Examples of org.geoserver.security.GeoServerSecurityManager$AuthProviderHelper

• org.geoserver.security.GeoServerSecurityManager
  Interface that can be used to assist migration phases, adding XStream behaviours to be used only during migration of configurations from previous versions. A specific implementation can be passed to {@link FilterHelper.loadConfig} and/or {@link FilterHelper.saveConfig} to change XStream mappings and conversions to allow loadingof old (incompatible) configuration files that need to be updated to a new format. The implementation should implement the migrationPersister method to add aliases, converters or other XStream behaviours needed only when migrating old configurations. @author Mauro Bartolomeoli (mauro.bartolomeoli@geo-solutions.it)

        SecurityNamedServiceConfig filterCfg = new BaseSecurityNamedServiceConfig();
        filterCfg.setName("custom");
        filterCfg.setClassName(AuthCapturingFilter.class.getName());

        GeoServerSecurityManager secMgr = getSecurityManager();
        secMgr.saveFilter(filterCfg);

        SecurityManagerConfig cfg = secMgr.getSecurityConfig();
        cfg.getFilterChain().insertAfter("/web/**", filterCfg.getName(), GeoServerSecurityFilterChain.REMEMBER_ME_FILTER);

//        cfg.getFilterChain().put("/web/**", Arrays.asList(
//            new FilterChainEntry(filterCfg.getName(), Position.AFTER,
//                GeoServerSecurityFilterChain.REMEMBER_ME_FILTER)));

        secMgr.saveSecurityConfig(cfg);
    }

    protected ICrypt getEncrypterFromSession(HttpSession s) {
        ICrypt result = (ICrypt) s.getAttribute(ICRYPT_ATTR_NAME);
        if (result !=null) return result;

        GeoServerSecurityManager manager = GeoServerApplication.get().getSecurityManager();
        char[] key = manager.getRandomPassworddProvider().getRandomPasswordWithDefaultLength();

        StandardPBEByteEncryptor enc = new StandardPBEByteEncryptor();
        enc.setPasswordCharArray(key);
        // since the password is copied, we can scramble it
        manager.disposePassword(key);

        if (manager.isStrongEncryptionAvailable()) {
            enc.setProvider(new BouncyCastleProvider());
            enc.setAlgorithm("PBEWITHSHA256AND128BITAES-CBC-BC");
        }
        else // US export restrictions
            enc.setAlgorithm("PBEWITHMD5ANDDES");

    @Test
    public void testRoleStoreWrapper() throws Exception {
        setMockCreator(new MockCreator() {
            @Override
            public GeoServerSecurityManager createSecurityManager(MockTestData testData) throws Exception {
                GeoServerSecurityManager secMgr = createMock(GeoServerSecurityManager.class);

                GeoServerRoleStore roleStore1 = createRoleStore("test", secMgr, "role1", "parent1");
                addRolesToCreate(roleStore1, "", "duplicated", "xxx");

                GeoServerRoleStore roleStore2 = createRoleStore("test1", secMgr, "duplicated");

                expect(secMgr.listRoleServices()).andReturn(
                    new TreeSet<String>(Arrays.asList("test", "test1"))).anyTimes();

                replay(roleStore1, roleStore2, secMgr);
                return secMgr;
            }
        });

        GeoServerSecurityManager secMgr = getSecurityManager();
        GeoServerRoleStore roleStore = (GeoServerRoleStore) secMgr.loadRoleService("test");

        RoleStoreValidationWrapper store = new RoleStoreValidationWrapper(roleStore);
        try {
            store.addRole(store.createRoleObject(""));
            fail("empty role name should throw exception");
        } catch (IOException ex) {
            assertSecurityException(ex, NAME_REQUIRED);
        }

        try {
            store.addRole(store.createRoleObject(""));
            fail("empty role name should throw exception");
        } catch (IOException ex) {
            assertSecurityException(ex, NAME_REQUIRED);
        }

        GeoServerRole role1 = store.getRoleByName("role1");

        try {
            store.addRole(role1);
            fail("already existing role name should throw exception");
        } catch (IOException ex) {
            assertSecurityException(ex, ALREADY_EXISTS, "role1");
        }

        for (GeoServerRole srole : GeoServerRole.SystemRoles) {
            try {
                store.addRole(store.createRoleObject(srole.getAuthority()));
                fail("reserved role name should throw exception");
            } catch (IOException ex) {
                assertSecurityException(ex, RESERVED_NAME, srole.getAuthority());
            }
        }

        GeoServerRoleStore roleStore1 = (GeoServerRoleStore) secMgr.loadRoleService("test1");
        RoleStoreValidationWrapper store1 = new RoleStoreValidationWrapper(roleStore1);

        try {
            store.addRole(store.createRoleObject("duplicated"));
            fail("reserved role name should throw exception");

