[GeoNode-devel] GeoServer basic authentication not working anymore?

Paolo Corti pcorti at gmail.com
Tue Mar 7 07:28:12 PST 2017 

Confirmed, here is a recap of what is currently happening accessing
GeoServer with basic authentication (in my test GeoNode instance there
is 1 public and 1 private layer):

>>> import GeoNode
>>> GeoNode.__version__
(2, 7, 0, 'alpha', 0)

>>> from owslib.wms import WebMapService

# I correctly see only the public layer as anonymous user
>>> ows = WebMapService('http://localhost:8080/geoserver/ows?')
>>> len(ows.contents)
1

# I correctly see all of the two layers using an administrative
GeoServer user (for which basic authentication is enabled):
>>> ows = WebMapService('http://localhost:8080/geoserver/ows?', username='admin', password='geoserver')
>>> len(ows.contents)
2

# basic authentication does not work for any GeoNode user (including the admin)
>>> ows = WebMapService('http://localhost:8080/geoserver/ows?', username='admin', password='admin')
ServiceException: <html><head><meta http-equiv="Content-Type"
content="text/html; charset=ISO-8859-1"/>
<title>Error 401 No AuthenticationProvider found for
org.springframework.security.authentication.UsernamePasswordAuthenticationToken</title></head>
<body><h2>HTTP ERROR 401</h2>
<p>Problem accessing /geoserver/ows. Reason:
<pre>    No AuthenticationProvider found for
org.springframework.security.authentication.UsernamePasswordAuthenticationToken</pre></p><hr
/><i><small>Powered by Jetty://</small></i><br/>

For my use case I will create a GeoServer admin service user, and will
use that one to read all of the layers virtual services.
Though, note that this is breaking something very useful that once was
working: it will not be possible to authenticate with the GeoNode
credentials using external applications, such as QGIS and ArcGIS. This
was possible with GeoNode 2.4

