[Geoserver-devel] Re-use another web app login

Hi all,

I'm attempting to build a web app that runs alongside Geoserver and
provides data to be mapped through geoserver's web services. To do this
I need to be able to re-use the login session from my other web app
(spring security), then request the particular set of features I'm
interested in.

So far I've created new UserGroup and Role services that can access my
own user database, but I'd really appreciate some advice on how to share
the login with Geoserver. It looks like the easiest way might be to use
RememberMe sessions - so any thoughts on the particular configuration to
do this would be helpful.

Thanks!

Mark

The remember me service is not the correct way. This service has a timeout value which will cause problems. The remember me service is more for convenience; I would not recommend using it in a production environment.

One important question: is Geoserver calling your app, or is your app calling Geoserver? In the second case, the solution may be easy. Your app would act as an authentication proxy and you can send user name and roles with HTTP headers.

What do you mean by "alongside Geoserver"? If both applications run within one J2EE container, you can delegate authentication/role management to the J2EE container.

Please answer my questions; I think we will find a solution.



Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Thanks for the help - see below…

On 24/08/2012 15:56, Christian Mueller wrote:

One important question: is Geoserver calling your app, or is your app calling Geoserver? In the second case, the solution may be easy. Your app would act as an authentication proxy and you can send user name and roles with HTTP headers.

My app is calling geoserver, with the user already having logged in via a spring security setup in my app.

What do you mean by "alongside Geoserver"? If both applications run within one J2EE container, you can delegate authentication/role management to the J2EE container.

Yes, they’re running on the same tomcat server.

Please answer my questions; I think we will find a solution.

Thanks again :slight_smile:

Mark


You have many possibilities. First, go to “Security”->Authentication and click “Add a new authentication filter”.
You see a list of possible filters; a short explanation:

1) J2EE container: let the container do the job for both apps

If you want to reauthenticate on Geoserver:
2) Basic auth
3) Digest auth

If you want to have your app acting as an authentication proxy:
4) CAS-PT, if you want to have a single sign-on solution (you have to install a CAS server and use CAS proxy tickets)
5) HTTP header authentication

5) is very efficient and simple. You have to specify an HTTP header attribute for transmitting the user name. As a role source you can specify a different header attribute and pass the roles as a string delimited by “;” like role1;role2;role3. This is by far the fastest solution.

After you have created your filter, go back to “Security”->Authentication, section “Filter chains”. Choose the filter chain “default” and add your newly created filter.

In your app, you have to set the corresponding header attributes.

Hope that helps


2012/8/24 Mark Paxton <mark@anonymised.com>

Hi,

Thanks for the input - it sounds like I would need to reauthenticate, since otherwise wouldn’t it be possible just to send headers like user “admin” and role “administrator” without checks?

Yes, there are no checks. You have to ensure that only your app is able to send such requests.

One thing I have done is to write a UserGroupService and RoleService implementation for Geoserver that pulls in the data from my existing database. I’m assuming that if I can send a username and password from my app, then I can log in that way and access all the roles, etc. that I need. I think that’s where I’m a little uncertain.

Yes, in this case Geoserver does a full authentication procedure. The easiest way is basic auth.

My other app is a spring-roo application that’s using spring security, which I think uses a server session to store the login. Do you think it sounds feasible to re-use that data by getting the session id and login details that way?

Yes, but I am wondering if you will find the password in the session. If not, you have no chance to reauthenticate on Geoserver and you have to use the HTTP header approach or use a CAS server.

Cheers,
Mark

On 24/08/2012 16:36, Christian Mueller wrote:

You have many possibilities. First, go to “Security”->Authentication and click “Add a new authentication filter”.
You see a list of possible Filters, a short explanation

  1. J2EE container, let the container do the job for both apps

If you want to reauthenticate on Geoserver
2) Basic auth
3) Digest auth

If you want to have your app acting as an authentication proxy
4) CAS-PT if you want to have a single sign on solution (You have to install a CAS Server and use CAS proxy tickets)
5) Http header authentication

  1. is very efficient and simple. You have to specify a a http header attribute for transmitting the user name. As a role source you can specify a different header attribute and pass the roles a string delimted by “;” like role1;role2;role3. This is by far the fastest solution.

After you have created your filter, go back to “Security”->Authentication, section “Filter chains”. Chose the filter chain “default” and add your newly created filter.

In your app, you have set the corresponding header attributes.

Hope that helps

2012/8/24 Mark Paxton <mark@anonymised.com>

Thanks for the help - see below…

On 24/08/2012 15:56, Christian Mueller wrote:

One important question, is Geoserver calling your app or is your app calling geoserver. In the second case, the solution may be easy. Your app would act as an authentication proxy and you can send user name and roles with http headers.

My app is calling geoserver, with the user already having logged via a spring security setup in my app.

What do you mean with alongside Geoserver ?. If both applications run within one J2EE container, you can delegate authentication/role management to the J2EE container.

Yes, they’re running on the same tomcat server.

Please answer my questions, I think we will find a solution.

Thanks again :slight_smile:

Mark

2012/8/24 Mark Paxton <mark@anonymised.com281…>

Hi all,

I’m attempting to build a web app that runs alongside Geoserver and
provides data to be mapped though geoserver’s web services. To do this
I need to be able to re-use the login session from my other web app
(spring security), then request the particular set of features I’m
interested in.

So far I’ve created new UserGroup and Role services that can access my
own user database, but I’d really appreciate some advice on how to share
the login with Geoserver. It looks like the easiest way might be to use
RememberMe sessions - so any thoughts on the particular configuration to
do this would be helpful.

Thanks!

Mark


Live Security Virtual Conference
Exclusive live event will cover all the ways today’s security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Hi Mark, a fact I forgot to mention about the HTTP header authentication: since you have to configure the name of the header attribute(s), you have a shared secret between your app and Geoserver. If you use

myusername10439
myroles3284kfd

as header attributes, an attacker needs to know these names!!! I would recommend you go this way; it will be the easiest.
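A small model of option 5 (HTTP header authentication) and of the two caveats in this thread (Geoserver performs no checks on the asserted user, and the header names are the only shared secret), added here as an example and not code from GeoServer or from either poster. The header names are the ones from the message above; the loopback-only origin rule and the delimiter check on the app side are assumptions of this example.

```python
# Added example, not GeoServer's or Mark's code: a model of the HTTP header
# authentication discussed in the thread. One header carries the user name,
# another carries the roles delimited by ";". GeoServer trusts whatever is
# sent, so the header names are the only shared secret.
from dataclasses import dataclass
from typing import Dict, List, Optional

USER_HEADER = "myusername10439"    # header names from the thread
ROLES_HEADER = "myroles3284kfd"
ROLE_DELIMITER = ";"
# Assumption: both apps share one Tomcat, so only loopback may assert an identity.
TRUSTED_ORIGINS = {"127.0.0.1", "::1"}


@dataclass
class Principal:
    username: str
    roles: List[str]


def principal_from_headers(headers: Dict[str, str]) -> Optional[Principal]:
    """GeoServer side: the filter as described, accepting the headers as-is."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    user = lowered.get(USER_HEADER.lower(), "").strip()
    if not user:
        return None  # no user header: the request stays anonymous
    raw = lowered.get(ROLES_HEADER.lower(), "")
    roles = [r.strip() for r in raw.split(ROLE_DELIMITER) if r.strip()]
    return Principal(user, roles)


def authenticate(headers: Dict[str, str], remote_addr: str) -> Optional[Principal]:
    """Hardened variant: only the proxy app's own origin may assert a user,
    because anyone else who can reach GeoServer could send the same headers."""
    if remote_addr not in TRUSTED_ORIGINS:
        return None
    return principal_from_headers(headers)


def outbound_headers(username: str, roles: List[str]) -> Dict[str, str]:
    """App side: build the headers for a request to GeoServer from the user
    already authenticated by Spring Security. Values containing the role
    delimiter or line breaks are rejected so no extra role can be smuggled in."""
    for value in [username, *roles]:
        if not value or ROLE_DELIMITER in value or "\r" in value or "\n" in value:
            raise ValueError(f"unsafe identity value: {value!r}")
    return {USER_HEADER: username, ROLES_HEADER: ROLE_DELIMITER.join(roles)}
```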
