Re: [Geoserver-users] Possible bug with Catalog Mode in Data Security

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Mon, Sep 11, 2017 at 3:51 PM, João Gouveia | Horus <jo...@ho...> wrote:

> Hello.
>
> I am testing GeoServer with a client I am developing and I have a question
> regarding security.
> According to the documentation, setting the Catalog mode to Challenge
> should expose the layers and make the server send a 401 error in case the
> credentials are not sent. This is not what is happening with an insert or
> update transactions. Only the delete transaction sends a 401. Both insert
> and update send a 200 with an ExceptionReport xml. This is problematic
> because it makes it hard to develop a client that will request
> authentication. Especially because the exception code is simply a
> "InvalidParameterValue".
>
> Is this a design decision or is it a bug?
>

It is not a design decision for sure, sounds more like an accident of
implementation, likely happening
because the code cannot even parse the XML in those conditions (the parser
being driven by the schema,
and likely not able to get to the schema) and the original security
exception is
somehow replaced. But it's just a guess.

Feel free to open a ticket, with steps to reproduce.

Cheers
Andrea

-- 

Regards,

Andrea Aime

==
GeoServer Professional Services from the experts! Visit http://goo.gl/it488V
for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39  339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility  for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.