Hi Christian, Yes, after a user login into OpenLayers-based web client I can successfully make a WMS GetCapabilities request as I provided the correct “Authorization” header and this request was made by using the OpenLayers.Request() construct which uses XMLHttpRequest object underneath. However, even though I do this when OpenLayers makes WMS GetMap requests when I enable a certain layer the browser (latest versions of Chrome and Firefox) does not automatically send the credentials I provided with the previous request and I still get the browser login popup. From my online research it appears that you cannot send an “Authorization” header for these WMS requests with OpenLayers because it uses the HTML <img> tag. What did work is setting the URL for my layer to http://username:password@localhost:8080/geoserver/<workspace>/wms<http://username:password@localhost:8080/geoserver/%3cworkspace%3e/wms>, however this means I would need to send the password in plain text across the wire which is unacceptable.
Why doesn't the browser reuse the authorization headers after an authenticated XMLHttpRequest? http://stackoverflow.com/questions/20617720/why-doesnt-the-browser-reuse-the-authorization-headers-after-an-authenticated-x However, the solution proposed in the above stackoverflow question cannot be applied in this situation because the solution says to simply avoid using the <img> tag altogether and instead load images with JS XMLHttpRequest. The key problem I see here is that the browser will not send credentials until a credential challenge (HTTP 401 server response) is sent back by the server, and with little control over how OpenLayers renders the images from WMS GetMap request, it doesn’t appear that I can provide a custom handling for the HTTP 401 response to override this browser behavior on the client-side from Javascript when the request is not an XMLHttpRequest. I’ve looked at the “authKey” plugin and it looks like it might work out-of-the-box for me. I will attempt to try it today. Thanks, --Steve From: Christian Mueller [mailto:christian.muel...@os-solutions.at] Sent: Thursday, August 14, 2014 7:03 AM To: Stephen Brooke Cc: Andrea Aime; geoserver-users@lists.sourceforge.net Subject: Re: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles) Hi Stephen After the user is logged in into your application (open layers) successfully, did you try to send a OGC request to GeoServer containing the proper basic auth headers in your java script code simulating a popup login. Not sure if this works, never tried. Of course it would be possible to add a configuration option "Do not send WWW-Authenticate" to the filter, but this is not standard and as a consequence, I do not want to implement it. On the other side, it is possible to develop your own authentication filter as a plugin. The "authkey" module is a good example. http://docs.geoserver.org/stable/en/user/community/authkey/index.html Cheers Christian On Wed, Aug 13, 2014 at 6:26 PM, Stephen Brooke <sbro...@mdacorporation.com<mailto:sbro...@mdacorporation.com>> wrote: Now that I get the login popup in the browser for the first WMS request I can see that this will not be very pleasant for the user who has already been made to login to my application. According to several forum posts on the subject it is the HTTP header ‘WWW-Authenticate:Basic realm="GeoServer Realm“’ that causes this browser behavior. Is there a way to tell GeoServer not to set the WWW-Authenticate response header when it sends HTTP 401? Or is this something the “User-Agent”, that is, the browser needs to deal with? According to the HTTP spec a “User-Agent” can set the HTTP Authorization header with appropriate credentials in place of popping up a login dialog, however, the consensus in the dev community seems to be that preventing the browser to popup the dialog is not currently possible unless the server deviates from the HTTP spec in some way (for example, if the server omits the WWW-Authenticate header). Some forums suggest that it is becoming good practice for clients to set the HTTP header “X-Requested-With: XMLHttpRequest” as a hint to the server to not include the WWW-Authenticate header, and hence the browser would not popup the login prompt. Anybody have any good solutions for preventing the browser to popup a login dialog in response to HTTP 401 from GeoServer and instead have the browser client (OpenLayers) respond with proper “Authorization” header? Here’s an explanation of this web browser HTTP 401 problem: http://www.freelock.com/2008/06/technical-note-http-auth-with-ajax Here’s a Chrome issue that talks about this issue a bit more. https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20Mstone%20ReleaseBlock%20OS%20Area%20Feature%20Status%20Owner%20Summary&groupby=&sort=&id=31582 For instance could I put a Servlet Filter in GeoServer web.xml such that it causes the “WWW-Authenticate” header to not get set in certain situtions? --Steve From: Stephen Brooke Sent: Tuesday, August 12, 2014 10:14 AM To: 'Christian Mueller' Cc: Andrea Aime; geoserver-users@lists.sourceforge.net<mailto:geoserver-users@lists.sourceforge.net> Subject: RE: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles) Hi Christian, I tried opening a new browser window and making a WMS GetCapabilities request and it did not popup a login panel which I thought was strange. I then used the filter chain tester tool in the GeoServer Web Admin and checked the WMS request URL and it said it was using the “default” filter which had both “anonymous” and “basic” authentication providers selected so I removed the “anonymous” authentication provider. After this I re-ran the test and the WMS request caused a login panel to popup the first time I tried to access the resource. I will try the scenario again to see if the timeout happens now that I have the correct “default” service chain filter in place. --Steve From: Christian Mueller [mailto:christian.muel...