Proposal to merge geoserver 2.2.4

13 views
Skip to first unread message

Jesse Eichar

unread,
Feb 22, 2013, 5:12:51 AM2/22/13
to georchestra-dev
Hi,

I have Geoserver 2.2.4 and 2.3.x working with georchestra (only 2.2.4 is well tested).

I would like to merge this change to the master branch.  Does anyone have any objections?

Jesse

Yves Jacolin

unread,
Feb 22, 2013, 6:04:02 AM2/22/13
to georche...@googlegroups.com, Jesse Eichar
Jesse,

I am not a developer but I think this is a nice addition to geOrchestra, so +1
from me.

On the doc side, I think we need to improve documentation for the ACL
management in GeoServer which is quiet hard to understand now with GS 2.2 but
much more powerful.

Y.
--
Responsable Formation et Support
Camptocamp France SAS
Savoie Technolac, BP 352
73377 Le Bourget du Lac, Cedex
Tel (France) : +33 4 79 26 57 98
Tel (Suisse) : 021 619 10 43 (new)
Mob. : +33 6 18 75 42 21
Fax : 04 79 70 15 81
Mail : yves.j...@camptocamp.com
http://www.camptocamp.com

Fabrice Phung

unread,
Feb 22, 2013, 6:51:42 AM2/22/13
to georche...@googlegroups.com
Hi

Thanks a lot for this improvement proposal. I'm still experiencing issues with GS 2.2 snapshot (ace7d3dca289c6a94f56436c1c46b0682f896402). The DescribeLayer redirects to the global services and the global service doesnt perform well with ACLs.

Another big issue is the layer name prefix removal since 2.x, we had to modify every MD to fit the new naming scheme. A smaller one was the broken imagemosaic format, but I heard about this issue being solved.

I can publish the new GS on georchestra.org or on our dev platform to test thoses things, please tell me the branch to dl and how to build it.

2013/2/22 Yves Jacolin <yves.j...@camptocamp.com>

--
--
projet: http://www.georchestra.org/

---
Vous recevez ce message, car vous êtes abonné au groupe Google Groupes georchestra-dev.
Pour vous désabonner de ce groupe et ne plus recevoir d'e-mails le concernant, envoyez un e-mail à l'adresse georchestra-d...@googlegroups.com.
Pour plus d'options, visitez le site https://groups.google.com/groups/opt_out .





--
fph

Jesse Eichar

unread,
Feb 22, 2013, 7:55:43 AM2/22/13
to georchestra-dev
I am not sure what you mean about DescribeLayer.  I tried: 


and that seems to work fine.  I did have to correctly configure the proxy url in global settings but that is normal for most geoserver versions.

The prefix issue is an interesting one.  I need to look into that a bit more. 

Jesse

Jesse Eichar

unread,
Feb 22, 2013, 8:32:03 AM2/22/13
to georchestra-dev
I see what you mean about the prefix issue.  That is a little annoying.  We can use the Geonetwork process service to update all the metadata at once.  But I agree it is annoying...  

Fabrice Phung

unread,
Feb 22, 2013, 9:34:05 AM2/22/13
to georche...@googlegroups.com

Jesse Eichar

unread,
Feb 22, 2013, 9:37:47 AM2/22/13
to georchestra-dev
Ah I see what you mean.  

Are these known GS 2.2.4 bugs?

Are they fixed in GS 2.3 or higher?

Fabrice Phung

unread,
Feb 22, 2013, 10:42:11 AM2/22/13
to georche...@googlegroups.com


2013/2/22 Jesse Eichar <jesse....@gmail.com>

Ah I see what you mean.  

Are these known GS 2.2.4 bugs?

 

Are they fixed in GS 2.3 or higher?


didn't test in GS 2.3 

Jesse Eichar

unread,
Feb 22, 2013, 10:56:52 AM2/22/13
to georchestra-dev
THanks for the information


--

Jesse Eichar

unread,
Feb 26, 2013, 10:41:35 AM2/26/13
to georchestra-dev
I have taking the fix on justin's fork and added it to the geoserver branch I have for geonetwork.  It fixes the one issue with the describe layer.  I have also made an xsl file that can update all links to remove the prefix in geonetwork.  This still isn't perfect as I would like both global and virtual workspaces to have the same layer name.  But between the two I think it can make the system function correctly with the new geoserver.

I saw that geoserver 2.2.5 is being released though.  So I think I might see if that version fixes any of our issues.

