kartoza/docker-geoserver

Tomcat httpHeaderSecurity filter breaks OAuth2-Google plugin

alexkuretz opened this issue · 1 comment

What is the bug or the crash?

I'm logging this here because it appears the tomcat config is different in this image than the base Geoserver docker image.

I've installed and configured the sec-oauth2-google-plugin community plugin in my 2.23.1 kartoza instance, and when attempting to log in with the Google SSO auth, an exception is displayed on the page.

javax.servlet.ServletException: Unable to add HTTP headers since response is already committed on entry to the HTTP header security Filter

I found that the login succeeds if in web.xml for tomcat I comment out the httpHeaderSecurity filter (lines 465-473 and 565-569).

I then installed the geoserver/docker image 2.23.1 and was able to get it working with no modifications. I inspected the web.xml on that instance and found the httpHeaderSecurity filter is not enabled in that image.

Steps to reproduce the issue

I followed the official documentation to configure the plugin, but that isn't necessary to demonstrate the issue; you can skip the whole Google setup part and just do the GeoServer config setup with a bogus client ID and secret ID.

  1. Install with COMMUNITY_EXTENSIONS: sec-oauth2-google-plugin
  2. Log in as admin
  3. Under Security click Authentication
  4. Under Authentication Filters click "Add new"
  5. Click "Google OAuth2", give a name like "Google SSO", enter some random string into Client ID and Client Secret, under Role Source choose "Role Service" and then "Default", click Save
  6. On Authentication page under "Filter Chains" click "web"
  7. At the bottom under "Available" move "Google SSO" to the "Selected" section and move it up above "Anonymous"
  8. Click Close, then click Save
  9. Logout as Admin
  10. You should now have a G+ icon next to your Login button; click that and you should see the stack trace
  11. Copy the web.xml and deploy it via /settings/ directory with the filter commented out, and you should get taken to a Google login prompt (or some Google error message since you haven't properly set up the Google side of things)

Versions

2.23.1

Additional context

I could see an environment variable being added to disable that filter similar to the way the DISABLE_CORS setting is handled.

Thanks, will check this out and make changes. You can also mount your custom web.xml to override the logic from the container:

-v web.xml:/settings/web.xml
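An added helper (not part of the kartoza image, GeoServer, or Tomcat) for anyone preparing the override mounted at /settings/web.xml: it parses a Tomcat-style web.xml, reports whether the httpHeaderSecurity filter and its mapping are still active, and produces the "filter removed" variant the reporter made by hand, so the file can be checked before the container is restarted. The sample web.xml is constructed; in stock Tomcat this filter is what sets HSTS and X-Frame-Options on responses, so check the served headers after the change.

```python
import xml.etree.ElementTree as ET

FILTER_NAME = "httpHeaderSecurity"
# Constructed sample modelled on the filter section of Tomcat's conf/web.xml; not the real file.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>setCharacterEncodingFilter</filter-name>
    <filter-class>org.apache.catalina.filters.SetCharacterEncodingFilter</filter-class>
  </filter>
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

def _local(tag):
    """Strip the namespace from an ElementTree tag: '{ns}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]

def _named(elem, name):
    """True if a <filter> or <filter-mapping> carries <filter-name>name</filter-name>."""
    return any(_local(c.tag) == "filter-name" and (c.text or "").strip() == name for c in elem)

def header_security_status(xml_text, name=FILTER_NAME):
    """Report whether the named filter is declared, mapped, and therefore active."""
    root = ET.fromstring(xml_text)
    filters = [e for e in root if _local(e.tag) == "filter" and _named(e, name)]
    mappings = [e for e in root if _local(e.tag) == "filter-mapping" and _named(e, name)]
    patterns = [(c.text or "").strip() for m in mappings for c in m if _local(c.tag) == "url-pattern"]
    return {"filter_defined": bool(filters), "mapping_defined": bool(mappings),
            "url_patterns": patterns, "active": bool(filters and mappings)}

def disable_filter(xml_text, name=FILTER_NAME):
    """Return web.xml with the named filter and its mappings removed, leaving every other filter intact."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace instead of an ns0: prefix on output
        ET.register_namespace("", root.tag[1:].split("}")[0])
    for elem in list(root):
        if _local(elem.tag) in ("filter", "filter-mapping") and _named(elem, name):
            root.remove(elem)
    return ET.tostring(root, encoding="unicode")
```

Run `header_security_status` on the file you intend to mount; `active` must be False for the OAuth2 login to get past the filter, and any other filter names you rely on should still report `filter_defined` True.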