2.7.RC1 Security Regression

Description

Thanks to Patric Hafner for some last moment 2.7-RC1 testing:

Dear List members,

during some tests on data security with GeoServer 2.7-rc1 I discovered a
strange behaviour that I could not understand:

(All steps performed on a fresh installation)

Test case 1
-----------

I created a new role and user and finally configured this single rule
for data security (no other rule exists!)

"topp.*.r testrole"

-> Behaves like expected: The user with role "testrole" can now access
all layers of Workspace "topp" for example via WMS and all layers are
shown in his Layer preview.

-> Behaves like expected: Unauthorized access via WMS to layers of
workspace "topp" gets HTTP response with status code 404

but if I try to narrow the data security rule:

Test case 2
-----------

I created a new role and user and finally configured this single rule
for data security (no other rule exists!)

"topp.states.r testrole"

-> Unexpected behaviour: The user with role "testrole" can now access
all layers of Workspace "topp" for example via WMS and all layers are
shown in his Layer preview! I expected only layer states.

-> Unexpected behaviour: Access via WMS to all layers of workspace
"topp" is also possible without any authorization! This data security
rule does not seem to have any effect at all.

Could somebody explain this behaviour, or is this a bug? I was not
able to find an issue on this bug yet.


Check 1: Deletion of default data security rules

*.*.r *
*.*.w *

GeoServer 2.6.2: Not possible, they are getting re-created automatically

GeoServer 2.7-rc1: Not possible, they are getting re-created automatically

Check 2: Limitation of layer access

Adding:

topp.states.r testrole

GeoServer 2.6.2: OK: Layer "states" only readable for role "testrole"

GeoServer 2.7-rc1: OK: Layer "states" only readable for role "testrole"

After adding the new rule, I am able to remove both default rules on both versions. As expected, this has no effect on security.

And this is where the difference occurs:

GeoServer 2.6.2: All layers except layer "topp.states" are shown in layer preview and are accessible via WMS for unauthorized users
(Like I expected)

GeoServer 2.7-rc1: All layers except all layers of workspace topp are shown in layer preview. This is not what I have expected.

To summarize:

  • I was confused by the fact that deletion of both default security rules does not have any effect. They still remain active but are invisible.
    I expected the deletion to make them inactive. Maybe it should really be impossible to remove them from the GUI, or the removal should have an effect.

  • Maybe a minor issue: Contents shown in layer preview for unprivileged users differ between GeoServer 2.6.2 and 2.7-rc1 in my test case.

Best regards,
Patric

--
web www.geops.de
rss www.geops.de/blog/feed
follow www.twitter.com/geops

Further clarification from Torbien:

Detailed test procedure and results follow. Results where 2.7-RC1 and 2.6.2 differ are marked with a star. Ultimately, I got the same results as Patric:

Initial setup:
--------------
Security > Users, Groups, and Roles > Roles

  • Create Role "testrole"

Security > Users, Groups, and Roles > Users

  • Create User/Pass test/test with role testrole

Test case 1
------------
Security > Data

  • Add new rule "topp.*.r"

  • Assigned to role "testrole"

  • Deleted default "*.*.r" and "*.*.w" rules. (Only have the one rule)

Results
-------

GeoServer-2.7-RC1
-----------------

When logged in as test:

  • All layers listed in layer preview

  • All layers accessible from layer preview

When logged out:
  • All layers not in topp listed in layer preview

  • All layers not in topp accessible from layer preview. topp layers give 404.

GeoServer-2.6.2
---------------

When logged in as test:

  • All layers listed in layer preview

  • All layers accessible from layer preview

When logged out:
  • All layers not in topp listed in layer preview

  • All layers not in topp accessible from layer preview. topp layers give 404.

Test case 2
--------------
Security > Data

  • Add new rule "topp.states.r".

  • Assigned to role "testrole"

  • Deleted default "*.*.r" and "*.*.w" rules. (Only have the one rule)

Results
-------

GeoServer-2.7-RC1
-----------------

When logged in as test:

  • All layers listed in layer preview

  • All layers accessible from layer preview

When logged out:

  • All layers not in topp listed in layer preview

  • All layers not in topp accessible from layer preview. topp layers give 404.

GeoServer-2.6.2
---------------

When logged in as test:

  • All layers listed in layer preview

  • All layers accessible from layer preview

When logged out:

  • All layers except topp.states listed in layer preview

  • All layers except topp.states accessible from layer preview. topp.states gives WMS error: Could not find layer topp:states
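The rule semantics both test cases rely on (a layer-level rule such as topp.states.r overrides the workspace-level and catch-all rules only for that one layer, so an unauthenticated user should lose topp:states and nothing else) can be checked against a small model. The following is an added example, not GeoServer's own code: it assumes the documented most-specific-rule-wins resolution, reads the default rules shown in the report as the *.*.r / *.*.w catch-alls, and uses a constructed catalog of layers in place of a fresh install's sample data. The 2.6.2 results listed above are encoded as the expected outcome, which is the assertion a regression check against a new release would make.

```python
"""Model of GeoServer-style layer security rules (assumption: most specific rule wins).

Rule key:   workspace.layer.mode   ("*" wildcards allowed, mode is "r" or "w")
Rule value: comma-separated roles; "*" means any user, including anonymous.
This is an added illustration, not GeoServer's implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    workspace: str
    layer: str
    mode: str
    roles: frozenset


def parse_rules(text):
    """Parse layers.properties-style lines such as 'topp.states.r=testrole'."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"rule without '=': {line!r}")
        parts = key.strip().split(".")
        if len(parts) != 3 or parts[2] not in ("r", "w"):
            raise ValueError(f"bad rule key: {key!r}")
        roles = frozenset(r.strip() for r in value.split(",") if r.strip())
        rules.append(Rule(parts[0], parts[1], parts[2], roles))
    return rules


def specificity(rule, workspace, layer):
    """Score how specifically a rule matches a layer, or None if it does not match.
    A layer-level rule (3) beats a workspace-level rule (2) beats the catch-all (0)."""
    if rule.workspace not in ("*", workspace) or rule.layer not in ("*", layer):
        return None
    return 2 * (rule.workspace != "*") + (rule.layer != "*")


def is_allowed(rules, workspace, layer, mode, user_roles):
    """Decide access: the single most specific matching rule for this mode wins."""
    best, best_score = None, -1
    for rule in rules:
        if rule.mode != mode:
            continue
        score = specificity(rule, workspace, layer)
        if score is not None and score > best_score:
            best, best_score = rule, score
    if best is None:
        return False  # no rule matches at all: deny
    return "*" in best.roles or not best.roles.isdisjoint(user_roles)


def visible_layers(rules, catalog, user_roles):
    """Layers a user with these roles may read, i.e. what layer preview should list."""
    return [f"{ws}:{name}" for ws, name in catalog
            if is_allowed(rules, ws, name, "r", user_roles)]


# Constructed catalog standing in for the sample data of a fresh install.
CATALOG = [("topp", "states"), ("topp", "tasmania_roads"),
           ("tiger", "poly_landmarks"), ("sf", "roads")]

# Test case 1 of the report: the whole topp workspace readable only by testrole.
CASE1_RULES = parse_rules("""
*.*.r=*
*.*.w=*
topp.*.r=testrole
""")

# Test case 2 of the report: only topp:states restricted to testrole.
CASE2_RULES = parse_rules("""
*.*.r=*
*.*.w=*
topp.states.r=testrole
""")

if __name__ == "__main__":
    for label, rules in (("case 1", CASE1_RULES), ("case 2", CASE2_RULES)):
        print(label, "anonymous:", visible_layers(rules, CATALOG, []))
        print(label, "testrole: ", visible_layers(rules, CATALOG, ["testrole"]))
```

For test case 2 the model lists three layers for an anonymous user (everything except topp:states), which matches the 2.6.2 column of the results above; a release that hides all of topp for that rule, as 2.7-RC1 did, fails the same check. The model also makes an empty or non-matching rule set deny everything, whereas the report shows GeoServer silently re-creating the two default rules, so a deployment that relies on deleting them is not actually locked down.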

Environment

None

Activity

codehaus
April 10, 2015, 3:51 PM

CodeHaus Comment From: jgarnett - Time: Thu, 19 Mar 2015 13:01:34 -0500
---------------------
Niels has provided the following fix:

  • https://github.com/NielsCharlier/geoserver/commit/933f3c64c9fff980352eb89fc703f73e71f4398e

Nicola has packaged this up with a test case:

  • https://github.com/geoserver/geoserver/pull/980

Andrea Aime
February 15, 2017, 11:47 AM

Mass closing all resolved issues not modified in the last 4 weeks

Assignee

Nicola Lagomarsini

Reporter

codehaus

Triage

None

Priority

Medium