Jesse

Fabrice Phung

unread,
Feb 26, 2013, 1:06:16 PM2/26/13
to georche...@googlegroups.com
Thanks a lot Jesse, will test that asap

2013/2/26 Jesse Eichar <jesse....@gmail.com>



--
fph

lydie.vi...@region-bretagne.fr

unread,
Feb 27, 2013, 2:35:16 AM2/27/13
to georche...@googlegroups.com
Thank you Jesse !
 

-----georche...@googlegroups.com a écrit : -----
A : georchestra-dev <georche...@googlegroups.com>
De : Jesse Eichar
Envoyé par : georche...@googlegroups.com
Date : 26/02/2013 16:42
Objet : Re: [georchestra-dev] Proposal to merge geoserver 2.2.4

Fabrice Phung

unread,
Feb 27, 2013, 7:04:46 AM2/27/13
to georche...@googlegroups.com
2013/2/26 Jesse Eichar <jesse....@gmail.com>

I have taking the fix on justin's fork and added it to the geoserver branch I have for geonetwork.  It fixes the one issue with the describe layer.  I have also made an xsl file that can update all links to remove the prefix in geonetwork.  This still isn't perfect as I would like both global and virtual workspaces to have the same layer name.  But between the two I think it can make the system function correctly with the new geoserver.

Hi Jesse

We now have a jenkins task to build georchestra-geoserver-2.2.4

I deployed the war behind our dev security proxy : http://dev.geobretagne.fr/geoserver/
Seems that I missed something in the build ?

I'm using clean install -Pcontrol-flow,wps,inspire,pyramid,gdal

Jesse Eichar

unread,
Feb 27, 2013, 7:50:05 AM2/27/13
to georchestra-dev
That looks more like it is the geonetwork/geoserver interference problem.  When Geoserver loads its needs the correct XSL Transformer.  The old Geonetwork (the new one isn't supposed to do this although I haven't tested it) would replace the XSL transformer.  This makes GEonetwork not load in some cases.  Although sometimes it will load depending on what order the wars are loaded.


--

Fabrice Phung

unread,
Feb 27, 2013, 11:04:42 AM2/27/13
to georche...@googlegroups.com


2013/2/27 Jesse Eichar <jesse....@gmail.com>

That looks more like it is the geonetwork/geoserver interference problem.  When Geoserver loads its needs the correct XSL Transformer.  The old Geonetwork (the new one isn't supposed to do this although I haven't tested it) would replace the XSL transformer.  This makes GEonetwork not load in some cases.  Although sometimes it will load depending on what order the wars are loaded.

Jesse you're right, sneaky bug but I should have remembered it.

Deploy successful on http://dev.geobretagne.fr/geoserver/

Security model on MIXED

Using http://dev.geobretagne.fr/geoserver/ci/wms for tests, two layers : "ProtectedLayer" and "UnprotectedLayer"

GeoServer Auth through CAS OK

GS Extensions are properly built and exposed : WPS, ImagePyramid, INSPIRE, control flow

with mapfishapp :

Unprotected GetCapabilities OK
Unprotected GetMap OK
Unprotected GFI OK
Unprotected DescribeLayer OK
Unprotected DescribeFeatureType OK
Unprotected GetFeature OK
Protected not showing OK

=> login with demo/demodemo, I have to login through mapfishapp

Protected GetCapabilities OK
Protected GetMap OK
Protected GFI OK
Protected DescribeLayer OK
Protected DescribeFeatureType OK
Protected GetFeature OK

Still have to test BASIC AUTH with desktop GIS and the REST interface, but for geOrchestra viewer this a GO for me ! *Nice job !*

I do not understand how the namespace admin right is supposed to react. I noticed that a non admin user may gains access to a limited admin interface on a specific namepsace, but I coudn't perform any adm task.

 

Jesse Eichar

unread,
Feb 27, 2013, 11:07:09 AM2/27/13
to georchestra-dev
Nice job testing and I can't say thank you enough for that!


--

Fabrice Phung

unread,
Feb 27, 2013, 11:19:16 AM2/27/13
to georche...@googlegroups.com
2013/2/27 Jesse Eichar <jesse....@gmail.com>
Nice job testing and I can't say thank you enough for that!

GS2.2 On sdi.georchestra.org ASAP ! 

Fabrice Phung

unread,
Feb 28, 2013, 5:29:57 AM2/28/13
to georche...@googlegroups.com
Hi

I reran the tests and it seems that I forgot something.
I tested the protectedLayer and unprotectedLayer independently. Worked for both.

