From: João G. | H. <jo...@ho...> - 2017-09-11 15:25:33
Hello Andrea.

Thank you for the quick response. I have posted an issue in JIRA.

Kind regards,

On 11 September 2017 at 16:32, Andrea Aime <and...@ge...> wrote:

> On Mon, Sep 11, 2017 at 3:51 PM, João Gouveia | Horus <jo...@ho...> wrote:
>
>> Hello.
>>
>> I am testing GeoServer with a client I am developing and I have a
>> question regarding security.
>> According to the documentation, setting the Catalog mode to Challenge
>> should expose the layers and make the server send a 401 error in case the
>> credentials are not sent. This is not what is happening with insert or
>> update transactions. Only the delete transaction sends a 401. Both insert
>> and update send a 200 with an ExceptionReport XML. This is problematic
>> because it makes it hard to develop a client that will request
>> authentication. Especially because the exception code is simply an
>> "InvalidParameterValue".
>>
>> Is this a design decision or is it a bug?
>
> It is not a design decision for sure, sounds more like an accident of
> implementation, likely happening because the code cannot even parse the
> XML in those conditions (the parser being driven by the schema, and likely
> not able to get to the schema) and the original security exception is
> somehow replaced. But it's just a guess.
>
> Feel free to open a ticket, with steps to reproduce.
>
> Cheers
> Andrea
>
> --
> Regards,
> Andrea Aime
>
> ==
> GeoServer Professional Services from the experts! Visit
> http://goo.gl/it488V for more information.
> ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054 Massarosa (LU)
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39 339 8844549
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it

--
Kind regards,

João Gouveia
Software Engineer
<http://www.horus.nu/>
j.g...@ho...
Horus View and Explore B.V.
+31 (0)50 309 62 14 | www.horus.nu
Verbindingsweg 18 | 9781 DA Bedum | NL
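The behaviour reported in this thread (HTTP 200 carrying an ExceptionReport instead of a 401) means a client cannot rely on the status code alone. The following is an added example, not code from the thread or from GeoServer: a client-side classifier whose function names and sample bodies are constructed, and whose "auth_suspected" rule is an assumption drawn only from the report above.

```python
import xml.etree.ElementTree as ET

# Constructed sample bodies (not captured from a real server).
REPORT = ('<ows:ExceptionReport xmlns:ows="http://www.opengis.net/ows" version="1.0.0">'
          '<ows:Exception exceptionCode="InvalidParameterValue">'
          '<ows:ExceptionText>constructed text</ows:ExceptionText>'
          '</ows:Exception></ows:ExceptionReport>')
SUCCESS = ('<wfs:TransactionResponse xmlns:wfs="http://www.opengis.net/wfs" version="1.1.0">'
           '<wfs:TransactionSummary><wfs:totalInserted>1</wfs:totalInserted>'
           '</wfs:TransactionSummary></wfs:TransactionResponse>')

def _local(tag):
    """Strip the '{namespace}' prefix so every OWS/OGC version matches."""
    return tag.rsplit('}', 1)[-1]

def exception_codes(body):
    """Return the exception codes if body is an exception report, else None."""
    if "<!DOCTYPE" in body:          # refuse DTDs: no entity expansion from server data
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if _local(root.tag) not in ("ExceptionReport", "ServiceExceptionReport"):
        return None
    return [el.get("exceptionCode") or el.get("code") or ""
            for el in root.iter()
            if _local(el.tag) in ("Exception", "ServiceException")]

def classify(status, body, sent_credentials):
    """Map a WFS Transaction response to an action for the client."""
    if status == 401:
        return "auth_required"       # the documented Challenge-mode answer
    codes = exception_codes(body) if status == 200 else None
    if codes is None:
        return "ok" if 200 <= status < 300 else "http_error"
    # Assumption: an anonymous transaction answered with 200 plus an
    # exception report may be a masked security failure, so retry with
    # credentials once before showing the error to the user.
    return "service_exception" if sent_credentials else "auth_suspected"

if __name__ == "__main__":
    for args in [(401, "", False), (200, REPORT, False),
                 (200, REPORT, True), (200, SUCCESS, True)]:
        print(args[0], args[2], "->", classify(*args))
```

If the retry with credentials still returns an exception report, the error is a genuine service exception and should be surfaced as such.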