[52N Security] WFS DescribeFeatureType issue

[52N Security] WFS DescribeFeatureType issue

geotux_tuxman
Hi all,

First of all, thanks for sharing the security package with the community.

I have not checked if this was addressed before, but I want to ask you about a strange behavior in the DescribeFeatureType WFS request.

I have installed the WSS 2.2.0 package for implementing security on geographic web services, and this is what the permissions file looks like (well, just one part of it):
-------------------------------------
<Permission name="bob_DescribeFeatureType">
    <Resource value="/featuretype/limite_internacional"/>
    <Resource value="/featuretype/municipios"/>
    <Resource value="/featuretype/hito_limite"/>
    <Action value="/operations/DescribeFeatureType"/>
    <Subject value="bob"/>
</Permission>
-------------------------------------

If I try this request [1] with the user Bob (HTTP basic authentication), I get all the feature types described, not only those that I have referenced in the permissions file.
As far as I know, the user Bob is not supposed to get those results. Anyway, if I try either this request [2], with the parameter TYPENAME pointing at an allowed layer (e.g. hito_limite), or this one [3], with the parameter TYPENAME pointing at a layer that is not allowed (e.g. departamentos), I get an appropriate result (a description with [2] and an exception with [3]).

Is this behavior considered normal? I can provide you with the results (XMLs) as well as the permissions file.

Best regards,

Germán

[1] http://localhost:8080/wss/service/wfs_local/httpauth?SERVICE=WFS&VERSION=1.0.0&REQUEST=DescribeFeatureType
[2] http://localhost:8080/wss/service/wfs_local/httpauth?SERVICE=WFS&VERSION=1.0.0&REQUEST=DescribeFeatureType&TYPENAME=hito_limite
[3] http://localhost:8080/wss/service/wfs_local/httpauth?SERVICE=WFS&VERSION=1.0.0&REQUEST=DescribeFeatureType&TYPENAME=departamentos

--
-----------
  |\__  
(:>__)(
  |/    

Soluciones Geoinformáticas Libres                            
http://geotux.tuxfamily.org/

_______________________________________________
Security mailing list
[hidden email]
http://list.52north.org/mailman/listinfo/security
http://security.forum.52north.org
Re: [52N Security] WFS DescribeFeatureType issue

Jan Drewnak
Hi Germán,

your observations are right. This alpha version of the WSS lacks support for requests with an empty TYPENAME parameter. I will take a look to see if we can at least provide a version that blocks these kinds of requests entirely instead of just letting them through.
Help on implementing full support -- i.e. filling in only the allowed type names when all types are requested with an empty TYPENAME parameter -- is welcome ;)

Best regards,

Jan

----------------------------------
From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Dienstag, 30. November 2010 20:37
To: [hidden email]
Subject: [52N Security] WFS DescribeFeatureType issue

Hi all,

First of all, thanks for sharing the security package with the community.

I have not checked if this was addressed before, but I want to ask you about a strange behavior in the DescribeFeatureType WFS request.

I have installed the WSS 2.2.0 package for implementing security on geographic web services and this is how the permissions file looks like (well, just one part of it):
-------------------------------------
<Permission name="bob_DescribeFeatureType">
    <Resource value="/featuretype/limite_internacional"/>
    <Resource value="/featuretype/municipios"/>
    <Resource value="/featuretype/hito_limite"/>
    <Action value="/operations/DescribeFeatureType"/>
    <Subject value="bob"/>
</Permission>
-------------------------------------

If I try this request [1] with the user Bob (HTTP basic authentication) I get all the feature types described, not only those that I have referenced in the permissions file.
As far as I know, the user Bob is not supposed to get those results. Anyway, if I try either this request [2], with the parameter TYPENAME pointing at an allowed layer (e.g. hito_limite) or this [3], with the parameter TYPENAME pointing at a not allowed layer (e.g. departamentos), I get an appropriate result (a description with [2] and an exception with [3]). 

Is this behavior considered normal? I may provide you the results (XML's) as well as the permissions file.

Best regards,

Germán

[1] http://localhost:8080/wss/service/wfs_local/httpauth?SERVICE=WFS&VERSION=1.0.0&REQUEST=DescribeFeatureType 
[2] http://localhost:8080/wss/service/wfs_local/httpauth?SERVICE=WFS&VERSION=1.0.0&REQUEST=DescribeFeatureType&TYPENAME=hito_limite
[3] http://localhost:8080/wss/service/wfs_local/httpauth?SERVICE=WFS&VERSION=1.0.0&REQUEST=DescribeFeatureType&TYPENAME=departamentos
--
-----------
  |\__  
(:>__)(
  |/    

Soluciones Geoinformáticas Libres                            
http://geotux.tuxfamily.org/
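The two behaviours discussed in this thread (Germán's observation that an empty TYPENAME returns every feature type, and Jan's two proposed remedies: reject such requests outright, or rewrite TYPENAME to the subject's allowed set) can be shown as a small authorization check. The code below is an added illustration, not code from the WSS project or from either poster; it parses the `<Permission>` element quoted above (wrapped in a constructed `<Permissions>` root so it is a complete document), the `load_policy`, `params_from_url` and `authorize` helpers are hypothetical names, and the WFS request URLs are the ones from the thread. It compares bare feature type names exactly as they appear in the thread and does not handle namespace prefixes.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the <Permission> block from the thread, wrapped in a
# hypothetical <Permissions> root element so it parses as one document.
PERMISSIONS_XML = """<Permissions>
<Permission name="bob_DescribeFeatureType">
    <Resource value="/featuretype/limite_internacional"/>
    <Resource value="/featuretype/municipios"/>
    <Resource value="/featuretype/hito_limite"/>
    <Action value="/operations/DescribeFeatureType"/>
    <Subject value="bob"/>
</Permission>
</Permissions>"""

FEATURETYPE_PREFIX = "/featuretype/"
OPERATION_PREFIX = "/operations/"


def load_policy(xml_text):
    """Build {(subject, operation): set(feature type names)} from Permission elements."""
    policy = {}
    root = ET.fromstring(xml_text)
    for perm in root.iter("Permission"):
        types = {r.get("value")[len(FEATURETYPE_PREFIX):]
                 for r in perm.findall("Resource")
                 if r.get("value", "").startswith(FEATURETYPE_PREFIX)}
        ops = [a.get("value")[len(OPERATION_PREFIX):]
               for a in perm.findall("Action")
               if a.get("value", "").startswith(OPERATION_PREFIX)]
        for subj in (s.get("value") for s in perm.findall("Subject")):
            for op in ops:
                policy.setdefault((subj, op), set()).update(types)
    return policy


def params_from_url(url):
    """Flatten a WFS GET request URL into a dict keyed by upper-cased parameter name."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k.upper(): v[0] for k, v in qs.items()}


@dataclass
class Decision:
    allowed: bool
    reason: str
    params: dict = field(default_factory=dict)  # parameters to forward if allowed


def authorize(policy, subject, params, restrict_empty=True):
    """Decide a DescribeFeatureType-style request for `subject`.

    restrict_empty=True  -> Jan's "full support": an empty TYPENAME is rewritten
                            to exactly the subject's permitted feature types.
    restrict_empty=False -> Jan's interim option: an empty TYPENAME is rejected.
    A non-empty TYPENAME is allowed only if every listed name is permitted.
    """
    op = params.get("REQUEST")
    allowed_types = policy.get((subject, op))
    if allowed_types is None:  # no Permission grants this operation to the subject
        return Decision(False, f"{subject} may not perform {op}")
    raw = params.get("TYPENAME", "").strip()
    if not raw:
        if not restrict_empty:
            return Decision(False, "empty TYPENAME is rejected")
        forwarded = dict(params)
        forwarded["TYPENAME"] = ",".join(sorted(allowed_types))
        return Decision(True, "empty TYPENAME rewritten to the permitted set", forwarded)
    requested = [t.strip() for t in raw.split(",") if t.strip()]
    denied = [t for t in requested if t not in allowed_types]
    if denied:
        return Decision(False, "not permitted: " + ", ".join(denied))
    return Decision(True, "all requested type names permitted", dict(params))


# The three request URLs from the thread.
BASE = "http://localhost:8080/wss/service/wfs_local/httpauth?SERVICE=WFS&VERSION=1.0.0&REQUEST=DescribeFeatureType"
REQUESTS = [BASE, BASE + "&TYPENAME=hito_limite", BASE + "&TYPENAME=departamentos"]

if __name__ == "__main__":
    policy = load_policy(PERMISSIONS_XML)
    for url in REQUESTS:
        d = authorize(policy, "bob", params_from_url(url))
        print("ALLOW" if d.allowed else "DENY ", d.reason, d.params.get("TYPENAME", ""))
```

With the default `restrict_empty=True`, request [1] is forwarded with `TYPENAME=hito_limite,limite_internacional,municipios` rather than being passed through unfiltered, [2] is allowed unchanged, and [3] is denied; with `restrict_empty=False` request [1] is denied instead. The decision is made on the request before it reaches the backing WFS, which is the point of a security proxy: the backend never sees a request broader than the policy permits.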
Re: [52N Security] WFS DescribeFeatureType issue

geotux_tuxman
Hi Jan,

Thank you. Actually, this is my first attempt at working with security matters, so I think I cannot help with it at that level.

Regards,

Germán

--
-----------
  |\__  
(:>__)(
  |/    

Soluciones Geoinformáticas Libres                            
http://geotux.tuxfamily.org/


-----Original Message-----
From: Jan Drewnak <[hidden email]>
To: [hidden email] <[hidden email]>; [hidden email] <[hidden email]>
Sent: Wed, Dec 1, 2010 1:43 am
Subject: RE: [52N Security] WFS DescribeFeatureType issue