default admin pass broken ? #7

Open
landryb opened this issue Jul 12, 2018 · 4 comments

Comments

@landryb
Member

landryb commented Jul 12, 2018

It seems the default password for the admin user in security/usergroup/default/users.xml is broken right now, probably since a Java update or GeoServer update (Java 8, GS 2.12.1):

$curl -u admin:geoserver http://localhost:8380/geoserver/rest

The server encountered an internal error that prevented it from fulfilling the request.

java.lang.UnsupportedOperationException: No password decoder for: crypt1:ZYumHgpSwOXKRcXns0u/+LMQpY2k1RnT
org.geoserver.security.password.GeoServerMultiplexingPasswordEncoder.lookupEncoderForEncodedPassword(GeoServerMultiplexingPasswordEncoder.java:72)
org.geoserver.security.password.GeoServerMultiplexingPasswordEncoder.isPasswordValid(GeoServerMultiplexingPasswordEncoder.java:90)
org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:94)
org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:165)
org.geoserver.security.auth.UsernamePasswordAuthenticationProvider.authenticate(UsernamePasswordAuthenticationProvider.java:82)
org.geoserver.security.GeoServerAuthenticationProvider.authenticate(GeoServerAuthenticationProvider.java:58)
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
org.geoserver.security.GeoServerSecurityManager$1.authenticate(GeoServerSecurityManager.java:323)
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:178)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
org.geoserver.security.filter.GeoServerBasicAuthenticationFilter.doFilter(GeoServerBasicAuthenticationFilter.java:84)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
org.geoserver.security.filter.GeoServerPreAuthenticationFilter.doFilter(GeoServerPreAuthenticationFilter.java:75)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:69)
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:53)
org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:152)
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:88)
org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:89)
org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:48)
org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:48)
org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:44)
org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)

Resetting the admin password to 'geoserver' (don't remember what the default value was) via the web UI sets this in the XML:

<user enabled="true" name="admin" password="digest1:HOuF5LNp27fC53VOprd1EO9sBZTARMIUzjEVWzY323RtcPJSXVdpgrqEol/LTjT4"/>

Maybe we should update the default datadir to use a working scheme?

Separate issue, but this admin user still can't access the REST interface, nor can the geoserver_privileged_user one... digging.
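The stack trace above fails in `GeoServerMultiplexingPasswordEncoder.lookupEncoderForEncodedPassword`: the encoder is chosen by the prefix before the first colon in the stored value (`crypt1:` here), and an unknown prefix is an exception, i.e. a 500 instead of a 401. The following is an added example (my own code, not GeoServer's or this project's) that audits a users.xml offline for entries no registered encoder can decode, and verifies a `digest1:` hash against a candidate password. Two assumptions are labelled in the code: the set of prefixes the running instance still accepts (taken from this report: `digest1` works, `crypt1` does not), and that `digest1` is Jasypt's StrongPasswordEncryptor format (SHA-256, 100000 iterations, 16-byte salt prepended to the base64 output). The sample XML is constructed around the two `<user>` lines quoted in the issue.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed users.xml fragment, modelled on the two <user> lines quoted in the issue
# (the broken crypt1 admin entry and the digest1 entry written by the web UI).
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<userRegistry version="1.0" xmlns="http://www.geoserver.org/security/users">
  <users>
    <user enabled="true" name="admin" password="crypt1:ZYumHgpSwOXKRcXns0u/+LMQpY2k1RnT"/>
    <user enabled="true" name="admin_reset" password="digest1:HOuF5LNp27fC53VOprd1EO9sBZTARMIUzjEVWzY323RtcPJSXVdpgrqEol/LTjT4"/>
    <user enabled="true" name="legacy" password="plain:changeme"/>
  </users>
</userRegistry>
"""

# Assumption: prefixes the running GeoServer's multiplexing encoder can still decode.
# On the reporter's instance "digest1" works and "crypt1" does not; adjust this set
# to whatever your instance actually registers.
SUPPORTED_PREFIXES = frozenset({"plain", "digest1"})


def split_encoded(value):
    """'digest1:abc' -> ('digest1', 'abc'); a value without a prefix yields (None, value)."""
    prefix, sep, payload = value.partition(":")
    return (prefix, payload) if sep else (None, value)


def lookup_encoder(value, supported=SUPPORTED_PREFIXES):
    """Mirror of the failing lookup in the stack trace: unknown prefix -> error."""
    prefix, _ = split_encoded(value)
    if prefix not in supported:
        raise ValueError("No password decoder for: " + value)
    return prefix


def user_passwords(xml_text):
    """name -> encoded password for every <user> element, XML namespace ignored."""
    root = ET.fromstring(xml_text)
    return {el.get("name"): el.get("password", "")
            for el in root.iter() if el.tag.rsplit("}", 1)[-1] == "user"}


def unsupported_users(xml_text, supported=SUPPORTED_PREFIXES):
    """Users whose stored password no registered encoder can verify (login = HTTP 500)."""
    bad = []
    for name, encoded in user_passwords(xml_text).items():
        try:
            lookup_encoder(encoded, supported)
        except ValueError:
            bad.append(name)
    return bad


# Assumption: digest1 is Jasypt StrongPasswordEncryptor output, i.e.
# base64(salt || digest) with digest = SHA256(salt || password) re-hashed
# (ITERATIONS - 1) more times. A mismatch against a real hash means this
# assumption is wrong for your version, not necessarily that the password is.
SALT_LEN, ITERATIONS = 16, 100000


def jasypt_digest(password, salt, iterations=ITERATIONS):
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def encode_digest1(password, salt=None):
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return "digest1:" + base64.b64encode(salt + jasypt_digest(password, salt)).decode("ascii")


def verify_digest1(encoded, password):
    prefix, payload = split_encoded(encoded)
    if prefix != "digest1":
        return False
    raw = base64.b64decode(payload)
    salt, stored = raw[:SALT_LEN], raw[SALT_LEN:]
    return hmac.compare_digest(stored, jasypt_digest(password, salt))


if __name__ == "__main__":
    print("users with undecodable passwords:", unsupported_users(SAMPLE_USERS_XML))
    page_hash = user_passwords(SAMPLE_USERS_XML)["admin_reset"]
    print("digest1 hash from the issue verifies 'geoserver':", verify_digest1(page_hash, "geoserver"))
```

Run it against the real `security/usergroup/default/users.xml` before upgrading GeoServer or the JDK: any name it lists will hit the same `UnsupportedOperationException` on login, so reset or remove those accounts rather than leaving an admin entry that fails closed with a 500.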

@landryb
Member Author

landryb commented Jul 12, 2018

Ah, geoserver_privileged_user can access the REST API with basic auth if it goes through the SP, or by bypassing it with the correct headers:

$curl -u geoserver_privileged_user:xxxx http://localhost:8180/geoserver/rest

# -> 200 OK

$curl -H 'sec-roles: ROLE_ADMINISTRATOR' -H 'sec-username: geoserver_privileged_user' http://localhost:8380/geoserver/rest 

# -> 200 OK

And you don't even need to specify a valid username for the latter:

$curl -H 'sec-roles: ROLE_ADMINISTRATOR' -H 'sec-username: foo' http://localhost:8380/geoserver/rest

works too.
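The three curl calls above show the security-relevant point: GeoServer trusts `sec-username` / `sec-roles` as already-authenticated identity, so anyone who can reach the backend port (8380 here) directly can mint `ROLE_ADMINISTRATOR` for any name. The fix is network-level (only the SP may reach that port) plus stripping those headers from anything that did not come from the SP. The following is an added example, not this project's or GeoServer's code: a gate that drops pre-auth headers unless the request arrives from a trusted proxy address, and an audit function that flags forged ones. Assumptions are labelled: the SP address `10.0.0.5`, the client addresses, and that roles in `sec-roles` are `;`-separated (the issue only shows a single role).

```python
# Pre-authentication headers the security proxy (SP) sets once it has authenticated
# the user. GeoServer trusts them, so they must never be accepted from anyone else.
PREAUTH_HEADERS = ("sec-username", "sec-roles")

# Assumption: the SP's address as seen by GeoServer (constructed for this example).
TRUSTED_PROXIES = frozenset({"10.0.0.5"})

# Constructed requests modelled on the three curl calls in the issue.
SAMPLE_REQUESTS = [
    # via the SP: the SP authenticated geoserver_privileged_user and set the headers
    {"remote_addr": "10.0.0.5",
     "headers": {"sec-username": "geoserver_privileged_user", "sec-roles": "ROLE_ADMINISTRATOR"}},
    # straight at port 8380, headers forged by the client (the 'foo' case)
    {"remote_addr": "192.0.2.10",
     "headers": {"Sec-Username": "foo", "Sec-Roles": "ROLE_ADMINISTRATOR"}},
    # straight at port 8380 with basic auth only: nothing to strip
    {"remote_addr": "192.0.2.10",
     "headers": {"Authorization": "Basic Zm9vOmJhcg=="}},
]


def has_preauth_headers(headers):
    return any(k.lower() in PREAUTH_HEADERS for k in headers)


def strip_preauth_headers(headers):
    """Drop every pre-auth header, case-insensitively."""
    return {k: v for k, v in headers.items() if k.lower() not in PREAUTH_HEADERS}


def is_forged_preauth(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """Detection rule: sec-* headers from an address that is not the SP."""
    return has_preauth_headers(headers) and remote_addr not in trusted


def gate_request(headers, remote_addr, trusted=TRUSTED_PROXIES):
    """What the backend should see.

    Returns (headers_to_forward, principal). principal is (user, roles) when the SP
    vouched for the request, otherwise None so GeoServer falls back to its own
    authentication (basic auth) instead of trusting forged headers.
    """
    if remote_addr not in trusted:
        return strip_preauth_headers(headers), None
    lower = {k.lower(): v for k, v in headers.items()}
    user = lower.get("sec-username")
    # Assumption: multiple roles are ';'-separated.
    roles = [r for r in lower.get("sec-roles", "").split(";") if r]
    return dict(headers), ((user, roles) if user else None)


def audit(requests, trusted=TRUSTED_PROXIES):
    """One (remote_addr, forged?, principal) tuple per request, for logging/alerting."""
    out = []
    for req in requests:
        _, principal = gate_request(req["headers"], req["remote_addr"], trusted)
        out.append((req["remote_addr"],
                    is_forged_preauth(req["headers"], req["remote_addr"], trusted),
                    principal))
    return out


if __name__ == "__main__":
    for addr, forged, principal in audit(SAMPLE_REQUESTS):
        print(addr, "FORGED" if forged else "ok", principal)
```

Wherever this logic lives (a front proxy in front of port 8380, or a servlet filter), the important property is that the decision keys on where the request came from, not on what it carries: a header is not a credential. The `is_forged_preauth` rule also makes a cheap detection for direct-to-backend probing like the `sec-username: foo` request.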

@pmauduit
Member

pmauduit commented Jul 12, 2018

Why not use the basic auth from the security-proxy instead of the internal user database of GeoServer?

[edit]telescoped[/edit]

@landryb
Member Author

landryb commented Jul 12, 2018

> Why not use the basic auth from the security-proxy instead of the internal user database of GeoServer?

Well, I don't remember why we have this internal admin user, nor if it's supposed to be used for some stuff. I do here, as I don't really like having a hidden geoserver_privileged_user in the LDAP, as the directory can be used for many other services.

but right now the default config is broken for this user...

@fvanderbiest
Member

The geoserver admin comes from the default usergroup service, and should probably be removed from our configurations...

[screenshot attached: capture du 2018-07-12 16-07-33]
