[Geoserver-devel] New community module: authentication by unique id

Hi,
I’d like to add a new community module that would perform authentication by
unique id in the request URL.

Basically the request would contain an extra parameter:
http://host:port/geoserver/wms?..&authkey=abc-reqa-drq1-4312-3412

that would serve, alone, as the authentication for a specific user.
Code-wise, a dispatcher callback at the highest priority would pick the
request params and stick the authentication in the Spring thread locals,
and a URL mangler that would stick back the authentication key in all
backlinks GeoServer generates (capabilities and the like).

The unique id to user provider would be pluggable to allow for implementations
like daily tokens, random ones generated by physical token generators, but
the default implementation would use the old clear text property file.

I know, I know, it’s not really secure, especially in its default incarnation, however
I’ve seen it used a number of times already, even in very large installations
(besides, being pluggable, it’s up to whoever installs it to decide for herself
if it’s ok or not).

The sponsor for this functionality actually needs it to allow some level of security
for WMS clients that do not even support basic authentication,
for those they would give the client a full link to the caps document that
includes the authentication token, and have the client (that knows how to
be a full WMS client) go from there.

I guess that once the work on trunk for pluggable authentication lands the
dispatcher callback will be replaced by a pluggable Spring Security filter.

Cheers
Andrea

Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead

Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy

phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549

http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
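
Added example (not part of the original thread and not GeoServer code): a Python sketch of the flow proposed above, covering the key-to-user lookup from a clear-text property file, the request-side check, and the backlink mangler. The class and function names, the key=user file layout and the user names are assumptions made for illustration.

```python
import hmac
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of the clear-text property file (assumed layout: authkey=user)
SAMPLE_PROPERTIES = """\
# authkey -> user (constructed sample values)
abc-reqa-drq1-4312-3412=alice
ffff-0000-1111-2222-3333=bob
"""

class PropertyFileKeyMapper:
    """Hypothetical default mapper: resolves a key from key=user lines."""
    def __init__(self, text):
        self.entries = []
        for line in text.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, user = line.split("=", 1)
                self.entries.append((key.strip(), user.strip()))

    def user_for(self, authkey):
        found = None
        for key, user in self.entries:
            # Constant-time compare of every entry, so timing reveals nothing
            if hmac.compare_digest(key.encode(), authkey.encode()):
                found = user
        return found

def authenticate(url, mapper):
    """Dispatcher-callback step: (user, authkey), or (None, None) if anonymous."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    # OGC KVP parameter names are case-insensitive
    keys = [v for k, v in params if k.lower() == "authkey"]
    # Missing, empty or repeated keys are rejected rather than guessed at
    if len(keys) != 1 or not keys[0]:
        return None, None
    user = mapper.user_for(keys[0])
    return (user, keys[0]) if user else (None, None)

def mangle_backlink(link, authkey):
    """URL-mangler step: re-attach the caller's key to a generated backlink."""
    parts = urlsplit(link)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k.lower() != "authkey"]  # drop any stale key first
    if authkey:
        params.append(("authkey", authkey))
    return urlunsplit(parts._replace(query=urlencode(params)))
```

Because the key travels in the query string and is copied into every backlink, it also appears wherever full request URLs are recorded.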


Works for me, +1 on a community module. I agree in that this should eventually be implemented as a custom authentication provider (or filter) in the new security world that is coming down. Actually a relatively simple scheme like this could be a useful example to have showing how to implement such a custom authentication mechanism.

On Mon, Dec 12, 2011 at 10:22 AM, Andrea Aime <andrea.aime@anonymised.com> wrote:

Hi,
I’d like to add a new community module that would perform authentication by
unique id in the request URL.

Basically the request would contain an extra parameter:
http://host:port/geoserver/wms?..&authkey=abc-reqa-drq1-4312-3412

that would serve, alone, as the authentication for a specific user.
Code-wise, a dispatcher callback at the highest priority would pick the
request params and stick the authentication in the Spring thread locals,
and a URL mangler that would stick back the authentication key in all
backlinks GeoServer generates (capabilities and the like).

The unique id to user provider would be pluggable to allow for implementations
like daily tokens, random ones generated by physical token generators, but
the default implementation would use the old clear text property file.

I know, I know, it’s not really secure, especially in its default incarnation, however
I’ve seen it used a number of times already, even in very large installations
(besides, being pluggable, it’s up to whoever installs it to decide for herself
if it’s ok or not).

The sponsor for this functionality actually needs it to allow some level of security
for WMS clients that do not even support basic authentication,
for those they would give the client a full link to the caps document that
includes the authentication token, and have the client (that knows how to
be a full WMS client) go from there.

I guess that once the work on trunk for pluggable authentication lands the
dispatcher callback will be replaced by a pluggable Spring Security filter.

Cheers
Andrea


Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.