[Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles)

I’m running GeoServer 2.5.1 with OpenLayers client making WMS requests and I have basic authentication turned on for all OGC services.

After a period (say 30 minutes) of GeoServer inactivity due to client inactivity, if the client is then used to make a WMS request it receives HTTP 404 Not Found and I get the dreaded pink square tiles instead of my imagery tiles. In the GeoServer log there are several warning log messages of the form:

08 Aug 20:23:03 WARN [servlet.PageNotFound] - No mapping found for HTTP request with URI [/geoserver/<workspace>/wms] in DispatcherServlet with name ‘dispatcher’

If I go to the GeoServer web admin console and login as administrator or simply refresh an existing timed-out session then the WMS requests work fine again. Does anyone know what I need to do to get GeoServer to not do this?

–Steve


Stephen Brooke (a.k.a. Steve)
Software Engineer III
Ground Systems
MDA
http://www.mda.ca
sbrooke@anonymised.com

Direct phone

+1 604 231 2429

Cell phone

+1 778 839 3274

Switchboard

+1 604 278 3411

FAX

+1 604 231 2757


This e-mail and any attachments are intended solely for the use of the intended recipient(s) and may contain legally privileged, proprietary and/or confidential information. Any use, disclosure, dissemination, distribution or copying of this e-mail and any attachments for any purposes that have not been specifically authorized by the sender is strictly prohibited. If you are not the intended recipient, please immediately notify the sender by reply e-mail and permanently delete all copies and attachments.
The entire content of this e-mail is for “information purposes” only and should not be relied upon by the recipient in any way unless otherwise confirmed in writing by way of letter or facsimile.

I am not sure if I have heard of any issue like this before? Are you running GeoServer out of the box? Or as part of a Tomcat deploy …
So yeah please make a bug report -


Jody Garnett


Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

On Fri, Aug 8, 2014 at 10:38 PM, Stephen Brooke <sbrooke@anonymised.com>
wrote:

I’m running GeoServer 2.5.1 with OpenLayers client making WMS requests
and I have basic authentication turned on for all OGC services.

After a period (say 30 minutes) of GeoServer inactivity due to client
inactivity, if the client is then used to make a WMS request it receives
HTTP 404 Not Found and I get the dreaded pink square tiles instead of my
imagery tiles. In the GeoServer log there are several warning log messages
of the form:

08 Aug 20:23:03 WARN [servlet.PageNotFound] - No mapping found for HTTP
request with URI [/geoserver/<workspace>/wms] in DispatcherServlet with
name 'dispatcher'

If I go to the GeoServer web admin console and login as administrator or
simply refresh an existing timed-out session then the WMS requests work
fine again. Does anyone know what I need to do to get GeoServer to not do
this?

Session? As in HTTP one?
OGC services should create a session to start with, unless you configured
the security otherwise, or you are using the same browser
to admin and do OGC requests at the same time.

Is this your case?

Can you provide more details on your setup?

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Andrea,

Here are some more details that should answer your questions:

Session? As in HTTP one?

[Steve]: Yes I mean HTTP session

OGC services should create a session to start with, unless you configured the security otherwise, or you are using the same browser

to admin and do OGC requests at the same time.

[Steve]: Yes, I am using the same browser to admin GeoServer and also to run a web client that uses OGC services. I will try running the web client in a different browser and see if the problem is still reproducible in that case.

My web client can pass credentials each time so a session isn’t really needed for the OGC services. Is there a stateless mode for the OGC services? I see in the “GeoServer User Manual, Release 2.5-RC2” it states:



Hi Stephen

Can you try the following.

Open a browser and call an OGC service on a protected resource. The browser should pop up a login panel (for basic or digest auth). After login, the browser should send authentication header attributes for each request. To stop sending these attributes, you must close your browser because there is no explicit log out for stateless authentication.

AFAIK it is not possible to disable “session integration”. Would be a new feature.

Christian


On Mon, Aug 11, 2014 at 6:58 PM, Stephen Brooke <sbrooke@anonymised.com> wrote:

Andrea,

Here are some more details that should answer your questions:

Session? As in HTTP one?

[Steve]: Yes I mean HTTP session

OGC services should create a session to start with, unless you configured the security otherwise, or you are using the same browser

to admin and do OGC requests at the same time.

[Steve]: Yes, I am using the same browser to admin GeoServer and also to run a web client that uses OGC services. I will try running the web client in a different browser and see if the problem is still reproducible in that case.

My web client can pass credentials each time so a session isn’t really needed for the OGC services. Is there a stateless mode for the OGC services? I see in the “GeoServer User Manual, Release 2.5-RC2” it states:


16.2.3 Authentication to OWS and REST services

“OWS and REST services are stateless and have no inherent awareness of “session”, so the authentication scheme for these services requires the client to supply credentials on every request. That said, “session integration” is supported, meaning that if a session already exists on the server (from a concurrent authenticated web admin session) it will be used for authentication. This scheme allows GeoServer to avoid the overhead of session creation for OWS and REST services.”


Is there a way to disable “session integration” for OGC services?

–Steve


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Christian,

I tried opening a new browser window and making a WMS GetCapabilities request and it did not pop up a login panel, which I thought was strange. I then used the filter chain tester tool in the GeoServer Web Admin and checked the WMS request URL and it said it was using the “default” filter which had both “anonymous” and “basic” authentication providers selected so I removed the “anonymous” authentication provider. After this I re-ran the test and the WMS request caused a login panel to pop up the first time I tried to access the resource.

I will try the scenario again to see if the timeout happens now that I have the correct “default” service chain filter in place.

–Steve


Hi Stephen

Be aware of the fact that the basic auth credentials may have a timeout too. This timeout is browser-specific, I hope your browser has no timeout (I never checked this for different browsers and versions).

The best solution would be to enable/disable “session integration”, but this is not possible at the moment.

Cheers
Christian


Now that I get the login popup in the browser for the first WMS request I can see that this will not be very pleasant for the user who has already been made to login to my application. According to several forum posts on the subject it is the HTTP header ‘WWW-Authenticate: Basic realm="GeoServer Realm"’ that causes this browser behavior. Is there a way to tell GeoServer not to set the WWW-Authenticate response header when it sends HTTP 401? Or is this something the “User-Agent”, that is, the browser needs to deal with? According to the HTTP spec a “User-Agent” can set the HTTP Authorization header with appropriate credentials in place of popping up a login dialog, however, the consensus in the dev community seems to be that preventing the browser from popping up the dialog is not currently possible unless the server deviates from the HTTP spec in some way (for example, if the server omits the WWW-Authenticate header).

Some forums suggest that it is becoming good practice for clients to set the HTTP header “X-Requested-With: XMLHttpRequest” as a hint to the server to not include the WWW-Authenticate header, and hence the browser would not pop up the login prompt.

Anybody have any good solutions for preventing the browser from popping up a login dialog in response to HTTP 401 from GeoServer and instead have the browser client (OpenLayers) respond with proper “Authorization” header?

Here’s an explanation of this web browser HTTP 401 problem:

http://www.freelock.com/2008/06/technical-note-http-auth-with-ajax

Here’s a Chrome issue that talks about this issue a bit more.

https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20Mstone%20ReleaseBlock%20OS%20Area%20Feature%20Status%20Owner%20Summary&groupby=&sort=&id=31582

For instance could I put a Servlet Filter in GeoServer web.xml such that it causes the “WWW-Authenticate” header to not get set in certain situations?

–Steve


Hi Stephen

After the user has logged in to your application (OpenLayers) successfully, did you try to send an OGC request to GeoServer containing the proper basic auth headers in your JavaScript code, simulating a popup login? Not sure if this works, never tried.

Of course it would be possible to add a configuration option “Do not send WWW-Authenticate” to the filter, but this is not standard and as a consequence, I do not want to implement it.

On the other side, it is possible to develop your own authentication filter as a plugin. The “authkey” module is a good example.
http://docs.geoserver.org/stable/en/user/community/authkey/index.html

Cheers
Christian
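
The client-side approach suggested in the message above, as an added example that is not code from the thread or from GeoServer: the map client builds each WMS GetMap request with a pre-emptive Basic `Authorization` header and no cookies, then classifies the response itself. The function names are hypothetical, and the host, workspace, layer and credentials are assumed to be supplied by the application.

```javascript
// Added example; every host, layer name and credential passed to these functions is constructed.

// RFC 7617: the user-id may not contain ':'; "user:password" is UTF-8 encoded, then base64.
function basicAuthHeader(user, password) {
  if (user.includes(':')) {
    throw new Error('Basic auth user-id must not contain ":"');
  }
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return 'Basic ' + btoa(binary);
}

// Build the GetMap URL and the fetch options for one tile.
function buildTileRequest(wmsUrl, params, creds) {
  const url = new URL(wmsUrl);
  if (url.protocol !== 'https:') {
    // Basic credentials are only base64-encoded, so never send them in clear text.
    throw new Error('refusing to send Basic credentials over ' + url.protocol);
  }
  const query = { SERVICE: 'WMS', VERSION: '1.1.1', REQUEST: 'GetMap', FORMAT: 'image/png', ...params };
  for (const [key, value] of Object.entries(query)) {
    url.searchParams.set(key, String(value));
  }
  return {
    url: url.toString(),
    init: {
      method: 'GET',
      // No cookies: an admin-console session cookie held by the same browser is not
      // sent, so every tile is authenticated by the header alone.
      credentials: 'omit',
      headers: { Authorization: basicAuthHeader(creds.user, creds.password) },
    },
  };
}

// Map a response to an outcome the map client can act on.
function classifyTileResponse(status, contentType) {
  if (status === 401) return 'auth-failed';
  if (status === 404) return 'not-found';
  if (status < 200 || status > 299) return 'http-error';
  // A WMS can answer 200 with a ServiceException XML document instead of an image.
  return (contentType || '').toLowerCase().startsWith('image/') ? 'tile' : 'service-exception';
}

// fetchImpl is injectable so the function can be exercised without a server.
async function fetchWmsTile(request, fetchImpl = fetch) {
  const res = await fetchImpl(request.url, request.init);
  const outcome = classifyTileResponse(res.status, res.headers.get('content-type'));
  if (outcome !== 'tile') {
    const err = new Error(`WMS tile request failed: ${outcome} (HTTP ${res.status})`);
    err.outcome = outcome;
    throw err;
  }
  return res.blob(); // the caller turns this into an object URL for the tile image
}
```

Because the script holds the password, this fits only where the application already has the GeoServer credentials of the logged-in user.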

···

On Wed, Aug 13, 2014 at 6:26 PM, Stephen Brooke <sbrooke@anonymised.com> wrote:

Now that I get the login popup in the browser for the first WMS request I can see that this will not be very pleasant for the user who has already been made to login to my application. According to several forum posts on the subject it is the HTTP header ‘WWW-Authenticate:Basic realm="GeoServer Realm“’ that causes this browser behavior. Is there a way to tell GeoServer not to set the WWW-Authenticate response header when it sends HTTP 401? Or is this something the “User-Agent”, that is, the browser needs to deal with? According to the HTTP spec a “User-Agent” can set the HTTP Authorization header with appropriate credentials in place of popping up a login dialog, however, the consensus in the dev community seems to be that preventing the browser to popup the dialog is not currently possible unless the server deviates from the HTTP spec in some way (for example, if the server omits the WWW-Authenticate header).

Some forums suggest that it is becoming good practice for clients to set the HTTP header “X-Requested-With: XMLHttpRequest” as a hint to the server to not include the WWW-Authenticate header, and hence the browser would not popup the login prompt.

Anybody have any good solutions for preventing the browser to popup a login dialog in response to HTTP 401 from GeoServer and instead have the browser client (OpenLayers) respond with proper “Authorization” header?

Here’s an explanation of this web browser HTTP 401 problem:

http://www.freelock.com/2008/06/technical-note-http-auth-with-ajax

Here’s a Chrome issue that talks about this issue a bit more.

https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20Mstone%20ReleaseBlock%20OS%20Area%20Feature%20Status%20Owner%20Summary&groupby=&sort=&id=31582

For instance, could I put a Servlet Filter in GeoServer web.xml such that it causes the “WWW-Authenticate” header to not get set in certain situations?

–Steve

From: Stephen Brooke
Sent: Tuesday, August 12, 2014 10:14 AM
To: ‘Christian Mueller’
Cc: Andrea Aime; geoserver-users@lists.sourceforge.net
Subject: RE: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles)

Hi Christian,

I tried opening a new browser window and making a WMS GetCapabilities request and it did not pop up a login panel, which I thought was strange. I then used the filter chain tester tool in the GeoServer Web Admin and checked the WMS request URL and it said it was using the “default” filter which had both “anonymous” and “basic” authentication providers selected, so I removed the “anonymous” authentication provider. After this I re-ran the test and the WMS request caused a login panel to pop up the first time I tried to access the resource.

I will try the scenario again to see if the timeout happens now that I have the correct “default” service chain filter in place.

–Steve

From: Christian Mueller [mailto:christian.mueller@anonymised.com]
Sent: Tuesday, August 12, 2014 2:57 AM
To: Stephen Brooke
Cc: Andrea Aime; geoserver-users@lists.sourceforge.net

Subject: Re: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles)

Hi Stephen

Can you try the following.

Open a browser and call an OGC service on a protected resource. The browser should pop up a login panel (for basic or digest auth). After login, the browser should send authentication header attributes for each request. To stop sending these attributes, you must close your browser because there is no explicit log out for stateless authentication.

AFAIK it is not possible to disable “session integration”. Would be a new feature.

Christian

On Mon, Aug 11, 2014 at 6:58 PM, Stephen Brooke <sbrooke@anonymised.com> wrote:

Andrea,

Here are some more details that should answer your questions:

Session? As in HTTP one?

[Steve]: Yes I mean HTTP session

OGC services should create a session to start with, unless you configured the security otherwise, or you are using the same browser to admin and do OGC requests at the same time.

[Steve]: Yes, I am using the same browser to admin GeoServer and also to run a web client that uses OGC services. I will try running the web client in a different browser and see if the problem is still reproducible in that case.

My web client can pass credentials each time so a session isn’t really needed for the OGC services. Is there a stateless mode for the OGC services? I see in the “GeoServer User Manual, Release 2.5-RC2” it states:


16.2.3 Authentication to OWS and REST services

“OWS and REST services are stateless and have no inherent awareness of “session”, so the authentication scheme for these services requires the client to supply credentials on every request. That said, “session integration” is supported, meaning that if a session already exists on the server (from a concurrent authenticated web admin session) it will be used for authentication. This scheme allows GeoServer to avoid the overhead of session creation for OWS and REST services.”


Is there a way to disable “session integration” for OGC services?

–Steve

From: andrea.aime@anonymised.com… [mailto:andrea.aime@anonymised.com] On Behalf Of Andrea Aime
Sent: Saturday, August 09, 2014 1:07 AM
To: Stephen Brooke
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles)

On Fri, Aug 8, 2014 at 10:38 PM, Stephen Brooke <sbrooke@anonymised.com> wrote:

I’m running GeoServer 2.5.1 with OpenLayers client making WMS requests and I have basic authentication turned on for all OGC services.

After a period (say 30 minutes) of GeoServer inactivity due to client inactivity, if the client is then used to make a WMS request it receives HTTP 404 Not Found and I get the dreaded pink square tiles instead of my imagery tiles. In the GeoServer log there are several warning log messages of the form:

08 Aug 20:23:03 WARN [servlet.PageNotFound] - No mapping found for HTTP request with URI [/geoserver//wms] in DispatcherServlet with name ‘dispatcher’

If I go to the GeoServer web admin console and login as administrator or simply refresh an existing timed-out session then the WMS requests work fine again. Does anyone know what I need to do to get GeoServer to not do this?

Session? As in HTTP one?

OGC services should create a session to start with, unless you configured the security otherwise, or you are using the same browser to admin and do OGC requests at the same time.

Is this your case?

Can you provide more details on your setup?

Cheers

Andrea


Ing. Andrea Aime

@geowolf

Technical Lead

GeoSolutions S.A.S.


DI Christian Mueller MSc (GIS), MSc (IT-Security)

OSS Open Source Solutions GmbH


Hi Christian,

Yes, after a user logs into the OpenLayers-based web client I can successfully make a WMS GetCapabilities request as I provided the correct “Authorization” header and this request was made by using the OpenLayers.Request() construct which uses the XMLHttpRequest object underneath. However, even though I do this, when OpenLayers makes WMS GetMap requests when I enable a certain layer the browser (latest versions of Chrome and Firefox) does not automatically send the credentials I provided with the previous request and I still get the browser login popup. From my online research it appears that you cannot send an “Authorization” header for these WMS requests with OpenLayers because it uses the HTML <img> tag. What did work is setting the URL for my layer to http://username:password@…79…:8080/geoserver//wms, however this means I would need to send the password in plain text across the wire which is unacceptable.

Why doesn’t the browser reuse the authorization headers after an authenticated XMLHttpRequest?

http://stackoverflow.com/questions/20617720/why-doesnt-the-browser-reuse-the-authorization-headers-after-an-authenticated-x

However, the solution proposed in the above Stack Overflow question cannot be applied in this situation because the solution says to simply avoid using the <img> tag altogether and instead load images with JS XMLHttpRequest.

The key problem I see here is that the browser will not send credentials until a credential challenge (HTTP 401 server response) is sent back by the server, and with little control over how OpenLayers renders the images from WMS GetMap requests, it doesn’t appear that I can provide custom handling for the HTTP 401 response to override this browser behavior on the client side from JavaScript when the request is not an XMLHttpRequest.

I’ve looked at the “authKey” plugin and it looks like it might work out-of-the-box for me. I will attempt to try it today.

Thanks,

–Steve


Hi Stephen

Using http://username:password@anonymised.com:8080/geoserver//wms sends the password in plain text. If you are using basic auth, the password is sent Base64 encoded. Concerning security, Base64 encoding is the same as plain text. Both methods require HTTPS.

Even the form-based login of the Web GUI sends the password in plain text.

If HTTPS is not an option for you, you should switch to digest auth. Digest auth never sends the password over the wire but behaves like basic auth.

Let me know about your experience with the auth key module, I am planning to migrate this custom extension to an official GeoServer extension.

Christian


Hi Christian,

Thanks for the info. I didn’t know that the password is base64 encoded when you use the username:password@…79… in the URL. I am aware that base64 is pretty much equivalent to plain text and this is just for a prototype; in the real system we will definitely use HTTPS and I am planning to implement a Single-Sign-On with Jasig CAS for the real system. So I may or may not need to use the authkey module but it is a good backup plan if we hit roadblocks with the CAS SSO capability for the UI to use when talking with OGC services and our own REST API.

–Steve

···

Hi Stephen

Using http://username:password@…79…:8080/geoserver//wms sends the password in plain text. If you are using basic auth, the password is sent Base64 encoded. Concerning security, Base64 encoding is the same as plain text. Both methods require HTTPS.

Even the form based login of the Web GUI sends the password in plain text.

If HTTPS is not an option to you, you should switch to digest auth. Digest auth never sends the password over the wire but behaves likes basic auth.

Let me know about your experience with the auth key module, I am planing to migrate this custom extension to an official GeoServer extension.

Christian

On Thu, Aug 14, 2014 at 7:05 PM, Stephen Brooke <sbrooke@…3836…> wrote:

Hi Christian,

Yes, after a user login into OpenLayers-based web client I can successfully make a WMS GetCapabilities request as I provided the correct “Authorization” header and this request was made by using the OpenLayers.Request() construct which uses XMLHttpRequest object underneath. However, even though I do this when OpenLayers makes WMS GetMap requests when I enable a certain layer the browser (latest versions of Chrome and Firefox) does not automatically send the credentials I provided with the previous request and I still get the browser login popup. From my online research it appears that you cannot send an “Authorization” header for these WMS requests with OpenLayers because it uses the HTML tag. What did work is setting the URL for my layer to http://username:password@…79…:8080/geoserver//wms, however this means I would need to send the password in plain text across the wire which is unacceptable.

Why doesn’t the browser reuse the authorization headers after an authenticated XMLHttpRequest?

http://stackoverflow.com/questions/20617720/why-doesnt-the-browser-reuse-the-authorization-headers-after-an-authenticated-x

However, the solution proposed in the above stackoverflow question cannot be applied in this situation because the solution says to simply avoid using the tag altogether and instead load images with JS XMLHttpRequest.

The key problem I see here is that the browser will not send credentials until a credential challenge (HTTP 401 server response) is sent back by the server, and with little control over how OpenLayers renders the images from WMS GetMap request, it doesn’t appear that I can provide a custom handling for the HTTP 401 response to override this browser behavior on the client-side from Javascript when the request is not an XMLHttpRequest.

I’ve looked at the “authKey” plugin and it looks like it might work out-of-the-box for me. I will attempt to try it today.

Thanks,

–Steve

From: Christian Mueller [mailto:christian.mueller@…5445…]
Sent: Thursday, August 14, 2014 7:03 AM

To: Stephen Brooke
Cc: Andrea Aime; geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles)

Hi Stephen

After the user is logged in into your application (open layers) successfully, did you try to send a OGC request to GeoServer containing the proper basic auth headers in your java script code simulating a popup login. Not sure if this works, never tried.

Of course it would be possible to add a configuration option “Do not send WWW-Authenticate” to the filter, but this is not standard and as a consequence, I do not want to implement it.

On the other side, it is possible to develop your own authentication filter as a plugin. The “authkey” module is a good example.

http://docs.geoserver.org/stable/en/user/community/authkey/index.html

Cheers

Christian

On Wed, Aug 13, 2014 at 6:26 PM, Stephen Brooke <sbrooke@…3836…> wrote:

Now that I get the login popup in the browser for the first WMS request I can see that this will not be very pleasant for the user who has already been made to log in to my application. According to several forum posts on the subject it is the HTTP header ‘WWW-Authenticate:Basic realm="GeoServer Realm"’ that causes this browser behavior. Is there a way to tell GeoServer not to set the WWW-Authenticate response header when it sends HTTP 401? Or is this something the “User-Agent”, that is, the browser, needs to deal with? According to the HTTP spec a “User-Agent” can set the HTTP Authorization header with appropriate credentials in place of popping up a login dialog; however, the consensus in the dev community seems to be that preventing the browser from popping up the dialog is not currently possible unless the server deviates from the HTTP spec in some way (for example, if the server omits the WWW-Authenticate header).

Some forums suggest that it is becoming good practice for clients to set the HTTP header “X-Requested-With: XMLHttpRequest” as a hint to the server to not include the WWW-Authenticate header, and hence the browser would not pop up the login prompt.

Anybody have any good solutions for preventing the browser from popping up a login dialog in response to HTTP 401 from GeoServer and instead have the browser client (OpenLayers) respond with proper “Authorization” header?

Here’s an explanation of this web browser HTTP 401 problem:

http://www.freelock.com/2008/06/technical-note-http-auth-with-ajax

Here’s a Chrome issue that talks about this issue a bit more.

https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20Mstone%20ReleaseBlock%20OS%20Area%20Feature%20Status%20Owner%20Summary&groupby=&sort=&id=31582

For instance, could I put a Servlet Filter in GeoServer web.xml such that it causes the “WWW-Authenticate” header to not get set in certain situations?

–Steve

From: Stephen Brooke
Sent: Tuesday, August 12, 2014 10:14 AM
To: ‘Christian Mueller’
Cc: Andrea Aime; geoserver-users@lists.sourceforge.net
Subject: RE: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles)

Hi Christian,

I tried opening a new browser window and making a WMS GetCapabilities request and it did not pop up a login panel, which I thought was strange. I then used the filter chain tester tool in the GeoServer Web Admin and checked the WMS request URL and it said it was using the “default” filter, which had both “anonymous” and “basic” authentication providers selected, so I removed the “anonymous” authentication provider. After this I re-ran the test and the WMS request caused a login panel to pop up the first time I tried to access the resource.

I will try the scenario again to see if the timeout happens now that I have the correct “default” service chain filter in place.

–Steve

From: Christian Mueller [mailto:christian.mueller@…5445…]
Sent: Tuesday, August 12, 2014 2:57 AM
To: Stephen Brooke
Cc: Andrea Aime; geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles)

Hi Stephen

Can you try the following.

Open a browser and call an OGC service on a protected resource. The browser should pop up a login panel (for basic or digest auth). After login, the browser should send authentication header attributes for each request. To stop sending these attributes, you must close your browser because there is no explicit log out for stateless authentication.

AFAIK it is not possible to disable “session integration”. Would be a new feature.

Christian

On Mon, Aug 11, 2014 at 6:58 PM, Stephen Brooke <sbrooke@…3836…> wrote:

Andrea,

Here are some more details that should answer your questions:

Session? As in HTTP one?

[Steve]: Yes I mean HTTP session

OGC services should create a session to start with, unless you configured the security otherwise, or you are using the same browser to admin and do OGC requests at the same time.

[Steve]: Yes, I am using the same browser to admin GeoServer and also to run a web client that uses OGC services. I will try running the web client in a different browser and see if the problem is still reproducible in that case.

My web client can pass credentials each time so a session isn’t really needed for the OGC services. Is there a stateless mode for the OGC services? I see in the “GeoServer User Manual, Release 2.5-RC2” it states:


16.2.3 Authentication to OWS and REST services

“OWS and REST services are stateless and have no inherent awareness of “session”, so the authentication scheme for these services requires the client to supply credentials on every request. That said, “session integration” is supported, meaning that if a session already exists on the server (from a concurrent authenticated web admin session) it will be used for authentication. This scheme allows GeoServer to avoid the overhead of session creation for OWS and REST services.”


Is there a way to disable “session integration” for OGC services?

–Steve

From: andrea.aime@…84… [mailto:andrea.aime@…84…] On Behalf Of Andrea Aime
Sent: Saturday, August 09, 2014 1:07 AM
To: Stephen Brooke
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles)

On Fri, Aug 8, 2014 at 10:38 PM, Stephen Brooke <sbrooke@…3836…> wrote:

I’m running GeoServer 2.5.1 with OpenLayers client making WMS requests and I have basic authentication turned on for all OGC services.

After a period (say 30 minutes) of GeoServer inactivity due to client inactivity, if the client is then used to make a WMS request it receives HTTP 404 Not Found and I get the dreaded pink square tiles instead of my imagery tiles. In the GeoServer log there are several warning log messages of the form:

08 Aug 20:23:03 WARN [servlet.PageNotFound] - No mapping found for HTTP request with URI [/geoserver//wms] in DispatcherServlet with name ‘dispatcher’

If I go to the GeoServer web admin console and login as administrator or simply refresh an existing timed-out session then the WMS requests work fine again. Does anyone know what I need to do to get GeoServer to not do this?

Session? As in HTTP one?

OGC services should create a session to start with, unless you configured the security otherwise, or you are using the same browser to admin and do OGC requests at the same time.

Is this your case?

Can you provide more details on your setup?

Cheers

Andrea


Ing. Andrea Aime

@geowolf

Technical Lead

GeoSolutions S.A.S.

Via Poggio alle Viti 1187

55054 Massarosa (LU)

Italy

phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

http://www.geo-solutions.it

http://twitter.com/geosolutions_it




Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

DI Christian Mueller MSc (GIS), MSc (IT-Security)

OSS Open Source Solutions GmbH
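The thread asks whether a servlet filter in web.xml could keep the “WWW-Authenticate” header from being set when the client sends the “X-Requested-With: XMLHttpRequest” hint. The following is an added sketch of such a filter, not part of the original messages and not GeoServer code; the class name is hypothetical, and it assumes the filter is mapped in web.xml ahead of the security filter that writes the challenge.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: hides the Basic challenge from callers that send the XHR hint. */
public class SuppressBasicChallengeFilter implements Filter {
    private static final String CHALLENGE = "WWW-Authenticate";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Client-controlled hint: it only changes whether a challenge header is
        // returned. The status code and the authentication decision are untouched.
        boolean xhr = "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"));
        chain.doFilter(request, xhr ? new NoBasicChallengeResponse(response) : response);
    }

    /** True for a WWW-Authenticate header whose value starts with the Basic scheme. */
    static boolean isBasicChallenge(String name, String value) {
        return CHALLENGE.equalsIgnoreCase(name)
                && value != null
                && value.trim().regionMatches(true, 0, "Basic", 0, 5);
    }

    /** Drops the Basic challenge whether downstream code uses setHeader or addHeader. */
    static final class NoBasicChallengeResponse extends HttpServletResponseWrapper {
        NoBasicChallengeResponse(HttpServletResponse delegate) { super(delegate); }

        @Override public void setHeader(String name, String value) {
            if (!isBasicChallenge(name, value)) super.setHeader(name, value);
        }

        @Override public void addHeader(String name, String value) {
            if (!isBasicChallenge(name, value)) super.addHeader(name, value);
        }
    }
}
```

The request is still answered with HTTP 401, so sending the hint gives a caller no access; it only decides whether the browser is asked to prompt. Requests that do not carry the hint, such as tiles loaded through plain image elements, keep the standard challenge.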