUT_FILTER); loConfig.setRedirectURL(GeoServerLogoutFilter.URL_AFTER_LOGOUT); saveFilter(loConfig); security().get("config.xml").in(), oldSecManagerConfig.out()); SecurityManagerConfig config = loadSecurityConfig(); for (RequestFilterChain chain : config.getFilterChain().getRequestChains()) { if (chain.getFilterNames() removeFilter( loadFilterConfig(GeoServerSecurityFilterChain.GUI_EXCEPTION_TRANSLATION_FILTER)); saveSecurityConfig(config);
throws Exception { GeoServerSecurityManager secMgr = getSecurityManager(); GeoServerUserGroupService ugService = secMgr.loadUserGroupService("default"); GeoServerRoleService roleService = secMgr.getActiveRoleService(); GeoServerRoleStore roleStore = roleService.createStore(); for (String roleName : roles) {
@Test public void testActive() throws Exception { GeoServerSecurityManager secMgr = getSecurityManager(); UsernamePasswordAuthenticationProviderConfig config = new UsernamePasswordAuthenticationProviderConfig(); config.setName("custom"); config.setClassName(AuthProvider.class.getName()); secMgr.saveAuthenticationProvider(config); SecurityManagerConfig mgrConfig = secMgr.getSecurityConfig(); mgrConfig.getAuthProviderNames().add("custom"); mgrConfig.setConfigPasswordEncrypterName(getPlainTextPasswordEncoder().getName()); secMgr.saveSecurityConfig(mgrConfig); Authentication auth = new UsernamePasswordAuthenticationToken("foo", "bar"); auth = getSecurityManager().authenticationManager().authenticate(auth); assertTrue(auth.isAuthenticated()); }
throws IOException { List<LogoutHandler> result = new ArrayList<LogoutHandler>(); SortedSet<String> logoutFilterNames = getSecurityManager().listFilters(LogoutHandler.class); logoutFilterNames.removeAll(Arrays.asList(skipHandlerName)); Set<String> handlerNames = new HashSet<String>(); getSecurityManager().getSecurityConfig().getFilterChain(); for (RequestFilterChain requestChain : chain.getRequestChains()) { for (String filterName : requestChain.getFilterNames()) { result.add((LogoutHandler) getSecurityManager().loadFilter(handlerName));
/** * Calculates roles from a {@link GeoServerRoleService} The default service is {@link * GeoServerSecurityManager#getActiveRoleService()} * * <p>The result contains all inherited roles, but no personalized roles * * @param request * @param principal * @throws IOException */ protected Collection<GeoServerRole> getRolesFromRoleService( HttpServletRequest request, String principal) throws IOException { boolean useActiveService = getRoleServiceName() == null || getRoleServiceName().trim().length() == 0; GeoServerRoleService service = useActiveService ? getSecurityManager().getActiveRoleService() : getSecurityManager().loadRoleService(getRoleServiceName()); RoleCalculator calc = new RoleCalculator(service); return calc.calculateRoles(principal); }
public void validateRemoveRoleService(SecurityRoleServiceConfig config) throws SecurityConfigException { validateRemoveNamedService(GeoServerRoleService.class, config); if (manager.getActiveRoleService().getName().equals(config.getName())) { throw createSecurityException(ROLE_SERVICE_ACTIVE_$1, config.getName()); } }
/** * Encrypts a parameter value. * * <p>If no encoder is configured then the value is returned as is. */ public String encode(String value) { String encoderName = securityManager.getSecurityConfig().getConfigPasswordEncrypterName(); if (encoderName != null) { GeoServerPasswordEncoder pwEncoder = securityManager.loadPasswordEncoder(encoderName); if (pwEncoder != null) { String prefix = pwEncoder.getPrefix(); if (value.startsWith(prefix + GeoServerPasswordEncoder.PREFIX_DELIMTER)) { throw new RuntimeException( "Cannot encode a password with prefix: " + prefix + GeoServerPasswordEncoder.PREFIX_DELIMTER); } value = pwEncoder.encodePassword(value, null); } } else { LOGGER.warning("Encryption disabled, no password encoder set"); } return value; }
private BruteForcePreventionConfig getConfig() { BruteForcePreventionConfig config = securityManager.getSecurityConfig().getBruteForcePrevention(); if (config == null) { return BruteForcePreventionConfig.DEFAULT; } else { return config; } }
/** * Checks if the currently authenticated user has the administrator role. * * <p>This method is shorthand for: <code> * <pre> * checkAuthenticationForAdminRole(SecurityContextHolder.getContext().getAuthentication()) * </pre> * </code> */ public boolean checkAuthenticationForAdminRole() { if (SecurityContextHolder.getContext() == null) return checkAuthenticationForAdminRole(null); else return checkAuthenticationForAdminRole( SecurityContextHolder.getContext().getAuthentication()); }
public void testAuthentificationWithRoleAssociation() throws Exception { GeoServerRoleService roleService = createRoleService("jdbc2"); JDBCConnectAuthProviderConfig config = createAuthConfg("jdbc2", null); getSecurityManager().saveAuthenticationProvider(config); GeoServerAuthenticationProvider provider = getSecurityManager().loadAuthenticationProvider("jdbc2"); roleStore.associateRoleToUser(GeoServerRole.ADMIN_ROLE, "sa"); roleStore.store(); getSecurityManager().setActiveRoleService(roleService);
void createFilterChain() { if (!securityManager.isInitialized()) { SecurityManagerConfig config = securityManager.getSecurityConfig(); GeoServerSecurityFilterChain filterChain = new GeoServerSecurityFilterChain(config.getFilterChain()); securityManager.getAuthenticationCache().removeAll();