Hi,
I’d like to add a new community module that would perform authentication by
unique id in the request URL.
Basically the request would contain an extra parameter:
http://host:port/geoserver/wms?..&authkey=abc-reqa-drq1-4312-3412
that would serve, alone, as the authentication for a specific user.
Code-wise, a dispatcher callback at the highest priority would pick the
request params and stick the authentication in the Spring thread locals,
and a URL mangler that would stick back the authentication key in all
backlinks GeoServer generates (capabilities and the like).
The unique id to user provider would be pluggable to allow for implementations
like daily tokens, random ones generated by physical token generators, but
the default implementation would use the old clear text property file.
I know, I know, it’s not really secure, especially in its default incarnation, however
I’ve seen it used a number of times already, even in very large installations
(besides, being pluggable, it’s up to whoever installs it to decide for herself
if it’s ok or not).
The sponsor for this functionality actually needs it to allow some level of security
for WMS clients that do not even support basic authentication.
For those, they would give the client a full link to the caps document that
includes the authentication token, and have the client (that knows how to
be a full WMS client) go from there.
I guess that once the work on trunk for pluggable authentication lands the
dispatcher callback will be replaced by a pluggable Spring Security filter.
Cheers
Andrea
–
Ing. Andrea Aime
GeoSolutions S.A.S.
Tech lead
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 962313
mob: +39 339 8844549
http://www.geo-solutions.it
http://geo-solutions.blogspot.com/
http://www.youtube.com/user/GeoSolutionsIT
http://www.linkedin.com/in/andreaaime
http://twitter.com/geowolf
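
The mechanism proposed in this mail, as a self-contained added example (not code from the post or from GeoServer): key extraction, a pluggable key-to-user lookup backed by a clear-text property file, and back-link mangling. The `AuthKeyMapper` interface, the class and method names, the `localhost:8080` URLs and the `alice` user are hypothetical, and plain static methods stand in for the dispatcher callback and URL mangler.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Optional;
import java.util.Properties;

public class AuthKeySketch {
    /** Hypothetical pluggable lookup: authentication key -> user name. */
    interface AuthKeyMapper { Optional<String> userFor(String key); }

    /** Default flavour described in the mail: clear-text properties, key=user. */
    static AuthKeyMapper fromProperties(Reader in) throws IOException {
        Properties p = new Properties();
        p.load(in);
        return key -> Optional.ofNullable(p.getProperty(key));
    }

    /** Callback step: pull authkey out of the query string, empty if absent. */
    static Optional<String> extractKey(String url) {
        String query = URI.create(url).getRawQuery();
        if (query == null) return Optional.empty();
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0 && pair.substring(0, eq).equalsIgnoreCase("authkey"))
                return Optional.of(URLDecoder.decode(pair.substring(eq + 1), StandardCharsets.UTF_8));
        }
        return Optional.empty();
    }

    /** Mangler step: re-attach the caller's key to a generated back-link. */
    static String mangle(String backlink, String key) {
        if (extractKey(backlink).isPresent()) return backlink;
        String sep = !backlink.contains("?") ? "?" : backlink.matches(".*[?&]$") ? "" : "&";
        return backlink + sep + "authkey=" + URLEncoder.encode(key, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: the key is the one in the mail, the user name is made up.
        AuthKeyMapper mapper = fromProperties(new StringReader("abc-reqa-drq1-4312-3412=alice\n"));
        String request = "http://localhost:8080/geoserver/wms?request=GetCapabilities&authkey=abc-reqa-drq1-4312-3412";
        Optional<String> key = extractKey(request);
        // An absent or unknown key resolves to no user; the request stays anonymous.
        System.out.println(key.flatMap(mapper::userFor).orElse("anonymous"));
        System.out.println(mangle("http://localhost:8080/geoserver/wms?service=WMS&", key.get()));
    }
}
```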