Proposal to merge geoserver 2.2.4

[Jesse Eichar]

Hi,

I have Geoserver 2.2.4 and 2.3.x working with georchestra (only 2.2.4 is well tested).

I would like to merge this change to the master branch.  Does anyone have any objections?

Jesse

[Yves Jacolin]

Jesse,

I am not a developer but I think this is a nice addition to geOrchestra, so +1
from me.

On the doc side, I think we need to improve documentation for the ACL
management in GeoServer which is quiet hard to understand now with GS 2.2 but
much more powerful.

Y.
--
Responsable Formation et Support
Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac, Cedex
Tel (France) : +33 4 79 26 57 98
Tel (Suisse) : 021 619 10 43 (new)
Mob. : +33 6 18 75 42 21
Fax : 04 79 70 15 81
Mail : yves.j...@camptocamp.com
http://www.camptocamp.com

[Fabrice Phung]

Hi

Thanks a lot for this improvement proposal. I'm still experiencing issues with GS 2.2 snapshot (ace7d3dca289c6a94f56436c1c46b0682f896402). The DescribeLayer redirects to the global services and the global service doesnt perform well with ACLs.

Another big issue is the layer name prefix removal since 2.x, we had to modify every MD to fit the new naming scheme. A smaller one was the broken imagemosaic format, but I heard about this issue being solved.

I can publish the new GS on georchestra.org or on our dev platform to test thoses things, please tell me the branch to dl and how to build it.

2013/2/22 Yves Jacolin <yves.j...@camptocamp.com>

--
--
projet: http://www.georchestra.org/

---
Vous recevez ce message, car vous êtes abonné au groupe Google Groupes georchestra-dev.
Pour vous désabonner de ce groupe et ne plus recevoir d'e-mails le concernant, envoyez un e-mail à l'adresse georchestra-d...@googlegroups.com.
Pour plus d'options, visitez le site https://groups.google.com/groups/opt_out .

--
fph

[Jesse Eichar]

I am not sure what you mean about DescribeLayer.  I tried: 

http://c2cpc61.camptocamp.com/geoserver/wms?request=DescribeLayer&version=1.1.1&layers=pigma_pub:departements 

and that seems to work fine.  I did have to correctly configure the proxy url in global settings but that is normal for most geoserver versions.

The prefix issue is an interesting one.  I need to look into that a bit more. 

Jesse

[Jesse Eichar]

I see what you mean about the prefix issue.  That is a little annoying.  We can use the Geonetwork process service to update all the metadata at once.  But I agree it is annoying...  

[Fabrice Phung]

2013/2/22 Jesse Eichar <jesse....@gmail.com>

I am not sure what you mean about DescribeLayer.  I tried: 

http://c2cpc61.camptocamp.com/geoserver/wms?request=DescribeLayer&version=1.1.1&layers=pigma_pub:departements 

try http://c2cpc61.camptocamp.com/geoserver/pigma_pub/wms?request=DescribeLayer&version=1.1.1&layers=departements

you'll have a response on the global service http://c2cpc61.camptocamp.com/geoserver/wfs/WfsDispatcher? 

this one cannot find the layer "departements"

http://c2cpc61.camptocamp.com/geoserver/wfs/WfsDispatcher?request=DescribeFeatureType&version=1.1.1&typename=departements

--
fph

[Jesse Eichar]

Ah I see what you mean.  

Are these known GS 2.2.4 bugs?

Are they fixed in GS 2.3 or higher?

[Fabrice Phung]

2013/2/22 Jesse Eichar <jesse....@gmail.com>

Ah I see what you mean.  

Are these known GS 2.2.4 bugs?

Yep http://jira.codehaus.org/browse/GEOS-5564

 

Are they fixed in GS 2.3 or higher?

maybe in justin deoliveira fork https://github.com/jdeolive/geoserver/commit/a0b46717d2c770301d338ea8840d44b24e9908ef

didn't test in GS 2.3 

[Jesse Eichar]

THanks for the information

--

[Jesse Eichar]

I have taking the fix on justin's fork and added it to the geoserver branch I have for geonetwork.  It fixes the one issue with the describe layer.  I have also made an xsl file that can update all links to remove the prefix in geonetwork.  This still isn't perfect as I would like both global and virtual workspaces to have the same layer name.  But between the two I think it can make the system function correctly with the new geoserver.

I saw that geoserver 2.2.5 is being released though.  So I think I might see if that version fixes any of our issues.

Jesse

[Fabrice Phung]

Thanks a lot Jesse, will test that asap

2013/2/26 Jesse Eichar <jesse....@gmail.com>

--
fph

[lydie.vi...@region-bretagne.fr]

Thank you Jesse !

 

-----georche...@googlegroups.com a écrit : -----

A : georchestra-dev <georche...@googlegroups.com>
De : Jesse Eichar
Envoyé par : georche...@googlegroups.com
Date : 26/02/2013 16:42
Objet : Re: [georchestra-dev] Proposal to merge geoserver 2.2.4

[Fabrice Phung]

2013/2/26 Jesse Eichar <jesse....@gmail.com>

I have taking the fix on justin's fork and added it to the geoserver branch I have for geonetwork.  It fixes the one issue with the describe layer.  I have also made an xsl file that can update all links to remove the prefix in geonetwork.  This still isn't perfect as I would like both global and virtual workspaces to have the same layer name.  But between the two I think it can make the system function correctly with the new geoserver.

Hi Jesse

We now have a jenkins task to build georchestra-geoserver-2.2.4

I deployed the war behind our dev security proxy : http://dev.geobretagne.fr/geoserver/
Seems that I missed something in the build ?

I'm using clean install -Pcontrol-flow,wps,inspire,pyramid,gdal

[Jesse Eichar]

That looks more like it is the geonetwork/geoserver interference problem.  When Geoserver loads its needs the correct XSL Transformer.  The old Geonetwork (the new one isn't supposed to do this although I haven't tested it) would replace the XSL transformer.  This makes GEonetwork not load in some cases.  Although sometimes it will load depending on what order the wars are loaded.

--

[Fabrice Phung]

2013/2/27 Jesse Eichar <jesse....@gmail.com>

That looks more like it is the geonetwork/geoserver interference problem.  When Geoserver loads its needs the correct XSL Transformer.  The old Geonetwork (the new one isn't supposed to do this although I haven't tested it) would replace the XSL transformer.  This makes GEonetwork not load in some cases.  Although sometimes it will load depending on what order the wars are loaded.

Jesse you're right, sneaky bug but I should have remembered it.

Deploy successful on http://dev.geobretagne.fr/geoserver/

Security model on MIXED

Using http://dev.geobretagne.fr/geoserver/ci/wms for tests, two layers : "ProtectedLayer" and "UnprotectedLayer"

GeoServer Auth through CAS OK

GS Extensions are properly built and exposed : WPS, ImagePyramid, INSPIRE, control flow

with mapfishapp :

Unprotected GetCapabilities OK
Unprotected GetMap OK
Unprotected GFI OK
Unprotected DescribeLayer OK
Unprotected DescribeFeatureType OK
Unprotected GetFeature OK
Protected not showing OK

=> login with demo/demodemo, I have to login through mapfishapp

Protected GetCapabilities OK
Protected GetMap OK
Protected GFI OK
Protected DescribeLayer OK
Protected DescribeFeatureType OK
Protected GetFeature OK

Still have to test BASIC AUTH with desktop GIS and the REST interface, but for geOrchestra viewer this a GO for me ! *Nice job !*

I do not understand how the namespace admin right is supposed to react. I noticed that a non admin user may gains access to a limited admin interface on a specific namepsace, but I coudn't perform any adm task.

 

[Jesse Eichar]

Nice job testing and I can't say thank you enough for that!

--

[Fabrice Phung]

2013/2/27 Jesse Eichar <jesse....@gmail.com>

Nice job testing and I can't say thank you enough for that!

GS2.2 On sdi.georchestra.org ASAP ! 

[Fabrice Phung]

Hi

I reran the tests and it seems that I forgot something.
I tested the protectedLayer and unprotectedLayer independently. Worked for both.

1/ seems that when both protectedLayer and unprotectedLayer are simultaneously set up on a given namespace, a getFeature on unprotectedLayer raises a BASIC auth for a non authenticated user. Suspecting something about a wrong anonymousUser

2/ I tested the OGC interfaces but didn't test the "SLD auto classification". It fails on protectedLayer for an authenticated user.

Can't say if its local or not.

2013/2/27 Jesse Eichar <jesse....@gmail.com>

--
fph

[Jesse Eichar]

On Thu, Feb 28, 2013 at 11:29 AM, Fabrice Phung <fab...@phung.fr> wrote:

Hi

I reran the tests and it seems that I forgot something.
I tested the protectedLayer and unprotectedLayer independently. Worked for both.

1/ seems that when both protectedLayer and unprotectedLayer are simultaneously set up on a given namespace, a getFeature on unprotectedLayer raises a BASIC auth for a non authenticated user. Suspecting something about a wrong anonymousUser

This sounds fairly serious.  I will look into this

 

2/ I tested the OGC interfaces but didn't test the "SLD auto classification". It fails on protectedLayer for an authenticated user.

How do you test the SLD auto classification?  

Jesse

[Fabrice Phung]

Le 28/02/2013 20:33, Jesse Eichar a écrit :
>
>
>
> On Thu, Feb 28, 2013 at 11:29 AM, Fabrice Phung <fab...@phung.fr
> <mailto:fab...@phung.fr>> wrote:
>
> Hi
>
> I reran the tests and it seems that I forgot something.
> I tested the protectedLayer and unprotectedLayer independently.
> Worked for both.
>
> 1/ seems that when both protectedLayer and unprotectedLayer are
> simultaneously set up on a given namespace, a getFeature on
> unprotectedLayer raises a BASIC auth for a non authenticated user.
> Suspecting something about a wrong anonymousUser
>
>
> This sounds fairly serious. I will look into this

I got some more infos.

I have 3 "continous integration" layers (btw, I'm trying to build a test
case for that, it would be very useful) :
* unprotectedLayer, r for *
* protectedLayer, r for SV_USER
* forbiddenLayer, r for NO_ONE (means... forbidden for everybody)

After authentication, on *protectedLayer* : getCap OK, getFeatureInfo
OK, DescribeLayer OK, getMap OK, DescribeFeatureType OK

GetFeature NOOK. In the logs, I see that access is not granted because
the user has no r rights on *forbiddenLayer*.

I think that the bug you fixed in GS 2.1 is still here : a single non
granted layer may trigger "access denied" for a sibling granted layer.

> 2/ I tested the OGC interfaces but didn't test the "SLD auto
> classification". It fails on protectedLayer for an authenticated user.
>
>
> How do you test the SLD auto classification?

Through mapfishapp. Guess that the GetFeature ACL check is faultly
(DescribeLayer and DescribeFeatureType are OK).

[Jesse Eichar]

I suspect you are right about the single non-granted layer triggering "access denied"  I forgot about this fix and haven't ported it over.  I will do that before merging.

--
--
projet: http://www.georchestra.org/

--- Vous recevez ce message, car vous êtes abonné au groupe Google Groupes georchestra-dev.

Pour vous désabonner de ce groupe et ne plus recevoir d'e-mails le concernant, envoyez un e-mail à l'adresse georchestra-dev+unsubscribe@googlegroups.com.

[Fabrice Phung]

2013/3/1 Jesse Eichar <jesse....@gmail.com>

I suspect you are right about the single non-granted layer triggering "access denied"  I forgot about this fix and haven't ported it over.  I will do that before merging.

Jesse, I tested the "HIDDEN" mode instead of the "MIXED" mode. HIDDEN works flawlessly for mapfishapp (even automatic classification on protected layers).

[Jesse Eichar]

Mauricio is taking over this issue. He will port the change from 2.1.3-georchestra branch to 2.2.4-georchestra branch.

--

--
projet: http://www.georchestra.org/
 
---
Vous recevez ce message, car vous êtes abonné au groupe Google Groupes georchestra-dev.

Pour vous désabonner de ce groupe et ne plus recevoir d'e-mails le concernant, envoyez un e-mail à l'adresse georchestra-d...@googlegroups.com.