I am using the Key authentication module. As my key provider I am using an external web service.
When the external web service returns a valid user, every subsequent request is valid, as I understand it – the webservice is not called anymore.
How does Geoserver handle this internally? Is there some kind of session created?
How can I invalidate / expire the token from the external service? Is there some timeout setting after which the webservice is called again to see if the token is still valid?
It is a configuration option, controlled using a filter chain, establishing a list of authentication providers to try in order (basic authentication, remember me to establish a session, etc.).
Having a session is useful for the web administration application, but not required for the various stateless protocols such as WMS and WPS. Indeed for those you may wish to check credentials each time.
Sorry for not being clear - I think I expressed myself wrong:
I would like to know why the Key authentication module calls the webservice only for the first few requests (for example, the first 20 WMS raster images which are loaded in Leaflet when navigating to my site the first time) – when panning or zooming on the page afterwards, for all subsequent WMS requests GeoServer does not call the webservice anymore (no logs on my webservice endpoint).
It is clear to me that all OWS requests are stateless, so there is no session – but how does GeoServer still know that any subsequent request from the client is valid for requests with the specific token without calling the webservice anymore and validating the token? As I understand, it can’t be the rememberme filter, as this filter only works for the Web Login (and I can’t see any cookie sent in the requests).
After waiting some time I found out that the service is called again – so it looks like there is some “token-caching” done.
So my questions are:
Why is the webservice not called for every single GeoServer WMS request?
Is there some “token-caching” mechanism?
If so:
Can I invalidate the token?
Is there a timeout setting after which the webservice is called again?
Thank you!
Bernd
Not sure where exactly to start answering you.
It is a configuration option, controlled using a filter chain, establishing a list of authentication providers to try in order (basic authentication, remember me to establish a session, etc.).
Having a session is useful for the web administration application, but not required for the various stateless protocols such as WMS and WPS. Indeed for those you may wish to check credentials each time.
I am using the Key authentication module. As my key provider I am using an external web service.
When the external web service returns a valid user, every subsequent request is valid, as I understand it – the webservice is not called anymore.
How does Geoserver handle this internally? Is there some kind of session created?
How can I invalidate / expire the token from the external service? Is there some timeout setting after which the webservice is called again to see if the token is still valid?
Thanks
Bernd