<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<meta name="application-name" content="gfidisc.scisys.co.uk "> </head>
<body lang="EN-GB" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Hi,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I’m trying to manage access to a layer through a combination of geonode, geofence and geoserver. So for example if a user does a GetCapabilities request for a WMS in geoserver
they will only be shown layers which they have access to.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I’ve set up geonode, geoserver and geofence as described in this tutorial -
<a href="http://docs.geonode.org/en/master/tutorials/admin/geoserver_geonode_security/">
http://docs.geonode.org/en/master/tutorials/admin/geoserver_geonode_security/</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">The link between geonode and geoserver appears to be working – that is to say that the geonode login button in geoserver works correctly and if I edit permissions for a layer
in geonode then geofence is updated with the correct data rules.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">The problem I encounter is when I do a request such as:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">http://localhost/geoserver/geonode/wms?request=getcapabilities<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">via postman and provide basic authentication details (username/password) of a geonode user I get a 401 error returned and the following exception in the geoserver logs:<o:p></o:p></span></p>
<div style="mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal" style="border:none;padding:0cm"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:16:05,659 DEBUG [security.IncludeQueryStringAntPathRequestMatcher] - Request matched by universal pattern '/**'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:16:05,659 DEBUG [security.IncludeQueryStringAntPathRequestMatcher] - Matched Path: /geonode/wms, QueryString: request=getcapabilities with /**<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:16:05,659 DEBUG [geoserver.security] - AuthenticationCache has no entry for basic, testuser:f67c8204540f095070dd7a462cb44948<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:16:05,660 DEBUG [geoserver.security] - Bad credentials<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">org.springframework.security.authentication.BadCredentialsException: Bad credentials<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:150)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.auth.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:82)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:58)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.GeoServerSecurityManager$1.authenticate(GeoServerSecurityManager.java:323)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:178)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.filter.GeoServerBasicAuthenticationFilter.doFilter(GeoServerBasicAuthenticationFilter.java:84)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:69)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:53)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:152)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:87)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:48)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:44)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:522)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1095)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:672)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1504)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1460)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""> at java.lang.Thread.run(Thread.java:748)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:16:05,661 DEBUG [auth.GeoFenceAuthenticationProvider] - Auth request with org.springframework.security.authentication.UsernamePasswordAuthenticationToken@f33db8a7:
Principal: testuser; Credentials: [PROTECTED]; Authenticated: false; Details: org.geoserver.security.filter.GeoServerWebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Not granted any authorities<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:16:05,661 DEBUG [geofence.cache] - Loading user 'testuser'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:16:05,666 WARN [geofence.cache] - org.geoserver.geofence.cache.CachedRuleReader$NoAuthException: Can't auth user [testuser]<o:p></o:p></span></p>
<div style="mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal" style="border:none;padding:0cm"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:16:05,670 INFO [auth.GeoFenceAuthenticationProvider] - User testuser NOT authenticated<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">Now I think this is because the filter chain for the /** is configured as:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">basic<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">geonode-oauth2<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">So it is doing the first basic filter and failing because this checks against geoserver users and I provided a geonode user. My understanding of these filters is that upon
failure it should progress to the next one, in this case the geonode-oauth2 filter which will call into geonode and authenticate the user. So my first question is why isn’t that happening?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">If I update the order of the default /** filter to place geonode-oauth2 first I get a capabilities document returned but it does not contain the layer that I have granted access
to for the geonode user, the geoserver logs show the following:<o:p></o:p></span></p>
<div style="mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal" style="border:none;padding:0cm"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,163 DEBUG [security.IncludeQueryStringAntPathRequestMatcher] - Request matched by universal pattern '/**'<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,163 DEBUG [security.IncludeQueryStringAntPathRequestMatcher] - Matched Path: /geonode/wms, QueryString: request=getcapabilities with /**<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,226 DEBUG [geoserver.security] - Inspecting the http request looking for the GeoNode Session ID.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,226 DEBUG [geoserver.security] - Found no cookies!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,226 DEBUG [geoserver.security] - preAuthenticatedPrincipal = null, trying to authenticate<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,227 DEBUG [geoserver.geofence] - Getting access limits for workspace geonode<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,227 DEBUG [geoserver.geofence] - Getting admin auth for Workspace geonode<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,227 DEBUG [geoserver.geofence] - AdminAuth filter: RuleFilter[user:(empty)+ role:ANY inst:name+:default-gs ip:"10.0.2.2"+ serv:ANY req:ANY ws:"geonode"+
layer:ANY]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,227 DEBUG [geofence.cache] - AdminAuth Request for RuleFilter[user:(empty)+ role:ANY inst:name+:default-gs ip:"10.0.2.2"+ serv:ANY req:ANY ws:"geonode"+
layer:ANY]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,228 DEBUG [geofence.cache] - Loading RuleFilter[user:(empty)+ role:ANY inst:name+:default-gs ip:"10.0.2.2"+ serv:ANY req:ANY ws:"geonode"+ layer:ANY]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,228 DEBUG [geofence.internal] - Getting Roles for User []<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,228 DEBUG [geofence.internal] - Checking UserGroupService [default]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,228 DEBUG [geofence.internal] - Checking RoleService [default]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,228 DEBUG [geofence.internal] - Checking RoleService [geonode REST role service]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,319 DEBUG [geoserver.security] - Setting ROLES for User [] to [ROLE_ANONYMOUS]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,392 DEBUG [geoserver.security] - Setting ROLES for User [] to [ROLE_ANONYMOUS]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,392 DEBUG [geofence.internal] - RoleService [geonode REST role service] matching for User []<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,446 DEBUG [geoserver.security] - Setting ROLES for User [] to [ROLE_ANONYMOUS]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,447 DEBUG [geofence.internal] - Checking Role [ROLE_ANONYMOUS] on ActiveRoleService [org.geoserver.security.GeoServerRestRoleService@1491bfb5]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,447 DEBUG [geofence.internal] - Checking UserGroupService [default]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,447 DEBUG [geofence.internal] - Matching Roles [[ROLE_ANONYMOUS]] for User []<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,494 DEBUG [geoserver.security] - Setting ROLES for User [] to [ROLE_ANONYMOUS]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,494 DEBUG [geofence.internal] - Checking Role [ROLE_ANONYMOUS] on ActiveRoleService [org.geoserver.security.GeoServerRestRoleService@1491bfb5]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,494 DEBUG [geofence.internal] - Checking UserGroupService [default]<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,494 DEBUG [geofence.internal] - Matching Roles [[ROLE_ANONYMOUS]] for User []<o:p></o:p></span></p>
<div style="mso-element:para-border-div;border:none;border-bottom:solid windowtext 1.0pt;padding:0cm 0cm 1.0pt 0cm">
<p class="MsoNormal" style="border:none;padding:0cm"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">2018-01-04 15:21:52,495 DEBUG [geoserver.geofence] - Admin auth for User: Workspace:geonode: false<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I think the above is showing that the user failed authentication because the RuleFilter for geofence is being passed an empty username, which is why the layer isn’t being shown.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">My second question is why didn’t the authentication process throw any errors? I’ve taken a look at the GeoServerOAuthAuthenticationFilter class (<a href="https://github.com/geoserver/geoserver/blob/master/src/community/security/oauth2/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java">https://github.com/geoserver/geoserver/blob/master/src/community/security/oauth2/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java</a>)
and I wonder whether when it calls this line:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">authentication = filter.attemptAuthentication(req, null);<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">it is swallowing any IOException or ServletException that are thrown by the base Spring class?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif"">I’m also wondering whether I’ve just misunderstood how the security between geonode and geoserver should work. My high-level view is that when a geonode user requests to access
a resource directly via geoserver (for example a WMS service) then geoserver will call into geonode to check that the user is valid, retrieve the user’s roles and then pass these to geofence which will check the data rules to ensure the user has access to
the targeted resource.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";mso-fareast-language:EN-GB">Thanks,<br>
Pete</span><span style="mso-fareast-language:EN-GB"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
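<p>An added example (not part of the original message, and not GeoNode or GeoServer code): a Python triage script run over an excerpt of the two logs quoted above. For each request it reports which filter-chain pattern matched, whether credentials were rejected, and which user and roles GeoFence evaluated. The function names and verdict labels are hypothetical, and the quoted form of a non-empty RuleFilter user is an assumption.</p>
<pre>
```python
import re

# Excerpt of the two GeoServer DEBUG logs quoted in the message above
# (stack trace shortened to one frame; other lines unchanged).
SAMPLE_LOG = """\
2018-01-04 15:16:05,659 DEBUG [security.IncludeQueryStringAntPathRequestMatcher] - Matched Path: /geonode/wms, QueryString: request=getcapabilities with /**
2018-01-04 15:16:05,660 DEBUG [geoserver.security] - Bad credentials
org.springframework.security.authentication.BadCredentialsException: Bad credentials
 at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:178)
2018-01-04 15:16:05,666 WARN [geofence.cache] - org.geoserver.geofence.cache.CachedRuleReader$NoAuthException: Can't auth user [testuser]
2018-01-04 15:16:05,670 INFO [auth.GeoFenceAuthenticationProvider] - User testuser NOT authenticated
2018-01-04 15:21:52,163 DEBUG [security.IncludeQueryStringAntPathRequestMatcher] - Matched Path: /geonode/wms, QueryString: request=getcapabilities with /**
2018-01-04 15:21:52,226 DEBUG [geoserver.security] - Found no cookies!
2018-01-04 15:21:52,226 DEBUG [geoserver.security] - preAuthenticatedPrincipal = null, trying to authenticate
2018-01-04 15:21:52,227 DEBUG [geoserver.geofence] - AdminAuth filter: RuleFilter[user:(empty)+ role:ANY inst:name+:default-gs ip:"10.0.2.2"+ serv:ANY req:ANY ws:"geonode"+ layer:ANY]
2018-01-04 15:21:52,319 DEBUG [geoserver.security] - Setting ROLES for User [] to [ROLE_ANONYMOUS]
2018-01-04 15:21:52,495 DEBUG [geoserver.geofence] - Admin auth for User: Workspace:geonode: false
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[([^\]]+)\] - (.*)$")
MATCHED = re.compile(r"^Matched Path: (\S+), QueryString: (\S*) with (\S+)$")
# Assumption: a non-empty user is rendered quoted, like ip:"10.0.2.2" in the excerpt.
RULE_USER = re.compile(r'RuleFilter\[user:(\(empty\)|"[^"]*")')
ROLES = re.compile(r"^Setting ROLES for User \[([^\]]*)\] to \[([^\]]*)\]$")
NOT_AUTH = re.compile(r"^User (\S+) NOT authenticated$")


def parse_records(text):
    """Split log text into records; stack-trace lines attach to the record above."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            ts, level, logger, msg = m.groups()
            records.append({"ts": ts, "level": level, "logger": logger,
                            "msg": msg, "extra": []})
        elif records and line.strip():
            records[-1]["extra"].append(line.strip())
    return records


def summarise(records):
    """Group records per request and classify how each request was identified."""
    requests, cur = [], None
    for rec in records:
        msg = rec["msg"]
        m = MATCHED.match(msg)
        if m:  # one "Matched Path" line opens each request in these logs
            cur = {"ts": rec["ts"], "path": m.group(1), "query": m.group(2),
                   "chain": m.group(3), "failed_users": set(), "exceptions": [],
                   "rule_users": set(), "roles": set(), "no_cookie": False}
            requests.append(cur)
            continue
        if cur is None:
            continue
        m = NOT_AUTH.match(msg)
        if m:
            cur["failed_users"].add(m.group(1))
        m = RULE_USER.search(msg)
        if m:  # the user GeoFence actually evaluated its rules for
            user = m.group(1)
            cur["rule_users"].add("" if user == "(empty)" else user.strip('"'))
        m = ROLES.match(msg)
        if m:
            cur["roles"].update(r for r in m.group(2).split(", ") if r)
        if msg == "Found no cookies!":
            cur["no_cookie"] = True
        for extra in rec["extra"]:
            if not extra.startswith("at ") and "Exception" in extra:
                cur["exceptions"].append(extra.split(":")[0].rsplit(".", 1)[-1])
    for req in requests:
        if req["failed_users"] or req["exceptions"]:
            req["verdict"] = "REJECTED"      # credentials sent, no provider accepted them
        elif req["rule_users"] - {""}:
            req["verdict"] = "IDENTIFIED"    # GeoFence saw a named user
        elif "" in req["rule_users"] or "ROLE_ANONYMOUS" in req["roles"]:
            req["verdict"] = "ANONYMOUS"     # rules evaluated with no principal
        else:
            req["verdict"] = "UNKNOWN"
    return requests


if __name__ == "__main__":
    for req in summarise(parse_records(SAMPLE_LOG)):
        print(req["ts"], req["path"], req["chain"], req["verdict"],
              sorted(req["failed_users"]), sorted(req["roles"]))
```
</pre>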
<div align="left"><span style="color: #808080; font-family: Arial; font-size: small;">SCISYS UK Limited. Registered in England and Wales No. 4373530.</span></div>
<div align="left"><span style="color: #808080; font-family: Arial; font-size: small;">Registered Office: Methuen Park, Chippenham, Wiltshire SN14 0GB, UK.</span></div>
</body>
</html>