Now that I get the login popup in the browser for the first WMS request I can 
see that this will not be very pleasant for the user who has already been made 
to log in to my application.  According to several forum posts on the subject it 
is the HTTP header ‘WWW-Authenticate: Basic realm="GeoServer Realm"’ that causes 
this browser behavior.  Is there a way to tell GeoServer not to set the 
WWW-Authenticate response header when it sends HTTP 401?  Or is this something 
the “User-Agent”, that is, the browser, needs to deal with?  According to the 
HTTP spec a “User-Agent” can set the HTTP Authorization header with appropriate 
credentials in place of popping up a login dialog; however, the consensus in 
the dev community seems to be that preventing the browser from popping up the 
dialog is not currently possible unless the server deviates from the HTTP spec 
in some way (for example, if the server omits the WWW-Authenticate header).

Some forums suggest that it is becoming good practice for clients to set the 
HTTP header “X-Requested-With: XMLHttpRequest” as a hint to the server to not 
include the WWW-Authenticate header, and hence the browser would not pop up the 
login prompt.

Anybody have any good solutions for preventing the browser from popping up a 
login dialog in response to HTTP 401 from GeoServer and instead have the browser 
client (OpenLayers) respond with proper “Authorization” header?

Here’s an explanation of this web browser HTTP 401 problem:
http://www.freelock.com/2008/06/technical-note-http-auth-with-ajax

Here’s a Chrome issue that talks about this issue a bit more.
https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20Mstone%20ReleaseBlock%20OS%20Area%20Feature%20Status%20Owner%20Summary&groupby=&sort=&id=31582

For instance, could I put a Servlet Filter in GeoServer web.xml such that it 
causes the “WWW-Authenticate” header to not get set in certain situations?

--Steve
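
The servlet filter idea raised above, sketched as an added example that is not part of the original message and not GeoServer code: it leaves the 401 status intact but drops the `WWW-Authenticate` header for requests carrying `X-Requested-With: XMLHttpRequest`. The class name is hypothetical, and it assumes the filter is mapped in `web.xml` ahead of GeoServer's security filter chain so that the authentication code writes to the wrapped response.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter; name and web.xml placement are assumptions. */
public class SuppressBasicChallengeFilter implements Filter {

    @Override
    public void init(FilterConfig config) {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only script-initiated requests that announce themselves are affected;
        // ordinary navigation still receives the normal Basic challenge.
        if ("XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"))) {
            response = new HttpServletResponseWrapper(response) {
                @Override
                public void setHeader(String name, String value) {
                    if (!isChallenge(name)) super.setHeader(name, value);
                }

                @Override
                public void addHeader(String name, String value) {
                    if (!isChallenge(name)) super.addHeader(name, value);
                }
            };
        }
        // The status code (401) is untouched, so access control is unchanged;
        // only the header that triggers the browser dialog is withheld.
        chain.doFilter(request, response);
    }

    // HTTP header names are case-insensitive.
    private static boolean isChallenge(String name) {
        return "WWW-Authenticate".equalsIgnoreCase(name);
    }

    @Override
    public void destroy() {}
}
```

Requests the browser issues on its own, such as `<img>` tile loads, cannot carry a custom header and would still receive the challenge. The client must then handle the bare 401 itself and supply the `Authorization` header, which for Basic credentials should only travel over HTTPS.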

From: Stephen Brooke
Sent: Tuesday, August 12, 2014 10:14 AM
To: 'Christian Mueller'
Cc: Andrea Aime; geoserver-users@lists.sourceforge.net
Subject: RE: [Geoserver-users] After period of GeoServer inactivity client 
making WMS request gets HTTP 404 Not Found (pink no image tiles)

Hi Christian,

I tried opening a new browser window and making a WMS GetCapabilities request 
and it did not pop up a login panel, which I thought was strange.  I then used 
the filter chain tester tool in the GeoServer Web Admin and checked the WMS 
request URL and it said it was using the “default” filter which had both 
“anonymous” and “basic” authentication providers selected, so I removed the 
“anonymous” authentication provider.  After this I re-ran the test and the WMS 
request caused a login panel to pop up the first time I tried to access the 
resource.

I will try the scenario again to see if the timeout happens now that I have the 
correct “default” service chain filter in place.

--Steve

From: Christian Mueller [mailto:christian.muel...@os-solutions.at]
Sent: Tuesday, August 12, 2014 2:57 AM
To: Stephen Brooke
Cc: Andrea Aime; geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] After period of GeoServer inactivity client 
making WMS request gets HTTP 404 Not Found (pink no image tiles)

Hi Stephen

Can you try the following.

Open a browser and call an OGC service on a protected resource. The browser 
should pop up a login panel (for basic or digest auth). After login, the 
browser should send authentication header attributes for each request. To stop 
sending these attributes, you must close your browser because there is no 
explicit log out for stateless authentication.

AFAIK it is not possible to disable "session integration". Would be a new 
feature.

Christian

On Mon, Aug 11, 2014 at 6:58 PM, Stephen Brooke 
<sbro...@mdacorporation.com> wrote:
Andrea,

Here are some more details that should answer your questions:

>Session? As in HTTP one?
[Steve]: Yes I mean HTTP session

>OGC services should create a session to start with, unless you configured the 
>security otherwise, or you are using the same browser
>to admin and do OGC requests at the same time.
[Steve]: Yes, I am using the same browser to admin GeoServer and also to run a 
web client that uses OGC services.  I will try running the web client in a 
different browser and see if the problem is still reproducible in that case.

My web client can pass credentials each time so a session isn’t really needed 
for the OGC services.  Is there a stateless mode for the OGC services?  I see 
in the “GeoServer User Manual, Release 2.5-RC2” it states:

----------------------------------------
16.2.3 Authentication to OWS and REST services

“OWS and REST services are stateless and have no inherent awareness of 
“session”, so the authentication
scheme for these services requires the client to supply credentials on every 
request. That said, “session integration”
is supported, meaning that if a session already exists on the server (from a 
concurrent authenticated
web admin session) it will be used for authentication. This scheme allows 
GeoServer to avoid the overhead
of session creation for OWS and REST services.”
----------------------------------------

Is there a way to disable “session integration” for OGC services?

--Steve

From: andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] On Behalf Of 
Andrea Aime
Sent: Saturday, August 09, 2014 1:07 AM
To: Stephen Brooke
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] After period of GeoServer inactivity client 
making WMS request gets HTTP 404 Not Found (pink no image tiles)

On Fri, Aug 8, 2014 at 10:38 PM, Stephen Brooke 
<sbro...@mdacorporation.com> wrote:
I’m running GeoServer 2.5.1 with OpenLayers client making WMS requests and I 
have basic authentication turned on for all OGC services.

After a period (say 30 minutes) of GeoServer inactivity due to client 
inactivity, if the client is then used to make a WMS request it receives HTTP 
404 Not Found and I get the dreaded pink square tiles instead of my imagery 
tiles.  In the GeoServer log there are several warning log messages of the form:

08 Aug 20:23:03 WARN [servlet.PageNotFound] - No mapping found for HTTP request 
with URI [/geoserver/<workspace>/wms] in DispatcherServlet with name 
'dispatcher'


If I go to the GeoServer web admin console and login as administrator or simply 
refresh an existing timed-out session then the WMS requests work fine again.  
Does anyone know what I need to do to get GeoServer to not do this?

Session? As in HTTP one?
OGC services should create a session to start with, unless you configured the 
security otherwise, or you are using the same browser
to admin and do OGC requests at the same time.

Is this your case?

Can you provide more details on your setup?

Cheers
Andrea

--
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

------------------------------------------------------------------------------

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users



--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
