<div dir="ltr"><div><div>If I change the REST configuration for GeoServer (&lt;data_dir&gt;/security/rest.<wbr>properties) to this:<br><br>/**;GET=IS_AUTHENTICATED_<wbr>ANONYMOUSLY<br>/**;POST,DELETE,PUT=ROLE_<wbr>ADMINISTRATOR<br><br></div>the auth dialog does not appear. The only problem with that solution is that then all GET requests to the REST API are available to anyone. For example, an anonymous user could get a package (<a href="http://mygeonode/geoserver/rest/process/batchDownload/download/1" target="_blank">http://mygeonode/geoserver/<wbr>rest/process/batchDownload/<wbr>download/1</a>) even if that has been created for an authenticated user.<br><br></div><div>In case you want to take a look at the real instance:<br><br><a href="http://geoserver-test.dainst.org/maps/976/download" target="_blank">http://geoserver-test.dainst.<wbr>org/maps/976/download</a><br></div><div><br></div>Any ideas on this?<br><div class="gmail_extra"><br><div class="gmail_quote">2016-11-18 15:37 GMT+01:00 Víctor González <span dir="ltr">&lt;<a href="mailto:victor.gonzalez@geomati.co" target="_blank">victor.gonzalez@geomati.co</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div>Hi,<br><br></div>I have a GeoNode instance installed from packages on Ubuntu 14.04 [1].<br><br></div>Authentication between GeoNode and GeoServer seems to be working; if I log into GeoNode and go to <a href="http://mygeonode/geoserver" target="_blank">http://mygeonode/geoserver</a> I am successfully logged in as the GeoNode user.<br><br></div>The problem comes when I try to download a map as an anonymous user: <a href="http://mygeonode/maps/976/download" target="_blank">http://mygeonode/maps/976/down<wbr>load</a>. 
<br><br>After clicking the download button and waiting a bit, I get a Basic HTTP auth dialog because of a 401 response from <a href="http://mygeonode/geoserver/rest/process/batchDownload/download/3" target="_blank">http://mygeonode/geoserver/res<wbr>t/process/batchDownload/downlo<wbr>ad/3</a><br><br></div><div>The map is configured for viewing and downloading by anyone and it works as expected if I'm logged into GeoNode.<br></div><br></div>I've seen that the rest filter chain in GeoServer uses the geonodeCookieFilter chain filter, which I think expects a valid "sessionid" cookie. That cookie is being sent in my anonymous requests together with csrftoken, both unexpired with path=/.<br><br></div>I tried to compare the behavior and requests with <a href="http://demo.geonode.org" target="_blank">demo.geonode.org</a> but <a href="http://demo.geonode.org/geoserver" target="_blank">http://demo.geonode.org/geoser<wbr>ver</a> is unresponsive right now.<br><br></div><div>Find here a section of geoserver.log in case it sheds some light:<br><br>2016-11-18 15:28:01,628 DEBUG [geoserver.security] - AuthenticationCache found an entry for basic, admin:bfa584f5598433a3c1fe16b0<wbr>0acc9c43<br>2016-11-18 15:28:01,628 DEBUG [security.RESTfulPathBasedFilt<wbr>erInvocationDefinitionMap] - Converted URL to lowercase, from: '/rest/process/batchdownload/s<wbr>tatus/3'; to: '/rest/process/batchdownload/s<wbr>tatus/3'  and httpMethod= GET<br>2016-11-18 15:28:01,628 DEBUG [security.RESTfulPathBasedFilt<wbr>erInvocationDefinitionMap] - ~~~~~~~~~~ antPath= /** methodList= [GET]<br>2016-11-18 15:28:01,628 DEBUG [security.RESTfulPathBasedFilt<wbr>erInvocationDefinitionMap] - Candidate is: '/rest/process/batchdownload/s<wbr>tatus/3'; antPath is /**; matchedPath=true; matchedMethods=true<br>2016-11-18 15:28:01,628 DEBUG [security.RESTfulPathBasedFilt<wbr>erInvocationDefinitionMap] - returning ROLE_ADMINISTRATOR<br>2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping found 
for [/rest/process/batchDownload/s<wbr>tatus/3]<br>2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping found for [/rest/process/batchDownload/s<wbr>tatus/3]<br>2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping found for [/rest/process/batchDownload/s<wbr>tatus/3]<br>2016-11-18 15:28:01,630 DEBUG [geoserver.filters] - Compressing output for mimetype: application/json;charset=ISO-8<wbr>859-1<br>2016-11-18 15:28:01,630 DEBUG [filter.GeoServerSecurityConte<wbr>xtPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed<br>2016-11-18 15:28:01,775 DEBUG [security.RESTfulPathBasedFilt<wbr>erInvocationDefinitionMap] - Converted URL to lowercase, from: '/rest/process/batchdownload/d<wbr>ownload/3'; to: '/rest/process/batchdownload/d<wbr>ownload/3'  and httpMethod= GET<br>2016-11-18 15:28:01,775 DEBUG [security.RESTfulPathBasedFilt<wbr>erInvocationDefinitionMap] - ~~~~~~~~~~ antPath= /** methodList= [GET]<br>2016-11-18 15:28:01,775 DEBUG [security.RESTfulPathBasedFilt<wbr>erInvocationDefinitionMap] - Candidate is: '/rest/process/batchdownload/d<wbr>ownload/3'; antPath is /**; matchedPath=true; matchedMethods=true<br>2016-11-18 15:28:01,775 DEBUG [security.RESTfulPathBasedFilt<wbr>erInvocationDefinitionMap] - returning ROLE_ADMINISTRATOR<br>2016-11-18 15:28:01,776 DEBUG [filter.GeoServerSecurityConte<wbr>xtPersistenceFilter$1] - SecurityContextHolder now cleared, as request processing completed<br></div><div><br></div>Is this a bug? Misconfiguration in my instance? The expected behavior? 
<br><br></div>Thanks in advance.<br><div><div><div><div><div><div><div><div><div><br>[1] <a href="http://docs.geonode.org/en/master/tutorials/install_and_admin/quick_install.html#ubuntu" target="_blank">http://docs.geonode.org/en/mas<wbr>ter/tutorials/install_and_admi<wbr>n/quick_install.html#ubuntu</a><span class="m_-9178622129958421015HOEnZb"><font color="#888888"><br><br><div><div>-- <br><div class="m_-9178622129958421015m_1300777871580905134gmail_signature"><div dir="ltr"><div>Víctor González<br></div><a href="http://geomati.co" target="_blank">http://geomati.co</a><br></div></div>
</div></div></font></span></div></div></div></div></div></div></div></div></div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="m_-9178622129958421015gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>Víctor González<br></div><a href="http://geomati.co" target="_blank">http://geomati.co</a><br></div></div>
</div></div>
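<p>Added example, not part of the original message and not GeoServer code: a small audit script that evaluates the two rest.properties rule sets from this thread against sample requests and reports which requests stop requiring a login after the change. It assumes first-match-wins rule ordering and a simplified Ant path matcher; the second line of BEFORE is assumed unchanged, and the /rest/workspaces paths are constructed sample requests.</p>

```python
import re

ANON = "IS_AUTHENTICATED_ANONYMOUSLY"

# Constructed inputs: the GET rule in BEFORE is the one geoserver.log reports
# ("antPath= /** methodList= [GET]" -> ROLE_ADMINISTRATOR); AFTER is the edit from the post.
BEFORE = "/**;GET=ROLE_ADMINISTRATOR\n/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR\n"
AFTER = "/**;GET=IS_AUTHENTICATED_ANONYMOUSLY\n/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR\n"
REQUESTS = [
    ("GET", "/rest/process/batchDownload/download/1"),
    ("GET", "/rest/process/batchDownload/status/3"),
    ("GET", "/rest/workspaces.json"),        # constructed sample path
    ("PUT", "/rest/workspaces/demo.json"),   # constructed sample path
]

def parse_rules(text):
    """Parse '<antPath>;<METHOD,...>=<ROLE,...>' lines, keeping file order."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        left, roles = line.split("=", 1)
        pattern, methods = left.split(";", 1)
        rules.append((ant_to_regex(pattern.strip()),
                      {m.strip().upper() for m in methods.split(",")},
                      {r.strip() for r in roles.split(",")}))
    return rules

def ant_to_regex(pattern):
    """Simplified Ant matcher: '**' crosses '/', '*' and '?' stay inside one segment."""
    tokens = re.findall(r"\*\*|\*|\?|[^*?]+", pattern)
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    return re.compile("^" + "".join(table.get(t) or re.escape(t) for t in tokens) + "$")

def required_roles(rules, method, path):
    """Roles of the first matching rule (assumed first-match-wins), or None."""
    for regex, methods, roles in rules:
        # The log shows the URL being lower-cased before it is matched.
        if method.upper() in methods and regex.match(path.lower()):
            return roles
    return None

def newly_anonymous(before, after, requests):
    """Requests that need no login under 'after' but did under 'before'."""
    old, new = parse_rules(before), parse_rules(after)
    is_open = lambda rules, m, p: ANON in (required_roles(rules, m, p) or ())
    return [(m, p) for m, p in requests if is_open(new, m, p) and not is_open(old, m, p)]

if __name__ == "__main__":
    print(newly_anonymous(BEFORE, AFTER, REQUESTS))
```

<p>Every GET in the sample set is reported, not only the batchDownload one, which is the over-exposure the message describes; the PUT still maps to ROLE_ADMINISTRATOR.</p>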