thanks again Alessio
cheers
p

On Tue, Mar 7, 2017 at 3:44 AM, Alessio Fabiani
<alessio.fabiani at geo-solutions.it> wrote:
> Well yes, right now creating the same user on GeoNode too and marking it as
> superuser (or assigning it to admin group) should work.
>
> Best Regards,
> Alessio Fabiani.
>
> ==
> GeoServer Professional Services from the experts!
> Visit http://goo.gl/it488V for more information.
> ==
>
> Ing. Alessio Fabiani
> @alfa7691
> github
> Founder/Technical Lead
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax:     +39 0584 1660272
> mob:   +39 331 6233686
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
>
> Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i
> file/s allegato/i sono da considerarsi strettamente riservate. Il loro
> utilizzo è consentito esclusivamente al destinatario del messaggio, per le
> finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio
> senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia
> via e-mail e di procedere alla distruzione del messaggio stesso,
> cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo
> anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per
> finalità diverse, costituisce comportamento contrario ai principi dettati
> dal D.Lgs. 196/2003.
>
>
>
> The information in this message and/or attachments, is intended solely for
> the attention and use of the named addressee(s) and may be confidential or
> proprietary in nature or covered by the provisions of privacy act
> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
> Code).Any use not in accord with its purpose, any disclosure, reproduction,
> copying, distribution, or either dissemination, either whole or partial, is
> strictly forbidden except previous formal approval of the named
> addressee(s). If you are not the intended recipient, please contact
> immediately the sender by telephone, fax or e-mail and delete the
> information in this message that has been received in error. The sender does
> not give any warranty or accept liability as the content, accuracy or
> completeness of sent messages and accepts no responsibility  for changes
> made after they were sent or for other risks which arise as a result of
> e-mail transmission, viruses, etc.
>
> ---------------------------------------------------------------------
>
>
> On Mon, Mar 6, 2017 at 8:16 PM, Paolo Corti <pcorti at gmail.com> wrote:
>>
>> Oh I see. Thanks Alessio for the detailed explanation.
>>
>> From what I can see, using the GeoServer administrative interface, I
>> can create a GeoServer user that can access GeoServer with basic
>> authentication: unfortunately, even assigning this user to the admin
>> groups (ADMIN, GROUP_ADMIN), this user is not able to access layers
>> marked as private in GeoNode.
>> Is there a way to accomplish this? I would basically need to have a
>> user that can read all of the virtual services of the layers (public
>> and private) using basic authentication.
>>
>> Thanks for helping :)
>>
>> p
>>
>>
>> On Mon, Mar 6, 2017 at 11:48 AM, Alessio Fabiani
>> <alessio.fabiani at geo-solutions.it> wrote:
>> > I see. Yes given this use case this is possible. GeoNode does not have
>> > code
>> > to create users on GeoServer side.
>> > While it allows you to login using oauth2 (through the admin group) it
>> > won't
>> > be possible to access bia Basic Auth since that user is not recognized
>> > by
>> > GeoServer.
>> >
>> > To add this functionality we could either:
>> >
>> > 1. Allow GeoNode to create users on GeoServer (those would be duplicated
>> > though)
>> >
>> > 2. Customize the Basic Auth Provider and GeoNode apis (most of the work
>> > has
>> > been already done for OAuth2) in order to enable Basic Auth on GeoServer
>> > too.
>> >
>> > We need to discuss this thgouh, and a GNIP is required IMHO, since it is
>> > not
>> > a trivial change.
>> >
>> > It is also worth trying to make the Basic Auth Provider using the
>> > "GeoNode
>> > REST Role Service", maybe this could be sufficient.
>> >
>> >
>> > Best Regards,
>> > Alessio Fabiani.
>> >
>> > ==
>> > GeoServer Professional Services from the experts!
>> > Visit http://goo.gl/it488V for more information.
>> > ==
>> >
>> > Ing. Alessio Fabiani
>> > @alfa7691
>> > github
>> > Founder/Technical Lead
>> >
>> > GeoSolutions S.A.S.
>> > Via di Montramito 3/A
>> > 55054  Massarosa (LU)
>> > Italy
>> > phone: +39 0584 962313
>> > fax:     +39 0584 1660272
>> > mob:   +39 331 6233686
>> >
>> > http://www.geo-solutions.it
>> > http://twitter.com/geosolutions_it
>> >
>> > -------------------------------------------------------
>> >
>> > AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
>> >
>> > Le informazioni contenute in questo messaggio di posta elettronica e/o
>> > nel/i
>> > file/s allegato/i sono da considerarsi strettamente riservate. Il loro
>> > utilizzo è consentito esclusivamente al destinatario del messaggio, per
>> > le
>> > finalità indicate nel messaggio stesso. Qualora riceviate questo
>> > messaggio
>> > senza esserne il destinatario, Vi preghiamo cortesemente di darcene
>> > notizia
>> > via e-mail e di procedere alla distruzione del messaggio stesso,
>> > cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>> > divulgarlo
>> > anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo
>> > per
>> > finalità diverse, costituisce comportamento contrario ai principi
>> > dettati
>> > dal D.Lgs. 196/2003.
>> >
>> >
>> >
>> > The information in this message and/or attachments, is intended solely
>> > for
>> > the attention and use of the named addressee(s) and may be confidential
>> > or
>> > proprietary in nature or covered by the provisions of privacy act
>> > (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
>> > Code).Any use not in accord with its purpose, any disclosure,
>> > reproduction,
>> > copying, distribution, or either dissemination, either whole or partial,
>> > is
>> > strictly forbidden except previous formal approval of the named
>> > addressee(s). If you are not the intended recipient, please contact
>> > immediately the sender by telephone, fax or e-mail and delete the
>> > information in this message that has been received in error. The sender
>> > does
>> > not give any warranty or accept liability as the content, accuracy or
>> > completeness of sent messages and accepts no responsibility  for changes
>> > made after they were sent or for other risks which arise as a result of