1/ seems that when both protectedLayer and unprotectedLayer are simultaneously set up on a given namespace, a getFeature on unprotectedLayer raises a BASIC auth for a non authenticated user. Suspecting something about a wrong anonymousUser

2/ I tested the OGC interfaces but didn't test the "SLD auto classification". It fails on protectedLayer for an authenticated user.

Can't say if its local or not.



2013/2/27 Jesse Eichar <jesse....@gmail.com>



--
fph

Jesse Eichar

unread,
Feb 28, 2013, 2:33:51 PM2/28/13
to georchestra-dev
On Thu, Feb 28, 2013 at 11:29 AM, Fabrice Phung <fab...@phung.fr> wrote:
Hi

I reran the tests and it seems that I forgot something.
I tested the protectedLayer and unprotectedLayer independently. Worked for both.

1/ seems that when both protectedLayer and unprotectedLayer are simultaneously set up on a given namespace, a getFeature on unprotectedLayer raises a BASIC auth for a non authenticated user. Suspecting something about a wrong anonymousUser


This sounds fairly serious.  I will look into this
 
2/ I tested the OGC interfaces but didn't test the "SLD auto classification". It fails on protectedLayer for an authenticated user.

How do you test the SLD auto classification?  

Jesse

Fabrice Phung

unread,
Feb 28, 2013, 4:44:08 PM2/28/13
to georche...@googlegroups.com
Le 28/02/2013 20:33, Jesse Eichar a écrit :
>
>
>
> On Thu, Feb 28, 2013 at 11:29 AM, Fabrice Phung <fab...@phung.fr
> <mailto:fab...@phung.fr>> wrote:
>
> Hi
>
> I reran the tests and it seems that I forgot something.
> I tested the protectedLayer and unprotectedLayer independently.
> Worked for both.
>
> 1/ seems that when both protectedLayer and unprotectedLayer are
> simultaneously set up on a given namespace, a getFeature on
> unprotectedLayer raises a BASIC auth for a non authenticated user.
> Suspecting something about a wrong anonymousUser
>
>
> This sounds fairly serious. I will look into this

I got some more infos.

I have 3 "continous integration" layers (btw, I'm trying to build a test
case for that, it would be very useful) :
* unprotectedLayer, r for *
* protectedLayer, r for SV_USER
* forbiddenLayer, r for NO_ONE (means... forbidden for everybody)

After authentication, on *protectedLayer* : getCap OK, getFeatureInfo
OK, DescribeLayer OK, getMap OK, DescribeFeatureType OK

GetFeature NOOK. In the logs, I see that access is not granted because
the user has no r rights on *forbiddenLayer*.

I think that the bug you fixed in GS 2.1 is still here : a single non
granted layer may trigger "access denied" for a sibling granted layer.


> 2/ I tested the OGC interfaces but didn't test the "SLD auto
> classification". It fails on protectedLayer for an authenticated user.
>
>
> How do you test the SLD auto classification?

Through mapfishapp. Guess that the GetFeature ACL check is faultly
(DescribeLayer and DescribeFeatureType are OK).

Jesse Eichar

unread,
Mar 1, 2013, 2:43:14 AM3/1/13
to georchestra-dev
I suspect you are right about the single non-granted layer triggering "access denied"  I forgot about this fix and haven't ported it over.  I will do that before merging.


--
--
projet: http://www.georchestra.org/

--- Vous recevez ce message, car vous êtes abonné au groupe Google Groupes georchestra-dev.
Pour vous désabonner de ce groupe et ne plus recevoir d'e-mails le concernant, envoyez un e-mail à l'adresse georchestra-dev+unsubscribe@googlegroups.com.

Fabrice Phung

unread,
Mar 1, 2013, 4:13:41 AM3/1/13
to georche...@googlegroups.com


2013/3/1 Jesse Eichar <jesse....@gmail.com>

I suspect you are right about the single non-granted layer triggering "access denied"  I forgot about this fix and haven't ported it over.  I will do that before merging.

Jesse, I tested the "HIDDEN" mode instead of the "MIXED" mode. HIDDEN works flawlessly for mapfishapp (even automatic classification on protected layers).

Jesse Eichar

unread,
Mar 1, 2013, 4:20:26 AM3/1/13
to georchestra-dev
Mauricio is taking over this issue. He will port the change from 2.1.3-georchestra branch to 2.2.4-georchestra branch.


--
--
projet: http://www.georchestra.org/
 
---
Vous recevez ce message, car vous êtes abonné au groupe Google Groupes georchestra-dev.
Pour vous désabonner de ce groupe et ne plus recevoir d'e-mails le concernant, envoyez un e-mail à l'adresse georchestra-d...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages