/**
 * Converts a 2.3.x security configuration to 2.4.x by making sure the web filter chain
 * also matches the root pattern {@code "/"}.
 *
 * @return <code>true</code> if migration has taken place
 * @throws Exception if loading or saving the security configuration fails
 */
boolean migrateFrom23() throws Exception {
    SecurityManagerConfig config = loadSecurityConfig();
    RequestFilterChain webChain =
            config.getFilterChain()
                    .getRequestChainByName(GeoServerSecurityFilterChain.WEB_CHAIN_NAME);
    List<String> patterns = webChain.getPatterns();
    if (patterns.contains("/")) {
        // already in 2.4.x shape, nothing to persist
        return false;
    }
    // 2.3.x web chains did not list the root pattern; add it and write the config back
    patterns.add("/");
    saveSecurityConfig(config);
    return true;
}
/**
 * Copy constructor: duplicates {@code config} so the copy can be edited independently of
 * the source.
 *
 * <p>The auth provider list and the filter chain are copied only when non-null; the
 * remember-me and brute-force settings are always wrapped in new config objects, so a null
 * value there is passed straight to the respective constructor.
 *
 * @param config the configuration to copy
 */
public SecurityManagerConfig(SecurityManagerConfig config) {
    GeoServerSecurityFilterChain sourceChain = config.getFilterChain();

    this.roleServiceName = config.getRoleServiceName();
    this.authProviderNames =
            config.getAuthProviderNames() == null
                    ? null
                    : new ArrayList<String>(config.getAuthProviderNames());
    this.filterChain = sourceChain == null ? null : new GeoServerSecurityFilterChain(sourceChain);
    this.rememberMeService = new RememberMeServicesConfig(config.getRememberMeService());
    this.bruteForcePrevention = new BruteForcePreventionConfig(config.getBruteForcePrevention());
    this.encryptingUrlParams = config.isEncryptingUrlParams();
    this.configPasswordEncrypterName = config.getConfigPasswordEncrypterName();
}
/**
 * Returns a copy of this configuration produced by serialization round-trip.
 *
 * <p>When {@code allowEnvParametrization} is set, a {@link GeoServerEnvironment} bean is
 * available and {@code GeoServerEnvironment.ALLOW_ENV_PARAMETRIZATION} is enabled, the
 * copy's config password encrypter name and role service name are passed through
 * {@code resolveValue} so environment placeholders are replaced in the copy only; this
 * instance keeps the raw values.
 *
 * @param allowEnvParametrization whether the caller permits placeholder resolution
 * @return the copied configuration
 */
@Override
public SecurityConfig clone(boolean allowEnvParametrization) {
    GeoServerEnvironment environment = GeoServerExtensions.bean(GeoServerEnvironment.class);
    SecurityManagerConfig copy = (SecurityManagerConfig) SerializationUtils.clone(this);
    if (copy == null) {
        return null;
    }
    boolean resolvePlaceholders =
            allowEnvParametrization
                    && environment != null
                    && GeoServerEnvironment.ALLOW_ENV_PARAMETRIZATION;
    if (resolvePlaceholders) {
        copy.setConfigPasswordEncrypterName(
                (String) environment.resolveValue(configPasswordEncrypterName));
        copy.setRoleServiceName((String) environment.resolveValue(roleServiceName));
    }
    return copy;
}
}
/**
 * Validates and persists a new security manager configuration.
 *
 * <p>The candidate is validated against a copy of the active configuration first. It is
 * then applied in memory via {@code init(config)} and written to {@code CONFIG_FILENAME}.
 * If the write fails with an {@link IOException} the previous configuration is re-applied
 * and the failure is logged but not propagated, so callers cannot tell the save failed;
 * {@code fireChanged()} is only invoked after a successful write.
 *
 * @param config the configuration to apply
 * @throws Exception if validation or (re-)initialization fails
 */
public synchronized void saveSecurityConfig(SecurityManagerConfig config) throws Exception {
    // snapshot of the active config, kept as the fallback if persisting fails
    SecurityManagerConfig previous = new SecurityManagerConfig(this.securityConfig);
    new SecurityConfigValidator(this)
            .validateManagerConfig(
                    (SecurityManagerConfig) config.clone(true),
                    (SecurityManagerConfig) previous.clone(true));

