Hello, I recently modified Geoserver to read usernames/passwords from a MySQL database using the underlying Acegi security configuration, so it is possible. I guess Acegi has a class for supporting Active Directory.
Here are my notes on reconfiguring Geoserver in Tomcat for using a different source for usernames and passwords. We have Geoserver 2.0.1 running on Tomcat 6.0.20.

Hope this helps, cheers, Chris

By default, Geoserver uses a plain text username/password file - webapps\geoserver\data\security\users.properties. This can be edited in the Geoserver web admin GUI, but is obviously unsatisfactory for real-world usage. It is possible to get Geoserver to read usernames/passwords from a database by modifying the config XML files.

1. Modify geoserver/WEB-INF/web.xml - change the contextConfigLocation context-param from

   <param-value>classpath*:/applicationContext.xml classpath*:/applicationSecurityContext.xml</param-value>

   to

   <!-- use unpacked applicationSecurityContext.xml instead of copy in jar -->
   <param-value>classpath*:/applicationContext.xml WEB-INF/applicationSecurityContext.xml</param-value>

2. Open geoserver\WEB-INF\lib\main-2.0.1.jar with Winzip, extract applicationSecurityContext.xml and copy it to geoserver\WEB-INF.

3. Edit WEB-INF\applicationSecurityContext.xml - comment out the existing userDetailsService bean

   <!--
   <bean id="userDetailsService" class="org.geoserver.security.GeoserverUserDao">
     <property name="geoServer" ref="geoServer" />
   </bean>
   -->

   and replace it with

   <!-- CM 17/06/2010 JDBC userDetailsService -->
   <bean id="userDetailsService" class="org.acegisecurity.userdetails.jdbc.JdbcDaoImpl">
     <property name="dataSource" ref="dataSource"/>
     <property name="usersByUsernameQuery">
       <value>select user_name as username, user_pass as password, 1 as enabled from users where user_name = ?</value>
     </property>
     <property name="authoritiesByUsernameQuery">
       <value>select user_name as username, role_name as authority from user_roles where user_name = ?</value>
     </property>
   </bean>

   <!-- CM 17/06/2010 JDBC datasource -->
   <bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
     <property name="driverClassName">
       <value>org.gjt.mm.mysql.Driver</value>
     </property>
     <property name="url">
       <!-- the '&' separating URL parameters must be written as &amp; inside XML -->
       <value>jdbc:mysql://localhost/jdbcrealm?user=tomcat&amp;password=password</value>
     </property>
   </bean>

   <!-- CM 17/06/2010 added MD5 password encoder -->
   <bean id="passwordEncoder" class="org.acegisecurity.providers.encoding.Md5PasswordEncoder"/>

This will enable Geoserver to use the same usernames and passwords as our other Tomcat web apps.

Note that Geoserver uses a hardcoded ROLE_ADMINISTRATOR role. ROLE_GIS added to user_roles table for all users.

Using this config, Geoserver still uses plain text files to store layer and service permissions - i.e. which roles are allowed to access the defined layers and services, and the user-editing page will crash, since there is no facility for writing to the database. This is acceptable, since we can edit the user database using other methods, and edit the plain-text files layers.properties and services.properties manually if required.
----- Original Message -----
From: "Gilles Bassière" <[email protected]>
To: <[email protected]>
Sent: Wednesday, November 03, 2010 5:43 PM
Subject: [Geoserver-users] Configure security against an Active Directory instance

> Hi GeoServer users,
>
> I have a GeoServer instance which lives within TomCat on a Windows
> system, Apache is also here as an HTTP front-end. The whole thing is
> configured according to the wiki [1]. GeoServer is from 1.7.x series but
> should be updated to current stable, TomCat version is 5.5.
>
> I've been asked to configure the GeoServer security subsystem on this
> instance. I've read the documentation [2] and I should be fine with
> services.properties and layers.properties. But I'd like to be able to
> re-use users and roles definition from an Active Directory instance. If
> I understand this thread [3], it seems possible to delegate user
> authentication to TomCat. Before going further, I'm seeking a
> confirmation that I'll be able to define permissions at Acegi-level for
> users authenticated at container-level.
>
> Besides, I've read that Acegi will eventually be replaced by Spring
> Security. The GSIP 54 is said to be scheduled for release 2.1.0 but is
> not mentioned in beta1 changelog. Should I expect important changes
> regarding GeoServer security features in the near future?
>
> [1] : http://geoserver.org/display/GEOSDOC/Apache+HTTP+Server
> [2] : http://docs.geoserver.org/stable/en/user/security/
> [3] : http://old.nabble.com/Problem-with-Authentication-to-%22GeoServer-Realm%22-td13901464.html
>
> Best regards
> --
> Gilles Bassière - MAKINA CORPUS
> http://www.makina-corpus.com
> _______________________________________________
> Geoserver-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/geoserver-users

Lynx Information Systems Ltd - Web: http://www.lynxinfo.co.uk
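As an added illustration (not code from the post, from GeoServer or from Acegi), the Python below mimics what JdbcDaoImpl and an unsalted Md5PasswordEncoder do with the two queries in Chris's config, run against an in-memory SQLite database in place of MySQL; the users/user_roles schema and the sample rows are assumptions constructed for the demo.

```python
# Added example, not from the post: mimics Acegi's JdbcDaoImpl + Md5PasswordEncoder
# using Chris's two queries against in-memory SQLite (schema/rows are constructed).
import hashlib
import hmac
import sqlite3

# Queries from applicationSecurityContext.xml above; JdbcDaoImpl needs the aliases
# username/password/enabled and username/authority respectively.
USERS_BY_USERNAME = ("select user_name as username, user_pass as password, 1 as enabled "
                     "from users where user_name = ?")
AUTHORITIES_BY_USERNAME = ("select user_name as username, role_name as authority "
                           "from user_roles where user_name = ?")


def md5_encode(raw_password):
    """Mirror Md5PasswordEncoder with no salt: lowercase hex MD5 of the raw password."""
    return hashlib.md5(raw_password.encode("utf-8")).hexdigest()


def build_demo_db():
    """Assumed users/user_roles schema; user_pass stores the MD5 hex the encoder compares."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table users (user_name text primary key, user_pass text not null);
        create table user_roles (user_name text not null, role_name text not null);
    """)
    conn.executemany("insert into users values (?, ?)",
                     [("admin", md5_encode("admin-demo")), ("alice", md5_encode("alice-demo"))])
    # GeoServer's admin role name is hardcoded as ROLE_ADMINISTRATOR; ROLE_GIS is given to all users.
    conn.executemany("insert into user_roles values (?, ?)",
                     [("admin", "ROLE_ADMINISTRATOR"), ("admin", "ROLE_GIS"), ("alice", "ROLE_GIS")])
    return conn


def load_user(conn, username):
    """Return (username, enabled, sorted authorities) like JdbcDaoImpl, or None if unknown."""
    row = conn.execute(USERS_BY_USERNAME, (username,)).fetchone()
    if row is None:
        return None
    roles = sorted(r[1] for r in conn.execute(AUTHORITIES_BY_USERNAME, (username,)))
    return row[0], bool(row[2]), roles


def authenticate(conn, username, raw_password):
    """Constant-time compare of the stored MD5 hex with the hash of the supplied password."""
    row = conn.execute(USERS_BY_USERNAME, (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], md5_encode(raw_password))
```

Because the encoder is unsalted, identical passwords produce identical user_pass values, which is worth keeping in mind when reviewing the users table.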
