Hi list,
I have been using GeoServer 1.5 with Tomcat 5.5 and JDK 1.5 for some time
now, where users had to authenticate themselves with password and username.
I had configured this in GeoServer's web.xml and made the valid users known
to Tomcat in its tomcat-users.xml. When I changed to GeoServer 1.6 RC 1, the
authentication fails when a user posts a request to my GeoServer. After the
old authentication is done, another window pops up where one is asked to
authenticate to a GeoServer Realm that I've never configured and where none
of my Tomcat users is accepted. The strange thing is that this does not happen
after you FIRST made a simple visit to GeoServer (.../geoserver/welcome.do),
authenticated like always and then posted your request once again. I would
like to avoid this, because some requests on my GeoServer should be done by
another application automatically (no user in a browser), which then crashes
totally.
Anyone who can help me? I am quite desperate.
cheers, Andreas
--
View this message in context: http://www.nabble.com/Problem-with-Authentication-to-"GeoServer-Realm"-tf4857900.html#a13901464
Sent from the GeoServer - User mailing list archive at Nabble.com.
Andreas Kempf wrote:
> Hi list,
> I have been using GeoServer 1.5 with Tomcat 5.5 and JDK 1.5 for some time
> now, where users had to authenticate themselves with password and username.
> I had configured this in GeoServer's web.xml and made the valid users known
> to Tomcat in its tomcat-users.xml. When I changed to GeoServer 1.6 RC 1, the
> authentication fails when a user posts a request to my GeoServer. After the
> old authentication is done, another window pops up where one is asked to
> authenticate to a GeoServer Realm that I've never configured and where none
> of my Tomcat users is accepted. The strange thing is that this does not happen
> after you FIRST made a simple visit to GeoServer (.../geoserver/welcome.do),
> authenticated like always and then posted your request once again. I would
> like to avoid this, because some requests on my GeoServer should be done by
> another application automatically (no user in a browser), which then crashes
> totally.
> Anyone who can help me? I am quite desperate.

Hmm... it may be the integrated acegi security subsystem that is
conflicting with the container level security... not sure what to do
about it, I've never played with container level security.
Can you give me a sample of configuration?
Also, you may want to consider using GeoServer's built-in one
instead; some documentation here:
http://docs.codehaus.org/display/GEOSDEV/Geoserver+security+implementation%2C+initial+version
Cheers
Andrea
Hi Andrea,
here is the part I added to the web.xml of Geoserver
<security-constraint>
  <display-name>Example Security Constraint</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted Area</realm-name>
</login-config>
Used to work perfectly in Geoserver 1.5, but not with 1.6 RC1
---
Andreas Kempf
phone: +49 (89) 121528-44 mailto:andreas.kempf@anonymised.com
fax: +49 (89) 121528-79 http://www.gaf.de
GAF AG Arnulfstr. 197 D-80634 Muenchen Germany
Vorstand: Dr. Peter Volk, Aufsichtsratsvorsitzender: Marcello Maranesi
Amtsgericht Muenchen HRB 140 509, Firmensitz: Muenchen
Hi Andrea,
I got this problem solved when I assigned the user from tomcat-users.xml
also in users.properties of GeoServer's /data/security folder.
As one has to keep the pw in clear text, I would prefer skipping all
this and keep to my container level security until digested pws are
accepted. Is there a way to "switch off" the authentication on geoserver
side?
cheers, Andreas
Andreas Kempf wrote:
> Hi Andrea,
> I got this problem solved when I assigned the user from tomcat-users.xml
> also in users.properties of GeoServer's /data/security folder.
> As one has to keep the pw in clear text, I would prefer skipping all
> this and keep to my container level security until digested pws are
> accepted. Is there a way to "switch off" the authentication on geoserver
> side?

None at the moment... we don't have digested passwords because there
is no UI to edit the property files. I'll have to investigate this
further, but I have no time now... I hope to get this done before
releasing 1.6.0 final:
http://jira.codehaus.org/browse/GEOS-1554
You may want to become a watcher to that issue if you're interested
in tracking its evolution.
Cheers
Andrea
Andreas Kempf wrote:
> Hi Andrea,
> I got this problem solved when I assigned the user from tomcat-users.xml
> also in users.properties of GeoServer's /data/security folder.
> As one has to keep the pw in clear text, I would prefer skipping all
> this and keep to my container level security until digested pws are
> accepted. Is there a way to "switch off" the authentication on geoserver
> side?

I've looked a bit into this one and found two solutions:
* have geoserver use the same users and roles you provided in tomcat.
  This requires quite some programming, since I have to make
  authentication providers pluggable. A set of changes I cannot make
  in RC state, though I've opened a jira issue to make it possible to
  use them in future geoserver versions:
  http://jira.codehaus.org/browse/GEOS-1579
* completely disabling geoserver authentication. I can do this with
  a very small patch in the web ui code and by disabling acegi
  integration filter in web.xml, but beware, when you do so,
  geoserver won't ask any authentication at all when going into
  the config ui, it will be up to you to configure JAAS so that
  the administration area is locked down (you'll have to restrict
  everything in geoserver/config/* so that only an admin type
  user can go inside of it).
Would the second option be good enough for you?
Cheers
Andrea
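
[Added example, not part of the thread and not GeoServer's shipped configuration: a container-level web.xml fragment for the second option above, locking the configuration UI to an admin role while the rest stays on the existing role. It assumes the webapp is deployed at /geoserver (so geoserver/config/* becomes the url-pattern /config/*) and that a role named "admin" exists in tomcat-users.xml; both are assumptions.]

```xml
<!-- Added illustration. The role name "admin" is an assumption;
     "tomcat" is the role used in the web.xml posted in the thread. -->

<!-- Administration UI: the most specific matching url-pattern decides, so
     these URLs need the admin role even though /* also matches them. -->
<security-constraint>
  <display-name>GeoServer configuration UI</display-name>
  <web-resource-collection>
    <web-resource-name>Config Area</web-resource-name>
    <url-pattern>/config/*</url-pattern>
    <!-- No http-method elements: the constraint covers every HTTP method.
         Listing methods limits it to those listed and leaves the others
         (HEAD, OPTIONS, ...) unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
</security-constraint>

<!-- Everything else: any user holding the tomcat role. -->
<security-constraint>
  <display-name>GeoServer services</display-name>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Restricted Area</realm-name>
</login-config>

<!-- Declare the roles used above; the users holding them are defined
     in tomcat-users.xml. -->
<security-role>
  <role-name>admin</role-name>
</security-role>
<security-role>
  <role-name>tomcat</role-name>
</security-role>
```
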
Hi Andrea,
thank you very much for the work you did.
For us, the first option in the next non-RC versions of Geoserver would
be ok, because it is exactly what we would have wanted.
Nonetheless, if you could provide us with the patch, we would try to
bridge the time gap until that.
Shifting from container level security to built in GeoServer
functionality is an option we will also check.
Thanks again and cheers,
Andreas
Andreas Kempf wrote:
> Hi Andrea,
> thank you very much for the work you did.
> For us, the first option in the next non-RC versions of Geoserver would
> be ok, because it is exactly what we would have wanted.
> Nonetheless, if you could provide us with the patch, we would try to
> bridge the time gap until that.

I need time to develop that patch, create a new extension point,
test it, it's not something I can do in five minutes, but most
probably something I'll tackle in January if I find a spare day.

> Shifting from container level security to built in GeoServer
> functionality is an option we will also check.

So let me understand, the idea of disabling completely geoserver
security and have JAAS manage everything is not of interest?
I have a patch ready for this option.
Cheers
Andrea
Hi Andrea,
no, we would like to have the patch and then check which possibility is
better. This is not something I will decide but some other people and I
would simply provide them with both methods.
Thanks a lot and cheers,
Andreas