[GeoNode-users] Failed to download layers as anonymous user

Fri Nov 18 06:37:48 PST 2016

Hi,

I have a GeoNode instance installed from packages in a Ubuntu 14.04 [1].

Authentication between GeoNode and GeoServer seems to be working; if I log
into GeoNode and go to http://mygeonode/geoserver I am successfully logged
in as the GeoNode user.

The problem comes when I try to download a map as an anonymous user:
http://mygeonode/maps/976/download.

After clicking the download button and waiting a bit, I get a Basic HTTP
auth dialog because of a 401 response from
http://mygeonode/geoserver/rest/process/batchDownload/download/3

The map is configured for viewing and downloading by anyone and it works as
expected if I'm logged into GeoNode.

I've seen that the rest filter chain in GeoServer uses the
geonodeCookieFilter chain filter, which I think expects a valid "sessionid"
cookie. That cookie is being sent in my anonymous requests together with
csrftoken, both unexpired with path=/.

I tried to compare the behavior and requests with demo.geonode.org but
http://demo.geonode.org/geoserver is unresponsive right now.

Find here a section of geoserver.log in case it sheds some light:

2016-11-18 15:28:01,628 DEBUG [geoserver.security] - AuthenticationCache
found an entry for basic, admin:bfa584f5598433a3c1fe16b00acc9c43
2016-11-18 15:28:01,628 DEBUG
[security.RESTfulPathBasedFilterInvocationDefinitionMap] - Converted URL to
lowercase, from: '/rest/process/batchdownload/status/3'; to:
'/rest/process/batchdownload/status/3'  and httpMethod= GET
2016-11-18 15:28:01,628 DEBUG
[security.RESTfulPathBasedFilterInvocationDefinitionMap] - ~~~~~~~~~~
antPath= /** methodList= [GET]
2016-11-18 15:28:01,628 DEBUG
[security.RESTfulPathBasedFilterInvocationDefinitionMap] - Candidate is:
'/rest/process/batchdownload/status/3'; antPath is /**; matchedPath=true;
matchedMethods=true
2016-11-18 15:28:01,628 DEBUG
[security.RESTfulPathBasedFilterInvocationDefinitionMap] - returning
ROLE_ADMINISTRATOR
2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping
found for [/rest/process/batchDownload/status/3]
2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping
found for [/rest/process/batchDownload/status/3]
2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping
found for [/rest/process/batchDownload/status/3]
2016-11-18 15:28:01,630 DEBUG [geoserver.filters] - Compressing output for
mimetype: application/json;charset=ISO-8859-1
2016-11-18 15:28:01,630 DEBUG
[filter.GeoServerSecurityContextPersistenceFilter$1] -
SecurityContextHolder now cleared, as request processing completed
2016-11-18 15:28:01,775 DEBUG
[security.RESTfulPathBasedFilterInvocationDefinitionMap] - Converted URL to
lowercase, from: '/rest/process/batchdownload/download/3'; to:
'/rest/process/batchdownload/download/3'  and httpMethod= GET
2016-11-18 15:28:01,775 DEBUG
[security.RESTfulPathBasedFilterInvocationDefinitionMap] - ~~~~~~~~~~
antPath= /** methodList= [GET]
2016-11-18 15:28:01,775 DEBUG
[security.RESTfulPathBasedFilterInvocationDefinitionMap] - Candidate is:
'/rest/process/batchdownload/download/3'; antPath is /**; matchedPath=true;
matchedMethods=true
2016-11-18 15:28:01,775 DEBUG
[security.RESTfulPathBasedFilterInvocationDefinitionMap] - returning
ROLE_ADMINISTRATOR
2016-11-18 15:28:01,776 DEBUG
[filter.GeoServerSecurityContextPersistenceFilter$1] -
SecurityContextHolder now cleared, as request processing completed

Is this a bug? Misconfiguration in my instance? The expected behavior?

Thanks in advance.

[1]
http://docs.geonode.org/en/master/tutorials/install_and_admin/quick_install.html#ubuntu

-- 
Víctor González
http://geomati.co
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-users/attachments/20161118/2da13cc4/attachment.html>