[Geoserver-users] Geoserver Header Auth

Hi

We have set up GeoServer to use HTTP request header proxy authentication as described in this tutorial http://docs.geoserver.org/stable/en/user/security/tutorials/httpheaderproxy/index.html.

To authenticate from an OpenLayers map we have a Python script that grabs a user’s login from the web server and adds that as a header when requesting the capabilities document.

This works great and users can add only layers that they have access to. Once the layer(s) are added any subsequent requests (GetMap, GetLegendGraphic, GetFeatureInfo) are sent directly to GeoServer with no request header added.

Everything seems to work fine (layers show up as you pan/zoom, the legend is populated) apart from when making a GetFeatureInfo request, when we get back the following error and no popup as expected.

<?xml version="1.0" encoding="UTF-8" standalone="no"?>

Could not find layer test:authentication_layer

Is this expected behaviour? I was expecting either all requests to fail after the initial GetCapabilities or that once authenticated geoserver would ‘remember’ the header and everything would work.

Any help would be great.

Thanks

Tom
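What the Python script described above (grab the user's login from the web server, add it as a header, forward the request) has to do, as an added example that is not code from this thread or from GeoServer. Assumed, not from the thread: the header name X-Remote-User, the GeoServer address, the operations that go through the proxy, and all function names.

```python
# Added example, not code from this thread or from GeoServer: a header-injecting
# proxy for the HTTP header proxy authentication set-up, with the checks that
# make the trusted header safe. Assumptions (not from the thread): the header
# configured in GeoServer is X-Remote-User, GeoServer sits on 127.0.0.1:8080,
# and only GetCapabilities/GetFeatureInfo are routed through the proxy.
import re
import urllib.request
from urllib.parse import parse_qsl

TRUSTED_HEADER = "X-Remote-User"               # assumption: name configured in the GeoServer filter
GEOSERVER = "http://127.0.0.1:8080/geoserver"  # assumption: reachable only from the proxy host
ALLOWED_REQUESTS = {"getcapabilities", "getfeatureinfo"}

# A user name ends up on an HTTP header line, so anything that is not a plain
# token is refused; in particular CR/LF would let a value inject a second header.
_USER_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def validate_user(user):
    if not _USER_RE.match(user):
        raise ValueError("refusing to forward user name %r" % (user,))
    return user


def build_upstream_headers(client_headers, authenticated_user):
    """Headers to send to GeoServer for one proxied request.

    GeoServer trusts the configured header unconditionally, so the proxy must
    drop any copy the browser sent (header names compare case-insensitively)
    and set it only from the identity the web server itself established.
    Nothing is set for an unauthenticated client, which GeoServer then treats
    as anonymous.
    """
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() != TRUSTED_HEADER.lower()}
    if authenticated_user is not None:
        upstream[TRUSTED_HEADER] = validate_user(authenticated_user)
    return upstream


def allowed_request(query_string):
    """Only the WMS operations the map sends through the proxy are forwarded."""
    params = {k.lower(): v.lower() for k, v in parse_qsl(query_string)}
    return params.get("service") == "wms" and params.get("request") in ALLOWED_REQUESTS


def proxy_wms(query_string, client_headers, authenticated_user, opener=urllib.request.urlopen):
    """Forward one WMS request to GeoServer with the identity header attached.

    `opener` is injectable so the function can be exercised without a running
    GeoServer; in production it is urllib's urlopen.
    """
    if not allowed_request(query_string):
        raise PermissionError("only WMS GetCapabilities and GetFeatureInfo are proxied")
    req = urllib.request.Request(GEOSERVER + "/wms?" + query_string,
                                 headers=build_upstream_headers(client_headers, authenticated_user))
    with opener(req) as resp:
        return resp.status, resp.read()
```

The other half of the control is not in code: GeoServer has to be reachable only from the proxy host, because anyone who can send a request straight to GeoServer with the header set becomes whoever they name in it. The GetMap requests the map sends directly, as described above, therefore arrive with no identity at all.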

On Tue, May 14, 2013 at 9:07 AM, Thomas Colley <it087@anonymised.com> wrote:

Is this expected behaviour? I was expecting either all requests to fail
after the initial GetCapabilities or that once authenticated geoserver
would ‘remember’ the header and everything would work.

Hum, not sure, but normally GetFeatureInfo is done as an ajax request.
Wondering if the header is kept when you follow the ajax code path?
Afaik the header should still be present in each request.

Cheers
Andrea

--

GeoServer training in Milan, 6th & 7th June 2013! Visit
http://geoserver.geo-solutions.it for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

As Andrea already mentioned, the header has to be present in each request, but only if the security filter chain does not allow creating an HTTP session. (Out of the box, HTTP session creation is only allowed for the “web” filter chain).

If you allow HTTP session creation on the “default” filter chain, you need to send the header only once, subsequent calls will use a session cookie.

Cheers
Christian


DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH


Hi Christian / Andrea (sorry for not replying sooner)

Thanks for your replies. I currently have the default filter chain set as follows:

Proxy
Basic
Anonymous

The only other options are form authentication and rememberme.

Once the header has been sent (when requesting GetCapabilities) any subsequent GetMap requests are fine, but the GetFeatureInfo request fails if there are any layers that need authentication visible on the map.

Andrea’s suggestion that the GET request isn’t keeping the header/cookie sounds about right. I could route each GetFeatureInfo request through a proxy to add the header in the same way as I do for the GetCapabilities, but I was hoping there might be another way.

The version of GeoServer is 2.2.4

Thanks for the help

Tom


Hi Christian

I have updated to GeoServer 2.3.2 and enabled HTTP session creation on the default filter chain. I then submit a GetCapabilities request with the header attached and I see the correct restricted layers. When I add one of the restricted layers, though, I still just get pink tiles and the GeoServer log says “could not find layer…”.

I notice that rememberme is not available in the default filter chain while it was on Geoserver 2.2. Is rememberme needed to read the session that has been created?

At the moment the default chain contains proxy and then anonymous. The only other available option is basic.

If you have any suggestions that would be great.

Thanks

Tom


Hi Thomas

About your questions

  1. Adding a layer and getting pink tiles
    No idea here; adding a layer has nothing to do with authentication. Could you reproduce this problem using the default security configuration?

  2. The remember me service works only with HTTP basic auth and form based login. Why? The remember me service uses a cookie and stores a digested representation of the password as the cookie value (along with the user id). Header authentication uses no password → no remember me service.

  3. Your filter chain
    You have a proxy and the anonymous filter. The last filter in the chain determines the authentication entry point (e.g. redirecting the browser to a login form). The anonymous filter has no authentication entry point because it always logs you in as “anonymous” successfully. If you use an anonymous filter, the filter has to be the last filter in the chain. A filter behind the anonymous filter will never be used.

You have HTTP session creation enabled. I assume you send the HTTP header once and use the session cookie for subsequent requests. This may be problematic in case of a session timeout, because you are logged in again as anonymous “automatically”. Remove the anonymous filter if this is possible in your scenario. Upon session timeout, you must log in again.

If you cannot remove the anonymous filter, you have to send the HTTP header attribute in each request which requires authentication; there is no other solution. In this scenario, you can disable session creation.

Hope this helps
Christian
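A small model of the filter-chain behaviour described in this reply and in Christian's earlier one (header on every request without a session, header once plus a session cookie, and what a cookie-only client turns into after the session times out, with and without the anonymous filter at the end of the chain), as an added example that is not code from this thread or from GeoServer. ProxyHeaderFilter, AnonymousFilter, FilterChain and the header name X-Remote-User are this model's own assumptions; the real Spring Security implementation is not reproduced.

```python
# Added example, not code from this thread or from GeoServer: a model of the
# filter chain semantics discussed above. Class names, the header name
# X-Remote-User and the session handling are assumptions of this model.
import secrets


class Request:
    def __init__(self, headers=None, cookies=None, now=0.0):
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.cookies = dict(cookies or {})
        self.now = now  # seconds; passed in explicitly so timeouts are reproducible


class Response:
    def __init__(self, status, principal, set_cookie=None):
        self.status = status          # 200, or 401 when no filter authenticated
        self.principal = principal    # user name, "anonymous", or None
        self.set_cookie = set_cookie  # new session id, if one was created


class ProxyHeaderFilter:
    """Trusts the identity carried in a request header (assumed: X-Remote-User)."""
    header = "x-remote-user"

    def authenticate(self, req):
        return req.headers.get(self.header)


class AnonymousFilter:
    """Always succeeds, so it has no entry point and must be last in the chain."""
    def authenticate(self, req):
        return "anonymous"


class FilterChain:
    def __init__(self, filters, allow_session_creation, session_timeout=1800):
        self.filters = filters
        self.allow_session_creation = allow_session_creation
        self.session_timeout = session_timeout
        self.sessions = {}  # session id -> (principal, expiry time)

    def handle(self, req):
        sid = req.cookies.get("JSESSIONID")
        if sid in self.sessions:
            principal, expires = self.sessions[sid]
            if req.now < expires:
                self.sessions[sid] = (principal, req.now + self.session_timeout)
                return Response(200, principal)
            del self.sessions[sid]  # timed out: fall through to the filters again
        for flt in self.filters:
            principal = flt.authenticate(req)
            if principal is None:
                continue
            cookie = None
            if self.allow_session_creation and not isinstance(flt, AnonymousFilter):
                cookie = secrets.token_hex(16)
                self.sessions[cookie] = (principal, req.now + self.session_timeout)
            return Response(200, principal, cookie)
        return Response(401, None)  # entry point of the last filter: challenge


def run_scenarios():
    """Header once, then cookie only, then the same cookie after the timeout."""
    out = {}
    # No session allowed: the header is needed on every request, and a request
    # sent without it is simply anonymous.
    chain = FilterChain([ProxyHeaderFilter(), AnonymousFilter()], allow_session_creation=False)
    cap = chain.handle(Request(headers={"X-Remote-User": "tom"}))
    gfi = chain.handle(Request())
    out["no_session"] = (cap.principal, gfi.principal)

    # Session allowed: the cookie carries the identity until the timeout. With
    # the anonymous filter still in the chain the client then silently becomes
    # anonymous; without it the client gets a 401 and has to log in again.
    for name, filters in (("with_anonymous", [ProxyHeaderFilter(), AnonymousFilter()]),
                          ("without_anonymous", [ProxyHeaderFilter()])):
        chain = FilterChain(filters, allow_session_creation=True, session_timeout=60)
        cap = chain.handle(Request(headers={"X-Remote-User": "tom"}, now=0))
        cookie = {"JSESSIONID": cap.set_cookie}
        gfi = chain.handle(Request(cookies=cookie, now=10))
        late = chain.handle(Request(cookies=cookie, now=10 + 61))
        out[name] = (cap.principal, gfi.principal, late.status, late.principal)
    return out
```

The "silently anonymous" outcome is the one to watch in a deployment: a map that keeps working but shows only public layers after a timeout looks like a data problem, not an authentication problem, which is why removing the anonymous filter (a hard 401) is the safer configuration when the client can re-authenticate.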


Hi people, I have a problem with the same topic. I am upgrading from 2.1.4 to 2.2 and then to 2.3.2, and I get a problem logging in from the web. I use PHP and I have my own method to access GeoServer: I give GeoServer the user and password and it returned the JSESSIONID session to me and all was fine, but all that was with GeoServer 2.1.4; in 2.3.2 it is not working. My code is this:

public static function loginGeoserver($username, $password)
{
    // Form fields for Spring Security's login endpoint.
    $post_data['username'] = $username;
    $post_data['password'] = $password;
    $post_items = array();
    foreach ($post_data as $key => $value) {
        // The original assigned a string here instead of appending to a list,
        // so implode() below received a string and the POST body was wrong.
        $post_items[] = $key . '=' . urlencode($value);
    }
    $post_string = implode('&', $post_items);

    $curl_connection = curl_init('http://' . master::$host .
        '/geoserver/j_spring_security_check');
    curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($curl_connection, CURLOPT_USERAGENT,
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
    curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
    // The original set this to false; the URL is plain http so it had no effect,
    // and if this ever becomes https the certificate must be verified.
    curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);
    $result = curl_exec($curl_connection);
    $arrInfo = curl_getinfo($curl_connection);
    curl_close($curl_connection);

    // After the redirects the final URL carries the session id in its path,
    // e.g. http://host/geoserver/web/;jsessionid=ABC. parse_str() takes the
    // text before "=" as the key and replaces "." with "_", hence the strtr().
    //die(print_r($arrInfo));
    $url = $arrInfo['url'];
    parse_str($url, $output);
    $trans = array("." => "_");
    $base = strtr(master::$host, $trans);

    if (master::getLoggedUser() == null) {
        return null;
    }
    if (master::getLoggedUser()->tieneRol("Operador")) {
        $str = "http://" . $base . "/geoserver/web/;jsessionid";
    } else {
        // The original assigned this line unconditionally, overwriting the one above.
        $str = "http://" . $base . "/geoserver/;jsessionid";
    }

    if (empty($output[$str])) {
        //header('Location: /geoportal/index.php?page=home.home&Error=GeoserverDown');
        header('Location: /personal/index.php?page=inicio&Error=GeoserverDown');
        exit; // the original kept running and set the cookies with an empty value
    }
    setcookie('JSESSIONID', $output[$str], 0, '/geoserver');
    setcookie('JSESSIONID', $output[$str], 0, '/');
    return $output[$str];
}

Please help, this is important to me.

thanks

Hi, for php authentication, please have a look at this discussion

http://osgeo-org.1560.x6.nabble.com/authenticating-with-basic-auth-td5035587.html

Cheers
Christian


Thanks for your reply Christian.

  1. The pink tiles are due to Geoserver returning a “could not find layer” message as Catalog Mode under Data Security was set to HIDE. If I change Catalog Mode to CHALLENGE instead of pink tiles I get the 401 challenge prompt.

  2. That makes sense, I was on completely the wrong track with Remember Me, it was just a guess.

  3. Removing the anonymous filter would not be ideal as the way I was hoping it would work is users with access to restricted layers would authenticate via proxy and everyone else would fallback to anonymous access (anonymous has always been below proxy in the chain). However I have tried removing anonymous from the filter chain and it doesn’t fix the problem.

The problem seems to be that although I have HTTP session creation allowed on the default chain, the GetCapabilities request containing the header is not creating a session. I can see this by monitoring the Tomcat manager. If I log in to the GeoServer admin interface a session is created and, while still logged in, the mapping application works fine. As soon as I log out of the admin page the restricted map layers break.

Here is the exact process:

  1. OpenLayers page loads and submits a GetCapabilities request with the HTTP header added.

  2. WMS layer tree is displayed showing the correct restricted layers (data is restricted at a workspace level in Geoserver) so authentication has definitely been successful at this point.

  3. Checking Tomcat manager no session has been created

  4. Trying to load a restricted layer from this list results in either “can’t find layer” error (pink tiles) or 401 prompt depending on Geoserver setting.

So it appears that for some reason even though I am sending a request with header that is getting successfully authenticated (step 2) a session is not being created.

Thanks again for your help

Tom


Hi Thomas

Long story short, you detected a bug. Can you open a JIRA issue and copy/paste your description (steps 1 - 4)?

There should be an HTTP session but there is none. I looked at the code and can confirm your observations.

I will fix this ASAP.


Wow, uffff, so what is going to happen now? I need a way to log in the users, and I need this version because in this version the direct integration of GWC with the GeoServer WMS is working fine, and I need it. Please, is there another way to grant access or to create a session from PHP? I need that because in a few days I have to discuss my project and I need the fast solution that comes with the use of GWC. Please help.

"Christian Mueller" <christian.mueller@anonymised.com> escribió:

Hi Thomas

Long story for short, you detected a bug. Can you open a JIRA issue and
copy/paste your description (step 1 - 4).

There should be an HTTP session but there is none. I looked a the code and
can confirm your observations.

I will fix this ASAP.

2013/6/17 Thomas Colley <it087@anonymised.com>

Thanks for your reply Christian.

1) The pink tiles are due to Geoserver returning a "could not
find layer" message as Catalog Mode under Data Security was set to HIDE. If
I change Catalog Mode to CHALLENGE instead of pink tiles I get the 401
challenge prompt.

2) That makes sense, I was on completely the wrong track with
Remember Me, it was just a guess.

3) Removing the anonymous filter would not be ideal as the way
I was hoping it would work is users with access to restricted layers would
authenticate via proxy and everyone else would fall back to anonymous access
(anonymous has always been below proxy in the chain). However I have tried
removing anonymous from the filter chain and it doesn't fix the problem.

The problem seems to be that although I have HTTP session creation allowed
on the default chain the getcapabilities request containing the header is
not creating a session. I can see this by monitoring the Tomcat manager. If
I log in to the Geoserver admin interface a session is created and while
still logged in the mapping application works fine. As soon as I log out of
the admin page the restricted map layers break.

Here is the exact process:

1) Openlayers page loads and submits a getcapabilities request
with HTTP header added.

2) WMS layer tree is displayed showing the correct restricted
layers (data is restricted at a workspace level in Geoserver) so
authentication has definitely been successful at this point.

3) Checking Tomcat manager, no session has been created.

4) Trying to load a restricted layer from this list results in
either a "can't find layer" error (pink tiles) or a 401 prompt depending on
the Geoserver setting.

So it appears that for some reason even though I am sending a request with
a header that is getting successfully authenticated (step 2) a session is not
being created.

Thanks again for your help

Tom

*From:* Christian Mueller [mailto:christian.mueller@anonymised.com]
*Sent:* 15 June 2013 15:38
*To:* Thomas Colley
*Cc:* geoserver-users@lists.sourceforge.net

*Subject:* Re: [Geoserver-users] Geoserver Header Auth

Hi Thomas

About your questions

1) Adding a layer and getting pink tiles

No idea here, adding a layer has nothing to do with authentication, could
you reproduce this problem using the default security configuration?

2) The remember me service works only with HTTP basic auth and form based
login. Why? The remember me service uses a cookie and stores a digested
representation of the password as cookie value (along with the user id).
Header authentication uses no password --> no remember me service.

3) Your filter chain

You have a proxy and the anonymous filter. The last filter in the chain
determines the authentication entry point (e.g. redirecting the browser to
a login form). The anonymous filter has no authentication entry point
because it always logs you in as "anonymous" successfully. If you use an
anonymous filter, the filter has to be the last filter in the chain. A
filter behind the anonymous filter will never be used.

You have HTTP session creation enabled. I assume you send the HTTP header
once and use the session cookie for subsequent requests. This may be
problematic in case of a session timeout because you are logged in again
as anonymous "automatically". Remove the anonymous filter if this is
possible in your scenario. Upon session timeout, you must log in again.

If you cannot remove the anonymous filter, you have to send the HTTP
header attribute in each request which requires authentication, there is no
other solution. In this scenario, you can disable session creation.

Hope this helps

Christian

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

--

This message reached you through the e-mail service that Infomed offers to support the fulfilment of the missions of the National Health System. The person sending this e-mail undertakes to use the service for those purposes and to comply with the established regulations.

Infomed: http://www.sld.cu/
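Christian's point above is that, as long as the anonymous filter stays in the chain, the header has to travel with every request that needs authentication, not only with the initial GetCapabilities. The WSGI middleware below is an added example (not code from the thread, from GeoServer or from the posters) of doing that in a proxy placed in front of GeoServer: the header name HTTPHeader is taken from the commented-out PHP line later in the thread, while the APPSESSION cookie and the session table are constructed for the example.

```python
# Added example, not code from the thread or from GeoServer: a WSGI middleware
# that sends the proxy-auth header with every request that reaches GeoServer
# (GetMap, GetFeatureInfo, GetLegendGraphic), not only with GetCapabilities.
# Assumptions: header name "HTTPHeader" (from the thread's PHP), an APPSESSION
# cookie and a session table that belong to the web application itself.

TRUSTED_HEADER = "HTTPHeader"   # assumed: the header name configured in GeoServer's filter
# WSGI spelling of an incoming request header, e.g. "X-Foo" -> "HTTP_X_FOO".
WSGI_KEY = "HTTP_" + TRUSTED_HEADER.upper().replace("-", "_")
APP_COOKIE = "APPSESSION"       # assumed: the web application's own session cookie


def app_user(environ, sessions):
    """Look up the logged-in user from the application's own session cookie.

    Only the proxy's session store decides who the user is; GeoServer's
    JSESSIONID plays no role because the header is sent on every request.
    """
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == APP_COOKIE:
            return sessions.get(value)
    return None


def forward_environ(environ, user):
    """Return the environ handed to the upstream, with the trusted header
    present only when the proxy itself knows the user.

    Any copy of the header that arrived from the browser is dropped first:
    GeoServer accepts this header as proof of identity, so only the proxy may
    set it. Without an authenticated user the request goes upstream without
    the header and GeoServer's anonymous filter (last in the chain) applies.
    """
    forwarded = dict(environ)
    forwarded.pop(WSGI_KEY, None)
    if user:
        forwarded[WSGI_KEY] = user
    return forwarded


class HeaderProxyAuth:
    """WSGI middleware wrapping the app that actually proxies to GeoServer."""

    def __init__(self, upstream, sessions):
        self.upstream = upstream    # WSGI callable that forwards to GeoServer
        self.sessions = sessions    # {application session id: username}

    def __call__(self, environ, start_response):
        user = app_user(environ, self.sessions)
        return self.upstream(forward_environ(environ, user), start_response)


if __name__ == "__main__":
    # Constructed requests: a GetFeatureInfo carrying a client-supplied copy of
    # the header but no application session, then the same request logged in.
    sessions = {"s1": "tom"}
    req = {"REQUEST_METHOD": "GET",
           "QUERY_STRING": "SERVICE=WMS&REQUEST=GetFeatureInfo&LAYERS=test:authentication_layer",
           WSGI_KEY: "admin"}
    print(WSGI_KEY in forward_environ(req, app_user(req, sessions)))  # False
    req["HTTP_COOKIE"] = APP_COOKIE + "=s1"
    print(forward_environ(req, app_user(req, sessions))[WSGI_KEY])    # tom
```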

Wow, uffff, so, what is going to happen now? I need a way to log in the
users, and I need this version because in this version the direct
integration with GeoServer WMS of GWC is working fine, and I need it.
Please, is there another way to grant access or creation of a session
from PHP? I need that because in a few days I have to discuss my project
and I need the fast solution that comes with the use of GWC. Please help.
This is my PHP function:
//---------------------------------
public static function loginGeoserver($username, $password)
{
    // Build the form body for GeoServer's Spring Security login endpoint.
    $post_data = array('username' => $username, 'password' => $password);
    $post_items = array();
    foreach ($post_data as $key => $value) {
        $post_items[] = $key . '=' . urlencode($value);   // append, do not overwrite
    }
    $post_string = implode('&', $post_items);

    $curl_connection = curl_init('http://' . master::$host .
        '/geoserver/j_spring_security_check');
    curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($curl_connection, CURLOPT_USERAGENT,
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");

    curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);

    //curl_setopt($curl_connection, CURLOPT_HTTPHEADER, array("HTTPHeader: " . $username));

    curl_setopt($curl_connection, CURLOPT_POST, true);
    curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);
    $result = curl_exec($curl_connection);
    $arrInfo = curl_getinfo($curl_connection);
    curl_close($curl_connection);   // closed once; the handle is not used below

    die(print_r($arrInfo));   // debugging break: dump the transfer info and stop here

    // parse_str() turns "...;jsessionid=XYZ" into $output["...;jsessionid"] = "XYZ";
    // it also rewrites dots in keys to underscores, hence the same rewrite on the host.
    $url = $arrInfo['url'];
    parse_str($url, $output);
    $trans = array("." => "_");
    $base = strtr(master::$host, $trans);

    if (master::getLoggedUser() != null) {
        if (master::getLoggedUser()->tieneRol("Operador")) {
            $str = "http://" . $base . "/geoserver/web/;jsessionid";
        } else {
            $str = "http://" . $base . "/geoserver/;jsessionid";
        }

        if (empty($output[$str])) {
            //header('Location: /geoportal/index.php?page=home.home&Error=GeoserverDown');
            header('Location: /personal/index.php?page=inicio&Error=GeoserverDown');
            return null;
        }
        setcookie('JSESSIONID', $output[$str], 0, '/geoserver');
        setcookie('JSESSIONID', $output[$str], 0, '/');
    } else {
        return null;
    }
}
//---------------------------------
And I put a break to see what the transaction returns, and I get:
//-------------------------------------------

Array ( [url] => http://localhost/geoserver/web/ [content_type] => text/html; charset=utf-8 [http_code] => 200 [header_size] => 718 [request_size] => 503 [filetime] => -1 [ssl_verify_result] => 0 [redirect_count] => 2 [total_time] => 0.016 [namelookup_time] => 0 [connect_time] => 0 [pretransfer_time] => 0 [size_upload] => 0 [size_download] => 7991 [speed_download] => 499437 [speed_upload] => 0 [download_content_length] => 7991 [upload_content_length] => 0 [starttransfer_time] => 0.016 [redirect_time] => 0 [certinfo] => Array ( ) [primary_ip] => 127.0.0.1 [primary_port] => 80 [local_ip] => 127.0.0.1 [local_port] => 1176 [redirect_url] => ) 1

Please, I need help. Thanks to all.

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users


Hello people, I worked all night and I got this. When I use curl from the console in this way, I get the following:
//-----------------------------------------------------------------------------------------------
F:\>curl -v -d "username=admin&password=123456" http://localhost/geoserver/j_spring_security_check

* Adding handle: conn: 0x720948
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x720948) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 80 (#0)
* Trying ::1...
* Connected to localhost (::1) port 80 (#0)

POST /geoserver/j_spring_security_check HTTP/1.1
User-Agent: curl/7.30.0
Host: localhost
Accept: */*
Content-Length: 32
Content-Type: application/x-www-form-urlencoded

* upload completely sent off: 32 out of 32 bytes
< HTTP/1.1 302 Found
< Date: Tue, 18 Jun 2013 05:35:42 GMT
* Server Jetty(6.1.8) is not blacklisted
< Server: Jetty(6.1.8)
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://localhost/geoserver/web
< Content-Length: 0
< Set-Cookie: JSESSIONID=1wscsu7aqv0f7;Path=/geoserver
<
* Connection #0 to host localhost left intact

//-----------------------------------------------------------------------------------------------
And when I create a session with the JSESSIONID content that this returns, it works; I do this with Firebug. But with the function I get a different JSESSIONID. I don't know what to do, because my function is fine, and the log of my function writes this in the file GeoserverPHP.log:
//-----------------------------------------------------------------------------------------------
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 80 (#0)

POST /geoserver/j_spring_security_check HTTP/1.1

Host: localhost
Accept: */*
Content-type: application/x-www-form-urlencoded
Content-length: 37

* upload completely sent off: 37 out of 37 bytes
< HTTP/1.1 302 Found
< Date: Tue, 18 Jun 2013 07:47:53 GMT
< Server: Jetty(6.1.8)
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://localhost/geoserver/web
< Content-Length: 0
< Set-Cookie: JSESSIONID=1qjoy35u1w0ly;Path=/geoserver
<
* Connection #0 to host localhost left intact
# Unsuccessful cURL request to http://localhost/geoserver/j_spring_security_check [302]

* Closing connection #0
//-----------------------------------------------------------------------------------------------
And the function is this:
//-----------------------------------------------------------------------------------------------
public static function loginGeoserver($username, $password)
{
    $logfh = fopen("GeoserverPHP.log", 'w') or die("can't open log file");

    // Build the form body for GeoServer's Spring Security login endpoint.
    $post_data = array('username' => $username, 'password' => $password);
    $post_items = array();
    foreach ($post_data as $key => $value) {
        $post_items[] = $key . '=' . urlencode($value);   // append, do not overwrite
    }
    $post_string = implode('&', $post_items);
    $curl_connection = curl_init('http://' . master::$host .
        '/geoserver/j_spring_security_check');

    // Optional settings for debugging
    curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
    /*curl_setopt($curl_connection, CURLOPT_USERAGENT,
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
    */
    curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true); // option to return string
    //curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl_connection, CURLOPT_VERBOSE, true);
    curl_setopt($curl_connection, CURLOPT_STDERR, $logfh); // logs curl messages

    curl_setopt($curl_connection, CURLOPT_HTTPHEADER, array(
        "Content-type: application/x-www-form-urlencoded",
        "Content-length: " . strlen($post_string)));
    /*curl_setopt($curl_connection, CURLOPT_HTTPHEADER,
        array("Content-type: application/xml"));
    */

    curl_setopt($curl_connection, CURLOPT_POST, true);
    /*$passwordStr = "admin:master32";
    curl_setopt($curl_connection, CURLOPT_USERPWD, $passwordStr);*/
    curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);
    //curl_setopt($curl_connection, CURLOPT_POSTFIELDS, "username=admin&password=master32");
    $result = curl_exec($curl_connection);
    $arrInfo = curl_getinfo($curl_connection);

    // The login endpoint answers 302 (see the log above), so this marker never
    // matches and only selects the line written to the log.
    $successCode = 201;
    $url = $arrInfo['url'];

    if ($arrInfo['http_code'] != $successCode) {
        $msgStr = "# Unsuccessful cURL request to ";
        $msgStr .= $url . " [" . $arrInfo['http_code'] . "]\n";
        fwrite($logfh, $msgStr);
    } else {
        $msgStr = "# Successful cURL request to " . $url . "\n";
        fwrite($logfh, $msgStr);
    }
    fwrite($logfh, $result . "\n");

    curl_close($curl_connection);   // closed once; the handle is not used below
    fclose($logfh); // close logfile

    //ini_set("user_agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1");
    // Debugging break: get_headers() issues a new, separate GET to the login URL
    // and the script stops here, so the code below is not reached yet.
    $headers = get_headers($arrInfo['url']);
    print_r($arrInfo);
    print_r("\n");
    die(print_r($headers));

    // parse_str() turns "...;jsessionid=XYZ" into $output["...;jsessionid"] = "XYZ";
    // it also rewrites dots in keys to underscores, hence the same rewrite on the host.
    parse_str($url, $output);
    $trans = array("." => "_");
    $base = strtr(master::$host, $trans);

    if (master::getLoggedUser() != null) {
        if (master::getLoggedUser()->tieneRol("Operador")) {
            $str = "http://" . $base . "/geoserver/web/;jsessionid";
        } else {
            $str = "http://" . $base . "/geoserver/;jsessionid";
        }

        if (empty($output[$str])) {
            //header('Location: /geoportal/index.php?page=home.home&Error=GeoserverDown');
            header('Location: /personal/index.php?page=inicio&Error=GeoserverDown');
            return null;
        }
        setcookie('JSESSIONID', $output[$str], 0, '/geoserver');
        setcookie('JSESSIONID', $output[$str], 0, '/');
    } else {
        return null;
    }
}
//-----------------------------------------------------------------------------
And this is what I get when the PHP process die()s to show the content of the variables:
//-------------------------------------------------------------------------------
Array ( [url] => http://localhost/geoserver/j_spring_security_check [content_type] => [http_code] => 302 [header_size] => 236
[request_size] => 188 [filetime] => -1 [ssl_verify_result] => 0 [redirect_count] => 0 [total_time] => 0 [namelookup_time] => 0
[connect_time] => 0 [pretransfer_time] => 0 [size_upload] => 37 [size_download] => 0 [speed_download] => 0 [speed_upload] => 37
  [download_content_length] => 0 [upload_content_length] => 37 [starttransfer_time] => 0 [redirect_time] => 0
  [certinfo] => Array ( ) [primary_ip] => 127.0.0.1 [primary_port] => 80 [local_ip] => 127.0.0.1 [local_port] => 1408
  [redirect_url] => http://localhost/geoserver/web )

  Array ( [0] => HTTP/1.1 302 Found [1] => Date: Tue, 18 Jun 2013 07:47:53 GMT
  [2] => Server: Jetty(6.1.8) [3] => Expires: Thu, 01 Jan 1970 00:00:00 GMT
  [4] => Location: http://localhost/geoserver/web/;jsessionid=1npqa4o5dsm7u?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true [5] => Content-Length: [6] => Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/geoserver;Expires=Thu, 01 Jan 1970 00:00:00 GMT [7] => Set-Cookie: JSESSIONID=1npqa4o5dsm7u;Path=/geoserver
  [8] => Connection: close [9] => HTTP/1.1 200 OK [10] => Date: Tue, 18 Jun 2013 07:47:53 GMT [11] => Server: Jetty(6.1.8) [12] => Content-Type: text/html; charset=utf-8
  [13] => Content-Language: es-ES [14] => Pragma: no-cache [15] => Cache-Control: no-cache, max-age=0, must-revalidate, no-store [16] => Content-Length: 5246
  [17] => Connection: close ) 1
//--------------------------------------------------------------------------------
Help me please.


Hello people, I found a way to log in to GeoServer 2.3.2, and it works perfectly. Here it is; I share it with you:
1- Go to the GeoServer admin interface and
2- go to the Authentication section
3- go to the Filter Chain section
4- click on the webLogin link
5- enable the check mark "Allow creation of an HTTP session for storing the authentication token"
6- click on Close
7- then on the Save button

and that's all.

Then from PHP, using the following 3 functions, you can get access to GeoServer 2.3.2. These are the 3 functions:
//----------------------------------------------------------
// Returns the text between the first occurrence of $separador1 and the next
// $separador2 in $cadena (the rest of the string when $separador2 is absent),
// or false when $separador1 is not found. Used to pull JSESSIONID out of the
// raw response headers.
public static function ExtraerFrase($separador1, $separador2, $cadena)
{
    if (strpos($cadena, $separador1) !== false) {
        $pos = strpos($cadena, $separador1);
        $a = substr($cadena, $pos + strlen($separador1));
        if (strpos($a, $separador2) !== false) {
            $npos = strpos($a, $separador2);
            $b = substr($a, 0, $npos);
            return $b;
        } else {
            return $a;
        }
    } else {
        return false;
    }
}

public static function loginGeoserver($username, $password)
{
    $logfh = fopen("GeoserverPHP.log", 'w') or die("can't open log file");

    // Build the form body for GeoServer's Spring Security login endpoint.
    $post_data = array('username' => $username, 'password' => $password);
    $post_items = array();
    foreach ($post_data as $key => $value) {
        $post_items[] = $key . '=' . urlencode($value);   // append, do not overwrite
    }
    $post_string = implode('&', $post_items);
    $curl_connection = curl_init('http://' . master::$host .
        '/geoserver/j_spring_security_check');

    curl_setopt($curl_connection, CURLOPT_HEADER, 1);            // keep response headers in $result
    curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true); // option to return string
    curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl_connection, CURLOPT_VERBOSE, true);
    curl_setopt($curl_connection, CURLOPT_STDERR, $logfh);       // logs curl messages
    curl_setopt($curl_connection, CURLOPT_POST, true);
    curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);

    $result = curl_exec($curl_connection);
    $arrInfo = curl_getinfo($curl_connection);
    curl_close($curl_connection);   // closed once, here, on every code path below

    // The login endpoint answers 302 and, once the redirect is followed, 200,
    // so this marker never matches and only selects the line written to the log.
    $successCode = 201;
    $url = $arrInfo['url'];

    if ($arrInfo['http_code'] != $successCode) {
        $msgStr = "# Unsuccessful cURL request to ";
        $msgStr .= $url . " [" . $arrInfo['http_code'] . "]\n";
        fwrite($logfh, $msgStr);
    } else {
        $msgStr = "# Successful cURL request to " . $url . "\n";
        fwrite($logfh, $msgStr);
    }
    fwrite($logfh, $result . "\n");
    fclose($logfh); // close logfile

    // parse_str() turns "...;jsessionid=XYZ" into $output["...;jsessionid"] = "XYZ";
    // it also rewrites dots in keys to underscores, hence the same rewrite on the host.
    parse_str($url, $output);

    $trans = array("." => "_");
    $base = strtr(master::$host, $trans);

    if (master::getLoggedUser() != null) {
        if (master::getLoggedUser()->tieneRol("Operador")) {
            $str = "http://" . $base . "/geoserver/web/;jsessionid";
        } else {
            $str = "http://" . $base . "/geoserver/;jsessionid";
        }

        if (empty($output[$str])) {
            header('Location: /personal/index.php?page=inicio&Error=GeoserverDown');
            return null;
        }
        // First JSESSIONID found in the captured response headers (CURLOPT_HEADER above)
        $jsessionid = master::ExtraerFrase("JSESSIONID=", ";", $result);
        setcookie('JSESSIONID', $jsessionid, 0, '/geoserver');
        // Also set for '/': this makes GeoServer's session cookie visible to every path on the host
        setcookie('JSESSIONID', $jsessionid, 0, '/');
    } else {
        return null;
    }
}

public static function logoutGeoserver()
{
    $curl_connection = curl_init('http://' . master::$host .
        '/geoserver/j_spring_security_logout');
    curl_setopt($curl_connection, CURLOPT_HTTPGET, true);
    curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($curl_connection, CURLOPT_USERAGENT,
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
    curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
    // Send the browser's GeoServer session so that it is the one being logged out
    $jsessionid = isset($_COOKIE['JSESSIONID']) ? $_COOKIE['JSESSIONID'] : '';
    curl_setopt($curl_connection, CURLOPT_COOKIE, 'JSESSIONID=' . $jsessionid);
    curl_setopt($curl_connection, CURLOPT_POSTFIELDS, '');   // note: this turns the request into an empty POST
    $result = curl_exec($curl_connection);
    curl_close($curl_connection);
    // Expire the browser's copies of the cookie on both paths set at login
    setcookie('JSESSIONID', '', time() - 3600, '/geoserver');
    setcookie('JSESSIONID', '', time() - 3600, '/');
}
//-----------------------------------------------------------

Thanks to all

islanis@anonymised.com wrote:

Hello people, I worked all night and I got this. When I use curl
from the console in this way, I get the following:
//-----------------------------------------------------------------------------------------------
F:\>curl -v -d "username=admin&password=123456" http://localhost/geoserver/j_spring_security_check

* Adding handle: conn: 0x720948
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x720948) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 80 (#0)
* Trying ::1...
* Connected to localhost (::1) port 80 (#0)

POST /geoserver/j_spring_security_check HTTP/1.1
User-Agent: curl/7.30.0
Host: localhost
Accept: */*
Content-Length: 32
Content-Type: application/x-www-form-urlencoded

* upload completely sent off: 32 out of 32 bytes
< HTTP/1.1 302 Found
< Date: Tue, 18 Jun 2013 05:35:42 GMT
* Server Jetty(6.1.8) is not blacklisted
< Server: Jetty(6.1.8)
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://localhost/geoserver/web
< Content-Length: 0
< Set-Cookie: JSESSIONID=1wscsu7aqv0f7;Path=/geoserver
<
* Connection #0 to host localhost left intact

//-----------------------------------------------------------------------------------------------
And when I create a session with the JSESSIONID that this returns,
it works (I do this with Firebug), but with the function I get a
different JSESSIONID. I don't know what to do, because my function is
fine, and the log file of my function writes this in the file
GeoserverPHP.log:
//-----------------------------------------------------------------------------------------------
* About to connect() to localhost port 80 (#0)
* Trying 127.0.0.1...
* connected
* Connected to localhost (127.0.0.1) port 80 (#0)

POST /geoserver/j_spring_security_check HTTP/1.1

Host: localhost
Accept: */*
Content-type: application/x-www-form-urlencoded
Content-length: 37

* upload completely sent off: 37 out of 37 bytes
< HTTP/1.1 302 Found
< Date: Tue, 18 Jun 2013 07:47:53 GMT
< Server: Jetty(6.1.8)
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< Location: http://localhost/geoserver/web
< Content-Length: 0
< Set-Cookie: JSESSIONID=1qjoy35u1w0ly;Path=/geoserver
<
* Connection #0 to host localhost left intact
# Unsuccessful cURL request to http://localhost/geoserver/j_spring_security_check [302]

* Closing connection #0
//-----------------------------------------------------------------------------------------------
and the function is this:
//-----------------------------------------------------------------------------------------------
public static function loginGeoserver($username, $password)
{
    $logfh = fopen("GeoserverPHP.log", 'w') or die("can't open log file");
    $post_data['username'] = $username;
    $post_data['password'] = $password;
    $post_items = array();   // must be an array for implode() below
    foreach ($post_data as $key => $value) {
        $post_items[] = $key . '=' . urlencode($value);
    }
    $post_string = implode('&', $post_items);
    $curl_connection = curl_init('http://' . master::$host .
        '/geoserver/j_spring_security_check');

    // Optional settings for debugging

    curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
    /*curl_setopt($curl_connection, CURLOPT_USERAGENT,
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");
    */
    curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true); // option to return string
    //curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($curl_connection, CURLOPT_VERBOSE, true);
    curl_setopt($curl_connection, CURLOPT_STDERR, $logfh); // logs curl messages

    curl_setopt($curl_connection, CURLOPT_HTTPHEADER,
        array("Content-type: application/x-www-form-urlencoded",
              "Content-length: " . strlen($post_string)));
    /*curl_setopt($curl_connection, CURLOPT_HTTPHEADER,
        array("Content-type: application/xml"));
    */

    curl_setopt($curl_connection, CURLOPT_POST, true);
    /*$passwordStr = "admin:master32";
    curl_setopt($curl_connection, CURLOPT_USERPWD, $passwordStr);*/
    curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string);
    //curl_setopt($curl_connection, CURLOPT_POSTFIELDS, "username=admin&password=master32");
    $result = curl_exec($curl_connection);
    $arrInfo = curl_getinfo($curl_connection);

    // The login answers 302 (see the log above), so this branch always logs
    // "Unsuccessful" while the expected code is 201.
    $successCode = 201;
    $url = $arrInfo['url'];

    if ($arrInfo['http_code'] != $successCode) {
        $msgStr = "# Unsuccessful cURL request to ";
        $msgStr .= $url . " [" . $arrInfo['http_code'] . "]\n";
        fwrite($logfh, $msgStr);
    } else {
        $msgStr = "# Successful cURL request to " . $url . "\n";
        fwrite($logfh, $msgStr);
    }
    fwrite($logfh, $result . "\n");

    curl_close($curl_connection);
    fclose($logfh); // close logfile

    //ini_set("user_agent", "Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.3) Gecko/20041001 Firefox/0.10.1");
    $headers = get_headers($arrInfo['url']);
    print_r($arrInfo);
    print_r("\n");
    die(print_r($headers)); // debugging break: nothing below runs

    parse_str($url, $output);
    $trans = array("." => "_");
    $base = strtr(master::$host, $trans);

    if (master::getLoggedUser() != null) {
        if (master::getLoggedUser()->tieneRol("Operador")) {
            $str = "http://" . $base . "/geoserver/web/;jsessionid";
        } else {
            $str = "http://" . $base . "/geoserver/;jsessionid";
        }

        if (empty($output[$str])) {
            //header('Location: /geoportal/index.php?page=home.home&Error=GeoserverDown');
            header('Location: /personal/index.php?page=inicio&Error=GeoserverDown');
            return null;
        }
        setcookie('JSESSIONID', $output[$str], 0, '/geoserver');
        setcookie('JSESSIONID', $output[$str], 0, '/');
    } else {
        return null;
    }
}
//-----------------------------------------------------------------------------
And I get this when the PHP process calls die() to show the content of the
variables:
//-------------------------------------------------------------------------------
Array
(
    [url] => http://localhost/geoserver/j_spring_security_check
    [content_type] =>
    [http_code] => 302
    [header_size] => 236
    [request_size] => 188
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 0
    [total_time] => 0
    [namelookup_time] => 0
    [connect_time] => 0
    [pretransfer_time] => 0
    [size_upload] => 37
    [size_download] => 0
    [speed_download] => 0
    [speed_upload] => 37
    [download_content_length] => 0
    [upload_content_length] => 37
    [starttransfer_time] => 0
    [redirect_time] => 0
    [certinfo] => Array
        (
        )

    [primary_ip] => 127.0.0.1
    [primary_port] => 80
    [local_ip] => 127.0.0.1
    [local_port] => 1408
    [redirect_url] => http://localhost/geoserver/web
)

Array
(
    [0] => HTTP/1.1 302 Found
    [1] => Date: Tue, 18 Jun 2013 07:47:53 GMT
    [2] => Server: Jetty(6.1.8)
    [3] => Expires: Thu, 01 Jan 1970 00:00:00 GMT
    [4] => Location: http://localhost/geoserver/web/;jsessionid=1npqa4o5dsm7u?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage&error=true
    [5] => Content-Length:
    [6] => Set-Cookie: SPRING_SECURITY_REMEMBER_ME_COOKIE=;Path=/geoserver;Expires=Thu, 01 Jan 1970 00:00:00 GMT
    [7] => Set-Cookie: JSESSIONID=1npqa4o5dsm7u;Path=/geoserver
    [8] => Connection: close
    [9] => HTTP/1.1 200 OK
    [10] => Date: Tue, 18 Jun 2013 07:47:53 GMT
    [11] => Server: Jetty(6.1.8)
    [12] => Content-Type: text/html; charset=utf-8
    [13] => Content-Language: es-ES
    [14] => Pragma: no-cache
    [15] => Cache-Control: no-cache, max-age=0, must-revalidate, no-store
    [16] => Content-Length: 5246
    [17] => Connection: close
)
1
//--------------------------------------------------------------------------------
Help me please.

islanis@anonymised.com wrote:

Wow, uffff, so what is going to happen now? I need a way to log in the
users, and I need this version because in this version the direct
integration of GWC with GeoServer WMS is working fine, and I need it.
Please, is there another way to grant access or to create a session
from PHP? I need that because in a few days I have to discuss my project
and I need the fast solution that comes with the use of GWC. Please help.
This is my PHP function:
//---------------------------------
public static function loginGeoserver($username, $password)
{
    $post_data['username'] = $username;
    $post_data['password'] = $password;
    $post_items = array();   // must be an array for implode() below
    foreach ($post_data as $key => $value) {
        $post_items[] = $key . '=' . urlencode($value);
    }
    $post_string = implode('&', $post_items);
    $curl_connection = curl_init('http://' . master::$host .
        '/geoserver/j_spring_security_check');
    curl_setopt($curl_connection, CURLOPT_CONNECTTIMEOUT, 30);
    curl_setopt($curl_connection, CURLOPT_USERAGENT,
        "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)");

    curl_setopt($curl_connection, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl_connection, CURLOPT_SSL_VERIFYPEER, false); // no effect over plain http
    curl_setopt($curl_connection, CURLOPT_FOLLOWLOCATION, 1);

    //curl_setopt($curl_connection, CURLOPT_HTTPHEADER, array("HTTPHeader: " . $username));

    curl_setopt($curl_connection, CURLOPT_POSTFIELDS, $post_string); // makes the request a POST
    $result = curl_exec($curl_connection);
    $arrInfo = curl_getinfo($curl_connection);

    die(print_r($arrInfo)); // debugging break: nothing below runs

    $url = $arrInfo['url'];
    parse_str($url, $output);
    $trans = array("." => "_");
    $base = strtr(master::$host, $trans);

    if (master::getLoggedUser() != null) {
        if (master::getLoggedUser()->tieneRol("Operador")) {
            $str = "http://" . $base . "/geoserver/web/;jsessionid";
        } else {
            $str = "http://" . $base . "/geoserver/;jsessionid";
        }

        curl_close($curl_connection);
        if (empty($output[$str])) {
            //header('Location: /geoportal/index.php?page=home.home&Error=GeoserverDown');
            header('Location: /personal/index.php?page=inicio&Error=GeoserverDown');
            return null;
        }
        setcookie('JSESSIONID', $output[$str], 0, '/geoserver');
        setcookie('JSESSIONID', $output[$str], 0, '/');
    } else {
        return null;
    }
}
//---------------------------------
And I put a break to see what the transaction returns, and I get:
//-------------------------------------------

Array
(
    [url] => http://localhost/geoserver/web/
    [content_type] => text/html; charset=utf-8
    [http_code] => 200
    [header_size] => 718
    [request_size] => 503
    [filetime] => -1
    [ssl_verify_result] => 0
    [redirect_count] => 2
    [total_time] => 0.016
    [namelookup_time] => 0
    [connect_time] => 0
    [pretransfer_time] => 0
    [size_upload] => 0
    [size_download] => 7991
    [speed_download] => 499437
    [speed_upload] => 0
    [download_content_length] => 7991
    [upload_content_length] => 0
    [starttransfer_time] => 0.016
    [redirect_time] => 0
    [certinfo] => Array
        (
        )

    [primary_ip] => 127.0.0.1
    [primary_port] => 80
    [local_ip] => 127.0.0.1
    [local_port] => 1176
    [redirect_url] =>
)
1

Please, I need help. Thanks to all.

"Christian Mueller" <christian.mueller@anonymised.com> wrote:

Hi Thomas

Long story short, you detected a bug. Can you open a JIRA issue and
copy/paste your description (step 1 - 4).

There should be an HTTP session but there is none. I looked at the code and
can confirm your observations.

I will fix this ASAP.

2013/6/17 Thomas Colley <it087@anonymised.com>

Thanks for your reply Christian.

1) The pink tiles are due to Geoserver returning a "could not find layer" message as Catalog Mode under Data Security was set to HIDE. If I change Catalog Mode to CHALLENGE instead of pink tiles I get the 401 challenge prompt.

2) That makes sense, I was on completely the wrong track with Remember Me, it was just a guess.

3) Removing the anonymous filter would not be ideal as the way I was hoping it would work is users with access to restricted layers would authenticate via proxy and everyone else would fallback to anonymous access (anonymous has always been below proxy in the chain). However I have tried removing anonymous from the filter chain and it doesn't fix the problem.

The problem seems to be that although I have HTTP session creation allowed on the default chain the getcapabilities request containing the header is not creating a session. I can see this by monitoring the Tomcat manager. If I log in to the Geoserver admin interface a session is created and while still logged in the mapping application works fine. As soon as I log out of admin page the restricted map layers break.

Here is the exact process:

1) Openlayers page loads and submits a getcapabilities request with HTTP header added.

2) WMS layer tree is displayed showing the correct restricted layers (data is restricted at a workspace level in Geoserver) so authentication has definitely been successful at this point.

3) Checking Tomcat manager no session has been created.

4) Trying to load a restricted layer from this list results in either "can't find layer" error (pink tiles) or 401 prompt depending on Geoserver setting.

So it appears that for some reason even though I am sending a request with header that is getting successfully authenticated (step 2) a session is not being created.

Thanks again for your help

Tom

From: Christian Mueller [mailto:christian.mueller@anonymised.com]
Sent: 15 June 2013 15:38
To: Thomas Colley
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Geoserver Header Auth

Hi Thomas

About your questions

1) Adding a layer and getting pink tiles

No idea here, adding a layer has nothing to do with authentication, could you reproduce this problem using the default security configuration?

2) The remember me service works only with http basic auth and form based login. Why? The remember me service uses a cookie and stores a digested representation of the password as cookie value (along with the user id). Header authentication uses no password --> no remember me service.

3) Your filter chain

You have a proxy and the anonymous filter. The last filter in the chain determines the authentication entry point (e.g. redirecting the browser to a login form). The anonymous filter has no authentication entry point because it always logs you in as "anonymous" successfully. If you use an anonymous filter, the filter has to be the last filter in the chain. A filter behind the anonymous filter will never be used.

You have HTTP session creation enabled. I assume you send the http header once and use the session cookie for subsequent requests. This may be problematic in case of a session time out because you are logged in again as anonymous "automatically". Remove the anonymous filter if this is possible in your scenario. Upon session time out, you must log in again.

If you cannot remove the anonymous filter, you have to send the http header attribute in each request which requires authentication, there is no other solution. In this scenario, you can disable session creation.

Hope this helps

Christian

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

--

This message reached you through the e-mail service that Infomed
provides to support the fulfilment of the missions of the National
Health System. The sender of this message undertakes to use the
service for those purposes and to comply with the established
regulations.

Infomed: http://www.sld.cu/

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
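
The two rules in Christian's filter-chain explanation quoted above (the anonymous filter must be last, and a session that times out silently turns the user into "anonymous" when that filter is present) are easy to see in a small model. The following is an added example, not GeoServer's code and not from anyone in the thread: a toy chain in which a proxy-header filter and an anonymous filter are run in both orders, with an in-memory stand-in for the container session. The header name `sec-username`, the 30-minute timeout, the `ws:restricted_layer` layer name and its allowed users are all assumptions made for the illustration.

```python
import secrets

HEADER = "sec-username"        # assumed name of the trusted proxy header
SESSION_TTL = 30 * 60          # assumed session timeout in seconds
# constructed: restricted layer -> users allowed to see it
RESTRICTED = {"ws:restricted_layer": {"alice"}}


class Request:
    def __init__(self, headers=None, cookies=None, now=0):
        self.headers = {k.lower(): v for k, v in (headers or {}).items()}
        self.cookies = dict(cookies or {})
        self.now = now            # request time, seconds; drives the timeout
        self.user = None          # principal set by whichever filter authenticates


class SessionStore:
    """Stand-in for the servlet container's HttpSession table."""
    def __init__(self):
        self.table = {}

    def create(self, user, now):
        sid = secrets.token_hex(8)
        self.table[sid] = (user, now + SESSION_TTL)
        return sid

    def lookup(self, sid, now):
        user, expires = self.table.get(sid, (None, 0))
        if user is None or now >= expires:
            self.table.pop(sid, None)   # a timed-out session is gone
            return None
        return user


class HeaderProxyFilter:
    """Authenticates from an existing session or from the proxy header."""
    challenges = True   # its entry point answers unauthenticated requests with 401

    def __init__(self, sessions):
        self.sessions = sessions

    def __call__(self, req):
        if req.user is not None:    # an earlier filter already decided
            return
        sid = req.cookies.get("JSESSIONID")
        user = self.sessions.lookup(sid, req.now) if sid else None
        if user is None and HEADER in req.headers:
            user = req.headers[HEADER]
            req.cookies["JSESSIONID"] = self.sessions.create(user, req.now)  # session creation
        req.user = user


class AnonymousFilter:
    """Always succeeds, so it has no entry point to challenge with."""
    challenges = False

    def __call__(self, req):
        if req.user is None:
            req.user = "anonymous"


def authenticate(chain, req):
    """Run every filter; return the principal, or '401' when nobody
    authenticated and the last filter's entry point challenges."""
    for f in chain:
        f(req)
    if req.user is None:
        return "401" if chain[-1].challenges else "anonymous"
    return req.user


def get_map(principal, layer, catalog_mode):
    """Outcome of a GetMap on a restricted layer in the two catalog modes."""
    if principal in RESTRICTED.get(layer, set()):
        return "map"
    return "could not find layer" if catalog_mode == "HIDE" else "401"


def demo():
    sessions = SessionStore()
    proxy, anon = HeaderProxyFilter(sessions), AnonymousFilter()
    results = {}
    chain = [proxy, anon]                      # recommended order: anonymous last
    r1 = Request(headers={HEADER: "alice"}, now=0)
    results["capabilities"] = authenticate(chain, r1)           # header -> alice, session created
    cookie = r1.cookies["JSESSIONID"]
    r2 = Request(cookies={"JSESSIONID": cookie}, now=60)
    results["getmap_in_session"] = authenticate(chain, r2)      # cookie only -> alice
    r3 = Request(cookies={"JSESSIONID": cookie}, now=SESSION_TTL + 1)
    results["getmap_after_timeout"] = authenticate(chain, r3)   # silently anonymous
    r4 = Request(headers={HEADER: "alice"}, now=0)
    results["anonymous_first"] = authenticate([anon, proxy], r4)  # proxy filter never used
    r5 = Request(cookies={"JSESSIONID": cookie}, now=SESSION_TTL + 1)
    results["timeout_no_anonymous"] = authenticate([proxy], r5)   # challenged instead
    return results


if __name__ == "__main__":
    for case, principal in demo().items():
        print(case, "->", principal, "| HIDE:", get_map(principal, "ws:restricted_layer", "HIDE"))
```

Running `demo()` shows the sequence from Tom's messages: the header request authenticates and creates a session, the cookie-only request still maps to the user, and once the session has timed out the same request becomes "anonymous" with the anonymous filter in the chain, which under catalog mode HIDE shows up as "could not find layer" (pink tiles) and under CHALLENGE as a 401. With the anonymous filter in front, the header request is also "anonymous", which is the "never used" case.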


Hi Christian

Thanks very much for the work you’ve done fixing this issue. I can confirm that using the new nightly build sessions are now being created.

That said, requests sent after the authenticating GetCapabilities request still do not seem to be using the session. I still get the same pink tiles or authentication prompt when adding a restricted layer.

Looking at the sessions in Tomcat, the session created from the ows request has 1 attribute called SPRING_SECURITY_CONTEXT but the session created from logging in to the admin page has additional attributes called:

wicket:wicket:session - org.geoserver.web.spring.security.GeoServerSession@anonymised.com

wicket:wicket:m:null – [PageMap name=null]

Wicket:SessionUnbindingListener-wicket - org.apache.wicket.protocol.http.AbstractHttpSessionStore$SessionBindingListener@anonymised.com

I have noticed that deleting the wicket:session attribute breaks the functionality of restricted layers on the map when logged in to the admin console. Sorry if this is completely irrelevant as I don’t really understand what I am talking about.

On a separate note, am I using sessions in the wrong way here? Is it better to not create sessions at all and just attach the header to every request? I have tried to think of a way to do this painlessly but cannot.

Thanks again

Tom

From: Christian Mueller [mailto:christian.mueller@anonymised.com]
Sent: 17 June 2013 11:18
To: Thomas Colley
Cc: geoserver-users@anonymised.comrge.net
Subject: Re: [Geoserver-users] Geoserver Header Auth

Problem 1), the cookie is not used after GetCapabilities

Let us examine your cookie attributes. What are the values of

Secure
Domain
Path
HTTPOnly
Expires

Especially the value of HTTPOnly is interesting. If true, the cookie is not visible to scripts. (I assume your client uses JavaScript).

Normally, the browser takes care of sending the cookie for each request.

The attribute SPRING_SECURITY_CONTEXT holds the security token, this is correct.

Problem 2) wicket session.
This is a new aspect, perhaps I have to create the session compatible with the admin interface.

Problem 3) Not using a session. This is the default for stateless services. An example for OpenLayers is here
http://osgeo-org.1560.x6.nabble.com/Load-GeoServer-WMS-secured-layers-with-OpenLayers-td3919938.html

Christian

···

2013/6/24 Thomas Colley <it087@anonymised.com>

Hi Christian

Thanks very much for the work you’ve done fixing this issue. I can confirm that using the new nightly build sessions are now being created.

That said requests sent after the authenticating GetCapabilities request still do not seem to be using the session. I still get the same pink tiles or authentication prompt when adding a restricted layer.

Looking at the sessions in Tomcat, the session created from the ows request has 1 attribute called SPRING_SECURITY_CONTEXT but the session created from logging in to the admin page has additional attributes called:

wicket:wicket:session - org.geoserver.web.spring.security.GeoServerSession@anonymised.com

wicket:wicket:m:null – [PageMap name=null]

Wicket:SessionUnbindingListener-wicket - org.apache.wicket.protocol.http.AbstractHttpSessionStore$SessionBindingListener@anonymised.com

I have noticed that deleting the wicket:session attribute breaks the functionality of restricted layers on the map when logged in to the admin console. Sorry if this is completely irrelevant as I don’t really understand what I am talking about.

On a separate note, am I using sessions in the wrong way here? Is it better to not create sessions at all and just attach the header to every request? I have tried to think of a way to do this painlessly but cannot.

Thanks again

Tom

From: Christian Mueller [mailto:christian.mueller@anonymised.com]

Sent: 17 June 2013 11:18

To: Thomas Colley
Cc: geoserver-users@anonymised.comsts.sourceforge.net
Subject: Re: [Geoserver-users] Geoserver Header Auth

Hi Thomas

Long story for short, you detected a bug. Can you open a JIRA issue and copy/paste your description (step 1 - 4).

There should be an HTTP session but there is none. I looked a the code and can confirm your observations.

I will fix this ASAP.

2013/6/17 Thomas Colley <it087@anonymised.com>

Thanks for your reply Christian.

  1. The pink tiles are due to Geoserver returning a “could not find layer” message as Catalog Mode under Data Security was set to HIDE. If I change Catalog Mode to CHALLENGE instead of pink tiles I get the 401 challenge prompt.

  2. That makes sense, I was on completely the wrong track with Remember Me, it was just a guess.

  3. Removing the anonymous filter would not be ideal as the way I was hoping it would work is users with access to restricted layers would authenticate via proxy and everyone else would fallback to anonymous access (anonymous has always been below proxy in the chain). However I have tried removing anonymous from the filter chain and it doesn’t fix the problem.

The problem seems to be that although I have HTTP session creation allowed on the default chain the getcapabilities request containing the header is not creating a session. I can see this by monitoring the Tomcat manager. If I log in to the Geoserver admin interface a session is created and while still logged in the mapping application works fine. As soon as I log out of admin page the restricted map layers break.

Here is the exact process:

  1. Openlayers page loads and submits a getcapabilities request with HTTP header added.

  2. WMS layer tree is displayed showing the correct restricted layers (data is restricted at a workspace level in Geoserver) so authentication has definitely been successful at this point.

  3. Checking Tomcat manager no session has been created

  4. Trying to load a restricted layer from this list results in either “can’t find layer” error (pink tiles) or 401 prompt depending on Geoserver setting.

So it appears that for some reason even though I am sending a request with header that is getting successfully authenticated (step 2) a session is not being created.

Thanks again for your help

Tom

From: Christian Mueller [mailto:christian.mueller@anonymised.com]
Sent: 15 June 2013 15:38
To: Thomas Colley
Cc: geoserver-users@lists.sourceforge.net

Subject: Re: [Geoserver-users] Geoserver Header Auth

Hi Thomas

About your questions

  1. Adding a layer and getting pink tiles

No idea here, adding a layer has nothing to do with authentication, could you reproduce this problem using the default security configuration ?

  1. The remember me service works only with http basic auth and form based login. Why ?. The remeber me services uses a cookie and stores a digested representation of the password as cookie value (along with the user id) . Header authentication uses no password → no remember me service.

  2. Your filter chain

You have a proxy and the anonymous filter. The last filter in the chain determines the authentication entry point (e.g. redirecting the browser to a login form). The anonymous filter has no authentication entry point because it always logs you in as “anonymous” successfully. If you use an anonymous filter, the filter has to be the last filter in the chain. A filter behind the anonymous filter will never be used.

You have HTTP session creation enabled. I assume you send the http header once and use the session cookie for subsequent requests. This may be problematic in case of a session time out because you are logged in again as anonymous “automatically”. Remove the anonymous filter if this is possible in your scenario. Upon session time out, you must log in again.

If you cannot remove the anonymous filter, you have to send the http header attribute in each request which requires authentication, there is no other solution. In this scenario, you can disable session creation.

Hope this helps

Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)

OSS Open Source Solutions GmbH


  1. There doesn’t seem to be a cookie at all. Although the session is active in Tomcat there is no cookie related to the site. I’m checking using Firefox add-ons Cookie Monster and View Cookies. The JSESSIONID is present when logging in to geoserver admin.

Thanks

Tom

From: Christian Mueller [mailto:christian.mueller@anonymised.com]
Sent: 24 June 2013 12:16
To: Thomas Colley
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Geoserver Header Auth

Problem 1), the cookie is not used after GetCapabilities

Let us examine your cookie attributes. What are the values of

Secure

Domain

Path

HTTPOnly

Expires

Especially the value of HTTPOnly is interesting. If true, the cookie is not visible to scripts. (I assume your client uses JavaScript).

Normally, the browser takes care of sending the cookie for each request.

The attribute SPRING_SECURITY_CONTEXT holds the security token, this is correct.

Problem 2) wicket session.

This is a new aspect, perhaps I have to create the session compatible to the admin interface.

Problem 3) Not using a session. This is the default for stateless services. An example for openlayers is here

http://osgeo-org.1560.x6.nabble.com/Load-GeoServer-WMS-secured-layers-with-OpenLayers-td3919938.html

Christian

2013/6/24 Thomas Colley <it087@anonymised.com.>

Hi Christian

Thanks very much for the work you’ve done fixing this issue. I can confirm that using the new nightly build sessions are now being created.

That said requests sent after the authenticating GetCapabilities request still do not seem to be using the session. I still get the same pink tiles or authentication prompt when adding a restricted layer.

Looking at the sessions in Tomcat, the session created from the ows request has 1 attribute called SPRING_SECURITY_CONTEXT but the session created from logging in to the admin page has additional attributes called:

wicket:wicket:session - org.geoserver.web.spring.security.GeoServerSession@anonymised.com

wicket:wicket:m:null – [PageMap name=null]

Wicket:SessionUnbindingListener-wicket - org.apache.wicket.protocol.http.AbstractHttpSessionStore$SessionBindingListener@anonymised.com

I have noticed that deleting the wicket:session attribute breaks the functionality of restricted layers on the map when logged in to the admin console. Sorry if this is completely irrelevant as I don’t really understand what I am talking about.

On a separate note, am I using sessions in the wrong way here? Is it better to not create sessions at all and just attach the header to every request? I have tried to think of a way to do this painlessly but cannot.

Thanks again

Tom
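One way to do what Christian describes for the stateless case (the identity header attached to every OWS request, no GeoServer session at all), and what Tom's existing Python script already does for GetCapabilities alone: an added example, not code from the thread, of a small WSGI reverse proxy that sits between the OpenLayers page and GeoServer. The upstream URL and the header name (`sec-username`) are assumed placeholders; the header name must match the one configured in the GeoServer HTTP header filter.

```python
"""Added example (not from the thread): a minimal reverse proxy that forwards every
OWS request to GeoServer with the trusted identity header attached, so the browser
needs neither a GeoServer session cookie nor any knowledge of the header."""
from urllib.request import Request, urlopen

GEOSERVER_OWS = "http://geoserver.example.invalid/geoserver/ows"  # assumed upstream
AUTH_HEADER = "sec-username"  # assumed: name configured in the header filter
# Headers that must not be copied verbatim to the upstream connection.
HOP_BY_HOP = {"connection", "keep-alive", "transfer-encoding", "host", "content-length"}


def upstream_headers(incoming, remote_user):
    """Build the header set forwarded to GeoServer.

    Any copy of AUTH_HEADER that arrived from the client is dropped first, then the
    value established by the web server's own login (remote_user) is set, so the
    browser can never choose its own identity. A client that is not logged in is
    forwarded with no identity header at all and GeoServer's anonymous filter
    decides what it may see.
    """
    out = {}
    for name, value in incoming.items():
        lname = name.lower()
        if lname == AUTH_HEADER or lname in HOP_BY_HOP:
            continue
        out[name] = value
    if remote_user:
        out[AUTH_HEADER] = remote_user
    return out


def wsgi_app(environ, start_response):
    """Forward a GET (GetMap, GetFeatureInfo, ...) to GeoServer, header included."""
    incoming = {k[5:].replace("_", "-"): v
                for k, v in environ.items() if k.startswith("HTTP_")}
    # REMOTE_USER is what the web server's authentication set for this request.
    headers = upstream_headers(incoming, environ.get("REMOTE_USER"))
    url = GEOSERVER_OWS + "?" + environ.get("QUERY_STRING", "")
    with urlopen(Request(url, headers=headers)) as resp:
        body = resp.read()
        ctype = resp.headers.get("Content-Type", "application/octet-stream")
        start_response(f"{resp.status} {resp.reason}", [("Content-Type", ctype)])
    return [body]
```

Point the OpenLayers layer URLs at this proxy instead of at GeoServer directly; GeoServer itself should then accept the header only from this proxy's address.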

From: Christian Mueller [mailto:christian.mueller@anonymised.com]

Sent: 17 June 2013 11:18

To: Thomas Colley
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Geoserver Header Auth

Hi Thomas

Long story short, you detected a bug. Can you open a JIRA issue and copy/paste your description (step 1 - 4).

There should be an HTTP session but there is none. I looked at the code and can confirm your observations.

I will fix this ASAP.

2013/6/17 Thomas Colley <it087@anonymised.com>

Thanks for your reply Christian.

  1. The pink tiles are due to Geoserver returning a “could not find layer” message as Catalog Mode under Data Security was set to HIDE. If I change Catalog Mode to CHALLENGE instead of pink tiles I get the 401 challenge prompt.

  2. That makes sense, I was on completely the wrong track with Remember Me, it was just a guess.

  3. Removing the anonymous filter would not be ideal as the way I was hoping it would work is users with access to restricted layers would authenticate via proxy and everyone else would fallback to anonymous access (anonymous has always been below proxy in the chain). However I have tried removing anonymous from the filter chain and it doesn’t fix the problem.

The problem seems to be that although I have HTTP session creation allowed on the default chain the getcapabilities request containing the header is not creating a session. I can see this by monitoring the Tomcat manager. If I log in to the Geoserver admin interface a session is created and while still logged in the mapping application works fine. As soon as I log out of admin page the restricted map layers break.

Here is the exact process:

  1. Openlayers page loads and submits a getcapabilities request with HTTP header added.

  2. WMS layer tree is displayed showing the correct restricted layers (data is restricted at a workspace level in Geoserver) so authentication has definitely been successful at this point.

  3. Checking Tomcat manager, no session has been created

  4. Trying to load a restricted layer from this list results in either “can’t find layer” error (pink tiles) or 401 prompt depending on Geoserver setting.

So it appears that for some reason, even though I am sending a request with a header that is getting successfully authenticated (step 2), a session is not being created.

Thanks again for your help

Tom