@os-solutions.at] Sent: Tuesday, August 12, 2014 2:57 AM To: Stephen Brooke Cc: Andrea Aime; geoserver-users@lists.sourceforge.net<mailto:geoserver-users@lists.sourceforge.net> Subject: Re: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles) Hi Stephen Can you try the following. Open a browser and call a OGC service on a protected resource. The browser should pop up a login panel (for basic or digest auth). After login, the browser should send authentication header attributes for each request. To stop sending this attributes, you must close your browser because there is no explicit log out for stateless authentication. AFAIK it is not possible to disable "session integration". Would be a new feature. Christian On Mon, Aug 11, 2014 at 6:58 PM, Stephen Brooke <sbro...@mdacorporation.com<mailto:sbro...@mdacorporation.com>> wrote: Andrea, Here are some more details that should answer your questions: >Session? As in HTTP one? [Steve]: Yes I mean HTTP session >OGC services should create a session to start with, unless you configured the >security otherwise, or you are using the same browser >to admin and do OGC requests at the same time. [Steve]: Yes, I am using the same browser to admin GeoServer and also to run a web client that uses OGC services. I will try running the web client in a different browser and see if the problem is still reproducible in that case. My web client can pass credentials each time so a session isn’t really needed for the OGC services. Is there a stateless mode for the OGC services? I see in the “GeoServer User Manual, Release 2.5-RC2” it states: ---------------------------------------- 16.2.3 Authentication to OWS and REST services “OWS and REST services are stateless and have no inherent awareness of “session”, so the authentication scheme for these services requires the client to supply credentials on every request. That said, “session integration” is supported, meaning that if a session already exists on the server (from a concurrent authenticated web admin session) it will be used for authentication. This scheme allows GeoServer to avoid the overhead of session creation for OWS and REST services.” ---------------------------------------- Is there a way to disable “session integration” for OGC services? --Steve From: andrea.a...@gmail.com<mailto:andrea.a...@gmail.com> [mailto:andrea.a...@gmail.com<mailto:andrea.a...@gmail.com>] On Behalf Of Andrea Aime Sent: Saturday, August 09, 2014 1:07 AM To: Stephen Brooke Cc: geoserver-users@lists.sourceforge.net<mailto:geoserver-users@lists.sourceforge.net> Subject: Re: [Geoserver-users] After period of GeoServer inactivity client making WMS request gets HTTP 404 Not Found (pink no image tiles) On Fri, Aug 8, 2014 at 10:38 PM, Stephen Brooke <sbro...@mdacorporation.com<mailto:sbro...@mdacorporation.com>> wrote: I’m running GeoServer 2.5.1 with OpenLayers client making WMS requests and I have basic authentication turned on for all OGC services. After a period (say 30 minutes) of GeoServer inactivity due to client inactivity, if the client is then used to make a WMS request it receives HTTP 404 Not Found and I get the dreaded pink square tiles instead of my imagery tiles. In the GeoServer log there are several warning log messages of the form: 08 Aug 20:23:03 WARN [servlet.PageNotFound] - No mapping found for HTTP request with URI [/geoserver/<workspace>/wms] in DispatcherServlet with name 'dispatcher' If I go to the GeoServer web admin console and login as administrator or simply refresh an existing timed-out session then the WMS requests work fine again. Does anyone know what I need to do to get GeoServer to not do this? Session? As in HTTP one? OGC services should create a session to start with, unless you configured the security otherwise, or you are using the same browser to admin and do OGC requests at the same time. Is this your case? Can you provide more details on your setup? Cheers Andrea -- == GeoServer Professional Services from the experts! Visit http://goo.gl/NWWaa2 for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via Poggio alle Viti 1187 55054 Massarosa (LU) Italy phone: +39 0584 962313<tel:%2B39%200584%20962313> fax: +39 0584 1660272<tel:%2B39%200584%201660272> mob: +39 339 8844549<tel:%2B39%20%C2%A0339%208844549> http://www.geo-solutions.it http://twitter.com/geosolutions_it ------------------------------------------------------- ------------------------------------------------------------------------------ _______________________________________________ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net<mailto:Geoserver-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/geoserver-users -- DI Christian Mueller MSc (GIS), MSc (IT-Security) OSS Open Source Solutions GmbH -- DI Christian Mueller MSc (GIS), MSc (IT-Security) OSS Open Source Solutions GmbH
------------------------------------------------------------------------------
_______________________________________________ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users