    @Test
    public void testRoleServiceWrapperAccessRules() throws Exception {
        setMockCreator(new MockCreator() {
            @Override
            public GeoServerSecurityManager createSecurityManager( MockTestData testData) throws Exception {
                GeoServerSecurityManager secMgr = createNiceMock(GeoServerSecurityManager.class);

                GeoServerRoleStore roleStore = createRoleStore("test", secMgr, "role1", "parent1");
                expect(roleStore.removeRole(new GeoServerRole("unused"))).andReturn(true);

                DataAccessRule dataAccessRule = createNiceMock(DataAccessRule.class);
                expect(dataAccessRule.compareTo(dataAccessRule)).andReturn(0).anyTimes();
                expect(dataAccessRule.getKey()).andReturn("foo").anyTimes();
                expect(dataAccessRule.getRoles()).andReturn(new TreeSet<String>(Arrays.asList("role1"))).anyTimes();
                replay(dataAccessRule);

                DataAccessRuleDAO dataAccessDAO = createNiceMock(DataAccessRuleDAO.class);
                expect(dataAccessDAO.getRulesAssociatedWithRole("role1")).andReturn(
                    new TreeSet<DataAccessRule>(Arrays.asList(dataAccessRule))).anyTimes();
                expect(dataAccessDAO.getRulesAssociatedWithRole("parent1")).andReturn(
                        new TreeSet<DataAccessRule>()).anyTimes();
                expect(secMgr.getDataAccessRuleDAO()).andReturn(dataAccessDAO).anyTimes();

                ServiceAccessRuleDAO serviceAccessDAO = createNiceMock(ServiceAccessRuleDAO.class);
                expect(serviceAccessDAO.getRulesAssociatedWithRole(
                    (String)anyObject())).andReturn(new TreeSet<ServiceAccessRule>()).anyTimes();
                expect(secMgr.getServiceAccessRuleDAO()).andReturn(serviceAccessDAO).anyTimes();

                replay(dataAccessDAO, serviceAccessDAO, roleStore, secMgr);
                return secMgr;
            }
        });

    @Test
    public void testRoleStoreWrapperWithUGServices() throws Exception {
        setMockCreator(new MockCreator() {
            @Override
            public GeoServerSecurityManager createSecurityManager(MockTestData testData) throws Exception {
                GeoServerSecurityManager secMgr = createNiceMock(GeoServerSecurityManager.class);

                GeoServerUserGroupStore ugStore1 = createUserGroupStore("test1", secMgr);
                addUsers(ugStore1, "user1", "abc");
                addGroups(ugStore1, "group1");

                GeoServerUserGroupStore ugStore2 = createUserGroupStore("test2", secMgr);
                addUsers(ugStore1, "user2", "abc");
                addGroups(ugStore1, "group2");

                GeoServerRoleStore roleStore = createRoleStore("test", secMgr, "role1");
                expect(roleStore.getGroupNamesForRole(new GeoServerRole("role1"))).andReturn(
                    new TreeSet<String>(Arrays.asList("group1", "group2"))).anyTimes();

                replay(ugStore1, ugStore2, roleStore, secMgr);
                return secMgr;
            }
        });

        GeoServerSecurityManager secMgr = getSecurityManager();
        GeoServerUserGroupStore ugStore1 = (GeoServerUserGroupStore) secMgr.loadUserGroupService("test1");
        GeoServerUserGroupStore ugStore2 = (GeoServerUserGroupStore) secMgr.loadUserGroupService("test2");

        RoleStoreValidationWrapper store = new RoleStoreValidationWrapper(
            (GeoServerRoleStore)secMgr.loadRoleService("test"), ugStore1, ugStore2);

        GeoServerRole role1 = store.getRoleByName("role1");
        try {
            store.associateRoleToGroup(role1, "group3");
            fail("unkown group should throw exception");

        getSecurityManager().saveFilter(bconfig);
    }

    @Before
    public void revertFilters() throws Exception {
        GeoServerSecurityManager secMgr = getSecurityManager();
        if (secMgr.listFilters().contains(testFilterName2)) {
            SecurityFilterConfig config = secMgr.loadFilterConfig(testFilterName2);
            secMgr.removeFilter(config);
        }
    }

    static class SecurityWarningsPanel extends Panel {

        public SecurityWarningsPanel(String id) {
            super(id);

            GeoServerSecurityManager manager = GeoServerApplication.get().getSecurityManager();

            // warn in case of an existing masterpw.info
            File mpInfo = null;
            Label mpInfoLabel=null;
            try {
                mpInfo = new File (manager.getSecurityRoot(),
                        GeoServerSecurityManager.MASTER_PASSWD_INFO_FILENAME);
                mpInfoLabel=new Label("mpfile", new StringResourceModel("masterPasswordFile", (Component)this, null,
                        new Object[] {mpInfo.getCanonicalFile()}));
                mpInfoLabel.setEscapeModelStrings(false);
                add(mpInfoLabel);
                mpInfoLabel.setVisible(mpInfo.exists());
            } catch (Exception ex) {
                throw new RuntimeException (ex);
            }

            // warn in case of an existing user.properties.old
            File userprops = null;
            Label userpropsLabel=null;
            try {
                userprops = new File (manager.getSecurityRoot(),
                        "users.properties.old");
                userpropsLabel=new Label("userpropsold", new StringResourceModel("userPropertiesOldFile", (Component)this, null,
                        new Object[] {userprops.getCanonicalFile()}));
                userpropsLabel.setEscapeModelStrings(false);
                add(userpropsLabel);
                userpropsLabel.setVisible(userprops.exists());
            } catch (Exception ex) {
                throw new RuntimeException (ex);
            }

            // check for default master password
            boolean visibility = manager.checkMasterPassword( DEFAULT_ADMIN_PASSWD);

            Label label=new Label("mpmessage", new StringResourceModel("changeMasterPassword", (Component)this, null));
            label.setEscapeModelStrings(false);
            add(label);
            Link link=null;;
            add(link=new Link("mplink") {
                @Override
                public void onClick() {
                    setResponsePage(new MasterPasswordChangePage());
                }
            });
            label.setVisible(visibility);
            link.setVisible(visibility);



            // check for default admin password
            visibility= manager.checkForDefaultAdminPassword();
            Page changeItPage = null;
            String passwordEncoderName=null;
            try {
                GeoServerUserGroupService ugService = manager.loadUserGroupService(XMLUserGroupService.DEFAULT_NAME);
                if (ugService != null) {
                    passwordEncoderName = ugService.getPasswordEncoderName();
                    GeoServerUser user = ugService.getUserByUsername(ADMIN_USERNAME);
                    if (user != null) {
                        changeItPage = new EditUserPage(ugService.getName(), user);
                    }
                }
            } catch (IOException e) {
                LOGGER.log(Level.WARNING, "Error looking up admin user", e);
            }
            if (changeItPage == null) {
                changeItPage = new UserGroupRoleServicesPage();
            }


            final Page linkPage = changeItPage;
            label=new Label("adminmessage", new StringResourceModel("changeAdminPassword", (Component)this, null));
            label.setEscapeModelStrings(false);
            add(label);
            add(link=new Link("adminlink") {
                @Override
                public void onClick() {
                    setResponsePage(linkPage);
                }
            });
            label.setVisible(visibility);
            link.setVisible(visibility);

            // inform about strong encryption
            if (manager.isStrongEncryptionAvailable()) {
                add(new Label("strongEncryptionMsg", new StringResourceModel("strongEncryption", new SecuritySettingsPage(), null))
                    .add(new AttributeAppender("class", new Model("info-link"), " ")));
            }
            else {
                add(new Label("strongEncryptionMsg", new StringResourceModel("noStrongEncryption", new SecuritySettingsPage(), null))
                .add(new AttributeAppender("class", new Model("warning-link"), " ")));
            }

            // check for password encoding in the default user group service
            visibility=false;
            if (passwordEncoderName!=null) {
                GeoServerPasswordEncoder encoder = manager.loadPasswordEncoder(passwordEncoderName);
                if (encoder!=null) {
                    visibility = encoder.isReversible();
                }
            }

    protected void oneTimeSetUp() throws Exception {
        super.oneTimeSetUp();
        scriptMgr = getScriptManager();

        // mock security manager to facilitate the requred admin access
        GeoServerSecurityManager secMgr = createNiceMock(GeoServerSecurityManager.class);
        expect(secMgr.checkAuthenticationForAdminRole()).andReturn(true).anyTimes();
        replay(secMgr);
        scriptMgr.setSecurityManager(secMgr);
    }

        config.setAdminRoleName("adminRole");
        config.setGroupAdminRoleName("groupAdminRole");
        config.setClassName(MemoryRoleService.class.getName());
        GeoServerRoleService service = new MemoryRoleService();
        service.initializeFromConfig(config);
        GeoServerSecurityManager manager = GeoServerExtensions.bean(GeoServerSecurityManager.class);
        service.setSecurityManager(manager);
        manager.setActiveRoleService(service);
        manager.saveRoleService(config);

        GeoServerRoleStore store = service.createStore();
        GeoServerRole adminRole = store.createRoleObject("adminRole");
        GeoServerRole groupAdminRole = store.createRoleObject("groupAdminRole");
        GeoServerRole role1 = store.createRoleObject("role1");

        }

        @Override
        public List<String> getObject() {

            GeoServerSecurityManager secMgr = getSecurityManager();
            List<String> filters = new ArrayList<String>(chainModel.getChain().getFilterNames());
            try {
                filters.retainAll(chainModel.getVariableFilterChain().listFilterCandidates(secMgr));
            } catch (IOException e) {
                throw new RuntimeException(e);