>> > e-mail transmission, viruses, etc.
>> >
>> > ---------------------------------------------------------------------
>> >
>> >
>> > On Mon, Mar 6, 2017 at 5:41 PM, Paolo Corti <pcorti at gmail.com> wrote:
>> >>
>> >> Hi Alessio
>> >> I did not change anything in GeoServer, I am using the one that comes
>> >> with GeoNode.
>> >> If I create a superuser right now, using the Django administrative
>> >> interface, I cannot login to the GeoServer admin interface using the
>> >> credentials for this superuser.
>> >> Which I believe it should be possible, if basic auth would be in place,
>> >> no?
>> >> I can use the default administrative GeoServer account though (the one
>> >> with credentials: admin, geoserver).
>> >> Same thing using owslib: I can't login with my new superuser, but I
>> >> can using the administrative account.
>> >> Thanks a lot
>> >> p
>> >>
>> >> On Mon, Mar 6, 2017 at 11:17 AM, Alessio Fabiani
>> >> <alessio.fabiani at geo-solutions.it> wrote:
>> >> > Hi Paolo,
>> >> > the basic auth works since otherwise it would not be possible to
>> >> > upload
>> >> > layers neither.
>> >> >
>> >> > Maybe the order of authentication providers is wrong on GeoServer or
>> >> > your
>> >> > user somehow has a different password and/or removed.
>> >> >
>> >> > Another possibility when accessing a layer could be that the security
>> >> > settings on GeoFence do not allow you to access the latter.
>> >> >
>> >> > If possible rise up the log level of GeoServer and see what happens
>> >> > on
>> >> > $GS_DATA_DIR/logs/geoserver.log
>> >> >
>> >> >
>> >> >
>> >> > Best Regards,
>> >> > Alessio Fabiani.
>> >> >
>> >> > ==
>> >> > GeoServer Professional Services from the experts!
>> >> > Visit http://goo.gl/it488V for more information.
>> >> > ==
>> >> >
>> >> > Ing. Alessio Fabiani
>> >> > @alfa7691
>> >> > github
>> >> > Founder/Technical Lead
>> >> >
>> >> > GeoSolutions S.A.S.
>> >> > Via di Montramito 3/A
>> >> > 55054  Massarosa (LU)
>> >> > Italy
>> >> > phone: +39 0584 962313
>> >> > fax:     +39 0584 1660272
>> >> > mob:   +39 331 6233686
>> >> >
>> >> > http://www.geo-solutions.it
>> >> > http://twitter.com/geosolutions_it
>> >> >
>> >> > -------------------------------------------------------
>> >> >
>> >> > AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
>> >> >
>> >> > Le informazioni contenute in questo messaggio di posta elettronica
>> >> > e/o
>> >> > nel/i
>> >> > file/s allegato/i sono da considerarsi strettamente riservate. Il
>> >> > loro
>> >> > utilizzo è consentito esclusivamente al destinatario del messaggio,
>> >> > per
>> >> > le
>> >> > finalità indicate nel messaggio stesso. Qualora riceviate questo
>> >> > messaggio
>> >> > senza esserne il destinatario, Vi preghiamo cortesemente di darcene
>> >> > notizia
>> >> > via e-mail e di procedere alla distruzione del messaggio stesso,
>> >> > cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
>> >> > divulgarlo
>> >> > anche in parte, distribuirlo ad altri soggetti, copiarlo, od
>> >> > utilizzarlo
>> >> > per
>> >> > finalità diverse, costituisce comportamento contrario ai principi
>> >> > dettati
>> >> > dal D.Lgs. 196/2003.
>> >> >
>> >> >
>> >> >
>> >> > The information in this message and/or attachments, is intended
>> >> > solely
>> >> > for
>> >> > the attention and use of the named addressee(s) and may be
>> >> > confidential
>> >> > or
>> >> > proprietary in nature or covered by the provisions of privacy act
>> >> > (Legislative Decree June, 30 2003, no.196 - Italy's New Data
>> >> > Protection
>> >> > Code).Any use not in accord with its purpose, any disclosure,
>> >> > reproduction,
>> >> > copying, distribution, or either dissemination, either whole or
>> >> > partial,
>> >> > is
>> >> > strictly forbidden except previous formal approval of the named
>> >> > addressee(s). If you are not the intended recipient, please contact
>> >> > immediately the sender by telephone, fax or e-mail and delete the
>> >> > information in this message that has been received in error. The
>> >> > sender
>> >> > does
>> >> > not give any warranty or accept liability as the content, accuracy or
>> >> > completeness of sent messages and accepts no responsibility  for
>> >> > changes
>> >> > made after they were sent or for other risks which arise as a result
>> >> > of
>> >> > e-mail transmission, viruses, etc.
>> >> >
>> >> > ---------------------------------------------------------------------
>> >> >
>> >> >
>> >> > On Mon, Mar 6, 2017 at 4:52 PM, Paolo Corti <pcorti at gmail.com> wrote:
>> >> >>
>> >> >> Hi devs
>> >> >>
>> >> >> I am testing the trunk version of GeoNode, and I need to run some
>> >> >> script on layers using basic authentication and owslib.
>> >> >> This was working well with the old GeoServer authentication system
>> >> >> of
>> >> >> GeoNode (without GeoFence).
>> >> >>
>> >> >> It should still working now as well, as I can see basic
>> >> >> authentication
>> >> >> is the first authentication provider in the authentication providers
>> >> >> chain, followed by geofence and geonodeauthprovider.
>> >> >>
>> >> >> Unfortunately basic authentication does not seem to work. I cannot
>> >> >> login in the GeoServer admin interface with my credentials, and if I
>> >> >> try to make requests using owslib and my credentials I get this
>> >> >> error:
>> >> >>
>> >> >> No AuthenticationProvider found for
>> >> >>
>> >> >>
>> >> >>
>> >> >> org.springframework.security.authentication.UsernamePasswordAuthenticationToken
>> >> >>
>> >> >> Any idea here? Thanks in advance
>> >> >> p
>> >> >>
>> >> >> --
>> >> >> Paolo Corti
>> >> >> Geospatial software developer
>> >> >> web: http://www.paolocorti.net
>> >> >> twitter: @capooti
>> >> >> skype: capooti
>> >> >> _______________________________________________
>> >> >> geonode-devel mailing list
>> >> >> geonode-devel at lists.osgeo.org
>> >> >> https://lists.osgeo.org/mailman/listinfo/geonode-devel
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Paolo Corti
>> >> Geospatial software developer
>> >> web: http://www.paolocorti.net
>> >> twitter: @capooti
>> >> skype: capooti
>> >
>> >
>>
>>
>>
>> --
>> Paolo Corti
>> Geospatial software developer
>> web: http://www.paolocorti.net
>> twitter: @capooti
>> skype: capooti
>
>



-- 
Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti

More information about the geonode-devel mailing list