/**
 * Clears the erroneous access-denied (HTTP 403) error page from the stock exception
 * translation filter configurations (see GEOS-4943).
 *
 * <p>Both the dynamic and the GUI exception translation filter configs are checked. A config is
 * rewritten only when its error page is exactly {@code /accessDenied.jsp}; per the original
 * note, that page does not exist and would not work if it did. Any other value, including a
 * custom page, is left untouched, and a filter config that cannot be loaded is skipped.
 *
 * @throws Exception if loading or saving a filter configuration fails
 */
void removeErroneousAccessDeniedPage() throws Exception {
    final String stalePage = "/accessDenied.jsp";
    final String[] translationFilterNames = {
        GeoServerSecurityFilterChain.DYNAMIC_EXCEPTION_TRANSLATION_FILTER,
        GeoServerSecurityFilterChain.GUI_EXCEPTION_TRANSLATION_FILTER
    };

    for (String translationFilterName : translationFilterNames) {
        ExceptionTranslationFilterConfig translationConfig =
                (ExceptionTranslationFilterConfig) loadFilterConfig(translationFilterName);
        if (translationConfig == null) {
            // Nothing persisted under this name, so there is nothing to clean up.
            continue;
        }
        if (!stalePage.equals(translationConfig.getAccessDeniedErrorPage())) {
            // Exact match only: a deliberately configured page must survive the migration.
            continue;
        }
        translationConfig.setAccessDeniedErrorPage(null);
        saveFilter(translationConfig);
    }
}
if (StringUtils.hasLength(authConfig.getAuthenticationFilterName())) { GeoServerSecurityFilter authFilter = getSecurityManager().loadFilter(authConfig.getAuthenticationFilterName()); ep.setEntryEntryPoint(authFilter.getAuthenticationEntryPoint()); if (StringUtils.hasLength(authConfig.getAccessDeniedErrorPage())) { if (GeoServerExtensions.file(authConfig.getAccessDeniedErrorPage()) != null) accessDeniedHandler.setErrorPage(authConfig.getAccessDeniedErrorPage()); else LOGGER.warning("Cannot find: " + authConfig.getAccessDeniedErrorPage());
filter = loadFilter(filterName); if (filter == null) { ExceptionTranslationFilterConfig bfConfig = new ExceptionTranslationFilterConfig(); bfConfig.setClassName(GeoServerExceptionTranslationFilter.class.getName()); bfConfig.setName(filterName); bfConfig.setAuthenticationFilterName(null); bfConfig.setAccessDeniedErrorPage("/accessDenied.jsp"); saveFilter(bfConfig); filter = loadFilter(filterName); if (filter == null) { ExceptionTranslationFilterConfig bfConfig = new ExceptionTranslationFilterConfig(); bfConfig.setClassName(GeoServerExceptionTranslationFilter.class.getName()); bfConfig.setName(filterName); bfConfig.setAuthenticationFilterName(GeoServerSecurityFilterChain.FORM_LOGIN_FILTER); bfConfig.setAccessDeniedErrorPage("/accessDenied.jsp"); saveFilter(bfConfig);
/**
 * Validates the authentication entry point referenced by an exception translation filter
 * configuration.
 *
 * <p>When no authentication filter name is set, the configuration is accepted as is. Otherwise
 * the named filter configuration must be loadable and must declare that it provides an
 * authentication entry point.
 *
 * <p>Only the authentication filter name is examined; this method does not read the
 * access-denied error page held by the same configuration.
 *
 * @param config the exception translation filter configuration to check
 * @throws FilterConfigException with {@code INVALID_ENTRY_POINT} if the named filter
 *     configuration cannot be found, or {@code NO_AUTH_ENTRY_POINT} if it does not provide an
 *     authentication entry point
 */
public void validateFilterConfig(ExceptionTranslationFilterConfig config)
        throws FilterConfigException {
    final String entryPointFilterName = config.getAuthenticationFilterName();
    if (!isNotEmpty(entryPointFilterName)) {
        return;
    }

    try {
        SecurityNamedServiceConfig referencedConfig =
                manager.loadFilterConfig(entryPointFilterName);
        if (referencedConfig == null) {
            throw createFilterException(
                    FilterConfigException.INVALID_ENTRY_POINT, entryPointFilterName);
        }

        // Only security filter configs can declare an entry point; any other type is rejected.
        boolean providesEntryPoint =
                referencedConfig instanceof SecurityFilterConfig
                        && ((SecurityFilterConfig) referencedConfig)
                                .providesAuthenticationEntryPoint();
        if (!providesEntryPoint) {
            throw createFilterException(
                    FilterConfigException.NO_AUTH_ENTRY_POINT, entryPointFilterName);
        }
    } catch (IOException ex) {
        // A failure to read the stored configuration surfaces as an unchecked exception.
        throw new RuntimeException(ex);
    }
}
} // closes the enclosing type, which opens outside this excerpt
/**
 * Checks how {@code FilterConfigValidator} treats the authentication filter name of an
 * exception translation filter configuration: an unknown name and a filter expected to provide
 * no entry point must both be rejected with the matching error id, while a {@code null} name
 * must pass.
 */
@Test
public void testExceptionTranslationFilterConfigValidation() throws Exception {
    ExceptionTranslationFilterConfig translationConfig = new ExceptionTranslationFilterConfig();
    translationConfig.setClassName(GeoServerExceptionTranslationFilter.class.getName());
    translationConfig.setName("testEx");

    FilterConfigValidator configValidator = new FilterConfigValidator(getSecurityManager());

    // Case 1: the referenced filter does not exist at all.
    translationConfig.setAuthenticationFilterName("unknown");
    try {
        configValidator.validateFilterConfig(translationConfig);
        fail("invalid entry point should fail");
    } catch (FilterConfigException rejected) {
        assertEquals(FilterConfigException.INVALID_ENTRY_POINT, rejected.getId());
        assertEquals(1, rejected.getArgs().length);
        assertEquals("unknown", rejected.getArgs()[0]);
    }

    // Case 2: the referenced filter is expected to be rejected for providing no entry point.
    final String interceptorName = GeoServerSecurityFilterChain.FILTER_SECURITY_INTERCEPTOR;
    translationConfig.setAuthenticationFilterName(interceptorName);
    try {
        configValidator.validateFilterConfig(translationConfig);
        fail("no auth entry point should fail");
    } catch (FilterConfigException rejected) {
        assertEquals(FilterConfigException.NO_AUTH_ENTRY_POINT, rejected.getId());
        assertEquals(1, rejected.getArgs().length);
        assertEquals(interceptorName, rejected.getArgs()[0]);
    }

    // Case 3: no authentication filter configured; validation must complete without throwing.
    translationConfig.setAuthenticationFilterName(null);
    configValidator.validateFilterConfig(translationConfig);
}