GeoServer : GSIP 82 - Reworking security filter chains
This page last changed on Jan 20, 2013 by aaime.
Reworking security filter chains.
The current security filter chains are implemented using a single class called RequestFilterChain. Unfortunately, there are several different types of such chains, namely
It is cumbersome to add validation code, and the admin GUI allows any filter to be placed on any chain, which is not reasonable at all.
The new design should be prepared for adding Single Sign Out extensions like CAS.
The single class RequestFilterChain is replaced by a class hierarchy. The following properties are added:
An active authentication filter implementing the Spring LogoutHandler interface is called during the GeoServer log out process. The log out filter chain itself is a constant chain.
Included is a bug fix for the filter chain configuration on the GUI. If the user changes the configuration and switches to another chain (combo box), all modifications are lost.
The patch is here and was reviewed by Justin.
As a proof of concept, the CAS security extension was completely rewritten to test proper integration. The current CAS implementation does not work well and it is not recommended to use it in production systems. The new implementation works better but is not yet finished.
During this proof of concept, some improvements were made to the core code (e.g. avoiding caching an authentication token if the system knows that an HTTP session will be created and the token will be stored in that session).
A migration (security directory) from 2.2.x is necessary since
Document generated by Confluence on May 14, 2014 23:00