[Geoserver-users] authenticating with basic auth

Hi list
I am pretty new to the GeoServer security system, so please bear with my
request if it is obvious :)

I have a web application that needs to provide a map viewer using
secured WMS layers from GeoServer (installed together with GeoNode).
After reading some posts [1] [2] [3] in the list, I am trying with
this approach (in Python) to generate a valid JSESSIONID using Basic
Authentication to be used for any request from the client to access
the secured layers:

from httplib2 import Http
url = 'http://myserver/geoserver/j_spring_security_check'
hds = {
        "Authorization": "Basic secretbase64xyz=",
}
h = Http()
gs_resp, gs_content = h.request(url, "POST", headers=hds )

If I investigate the gs_resp variable, I effectively find a valid
JSESSIONID, but the status of the GeoServer response is 302, and in my
client map viewer the layers are still not displayed:

ipdb> gs_resp
{'status': '302', 'content-length': '0', 'set-cookie':
'JSESSIONID=95223F466298BA31F6DF96F90D98C1C9; Path=/geoserver',
'server': 'Apache-Coyote/1.1', 'location':
'http://myserver/geoserver/web/;jsessionid=95223F466298BA31F6DF96F90D98C1C9?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true',
'date': 'Tue, 19 Feb 2013 00:16:58 GMT', 'content-type': 'text/plain'}

Any suggestions?
Thanks in advance
p

[1] http://osgeo-org.1560.n6.nabble.com/Authenticate-in-Geoserver-from-PHP-application-td5009457.html
[2] http://osgeo-org.1560.n6.nabble.com/Geoserver-Authentication-td3788480.html
[3] http://en.usenet.digipedia.org/thread/12186/13463/

--
Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti

Hi Paolo

Which GeoServer version are you talking about ?

Two possibilities

  1. If you authenticate using
    http://myserver/geoserver/j_spring_security_check
    you have to send two http parameters in the POST body

    username: myusername
    password: mypassword

    You will receive a cookie which you have to attach to all future requests. No basic auth needed.

  2. Call the services directly and add the “Authorization” header for EACH request. Geoserver does not create a session.

Hope that helps

On Thu, Feb 21, 2013 at 9:30 AM, Christian Mueller
<christian.mueller@anonymised.com> wrote:

> Hi Paolo
>
> Which GeoServer version are you talking about ?
>
> Two possibilities
>
> 1) If you authenticate using
> http://myserver/geoserver/j_spring_security_check
> you have to send two http parameters in the POST body
>
> username: myusername
> password: mypassword
>
> You will receive a cookie which you have to attach to all future requests.
> No basic auth needed.
>
> 2) Call the services directly and add the "Authorization" header for EACH
> request. Geoserver does not create a session.
>
> Hope that helps

Hi Christian,

thanks so much for the excellent explanation ;)
I am using GeoServer 2.1-SNAPSHOT, that is what we have in production here.

I have been testing the first solution yesterday, before I ended up
being confused between the two methods.

This is what I did:

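from httplib2 import Http
from urllib.parse import urlencode  # Python 3; on Python 2: from urllib import urlencode
h = Http()
url = 'http://myserver/geoserver/j_spring_security_check'
data = dict(username="myuser", password="mypassword")
# the form-encoded body is sent without a Content-Type header
gs_resp, gs_content = h.request(url, "POST", urlencode(data))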

ipdb> gs_resp
{'status': '302', 'content-length': '0', 'set-cookie':
'JSESSIONID=A0C2E89C4D82BCAFBF8DD4D8A5621085; Path=/geoserver',
'server': 'Apache-Coyote/1.1', 'location':
'http://myserver/web/;jsessionid=A0C2E89C4D82BCAFBF8DD4D8A5621085?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true',
'date': 'Tue, 19 Feb 2013 17:17:27 GMT', 'content-type': 'text/plain'}

Still a 302 error.
The cookie is anyway generated:
JSESSIONID=A5608A92A39E1E1433475AF03FCB616A; path=/geoserver; domain=localhost

but if at this point I try to load in the map some secured layer, I
have no success.

With curl I am experiencing the same 302 error:

$ curl -v --data "username=myuser&password=mypassword" http://myserver/geoserver/j_spring_security_check
* About to connect() to myserver port 80 (#0)
* Trying 74.3.255.211... connected

POST /geoserver/j_spring_security_check HTTP/1.1
User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Host: myserver
Accept: */*
Content-Length: 32
Content-Type: application/x-www-form-urlencoded

* upload completely sent off: 32out of 32 bytes
< HTTP/1.1 302 Moved Temporarily
< Date: Tue, 19 Feb 2013 17:15:14 GMT
< Server: Apache-Coyote/1.1
< Location: http://myserver/geoserver/;jsessionid=132EC849573AF8BA01210B6306EF85A0
< Content-Length: 0
< Set-Cookie: JSESSIONID=132EC849573AF8BA01210B6306EF85A0; Path=/geoserver
< Content-Type: text/plain
<
* Connection #0 to host myserver left intact
* Closing connection #0

any suggestions?
thanks in advance
p

--
Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti

Hi Paolo

First, for WMS requests, solution 2) is recommended. Let's have a look at the output you included in your last mail trying solution 1).

302 is not an error code, it is an HTTP redirect. The redirect url is stored in the “location” response header attribute. In your php sample, the login request is NOT successful and you are redirected to the geoserver login page. (I am not used to develop in PHP and I cannot give you a hint).

The curl example works well. Login is successful and you are redirected to the Geoserver start page.

As you can see you always get a 302 response code. I would switch to basic auth.

Christian
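
The check described in this reply, written out as an added example (not code from the thread): both responses are 302 and both set a JSESSIONID, so the outcome has to be read from the redirect target. The function name `login_outcome` is hypothetical; the header values are the ones quoted in the thread.

```python
from urllib.parse import parse_qs, urlsplit

# Response headers copied from the thread (httplib2 lower-cases the keys).
FAILED_LOGIN = {
    "status": "302",
    "set-cookie": "JSESSIONID=A0C2E89C4D82BCAFBF8DD4D8A5621085; Path=/geoserver",
    "location": "http://myserver/web/;jsessionid=A0C2E89C4D82BCAFBF8DD4D8A5621085"
                "?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage"
                "&error=true",
}
# Same shape, values taken from the curl output in the thread.
GOOD_LOGIN = {
    "status": "302",
    "set-cookie": "JSESSIONID=132EC849573AF8BA01210B6306EF85A0; Path=/geoserver",
    "location": "http://myserver/geoserver/"
                ";jsessionid=132EC849573AF8BA01210B6306EF85A0",
}


def login_outcome(headers):
    """Return ("ok", cookie) or ("failed", None) for a form-login response."""
    if headers.get("status") != "302":
        return ("unexpected", None)
    query = parse_qs(urlsplit(headers.get("location", "")).query)
    back_to_login = any("GeoServerLoginPage" in value
                        for values in query.values() for value in values)
    if query.get("error") == ["true"] or back_to_login:
        # A JSESSIONID is set here too, but it belongs to an anonymous session.
        return ("failed", None)
    cookie = headers.get("set-cookie", "").split(";", 1)[0].strip()
    if not cookie.startswith("JSESSIONID="):
        return ("failed", None)
    return ("ok", cookie)
```
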

On Thu, Feb 21, 2013 at 12:58 PM, Christian Mueller
<christian.mueller@anonymised.com> wrote:

> Hi Paolo
>
> First, for WMS requests, solution 2) is recommended. Let's have a look at the
> output you included in your last mail trying solution 1).
>
> 302 is not an error code, it is an HTTP redirect. The redirect url is stored
> in the "location" response header attribute. In your php sample, the login
> request is NOT successful and you are redirected to the geoserver login
> page. (I am not used to develop in PHP and I cannot give you a hint).
>
> The curl example works well. Login is successful and you are redirected to
> the Geoserver start page.
>
> As you can see you always get a 302 response code. I would switch to basic
> auth.
>
> Christian

You are definitely right, and I have got to the same conclusion.
curl request is working well, I have seen that I get 302 (page
redirect) also when browsing to that page.
What was wrong was my Python code: I had to set HTTP Content-Type header to
"application/x-www-form-urlencoded" , as suggested here [1] and now it
is working well.

For future reference, this is the working code:

from httplib2 import Http
from urllib.parse import urlencode  # Python 3; on Python 2: from urllib import urlencode

url = 'http://myserver/geoserver/j_spring_security_check'
# without this header the servlet container does not parse the body as form fields
hds = {
    "content-type": "application/x-www-form-urlencoded",
}
http = Http()
data = dict(username="myuser", password="mypassword")
gs_resp, gs_content = http.request(url, method="POST",
                                   body=urlencode(data), headers=hds)

thanks a lot again!
p

[1] http://stackoverflow.com/questions/5385699/python-httplib2-http-not-sending-post-parameters

--
Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti

Fine, but be aware of the fact that each new cookie creates an HTTP session on the Geoserver side wasting resources you do not need for WMS requests. At the end of the day, it is your decision :)

Christian

On Thu, Feb 21, 2013 at 3:42 PM, Christian Mueller
<christian.mueller@anonymised.com> wrote:

> Fine, but be aware of the fact that each new cookie creates an HTTP session
> on the Geoserver side wasting resources you do not need for WMS requests. At
> the end of the day, it is your decision :)
>
> Christian

Christian

the point is that I need to add WMS layers in Leaflet, and I do not
see an easy way to modify headers using the Leaflet WMS class [1].

Nor do I wish to expose username and password as suggested here [2]
at the client side (this solution does not work for all browsers,
though, as far as I can see). By the way: is there any available
complete OpenLayers example performing Basic Authentication with WMS?
I couldn't find one.

That is why I have been looking to a way to perform cookie
authentication, modifying the response with Python and attaching the
cookie to the response (using Django here). Unluckily this approach
does not work if the GeoServer and Web App domains are different, as
the generated cookie won't be accepted by GeoServer (while the
JSESSIONID has a valid value, the domain is different), and this is
the scenario I am in.
I am looking now to alternatives, but I am afraid that using proxies
or cascading or extending Leaflet are the only options here.

thanks for your kind support
p

[1] http://leafletjs.com/reference.html#tilelayer-wms
[2] http://osgeo-org.1560.n6.nabble.com/Load-GeoServer-WMS-secured-layers-with-OpenLayers-td3919938.html

--
Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti

Hi Guan

On Thu, Feb 21, 2013 at 6:11 PM, Guan Wang <gwang@anonymised.com> wrote:

> What's your goal? For me, it's like you are looking for a solution to only
> allow authorized users consuming your WMS services. Then it doesn't sound
> like a role for Geoserver. It gotta be something above GeoServer to take
> this responsibility.

I am already using a really good one (GeoNode), but now I have the task to
create a viewer external from the GeoNode context using private
layers, this is why I am looking at what is the best way to authenticate
with GeoServer

> I would suggest you leaving Geoserver alone and use a proxy server on top of
> GeoServer for authentication.

That is exactly what I have ended up with ;)

> BTW, I can't see why extending Leaflet could be an alternative since it's
> just a client side javascript library, isn't it?

A possible approach we were considering is with XMLHttpRequest,
setting the headers for basic auth, and feed the viewer with json,
using WFS instead of WMS. But you are right, this is not applicable
to WMS.

regards
p

--
Paolo Corti
Geospatial software developer
web: http://www.paolocorti.net
twitter: @capooti
skype: capooti
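
The proxy approach the thread settles on, sketched as an added example (not code from the thread or from GeoServer/GeoNode): the web application forwards WMS GetMap requests and attaches the Basic `Authorization` header itself on each request, so the browser never holds GeoServer credentials or a GeoServer cookie. The `/geoserver/wms` path, the credentials, the parameter allow-list and the names `build_upstream_request` and `wms_proxy` are assumptions.

```python
import base64
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

# Assumptions: endpoint path and credentials are placeholders, kept server-side.
GEOSERVER_WMS = "http://myserver/geoserver/wms"
GS_USER, GS_PASSWORD = "myuser", "mypassword"
# Only what a tile client needs for GetMap is forwarded.
ALLOWED_PARAMS = {"service", "version", "request", "layers", "styles", "bbox",
                  "width", "height", "srs", "crs", "format", "transparent"}


def build_upstream_request(query_string):
    """Return an authenticated Request for GeoServer, or None if not a GetMap."""
    params = {k.lower(): v for k, v in parse_qsl(query_string)
              if k.lower() in ALLOWED_PARAMS}
    if params.get("request", "").lower() != "getmap":
        return None
    token = base64.b64encode(f"{GS_USER}:{GS_PASSWORD}".encode()).decode()
    req = Request(GEOSERVER_WMS + "?" + urlencode(params))
    # Option 2 from the thread: the header goes on EACH request, no session.
    req.add_header("Authorization", "Basic " + token)
    return req


def wms_proxy(environ, start_response):
    """WSGI app; the web app's own login check must run before this handler."""
    req = build_upstream_request(environ.get("QUERY_STRING", ""))
    if req is None:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [b"only WMS GetMap is proxied\n"]
    try:
        with urlopen(req, timeout=10) as upstream:
            body = upstream.read()
            ctype = upstream.headers.get("Content-Type",
                                         "application/octet-stream")
    except OSError:  # URLError, HTTPError and timeouts all derive from OSError
        start_response("502 Bad Gateway", [("Content-Type", "text/plain")])
        return [b"upstream error\n"]
    # Only the body and content type are relayed; upstream cookies are dropped.
    start_response("200 OK", [("Content-Type", ctype)])
    return [body]
```

Basic credentials are only base64-encoded, so the hop from the proxy to GeoServer should run over TLS or a trusted internal network.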