Open gisdata-es opened 11 months ago
Thanks for opening the issue, we will take a look at it since it is something unexpected
It seems that one request in a while asks for auth. Pls note that the screenshotted requests all ask for the same layer:
Also, repeating the very same request later it returns the image with a 200
@afabiani reported this is always requesting authentication: https://development.demo.geonode.org/geoserver/gwc/service/wmts?service=WMTS&REQUEST=DescribeDomains&version=1.0.0&layer=geonode:simulation_clusters&tileMatrixSet=EPSG:4326&expandLimit=10
GeoServer log reports this:
15 Dec 11:02:47 DEBUG [geoserver.geofence] - ResourceInfo filter: RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"92.222.205.36"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"simulation_clusters"+]
15 Dec 11:02:47 DEBUG [geofence.cache] - Request for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"92.222.205.36"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"simulation_clusters"+]
15 Dec 11:02:47 DEBUG [geofence.cache] - Loading RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"92.222.205.36"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"simulation_clusters"+]
15 Dec 11:02:47 INFO [services.RuleReaderServiceImpl] - Requesting access for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"92.222.205.36"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"simulation_clusters"+]
15 Dec 11:02:47 DEBUG [util.FilterUtils] - ADDED Rule[id:43193 pri:31774 srv:WMS ws:geonode l:simulation_clusters acc:ALLOW]
15 Dec 11:02:47 DEBUG [util.FilterUtils] - ADDED Rule[id:43200 pri:31781 ws:geonode l:simulation_clusters acc:ALLOW]
15 Dec 11:02:47 DEBUG [services.RuleReaderServiceImpl] - Filter RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"92.222.205.36"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"simulation_clusters"+] is matching the following Rules:
15 Dec 11:02:47 DEBUG [services.RuleReaderServiceImpl] - Role:ROLE_ANONYMOUS
15 Dec 11:02:47 DEBUG [services.RuleReaderServiceImpl] - Role:ROLE_ANONYMOUS ---> Rule[id:43193 pri:31774 srv:WMS ws:geonode l:simulation_clusters acc:ALLOW]
15 Dec 11:02:47 DEBUG [services.RuleReaderServiceImpl] - Role:ROLE_ANONYMOUS ---> Rule[id:43200 pri:31781 ws:geonode l:simulation_clusters acc:ALLOW]
15 Dec 11:02:47 DEBUG [services.RuleReaderServiceImpl] - Filter RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"92.222.205.36"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"simulation_clusters"+] on role ROLE_ANONYMOUS has access AccessInfoInternal[grant:ALLOW]
15 Dec 11:02:47 INFO [services.RuleReaderServiceImpl] - Returning AccessInfo[grant:ALLOW admin:false] for RuleFilter[user:"anonymous"+ role:ANY inst:name+:default-gs ip:"92.222.205.36"+ serv:"WMS"+ req:"GETCAPABILITIES"+ sub:ANY ws:"geonode"+ layer:"simulation_clusters"+]
15 Dec 11:02:47 DEBUG [geoserver.geofence] - Returning mode HIDE for resource FeatureTypeInfoImpl[simulation_clusters]
15 Dec 11:02:47 DEBUG [geoserver.geofence] - Returning VectorAccessLimits [readAttributes=null, writeAttributes=null, writeFilter=Filter.INCLUDE, readFilter=Filter.INCLUDE, mode=HIDE] for layer simulation_clusters and user anonymous
so GeoFence is allowing the access for such a layer.
Log when accessing https://development.demo.geonode.org/catalogue/#/map/3287
The only part related to the error seems to be:
9267 15 Dec 11:19:59 DEBUG [geoserver.security] - Matched Path: /gwc/service/wmts, QueryString: service=WMTS&REQUEST=DescribeDomains&version=1.0.0&layer=geonode:simulation_clusters&tileMatrixSet=EPSG:4326&expandLimit=10 with /gwc/**
9268 15 Dec 11:19:59 DEBUG [geoserver.security] - Inspecting the http request looking for the Custom Session ID.
9269 15 Dec 11:19:59 DEBUG [geoserver.security] - Found 4 cookies!
9270 15 Dec 11:19:59 DEBUG [geoserver.security] - Found Custom Session cookie: 1endd9o6m9dr9aoo40ppagefpqfx9djj
9271 15 Dec 11:19:59 DEBUG [geoserver.security] - preAuthenticatedPrincipal = null, trying to authenticate
These are the snippets where such string appears:
find -name *.java | xargs grep "trying to authenticate"
./src/main/src/main/java/org/geoserver/security/filter/GeoServerPreAuthenticationFilter.java: "preAuthenticatedPrincipal = " + principal + ", trying to authenticate");
./src/community/security/oauth2/oauth2-core/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java: "preAuthenticatedPrincipal = " + principal + ", trying to authenticate");
./src/community/security/oauth2/oauth2-core/src/main/java/org/geoserver/security/oauth2/GeoServerOAuthAuthenticationFilter.java: "Error while trying to authenticate to OAuth2 Provider with the following Exception cause:",
./src/extension/authkey/src/main/java/org/geoserver/security/GeoServerAuthenticationKeyFilter.java: LOGGER.log(Level.FINE, "found user: = " + user.getUsername() + ", trying to authenticate");
Please check the GWC Filter Chain and make sure it has been correctly configured
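A triage helper for the `geoserver.security` DEBUG lines quoted above, added here as an example (it is not code from GeoServer, GeoNode or any participant in this thread). It pairs each `Matched Path` line with a following `preAuthenticatedPrincipal = null, trying to authenticate` line to show which filter-chain pattern and OGC request triggered the authentication attempt. The sample log is constructed from the format shown in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample modelled on the log lines quoted in this thread (not a real capture).
SAMPLE_LOG = """\
15 Dec 11:19:58 DEBUG [geoserver.security] - Matched Path: /gwc/service/wmts, QueryString: service=WMTS&REQUEST=GetTile&layer=geonode:simulation_clusters with /gwc/**
15 Dec 11:19:58 DEBUG [geoserver.security] - Found 4 cookies!
15 Dec 11:19:59 DEBUG [geoserver.security] - Matched Path: /gwc/service/wmts, QueryString: service=WMTS&REQUEST=DescribeDomains&layer=geonode:simulation_clusters with /gwc/**
15 Dec 11:19:59 DEBUG [geoserver.security] - preAuthenticatedPrincipal = null, trying to authenticate
15 Dec 11:20:01 DEBUG [geoserver.security] - Matched Path: /wms, QueryString: service=WMS&REQUEST=GetMap&layers=geonode:simulation_clusters with /wms/**
"""

MATCHED = re.compile(
    r"Matched Path: (?P<path>\S+), QueryString: (?P<qs>\S*) with (?P<pattern>\S+)"
)
PREAUTH_NULL = "preAuthenticatedPrincipal = null, trying to authenticate"


def find_auth_attempts(log_text):
    """Return (chain pattern, path, REQUEST, layer) for requests that hit the pre-auth retry.

    Assumes the lines of one request are contiguous, as in a single-request excerpt;
    on a busy server, interleaved threads would need a thread or request id to correlate.
    """
    hits, current = [], None
    for line in log_text.splitlines():
        if "[geoserver.security]" not in line:
            continue
        m = MATCHED.search(line)
        if m:
            current = m  # remember the most recent chain match
        elif PREAUTH_NULL in line and current is not None:
            # OGC parameter names are case-insensitive, so normalise the keys.
            params = {k.lower(): v[0] for k, v in parse_qs(current["qs"]).items()}
            layer = params.get("layer") or params.get("layers")
            hits.append((current["pattern"], current["path"], params.get("request"), layer))
            current = None
    return hits


def attempts_per_chain(log_text):
    """Count pre-auth attempts per filter-chain pattern."""
    return Counter(pattern for pattern, _, _, _ in find_auth_attempts(log_text))


if __name__ == "__main__":
    for hit in find_auth_attempts(SAMPLE_LOG):
        print(hit)
```
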
@gisdata-es did you have the chance to test the fix proposed by @afabiani?
Hello, I have tried again and the problem persists.
I have modified the filter chain and the problem persists.
the datadir for Geoserver 2.23.3 with the fix has been published.
Hello,
Tested at https://stable.demo.geonode.org/ and noticed that the problem persists
I have created the following map:
1.- https://stable.demo.geonode.org/catalogue/#/map/9179
2.- I zoom in and zoom out several times and at some point the authentication prompt appears.
Any solution?
@gisdata-es we're still investigating the problem. It seems to be rooted deep down in Geoserver. FYI For the moment we have reverted stable demo to Geoserver 2.23.1 (with the same data dir and configurations as 2.23.3) and the problem seems to not appear.
By removing geonode-oauth2 from the Authentication Filters list, the problem does not show up.
geonode-oauth2
authenticatorweb
chain, so you'll have to
security/config.xml file and remove geonode-oauth2 from the various chains.
Also only removing geonode-oauth2 from the chain web solves.
Replacing the spring-security libs v5.7.10 with the ones in geoserver 2.23.1 (v5.7.8) does not solve.
@giohappy @etj api/o/v4/userinfo is a GeoNode endpoint. This is used by GeoServer OAUTH2 module to retrieve the user details. Is it now protected somehow on GeoNode? Something has changed here? In any case that's a bit strange. GeoServer should not query that method in the case of an anonymous user. It's possible that in the newest GeoServer plugin it will attempt to check the user-infos in any case.
@afabiani as far as I know the userinfo has always been protected / unavailable for anonymous users
Let's recap:
Fixed in 4.2.2
We encountered the issue with GeoNode 4.2.5 and GeoServer 2.24.4. See my comment here: https://github.com/GeoNode/geoserver-geonode-ext/commit/1e36104a11355e131d437bafd7555a5d5b3d2475#commitcomment-146374544
Can we please re-check if the latest builds of GeoServer GeoNode data dirs have fixed this issue, too?
Hello, I have seen that when viewing a map without being authenticated, when you interact with the map, a pop-up window appears asking me to authenticate. I close the window and it lets me continue interacting, at the same time the window appears again asking me to authenticate. Can anyone understand why this is happening?
Steps to Reproduce the Problem
Specifications