Gael Lafond created GEOS-5726

Issue Type: Bug
Affects Versions: 2.3.0
Assignee:
Components: Security
Created: 25/Mar/13 8:54 PM
Description:
When a Basic authentication is present in the request header, for example because it’s required to access Apache or Tomcat, GeoServer prompts for its own Basic authentication realms, overriding the one present in the header. The only way the GeoServer Web interface can be accessed is to duplicate Apache / Tomcat users in GeoServer OR to delete the “Basic” authentication filter using the GeoServer administrator interface (available in GeoServer 2.3).

Note that GeoServer Basic authentication is only prompted when a Basic authentication is already present in the request header and contains credentials that do not match GeoServer users. Once GeoServer has accepted the Basic authentication, the user still needs to log in to GeoServer using the Web interface. That Basic authentication does not trigger the GeoServer authentication. It’s a simple validation; I don’t understand why it’s actually doing it.

As soon as the authentication is disabled in the container (Apache or Tomcat), the request does not contain any Basic authentication credentials and GeoServer does prompt for its own Basic authentication. GeoServer shows its Web interface directly, as it should.
Environment: GeoServer installed inside a Basic authentication container
Project:
Priority: Minor
Reporter: