Hi Stephen

After the user is logged in to your application (OpenLayers) successfully, did you try to send an OGC request to GeoServer containing the proper basic auth headers in your JavaScript code, simulating a popup login? Not sure if this works, never tried.

Of course it would be possible to add a configuration option "Do not send WWW-Authenticate" to the filter, but this is not standard and as a consequence, I do not want to implement it. On the other side, it is possible to develop your own authentication filter as a plugin. The "authkey" module is a good example.

http://docs.geoserver.org/stable/en/user/community/authkey/index.html

Cheers
Christian

On Wed, Aug 13, 2014 at 6:26 PM, Stephen Brooke <sbro...@mdacorporation.com> wrote:

> Now that I get the login popup in the browser for the first WMS request
> I can see that this will not be very pleasant for the user who has already
> been made to login to my application. According to several forum posts on
> the subject it is the HTTP header ‘WWW-Authenticate:Basic realm="GeoServer
> Realm"’ that causes this browser behavior. Is there a way to tell
> GeoServer not to set the WWW-Authenticate response header when it sends
> HTTP 401? Or is this something the “User-Agent”, that is, the browser
> needs to deal with? According to the HTTP spec a “User-Agent” can set the
> HTTP Authorization header with appropriate credentials in place of popping
> up a login dialog, however, the consensus in the dev community seems to be
> that preventing the browser to popup the dialog is not currently possible
> unless the server deviates from the HTTP spec in some way (for example, if
> the server omits the WWW-Authenticate header).
>
> Some forums suggest that it is becoming good practice for clients to set
> the HTTP header “X-Requested-With: XMLHttpRequest” as a hint to the server
> to not include the WWW-Authenticate header, and hence the browser would not
> popup the login prompt.
>
> Anybody have any good solutions for preventing the browser to popup a
> login dialog in response to HTTP 401 from GeoServer and instead have the
> browser client (OpenLayers) respond with proper “Authorization” header?
>
> Here’s an explanation of this web browser HTTP 401 problem:
>
> http://www.freelock.com/2008/06/technical-note-http-auth-with-ajax
>
> Here’s a Chrome issue that talks about this issue a bit more.
>
> https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20Mstone%20ReleaseBlock%20OS%20Area%20Feature%20Status%20Owner%20Summary&groupby=&sort=&id=31582
>
> For instance could I put a Servlet Filter in GeoServer web.xml such that
> it causes the “WWW-Authenticate” header to not get set in certain situations?
>
> --Steve
>
> *From:* Stephen Brooke
> *Sent:* Tuesday, August 12, 2014 10:14 AM
> *To:* 'Christian Mueller'
> *Cc:* Andrea Aime; geoserver-users@lists.sourceforge.net
> *Subject:* RE: [Geoserver-users] After period of GeoServer inactivity
> client making WMS request gets HTTP 404 Not Found (pink no image tiles)
>
> Hi Christian,
>
> I tried opening a new browser window and making a WMS GetCapabilities
> request and it did not popup a login panel which I thought was strange. I
> then used the filter chain tester tool in the GeoServer Web Admin and
> checked the WMS request URL and it said it was using the “default” filter
> which had both “anonymous” and “basic” authentication providers selected so
> I removed the “anonymous” authentication provider. After this I re-ran the
> test and the WMS request caused a login panel to popup the first time I
> tried to access the resource.
>
> I will try the scenario again to see if the timeout happens now that I
> have the correct “default” service chain filter in place.
>
> --Steve
>
> *From:* Christian Mueller [mailto:christian.muel...@os-solutions.at
> <christian.muel...@os-solutions.at>]
> *Sent:* Tuesday, August 12, 2014 2:57 AM
> *To:* Stephen Brooke
> *Cc:* Andrea Aime; geoserver-users@lists.sourceforge.net
> *Subject:* Re: [Geoserver-users] After period of GeoServer inactivity
> client making WMS request gets HTTP 404 Not Found (pink no image tiles)
>
> Hi Stephen
>
> Can you try the following.
>
> Open a browser and call an OGC service on a protected resource. The browser
> should pop up a login panel (for basic or digest auth). After login, the
> browser should send authentication header attributes for each request. To
> stop sending these attributes, you must close your browser because there is
> no explicit log out for stateless authentication.
>
> AFAIK it is not possible to disable "session integration". Would be a new
> feature.
>
> Christian
>
> On Mon, Aug 11, 2014 at 6:58 PM, Stephen Brooke <
> sbro...@mdacorporation.com> wrote:
>
> Andrea,
>
> Here are some more details that should answer your questions:
>
> >Session? As in HTTP one?
>
> [Steve]: Yes I mean HTTP session
>
> >OGC services should create a session to start with, unless you configured
> the security otherwise, or you are using the same browser
> >to admin and do OGC requests at the same time.
>
> [Steve]: Yes, I am using the same browser to admin GeoServer and also to
> run a web client that uses OGC services. I will try running the web client
> in a different browser and see if the problem is still reproducible in that
> case.
>
> My web client can pass credentials each time so a session isn’t really
> needed for the OGC services. Is there a stateless mode for the OGC
> services? I see in the “GeoServer User Manual, Release 2.5-RC2” it states:
>
> ----------------------------------------
> *16.2.3 Authentication to OWS and REST services*
>
> “OWS and REST services are stateless and have no inherent awareness of
> “session”, so the authentication scheme for these services requires the
> client to supply credentials on every request. That said, “session
> integration” is supported, meaning that if a session already exists on the
> server (from a concurrent **authenticated web admin session**) it will be
> used for authentication. This scheme allows GeoServer to avoid the overhead
> of session creation for OWS and REST services.”
> ----------------------------------------
>
> Is there a way to disable “session integration” for OGC services?
>
> --Steve
>
> *From:* andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] *On Behalf
> Of* Andrea Aime
> *Sent:* Saturday, August 09, 2014 1:07 AM
> *To:* Stephen Brooke
> *Cc:* geoserver-users@lists.sourceforge.net
> *Subject:* Re: [Geoserver-users] After period of GeoServer inactivity
> client making WMS request gets HTTP 404 Not Found (pink no image tiles)
>
> On Fri, Aug 8, 2014 at 10:38 PM, Stephen Brooke <
> sbro...@mdacorporation.com> wrote:
>
> I’m running GeoServer 2.5.1 with OpenLayers client making WMS requests and
> I have basic authentication turned on for all OGC services.
>
> After a period (say 30 minutes) of GeoServer inactivity due to client
> inactivity, if the client is then used to make a WMS request it receives
> HTTP 404 Not Found and I get the dreaded pink square tiles instead of my
> imagery tiles. In the GeoServer log there are several warning log messages
> of the form:
>
> 08 Aug 20:23:03 WARN [servlet.PageNotFound] - No mapping found for HTTP
> request with URI [/geoserver/<workspace>/wms] in DispatcherServlet with
> name 'dispatcher'
>
> If I go to the GeoServer web admin console and login as administrator or
> simply refresh an existing timed-out session then the WMS requests work
> fine again. Does anyone know what I need to do to get GeoServer to not do
> this?
>
> Session? As in HTTP one?
>
> OGC services should create a session to start with, unless you configured
> the security otherwise, or you are using the same browser
> to admin and do OGC requests at the same time.
>
> Is this your case?
>
> Can you provide more details on your setup?
>
> Cheers
> Andrea
>
> --
> ==
> GeoServer Professional Services from the experts! Visit
> http://goo.gl/NWWaa2 for more information.
> ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054 Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39 339 8844549
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Geoserver-users mailing list
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
> --
> DI Christian Mueller MSc (GIS), MSc (IT-Security)
> OSS Open Source Solutions GmbH

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
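
The suggestion at the top of this message (the client attaches the Basic credentials itself, so GeoServer never has to answer with a 401 challenge), sketched as an added example; it is not code from the thread, from GeoServer or from OpenLayers. The base URL `https://maps.example.org/geoserver/`, the function names and the sample credentials are assumptions made for the illustration.

```javascript
// Added example (not from the thread). GEOSERVER_BASE is a hypothetical deployment URL.
const GEOSERVER_BASE = new URL("https://maps.example.org/geoserver/");

// Build the value of the Authorization header for Basic auth (RFC 7617):
// "user:password" is encoded as UTF-8 and then base64. This is encoding, not
// encryption, so the header must only ever travel over TLS.
function basicAuthHeader(user, password) {
  if (user.includes(":")) throw new Error("Basic auth user-id must not contain ':'");
  const bytes = new TextEncoder().encode(`${user}:${password}`);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return "Basic " + btoa(binary);
}

// Credentials may accompany a request only if it goes to the configured
// GeoServer over HTTPS. URL parsing normalises "../" segments first, so a
// crafted layer URL cannot carry the header to another path or origin.
function mayCarryCredentials(url) {
  const u = new URL(url, GEOSERVER_BASE);
  return u.protocol === "https:" &&
    u.origin === GEOSERVER_BASE.origin &&
    u.pathname.startsWith(GEOSERVER_BASE.pathname);
}

// Headers for one OGC request. X-Requested-With is the hint mentioned in the
// thread; it only has an effect if the server is set up to honour it.
function ogcRequestHeaders(url, user, password) {
  const headers = { "X-Requested-With": "XMLHttpRequest" };
  if (mayCarryCredentials(url)) headers.Authorization = basicAuthHeader(user, password);
  return headers;
}

// Fetch a WMS image with the credentials sent up front. credentials: "omit"
// keeps cookies (for example a web admin session) out of the request, so the
// explicit header is the only thing that authenticates it.
async function fetchWmsImage(url, user, password) {
  const target = new URL(url, GEOSERVER_BASE);
  const res = await fetch(target, {
    headers: ogcRequestHeaders(target.href, user, password),
    credentials: "omit",
  });
  if (res.status === 401) throw new Error("GeoServer rejected the supplied credentials");
  if (!res.ok) throw new Error(`WMS request failed with HTTP ${res.status}`);
  return res.blob();
}
```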