[GeoNode-users] Geoserver encryption problem setting up user services on postgresql

Olivier Dalang olivier.dalang at gmail.com
Wed Jan 17 20:09:05 PST 2018 

Dear Lists,

I'm cross-posting to geoserver-users and geonode-users as this question
concerns the setup of Geoserver but the end goal is to make it work with
Geonode.

I'm trying to setup Geoserver to use a postgres user table from Django (the
people_profile table from Geonode). I was able to make everything work
except password encryption.


To give a bit of context, this is what I did so far) :

1/ Added a new JDBC "User Group Services" with database details in Geoserver
and added it to the authentication provider chain

2/ Created a view in postgres like this (to replace the "users" table that
Geoserver is expecting) :
CREATE VIEW public.users AS
SELECT "username" as "name",
'crypt2:' || split_part("password",'$',4) as "password", -- this extracts
the hash from the django passwords
CASE WHEN "is_active" THEN 'Y' ELSE 'N' END as enabled
FROM public.people_profile;

3/ Created a custom password hasher for Django that using the jasypt4py
python library (that supports "PBEWITHSHA256AND256BITAES-CBC")
from jasypt4py import StandardPBEStringEncryptor
class GeoserverLikePasswordHasher(BasePasswordHasher):
algorithm = "geoserver-strong-pbe"
iterations = 100000

def encode(self, password, salt, iterations=None):
cryptor = StandardPBEStringEncryptor('PBEWITHSHA256AND256BITAES-CBC')
from_keystore =
"4F24227A565B3C743F7D4A69504E27432C292D6E632C4A6B40384A4A60395F364743657969717076"
.decode("hex")
hash = cryptor.encrypt( from_keystore, password, iterations)
return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, hash)

Problem is, when I try to connect with these logins, I get an exception
(see below[1]). The exception is not easy to debug as it's opaque on
prupose (to avoid revealing sensitive details).

When I fake the encryption (by hardcoding a hash that was generated by
Geoserver in the postgres view, or by using plain: and creating a
PlainPasswordHasher), I can log in, which means that the problem really is
at the encryption level.

I'm new to Java and Geoserver, so I'm not really sure what's going on.

I have two hypotheses :

1/ I'm using the wrong "password_key" (I'm using ug:django_key in my
geoserver.jceks that was created when I configured the user group service.
I also tried with config:password:key I could find there, but no more
luck). Am I correct trying to use that one ?
2/ There's a problem with the jasypt4py library. In the readme, they say
they only support "PBEWITHSHA256AND256BITAES-CBC" from Jasypt/Bouncycastle.
Is this what Geoserver uses ? Or are there several incompatible
implementations of Jasypt ? (again, I'm new to Java...)

Any idea of what to try next ? Has anyone been able to make such a setup
work ?

Thank you in advance for your help !!

Olivier




[1] This is the exception :

org.jasypt.exceptions.EncryptionOperationNotPossibleException
	at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:981)
	at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:717)
	at org.jasypt.spring.security3.PBEPasswordEncoder.isPasswordValid(PBEPasswordEncoder.java:218)
	at org.geoserver.security.password.AbstractGeoserverPasswordEncoder.isPasswordValid(AbstractGeoserverPasswordEncoder.java:142)
	at org.geoserver.security.password.GeoServerMultiplexingPasswordEncoder.isPasswordValid(GeoServerMultiplexingPasswordEncoder.java:91)
	at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:94)
	at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:165)
	at org.geoserver.security.auth.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:82)
	at org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:58)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
	at org.geoserver.security.GeoServerSecurityManager$1.authenticate(GeoServerSecurityManager.java:323)
	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:93)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
	at org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationFilter.doFilter(GeoServerUserNamePasswordAuthenticationFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:69)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
	at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:53)
	at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
	at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
	at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:152)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:88)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:89)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:48)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:44)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
	at org.eclipse.jetty.server.Server.handle(Server.java:499)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
	at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
	at java.lang.Thread.run(Thread.java:745)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/geonode-users/attachments/20180118/4c588129/attachment.html>

More information about the geonode-users mailing list