[Geoserver-devel] Container Authentication

On Tue, Nov 10, 2015 at 3:01 PM, Martin Andersson <martin.andersson@anonymised.com> wrote:

Hi,

I’m currently looking into various options for username/password-based container authentication for GeoServer.

GeoServer uses Spring Security for authentication holding the authentication info in a thread local variable.

The J2EE filter requires fiddling with web.xml and gives me an ugly native popup from the browser.

The J2EE filter does no authentication, it only tries to get the roles for a user authenticated by the container. The ugly popp is triggered by the container, not from GeoServer

What I would ideally want is for J2EE filter to call HttpServletReguest.login() and have the container handle the authentication from the GeoServer form.

This is the other way around, you want GeoServer to trigger a J2EE authentication.

Is that be something you would be interested in adding to the current J2EE filter? This would require bumping the servlet-api version to 3.0.

Upgrading to version 3.0 requires a broader discussion. (As an example, 3.0 would break existing GeoServer installations on tomcat 6.x ). You should open a new thread on the mailing list for a further discusion.

I’m willing to provide patches if I get some pointers on where to begin.

If that’s not an option, would it be possible to write an extension for that?

Both options are possible, but it does not make sense at the moment. You have to start the discussion mentioned about.

Thanks for a great product!

Br,
Martin Andersson

Cheers
Christian

---

---

Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

–

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH