Hi Robert

Digest --> Strong PBE is simply not possible.

Passwords encrypted with PBE can be decrypted to plain text. Digested
passwords cannot be reverted to plain text. Digesting uses a "trap door"
function (hashing). As an example, google "md5".

Cheers
Christian

On Thu, Apr 20, 2017 at 11:38 AM, Langford, Robert <
[email protected]> wrote:

> Hi all,
>
>
>
> Thanks for weighing in.
>
>
>
> RE: *Issue 3:* No Recode of existing passwords Digest -> Strong PBE
>
> I’ve checked the docs and I can’t find any reference to the “Recode
> existing passwords”. You access the page by editing an existing “User
> Group Service” and then changing the “Password encryption” dropdown. It
> gives you the option to recode the existing passwords to the new encryption
> type. By looking at the XML you can see the prefixes changing from
> `crypt2:` to `digest1` ("Strong PBE" to "Digest"). However, the reverse
> doesn’t occur (going from "Digest" to "Strong PBE").
>
>
>
> Ok, so unless I hear otherwise I’ll raise 4 tickets:
>
> 1. GROUP_ADMIN being able to disable & change non-group members, for:
>    a. *Issue 1:* Disabling non-group users
>    b. *Issue 2:* Changing non-group users' passwords
> 2. No Recode of existing passwords Digest -> Strong PBE
>    a. *Issue 3:* No Recode of existing passwords Digest -> Strong PBE
> 3. Delete user not in different groups (unhandled exception)
>    a. *Issue 4:* Delete user not in different groups (unhandled exception)
> 4. Delete user not in any groups
>    a. *Issue 5:* Delete user not in any groups
>
>
>
> Thanks for your help.
>
>
>
> Rob
>
>
>
> *From:* Christian Mueller [mailto:[email protected]]
> *Sent:* 19 April 2017 10:08
> *To:* Justin Deoliveira <[email protected]>
> *Cc:* Andrea Aime <[email protected]>; Langford, Robert <
> [email protected]>; GeoServer Mailing List List <
> [email protected]>
> *Subject:* Re: [Geoserver-users] Possible bug GROUP_ADMIN deleting users
>
>
>
> Hi all
>
>
>
> Sounds like a bug.
>
>
>
> @Justin, as far as I can remember I never contributed any code to the
> Group Admin concept; I think you invented this feature for a customer.
> Maybe I am wrong here.
>
>
>
> Cheers
>
>
>
>
>
>
>
> On Wed, Apr 19, 2017 at 4:18 AM, Justin Deoliveira <[email protected]>
> wrote:
>
>
>
> On Tue, Apr 18, 2017 at 3:11 AM Andrea Aime <[email protected]>
> wrote:
>
> On Thu, Apr 6, 2017 at 1:52 PM, Rob L <[email protected]> wrote:
>
> Done some more testing; now I'm certain I've found further issues. These
> have only been tested with the "Default XML user/group service".
>
> Create 2 groups:
>  1. group-1
>  2. group-2
>
> Create 3 users
>  1. group-1-user ; member of group-1 ; add role GROUP_ADMIN
>  2. group-2-user ; member of group-2
>  3. no-group-user
>
>
> *Issue 1:* Disabling non-group users:
>  - Log in to webGUI as group-1-user (GROUP_ADMIN)
>  - Open group-2-user
>  - Un-tick the "Enabled" check box
>  - Click save -> Error message: "An error occurred while saving the user:
> User [...]  is member of group(s) not administered by current user and cant
> be modified."
>  - Navigate back to user list (or press "Cancel")
>  - group-2-user now doesn't have the "Enabled" tick and cannot log in
>
>
>
> Bug.
>
>
>
>
>
> *Issue 2:* Changing non-group users passwords (occurred when Password
> encryption=Digest, didn't affect Strong PBE):
>  - Log in to webGUI as group-1-user (GROUP_ADMIN)
>  - Open group-2-user
>  - Change the password
>  - Click save -> Error message: "An error occurred while saving the user:
> User [...]  is member of group(s) not administered by current user and cant
> be modified."
>  - Navigate back to user list (or press "Cancel")
>  - group-2-user tries to log on and gets HTTP 500: "No password decoder
> for"
>
>
>
> This one seems to be in the same ticket as the above one.
>
>
>
>
>
> *Issue 3:* No Recode of existing passwords Digest -> Strong PBE
>  - Passwords in users.xml aren't re-encoded going from "Digest" to "Strong
> PBE" (however going from "Strong PBE" to "Digest" does)
>
>
>
> I'm lost here, how does this happen? Changing the setting in the global UI,
> or is it something group specific too?
>
> Also, what would be the expected behavior according to docs (if any)?
>
>
>
>
>
> *Issue 4:* Delete user not in different groups (unhandled exception)
>  - Log in to webGUI as group-1-user (GROUP_ADMIN)
>  - Check group-2-user and click "Remove Selected" and then confirm
>  - JavaScript "Do you want to leave this site.." warning appears, click
> "Leave"
>  - Get "Oops, something went wrong..." page
>
>
>
> Probably a separate ticket.
>
>
>
>
>
> *Issue 5:* Delete user not in any groups (maybe not a bug but seems
> strange)
>  - Log in to webGUI as group-1-user (GROUP_ADMIN)
>  - Check no-group-user and click "Remove Selected" and then confirm
>  - User is deleted
>
>
>
> Unsure, I've cc'ed who I believe is the original author(s) to get info on
> the expected behavior. Rob, you could also check the documentation and see
> if the behavior conflicts with anything declared there.
>
>
>
> Yeah, I would say this is probably a bug. If I remember the original
> intention it was that a group admin should only be able to do things
> related to the group they are the admin of. So really that means just add
> and remove users from the group. Christian probably has a better
> recollection than I though.
>
>
>
> Cheers
>
> Andrea
>
>
>
>
>
> --
>
> ==
>
> GeoServer Professional Services from the experts! Visit
>
> http://goo.gl/it488V for more information.
>
> ==
>
>
>
> Ing. Andrea Aime
>
> @geowolf
>
> Technical Lead
>
>
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054  Massarosa (LU)
>
> phone: +39 0584 962313
>
> fax: +39 0584 1660272
>
> mob: +39 339 8844549
>
>
>
> http://www.geo-solutions.it
>
> http://twitter.com/geosolutions_it
>
>
>
> The information in this message and/or attachments, is intended solely for
> the attention and use of the named addressee(s) and may be confidential or
> proprietary in nature or covered by the provisions of privacy act
> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
> Code).Any use not in accord with its purpose, any disclosure, reproduction,
> copying, distribution, or either dissemination, either whole or partial, is
> strictly forbidden except previous formal approval of the named
> addressee(s). If you are not the intended recipient, please contact
> immediately the sender by telephone, fax or e-mail and delete the
> information in this message that has been received in error. The sender
> does not give any warranty or accept liability as the content, accuracy or
> completeness of sent messages and accepts no responsibility  for changes
> made after they were sent or for other risks which arise as a result of
> e-mail transmission, viruses, etc.
>
>
>
> -------------------------------------------------------
>
>
>
>
>
> --
>
> DI Christian Mueller MSc (GIS), MSc (IT-Security)
>
> OSS Open Source Solutions GmbH
>
>
>
> DISCLAIMER: The information contained in this communication/message from 
> [email protected] sent on Thu Apr 20 10:38:57 2017 is confidential. 
> It is intended solely for the addressee(s) 
> [email protected];[email protected];[email protected]
>
> Access to this message by anyone else is unauthorised. If you are not the 
> intended recipient, any disclosure, copying, or distribution of the message, 
> or any action or omission taken by you in reliance on it, is prohibited and 
> may be unlawful.
> As a public body, Salford City Council may be required to disclose this email 
> [or any response to it] under the Freedom of Information Act 2000, unless the 
> information in it is covered by one of the exemptions in the Act.
> Please immediately contact the sender, [email protected] if you 
> have received this message in error.
>
> For the full disclaimer please access http://www.salford.gov.uk/e-mail.  
> Thank you.
>
>


-- 
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
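A worked illustration of why the recode only works in one direction, added here as an example and not GeoServer's own code: constructed stand-ins for the `crypt2:` (reversible "Strong PBE") and `digest1` (one-way "Digest") entries seen in users.xml, plus a recode() that can go PBE -> Digest but refuses Digest -> PBE. The salted SHA-256 digest and the PBKDF2 keystream cipher are assumptions chosen for illustration, not the actual GeoServer encoders.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-ins for the two users.xml prefixes named in the thread;
# the real GeoServer encoders are NOT reproduced here (assumption for illustration).
DIGEST_PREFIX = "digest1:"   # one-way: salted hash, no way back to plaintext
PBE_PREFIX = "crypt2:"       # reversible: encryption under a master key
SALT_LEN = 16

def digest_encode(password: str, salt: bytes = b"") -> str:
    """One-way 'trap door' encoding: salted SHA-256, as Christian's reply describes."""
    salt = salt or os.urandom(SALT_LEN)
    h = hashlib.sha256(salt + password.encode()).digest()
    return DIGEST_PREFIX + base64.b64encode(salt + h).decode()

def _keystream(master_key: str, salt: bytes, length: int) -> bytes:
    # PBKDF2-derived pad: a toy reversible scheme standing in for "Strong PBE".
    return hashlib.pbkdf2_hmac("sha256", master_key.encode(), salt, 100_000, length)

def pbe_encode(password: str, master_key: str, salt: bytes = b"") -> str:
    """Reversible encoding: anyone holding master_key can recover the plaintext."""
    salt = salt or os.urandom(SALT_LEN)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(master_key, salt, len(pt))))
    return PBE_PREFIX + base64.b64encode(salt + ct).decode()

def pbe_decode(entry: str, master_key: str) -> str:
    raw = base64.b64decode(entry[len(PBE_PREFIX):])
    salt, ct = raw[:SALT_LEN], raw[SALT_LEN:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(master_key, salt, len(ct))))
    return pt.decode("utf-8", "replace")

def verify(entry: str, candidate: str, master_key: str) -> bool:
    """Check a login against either stored form; an unknown prefix raises,
    mirroring the 'No password decoder for' failure reported in Issue 2."""
    if entry.startswith(DIGEST_PREFIX):
        raw = base64.b64decode(entry[len(DIGEST_PREFIX):])
        salt, stored = raw[:SALT_LEN], raw[SALT_LEN:]
        return hmac.compare_digest(stored, hashlib.sha256(salt + candidate.encode()).digest())
    if entry.startswith(PBE_PREFIX):
        return hmac.compare_digest(pbe_decode(entry, master_key).encode(), candidate.encode())
    raise ValueError("No password decoder for " + entry.split(":", 1)[0])

def recode(entry: str, master_key: str, target: str) -> str:
    """PBE -> Digest: decrypt, then hash. Digest -> PBE: impossible, no plaintext to re-encrypt."""
    if entry.startswith(PBE_PREFIX) and target == "digest":
        return digest_encode(pbe_decode(entry, master_key))
    if entry.startswith(DIGEST_PREFIX) and target == "pbe":
        raise ValueError("digest entries are one-way; cannot re-encrypt without the plaintext")
    return entry  # already in the requested form
```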
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