    // Not transactional: an in-memory init followed by a file write can only be
    // approximated with a manual revert on failure.
    try {
        init(config);
        String newEncrypterName = config.getConfigPasswordEncrypterName();
        if (!newEncrypterName.equals(previous.getConfigPasswordEncrypterName())) {
            // the config password encrypter changed, so files holding encrypted
            // fields are rewritten (presumably under the new encrypter — confirm)
            updateConfigurationFilesWithEncryptedFields();
        }
        xStreamPersist(security().get(CONFIG_FILENAME), config, globalPersister());
    } catch (IOException e) {
        LOGGER.log(Level.SEVERE, "Error saving security config, reverting back to previous", e);
        init(previous);
        return;
    }
    fireChanged();
}
List<RequestFilterChain> clones = new ArrayList<RequestFilterChain>(); for (RequestFilterChain chain : config.getFilterChain().getRequestChains()) { try { clones.add((RequestFilterChain)chain.clone()); config.setFilterChain(new GeoServerSecurityFilterChain(clones));
SecurityManagerConfig config = new SecurityManagerConfig(); config.setRoleServiceName(roleService.getName()); config.getAuthProviderNames().add(authProvider.getName()); config.setEncryptingUrlParams(false); config.setConfigPasswordEncrypterName( loadPasswordEncoder(GeoServerPBEPasswordEncoder.class, true, false).getName()); config.setRememberMeService(rememberMeConfig); config.setFilterChain(GeoServerSecurityFilterChain.createInitialChain()); saveSecurityConfig(config);
throws SecurityConfigException { String encrypterName = config.getConfigPasswordEncrypterName(); if (isNotEmpty(encrypterName) == false) { throw createSecurityException(PASSWORD_ENCODER_REQUIRED); encoder = manager.loadPasswordEncoder(config.getConfigPasswordEncrypterName()); } catch (NoSuchBeanDefinitionException ex) { throw createSecurityException(INVALID_PASSWORD_ENCODER_$1, encrypterName); String roleServiceName = config.getRoleServiceName(); if (roleServiceName == null) roleServiceName = ""; for (String authProvName : config.getAuthProviderNames()) { if (authProviders.contains(authProvName) == false) throw createSecurityException(AUTH_PROVIDER_NOT_FOUND_$1, authProvName); GeoServerSecurityFilterChain chain = config.getFilterChain(); GeoServerSecurityFilterChain oldChain = oldConfig.getFilterChain(); if (chain == null) { throw createSecurityException(SecurityConfigException.FILTER_CHAIN_NULL_ERROR);
/**
 * Runs the superclass setup, then saves a security configuration with URL parameter
 * encoding disabled for these tests.
 *
 * @param testData system test data passed through to the superclass
 * @throws Exception if setup or saving the configuration fails
 */
@Override
protected void onSetUp(SystemTestData testData) throws Exception {
    super.onSetUp(testData);
    GeoServerSecurityManager manager = getSecurityManager();
    SecurityManagerConfig config = manager.getSecurityConfig();
    // disable url parameter encoding for these tests
    config.setEncryptingUrlParams(false);
    manager.saveSecurityConfig(config);
}
/**
 * Registers a filter named {@code "custom"} and places it in the filter chain at the
 * requested position for the {@code "/**"} pattern, then saves the manager configuration.
 *
 * @param pos where to insert the filter (FIRST, LAST, BEFORE or AFTER)
 * @param relativeTo name of the existing filter used by BEFORE/AFTER; ignored otherwise
 * @param assertSecurityContext value stored as the filter's assertAuth setting
 * @throws Exception if saving the filter or the configuration fails
 */
void setupFilterEntry(Pos pos, String relativeTo, boolean assertSecurityContext) throws Exception {
    GeoServerSecurityManager manager = getSecurityManager();

    FilterConfig filterConfig = new FilterConfig();
    filterConfig.setName("custom");
    filterConfig.setClassName(Filter.class.getName());
    filterConfig.setAssertAuth(assertSecurityContext);
    manager.saveFilter(filterConfig);

    SecurityManagerConfig managerConfig = manager.getSecurityConfig();
    managerConfig.setConfigPasswordEncrypterName(getPlainTextPasswordEncoder().getName());
    GeoServerSecurityFilterChain chain = managerConfig.getFilterChain();
    // drop any earlier placement before re-inserting at the requested position
    chain.remove("custom");
    if (pos == Pos.FIRST) {
        chain.insertFirst("/**", "custom");
    } else if (pos == Pos.LAST) {
        chain.insertLast("/**", "custom");
    } else if (pos == Pos.BEFORE) {
        chain.insertBefore("/**", "custom", relativeTo);
    } else if (pos == Pos.AFTER) {
        chain.insertAfter("/**", "custom", relativeTo);
    }
    manager.saveSecurityConfig(managerConfig);
}
@Test public void testMasterConfigValidation() throws Exception { SecurityManagerConfig config = new SecurityManagerConfig(); config.setRoleServiceName(XMLRoleService.DEFAULT_NAME); config.setConfigPasswordEncrypterName(getPBEPasswordEncoder().getName()); config.getAuthProviderNames().add(GeoServerAuthenticationProvider.DEFAULT_NAME); validator.validateManagerConfig(config, new SecurityManagerConfig()); config.setConfigPasswordEncrypterName("abc"); validator.validateManagerConfig(config, new SecurityManagerConfig()); fail("invalid password encoder should fail"); } catch (SecurityConfigException ex) { config.setConfigPasswordEncrypterName(null); validator.validateManagerConfig(config, new SecurityManagerConfig()); fail("no password encoder should fail"); } catch (SecurityConfigException ex) { config.setConfigPasswordEncrypterName(getStrongPBEPasswordEncoder().getName()); try { validator.validateManagerConfig(config, new SecurityManagerConfig()); fail("invalid strong password encoder should fail"); } catch (SecurityConfigException ex) { config.setConfigPasswordEncrypterName(getPBEPasswordEncoder().getName()); config.setRoleServiceName("XX"); validator.validateManagerConfig(config, new SecurityManagerConfig()); fail("unknown role service should fail");
String roleServiceName = config.getRoleServiceName(); GeoServerRoleService roleService = null; try { if (!config.getAuthProviderNames().isEmpty()) { for (String authProviderName : config.getAuthProviderNames()) { new RememberMeAuthenticationProvider(config.getRememberMeService().getKey()); rap.afterPropertiesSet(); allAuthProviders.add(rap); this.securityConfig = new SecurityManagerConfig(config); this.initialized = true;
/**
 * Checks that a {@code ${...}} placeholder stored as the role service name resolves to the
 * backing system property when the configuration is reloaded. Only runs the check when
 * {@code GeoServerEnvironment.ALLOW_ENV_PARAMETRIZATION} is enabled; the original role
 * service name is restored and the property cleared in all cases.
 */
@Test
public void testGeoServerEnvParametrization() throws Exception {
    GeoServerSecurityManager manager = getSecurityManager();
    SecurityManagerConfig config = manager.loadSecurityConfig();
    String originalRoleService = config.getRoleServiceName();
    try {
        if (!GeoServerEnvironment.ALLOW_ENV_PARAMETRIZATION) {
            return; // finally block still restores the config
        }
        System.setProperty("TEST_SYS_PROPERTY", originalRoleService);
        config.setRoleServiceName("${TEST_SYS_PROPERTY}");
        manager.saveSecurityConfig(config);
        SecurityManagerConfig reloaded = manager.loadSecurityConfig();
        assertEquals(reloaded.getRoleServiceName(), originalRoleService);
    } finally {
        config.setRoleServiceName(originalRoleService);
        manager.saveSecurityConfig(config);
        System.clearProperty("TEST_SYS_PROPERTY");
    }
}
}
/**
 * Verifies that an authentication provider saved under the name {@code "custom"} and added
 * to the manager configuration is active: a username/password token submitted to the
 * manager's authentication manager comes back authenticated.
 */
@Test
public void testActive() throws Exception {
    GeoServerSecurityManager manager = getSecurityManager();

    UsernamePasswordAuthenticationProviderConfig providerConfig =
            new UsernamePasswordAuthenticationProviderConfig();
    providerConfig.setName("custom");
    providerConfig.setClassName(AuthProvider.class.getName());
    manager.saveAuthenticationProvider(providerConfig);

    SecurityManagerConfig managerConfig = manager.getSecurityConfig();
    managerConfig.getAuthProviderNames().add("custom");
    managerConfig.setConfigPasswordEncrypterName(getPlainTextPasswordEncoder().getName());
    manager.saveSecurityConfig(managerConfig);

    Authentication token = new UsernamePasswordAuthenticationToken("foo", "bar");
    Authentication result = getSecurityManager().authenticationManager().authenticate(token);
    assertTrue(result.isAuthenticated());
}
/**
 * Replaces the configured authentication provider names with the given ones, in order, and
 * saves the manager configuration.
 *
 * @param authProviderNames provider names to activate
 * @throws Exception if saving the configuration fails
 */
protected void prepareAuthProviders(String... authProviderNames) throws Exception {
    SecurityManagerConfig config = getSecurityManager().getSecurityConfig();
    config.getAuthProviderNames().clear();
    java.util.Collections.addAll(config.getAuthProviderNames(), authProviderNames);
    getSecurityManager().saveSecurityConfig(config);
}
/**
 * Builds the fixture services: role service {@code rs1} with a root role and a derived role
 * (the derived role assigned to the test user and to {@code castest}) which becomes the
 * active role service; user/group service {@code ug1} holding three users; and an
 * authentication provider backed by {@code ug1} activated via {@link #prepareAuthProviders}.
 *
 * @throws Exception if any service or store operation fails
 */
protected void createServices() throws Exception {
    // role service: derived role inherits from root
    GeoServerRoleService roleService = createRoleService("rs1");
    GeoServerRoleStore roleStore = roleService.createStore();
    GeoServerRole root = roleStore.createRoleObject(rootRole);
    roleStore.addRole(root);
    GeoServerRole derived = roleStore.createRoleObject(derivedRole);
    roleStore.addRole(derived);
    roleStore.setParentRole(derived, root);
    roleStore.associateRoleToUser(derived, testUserName);
    roleStore.associateRoleToUser(derived, "castest");
    roleStore.store();

    // make rs1 the active role service
    SecurityManagerConfig managerConfig = getSecurityManager().loadSecurityConfig();
    managerConfig.setRoleServiceName("rs1");
    getSecurityManager().saveSecurityConfig(managerConfig);

    // user/group service with the test user plus two extra accounts
    GeoServerUserGroupService userGroupService = createUserGroupService("ug1");
    GeoServerUserGroupStore userGroupStore = userGroupService.createStore();
    userGroupStore.addUser(userGroupStore.createUserObject(testUserName, testPassword, true));
    userGroupStore.addUser(userGroupStore.createUserObject("abc@xyz.com", "abc", true));
    userGroupStore.addUser(userGroupStore.createUserObject("castest", "castest", true));
    userGroupStore.store();

    GeoServerAuthenticationProvider provider =
            createAuthProvider(testProviderName, userGroupService.getName());
    prepareAuthProviders(provider.getName());
}
/**
 * Returns a copy of the current security configuration.
 *
 * <p>The result is a fresh {@link SecurityManagerConfig} built from the live configuration
 * with its copy constructor, so client code may edit it freely; nothing takes effect until
 * the edited copy is passed to {@link #saveSecurityConfig(SecurityManagerConfig)}.
 *
 * @return a copy of the active configuration
 */
public SecurityManagerConfig getSecurityConfig() {
    SecurityManagerConfig snapshot = new SecurityManagerConfig(securityConfig);
    return snapshot;
}
List<RequestFilterChain> clones = new ArrayList<RequestFilterChain>(); for (RequestFilterChain chain : config.getFilterChain().getRequestChains()) { try { clones.add((RequestFilterChain) chain.clone()); config.setFilterChain(new GeoServerSecurityFilterChain(clones));
/**
 * Completes the superclass setup and then persists a security configuration with URL
 * parameter encoding switched off for these tests.
 *
 * @param testData system test data handed to the superclass
 * @throws Exception if setup or saving the configuration fails
 */
@Override
protected void onSetUp(SystemTestData testData) throws Exception {
    super.onSetUp(testData);
    GeoServerSecurityManager manager = getSecurityManager();
    SecurityManagerConfig config = manager.getSecurityConfig();
    // disable url parameter encoding for these tests
    config.setEncryptingUrlParams(false);
    manager.saveSecurityConfig(config);
}
/**
 * Validates that a security filter may be removed: runs the generic named-service removal
 * checks, then rejects the removal while any request chain pattern still references the
 * filter's class.
 *
 * @param config the filter configuration being removed
 * @throws SecurityConfigException with {@code FILTER_STILL_USED} (carrying the filter name
 *     and the comma-separated patterns) if the filter is still in a chain, or if a generic
 *     removal check fails
 */
public void validateRemoveFilter(SecurityNamedServiceConfig config)
        throws SecurityConfigException {
    validateRemoveNamedService(GeoServerSecurityFilter.class, config);
    GeoServerSecurityFilterChain chain = manager.getSecurityConfig().getFilterChain();
    List<String> patterns = chain.patternsForFilter(config.getClassName(), false);
    if (!patterns.isEmpty()) {
        // a filter still wired into the active chain must not be deleted underneath it
        throw createSecurityException(
                SecurityConfigException.FILTER_STILL_USED,
                config.getName(),
                StringUtils.arrayToCommaDelimitedString(patterns.toArray()));
    }
}
/**
 * Runs the superclass setup, then saves a security configuration with URL parameter
 * encoding disabled for these tests.
 *
 * @throws Exception if setup or saving the configuration fails
 */
@Override
protected void setUpInternal() throws Exception {
    super.setUpInternal();
    GeoServerSecurityManager manager = getSecurityManager();
    SecurityManagerConfig config = manager.getSecurityConfig();
    // disable url parameter encoding for these tests
    config.setEncryptingUrlParams(false);
    manager.saveSecurityConfig(config);
}