Thanks for your continuing help.
I understand the fundamental principles of authentication and stateless requests. What I am having problems with is the combination of Geoserver and J2EE authentication.
As I said in my previous request for help, I had managed to 'hack' Geoserver 2.0 to provide this functionality, but with the enhancements to authentication in recent Geoserver versions, it seems I should not now need to subvert any geoserver functionality, just configure it according to my requirements, but I am a bit bewildered by the range of options available.
The J2EE authentication as I have configured it allows me (or any user in our J2EE users database with the GEOSERVER_ADMIN role) to log in to the Geoserver web UI, but it does not allow _any_ users (or anonymous users) to see any layers from outside the web UI - all I get is a continual basic login prompt (enter username/password, click OK, password dialog appears again). This is obviously not right - is it related to the <url-pattern> /* in my web.xml <security-constraint>?
Hi Chris
Some basic facts about basic/digest authentication
1) These protocols are stateless: you have to send the credentials (user, password) for EACH request. There is no concept of a logout; each request is authenticated individually.
2) Normally, a browser pops up a login panel for the first request and adds the credentials for subsequent requests automatically. If you want to log out, you have to close the browser.
3) The GeoServer GUI creates an HTTP session (using a cookie). Since the tomcat container receives a cookie for each request, no authentication is needed.
4) The default filter chain does not create a session. You can try to allow session creation for the chain in the details panel. (Press "close" to close the panel and "save" on the authentication page to store your changes). Be warned, creating a session for stateless services is not recommended.
Hope this helps to figure out your problem
Christian
On Thu, Oct 31, 2013 at 10:38 AM, Chris Morgan <chris@anonymised.com> wrote:
Hi Christian,
Yes, you have summarised my problem quite succinctly.
I have just tried adding the J2EE filter to the 'default' filter chain as well as the 'web' filter chain - this makes no difference - I still cannot access any layers except via the layer preview when logged in to the GUI.
Do you need to see any of the config XML files?
I am running Geoserver in a Tomcat 6.0.20 instance, with JVM 1.6.0_20-b02
Thanks,
Chris
On 31/10/2013 08:29, Christian Mueller wrote:
Hi Chris
As far as I understand, you can access your layers using the GUI but not directly. If this is the case, did you add your j2ee filter to the default filter chain (Ant pattern /** )?
Cheers
Christian
On Wed, Oct 30, 2013 at 5:59 PM, Chris Morgan <chris@anonymised.com> wrote:
Hi all,
I am having some problems configuring Geoserver 2.4 to use J2EE authentication. I have a mix of public and private layers that I am serving from Geoserver.
I have upgraded from Geoserver 2.0 to 2.4.0, and followed the instructions here
http://docs.geoserver.org/stable/en/user/security/tutorials/j2ee/index.html
(with help from Christian Mueller a week ago), and I can now log in to the Geoserver web GUI as an admin and use Layer Preview to view layers successfully.
However, I can ONLY access the layers within the layer preview.
A direct URL link to (say) the Open Layers web map, or a KML network link in Google Earth for a public layer (anonymous access allowed) will continuously prompt for a geoserver realm username and password.
Similarly for private layers - the username and password are never accepted (although the same username/password allows me to log in to the web GUI and use layer preview to view the layer).
This is my addition to the web.xml config file:
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>GEOSERVER_ADMIN</role-name>
    <role-name>GEOSERVER_USER</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
</login-config>
In the admin GUI, I added a J2EE authentication filter, added J2EE to the web filter chain (rememberme, j2ee, anonymous), defined the GEOSERVER_ADMIN and GEOSERVER_USER roles in Users, Groups, Roles - Roles, and then defined GEOSERVER_ADMIN as the administrator role.
I am obviously doing something wrong, or missing a fundamental step - any suggestions?
Thanks,
Chris
------------------------------------------------------------
Lynx Information Systems Ltd
93-99 Upper Richmond Rd
London SW15 2TG
United Kingdom
Web: http://www.lynxinfo.co.uk
Email: lynx@anonymised.com
Tel: +44 (0)20 8780 2634
Fax: +44 (0)20 8780 0931
Registered in England Number 2454130
VAT Number GB 561 8979 88
Incoming and outgoing emails are checked for viruses
by Sophos AntiVirus.
This email may contain confidential information which is
intended for the named recipient(s) only. If you are
not the named recipient you should not take any action in
relation to this email, other than to notify us that you
have received it in error.
------------------------------------------------------------
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
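As an added illustration that is not part of the thread, the following Python models how a servlet container such as Tomcat applies the <security-constraint> and <login-config> quoted above before a request ever reaches GeoServer's own filter chain, so the effect of the /* pattern on a service URL can be seen directly. It follows the Servlet specification's matching rules in simplified form (a single constraint, no default-servlet handling); the function names are mine, and paths are context-relative, so /wms stands for /geoserver/wms.

```python
import xml.etree.ElementTree as ET

# The web.xml fragment quoted in the thread, wrapped in <web-app> so it parses alone.
WEB_XML = """<web-app>
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>GEOSERVER_ADMIN</role-name>
    <role-name>GEOSERVER_USER</role-name>
  </auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def parse_constraints(xml_text):
    """Per constraint: url-patterns, http-methods, roles (None if no <auth-constraint>)."""
    out = []
    for sc in ET.fromstring(xml_text).findall("security-constraint"):
        ac = sc.find("auth-constraint")
        out.append({"patterns": [p.text for p in sc.iter("url-pattern")],
                    "methods": [m.text for m in sc.iter("http-method")],
                    "roles": None if ac is None else [r.text for r in ac.iter("role-name")]})
    return out

def pattern_matches(pattern, path):
    """Servlet-style matching: path prefix ('/x/*'), extension ('*.ext') or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def container_decision(constraints, method, path, user_roles=None):
    """Container's verdict before GeoServer's filter chain runs; user_roles None = anonymous."""
    for c in constraints:
        # No <http-method> listed means every method; a listed set covers only those.
        if c["methods"] and method not in c["methods"]:
            continue
        if not any(pattern_matches(p, path) for p in c["patterns"]) or c["roles"] is None:
            continue
        if user_roles is None:
            return "401 BASIC challenge"   # the realm login box the thread describes
        if not set(user_roles) & set(c["roles"]):
            return "403"
    return "pass to GeoServer filter chain"
```

Because the fragment lists only GET and POST, any other method falls outside the constraint and is handed straight to GeoServer; omitting <http-method> entirely makes the constraint cover every method.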