[GeoNode-users] Failed to download layers as anonymous user

Víctor González victor.gonzalez at geomati.co
Wed Nov 23 06:49:27 PST 2016


If I change the rest configuration for GeoServer
(<data_dir>/security/rest.properties)
to this:

/**;GET=IS_AUTHENTICATED_ANONYMOUSLY
/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR

the auth dialog does not appear. The only problem with that solution is
that then all GET requests to the REST API are available to anyone. For
example, an anonymous user could get a package
(http://mygeonode/geoserver/rest/process/batchDownload/download/1)
even if that has been created for an authenticated user.

In case you want to take a look at the real instance:

http://geoserver-test.dainst.org/maps/976/download

Any ideas on this?

2016-11-18 15:37 GMT+01:00 Víctor González <victor.gonzalez at geomati.co>:

> Hi,
>
> I have a GeoNode instance installed from packages in an Ubuntu 14.04 [1].
>
> Authentication between GeoNode and GeoServer seems to be working; if I log
> into GeoNode and go to http://mygeonode/geoserver I am successfully
> logged in as the GeoNode user.
>
> The problem comes when I try to download a map as an anonymous user:
> http://mygeonode/maps/976/download.
>
> After clicking the download button and waiting a bit, I get a Basic HTTP
> auth dialog because of a 401 response from
> http://mygeonode/geoserver/rest/process/batchDownload/download/3
>
> The map is configured for viewing and downloading by anyone and it works
> as expected if I'm logged into GeoNode.
>
> I've seen that the rest filter chain in GeoServer uses the
> geonodeCookieFilter chain filter, which I think expects a valid "sessionid"
> cookie. That cookie is being sent in my anonymous requests together with
> csrftoken, both unexpired with path=/.
>
> I tried to compare the behavior and requests with demo.geonode.org but
> http://demo.geonode.org/geoserver is unresponsive right now.
>
> Find here a section of geoserver.log in case it sheds some light:
>
> 2016-11-18 15:28:01,628 DEBUG [geoserver.security] - AuthenticationCache
> found an entry for basic, admin:bfa584f5598433a3c1fe16b00acc9c43
> 2016-11-18 15:28:01,628 DEBUG [security.RESTfulPathBasedFilterInvocationDefinitionMap]
> - Converted URL to lowercase, from: '/rest/process/batchdownload/status/3';
> to: '/rest/process/batchdownload/status/3'  and httpMethod= GET
> 2016-11-18 15:28:01,628 DEBUG [security.RESTfulPathBasedFilterInvocationDefinitionMap]
> - ~~~~~~~~~~ antPath= /** methodList= [GET]
> 2016-11-18 15:28:01,628 DEBUG [security.RESTfulPathBasedFilterInvocationDefinitionMap]
> - Candidate is: '/rest/process/batchdownload/status/3'; antPath is /**;
> matchedPath=true; matchedMethods=true
> 2016-11-18 15:28:01,628 DEBUG [security.RESTfulPathBasedFilterInvocationDefinitionMap]
> - returning ROLE_ADMINISTRATOR
> 2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping
> found for [/rest/process/batchDownload/status/3]
> 2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping
> found for [/rest/process/batchDownload/status/3]
> 2016-11-18 15:28:01,629 DEBUG [ows.OWSHandlerMapping] - No handler mapping
> found for [/rest/process/batchDownload/status/3]
> 2016-11-18 15:28:01,630 DEBUG [geoserver.filters] - Compressing output for
> mimetype: application/json;charset=ISO-8859-1
> 2016-11-18 15:28:01,630 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1]
> - SecurityContextHolder now cleared, as request processing completed
> 2016-11-18 15:28:01,775 DEBUG [security.RESTfulPathBasedFilterInvocationDefinitionMap]
> - Converted URL to lowercase, from: '/rest/process/batchdownload/download/3';
> to: '/rest/process/batchdownload/download/3'  and httpMethod= GET
> 2016-11-18 15:28:01,775 DEBUG [security.RESTfulPathBasedFilterInvocationDefinitionMap]
> - ~~~~~~~~~~ antPath= /** methodList= [GET]
> 2016-11-18 15:28:01,775 DEBUG [security.RESTfulPathBasedFilterInvocationDefinitionMap]
> - Candidate is: '/rest/process/batchdownload/download/3'; antPath is /**;
> matchedPath=true; matchedMethods=true
> 2016-11-18 15:28:01,775 DEBUG [security.RESTfulPathBasedFilterInvocationDefinitionMap]
> - returning ROLE_ADMINISTRATOR
> 2016-11-18 15:28:01,776 DEBUG [filter.GeoServerSecurityContextPersistenceFilter$1]
> - SecurityContextHolder now cleared, as request processing completed
>
> Is this a bug? Misconfiguration in my instance? The expected behavior?
>
> Thanks in advance.
>
> [1] http://docs.geonode.org/en/master/tutorials/install_and_admin/quick_install.html#ubuntu
>
> --
> Víctor González
> http://geomati.co
>



-- 
Víctor González
http://geomati.co
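
An added example, not part of the original message and not GeoNode or GeoServer code: a small Python evaluator for rest.properties rules that reports which GET paths a rule set leaves readable without login. It assumes rules are tried top to bottom with the first match winning and uses a simplified Ant matcher; the NARROWED rule set and the sample URLs are constructed for comparison.

```python
import re

def ant_to_regex(pattern):
    """Simplified Ant matcher: ** spans segments, * and ? stay within one."""
    wild = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    tokens = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(wild.get(t, re.escape(t)) for t in tokens) + r"\Z")

def parse_rules(text):
    """Parse rest.properties lines of the form <antPath>;<METHODS>=<ROLES>."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            left, roles = line.split("=", 1)
            path, methods = left.split(";", 1)
            rules.append((ant_to_regex(path), set(methods.split(",")), roles.split(",")))
    return rules

def required_roles(rules, method, url):
    """Roles demanded by the first matching rule (assumption: first match wins)."""
    url = url.lower()  # the DEBUG log in the quoted message shows this lowercasing
    for regex, methods, roles in rules:
        if method in methods and regex.match(url):
            return roles
    return None  # no rule matched

def anonymous_readable(rules, urls):
    """URLs whose GET requests need nothing beyond an anonymous session."""
    return [u for u in urls
            if required_roles(rules, "GET", u) == ["IS_AUTHENTICATED_ANONYMOUSLY"]]

# Rule set from the message: every GET on the REST API is open.
OPEN = "/**;GET=IS_AUTHENTICATED_ANONYMOUSLY\n/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR\n"

# Constructed comparison: open only the batchDownload paths. The pattern is
# written in lowercase because matching happens against the lowercased URL.
NARROWED = ("/rest/process/batchdownload/**;GET=IS_AUTHENTICATED_ANONYMOUSLY\n"
            "/**;GET=ROLE_ADMINISTRATOR\n"
            "/**;POST,DELETE,PUT=ROLE_ADMINISTRATOR\n")

# Constructed sample requests: two from the thread, two other REST GET paths.
SAMPLE_URLS = ["/rest/process/batchDownload/status/3",
               "/rest/process/batchDownload/download/1",
               "/rest/layers.json",
               "/rest/workspaces.json"]

if __name__ == "__main__":
    for name, text in (("OPEN", OPEN), ("NARROWED", NARROWED)):
        print(name, anonymous_readable(parse_rules(text), SAMPLE_URLS))
```

With the narrowed rules the other REST paths go back to requiring ROLE_ADMINISTRATOR, but batchDownload packages remain readable by any anonymous client that requests them, which is the exposure described in the message.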