Hi Stephen Using http://username:password@localhost:8080/geoserver/<workspace>/wms sends the password in plain text. If you are using basic auth, the password is sent Base64 encoded. Concerning security, Base64 encoding is the same as plain text. Both methods require HTTPS.
Even the form based login of the Web GUI sends the password in plain text. If HTTPS is not an option to you, you should switch to digest auth. Digest auth never sends the password over the wire but behaves likes basic auth. Let me know about your experience with the auth key module, I am planing to migrate this custom extension to an official GeoServer extension. Christian On Thu, Aug 14, 2014 at 7:05 PM, Stephen Brooke <sbro...@mdacorporation.com> wrote: > Hi Christian, > > > > Yes, after a user login into OpenLayers-based web client I can > successfully make a WMS GetCapabilities request as I provided the correct > “Authorization” header and this request was made by using the > OpenLayers.Request() construct which uses XMLHttpRequest object > underneath. However, even though I do this when OpenLayers makes WMS > GetMap requests when I enable a certain layer the browser (latest versions > of Chrome and Firefox) does not automatically send the credentials I > provided with the previous request and I still get the browser login > popup. From my online research it appears that you cannot send an > “Authorization” header for these WMS requests with OpenLayers because it > uses the HTML <img> tag. What did work is setting the URL for my layer to > http://username:password@localhost:8080/geoserver/<workspace>/wms, > however this means I would need to send the password in plain text across > the wire which is unacceptable. > > > > *Why doesn't the browser reuse the authorization headers after an > authenticated XMLHttpRequest?* > > > http://stackoverflow.com/questions/20617720/why-doesnt-the-browser-reuse-the-authorization-headers-after-an-authenticated-x > > > > However, the solution proposed in the above stackoverflow question cannot > be applied in this situation because the solution says to simply avoid > using the <img> tag altogether and instead load images with JS > XMLHttpRequest. > > > > > > The key problem I see here is that the browser will not send credentials > until a credential challenge (HTTP 401 server response) is sent back by the > server, and with little control over how OpenLayers renders the images from > WMS GetMap request, it doesn’t appear that I can provide a custom handling > for the HTTP 401 response to override this browser behavior on the > client-side from Javascript when the request is not an XMLHttpRequest. > > > > I’ve looked at the “authKey” plugin and it looks like it might work > out-of-the-box for me. I will attempt to try it today. > > > > Thanks, > > --Steve > > > > *From:* Christian Mueller [mailto:christian.muel...@os-solutions.at] > *Sent:* Thursday, August 14, 2014 7:03 AM > > *To:* Stephen Brooke > *Cc:* Andrea Aime; geoserver-users@lists.sourceforge.net > *Subject:* Re: [Geoserver-users] After period of GeoServer inactivity > client making WMS request gets HTTP 404 Not Found (pink no image tiles) > > > > Hi Stephen > > > > After the user is logged in into your application (open layers) > successfully, did you try to send a OGC request to GeoServer containing the > proper basic auth headers in your java script code simulating a popup > login. Not sure if this works, never tried. > > > > Of course it would be possible to add a configuration option "Do not send > WWW-Authenticate" to the filter, but this is not standard and as a > consequence, I do not want to implement it. > > > > On the other side, it is possible to develop your own authentication > filter as a plugin. The "authkey" module is a good example. > > http://docs.geoserver.org/stable/en/user/community/authkey/index.html > > > > Cheers > > Christian > > > > > > > > > > > > > > > > On Wed, Aug 13, 2014 at 6:26 PM, Stephen Brooke < > sbro...@mdacorporation.com> wrote: > > Now that I get the login popup in the browser for the first WMS request I > can see that this will not be very pleasant for the user who has already > been made to login to my application. According to several forum posts on > the subject it is the HTTP header ‘WWW-Authenticate:Basic realm="GeoServer > Realm“’ that causes this browser behavior. Is there a way to tell > GeoServer not to set the WWW-Authenticate response header when it sends > HTTP 401? Or is this something the “User-Agent”, that is, the browser > needs to deal with? According to the HTTP spec a “User-Agent” can set the > HTTP Authorization header with appropriate credentials in place of popping > up a login dialog, however, the consensus in the dev community seems to be > that preventing the browser to popup the dialog is not currently possible > unless the server deviates from the HTTP spec in some way (for example, if > the server omits the WWW-Authenticate header). > > > > Some forums suggest that it is becoming good practice for clients to set > the HTTP header “X-Requested-With: XMLHttpRequest” as a hint to the server > to not include the WWW-Authenticate header, and hence the browser would not > popup the login prompt. > > > > Anybody have any good solutions for preventing the browser to popup a > login dialog in response to HTTP 401 from GeoServer and instead have the > browser client (OpenLayers) respond with proper “Authorization” header? > > > > Here’s an explanation of this web browser HTTP 401 problem: > > http://www.freelock.com/2008/06/technical-note-http-auth-with-ajax > > > > Here’s a Chrome issue that talks about this issue a bit more. > > > https://code.google.com/p/chromium/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Pri%20Mstone%20ReleaseBlock%20OS%20Area%20Feature%20Status%20Owner%20Summary&groupby=&sort=&id=31582 > > > > For instance could I put a Servlet Filter in GeoServer web.xml such that > it causes the “WWW-Authenticate” header to not get set in certain situtions? > > > > --Steve > > > > *From:* Stephen Brooke > *Sent:* Tuesday, August 12, 2014 10:14 AM > *To:* 'Christian Mueller' > *Cc:* Andrea Aime; geoserver-users@lists.sourceforge.net > *Subject:* RE: [Geoserver-users] After period of GeoServer inactivity > client making WMS request gets HTTP 404 Not Found (pink no image tiles) > > > > Hi Christian, > > > > I tried opening a new browser window and making a WMS GetCapabilities > request and it did not popup a login panel which I thought was strange. I > then used the filter chain tester tool in the GeoServer Web Admin and > checked the WMS request URL and it said it was using the “default” filter > which had both “anonymous” and “basic” authentication providers selected so > I removed the “anonymous” authentication provider. After this I re-ran the > test and the WMS request caused a login panel to popup the first time I > tried to access the resource. > > > > I will try the scenario again to see if the timeout happens now that I > have the correct “default” service chain filter in place. > > > > --Steve > > > > *From:* Christian Mueller [mailto:christian.muel...@os-solutions.at > <christian.muel...@os-solutions.at>] > *Sent:* Tuesday, August 12, 2014 2:57 AM > *To:* Stephen Brooke > *Cc:* Andrea Aime; geoserver-users@lists.sourceforge.net > > > *Subject:* Re: [Geoserver-users] After period of GeoServer inactivity > client making WMS request gets HTTP 404 Not Found (pink no image tiles) > > > > Hi Stephen > > > > Can you try the following. > > > > Open a browser and call a OGC service on a protected resource. The browser > should pop up a login panel (for basic or digest auth). After login, the > browser should send authentication header attributes for each request. To > stop sending this attributes, you must close your browser because there is > no explicit log out for stateless authentication. > > > > AFAIK it is not possible to disable "session integration". Would be a new > feature. > > > > Christian > > > > On Mon, Aug 11, 2014 at 6:58 PM, Stephen Brooke < > sbro...@mdacorporation.com> wrote: > > Andrea, > > > > Here are some more details that should answer your questions: > > > > >Session? As in HTTP one? > > [Steve]: Yes I mean HTTP session > > > > >OGC services should create a session to start with, unless you configured > the security otherwise, or you are using the same browser > > >to admin and do OGC requests at the same time. > > [Steve]: Yes, I am using the same browser to admin GeoServer and also to > run a web client that uses OGC services. I will try running the web client > in a different browser and see if the problem is still reproducible in that > case. > > > > My web client can pass credentials each time so a session isn’t really > needed for the OGC services. Is there a stateless mode for the OGC > services? I see in the “GeoServer User Manual, Release 2.5-RC2” it states: > > > > ---------------------------------------- > > *16.2.3 Authentication to OWS and REST services* > > > > *“OWS and REST services are stateless and have no inherent awareness of > “session”, so the authentication* > > *scheme for these services requires the client to supply credentials on > every request. That said, “session integration”* > > *is supported, meaning that if a session already exists on the server > (from a concurrent **authenticated* > > *web admin session**) it will be used for authentication. This scheme > allows GeoServer to avoid the overhead* > > *of session creation for OWS and REST services.”* > > ---------------------------------------- > > > > Is there a way to disable “session integration” for OGC services? > > > > --Steve > > > > *From:* andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] *On Behalf > Of *Andrea Aime > *Sent:* Saturday, August 09, 2014 1:07 AM > *To:* Stephen Brooke > *Cc:* geoserver-users@lists.sourceforge.net > *Subject:* Re: [Geoserver-users] After period of GeoServer inactivity > client making WMS request gets HTTP 404 Not Found (pink no image tiles) > > > > On Fri, Aug 8, 2014 at 10:38 PM, Stephen Brooke < > sbro...@mdacorporation.com> wrote: > > I’m running GeoServer 2.5.1 with OpenLayers client making WMS requests and > I have basic authentication turned on for all OGC services. > > > > After a period (say 30 minutes) of GeoServer inactivity due to client > inactivity, if the client is then used to make a WMS request it receives > HTTP 404 Not Found and I get the dreaded pink square tiles instead of my > imagery tiles. In the GeoServer log there are several warning log messages > of the form: > > > > 08 Aug 20:23:03 WARN [servlet.PageNotFound] - No mapping found for HTTP > request with URI [/geoserver/<workspace>/wms] in DispatcherServlet with > name 'dispatcher' > > > > > > If I go to the GeoServer web admin console and login as administrator or > simply refresh an existing timed-out session then the WMS requests work > fine again. Does anyone know what I need to do to get GeoServer to not do > this? > > > > Session? As in HTTP one? > > OGC services should create a session to start with, unless you configured > the security otherwise, or you are using the same browser > > to admin and do OGC requests at the same time. > > > > Is this your case? > > > > Can you provide more details on your setup? > > > > Cheers > > Andrea > > > > -- > > == > > GeoServer Professional Services from the experts! Visit > > http://goo.gl/NWWaa2 for more information. > > == > > > > Ing. Andrea Aime > > @geowolf > > Technical Lead > > > > GeoSolutions S.A.S. > > Via Poggio alle Viti 1187 > > 55054 Massarosa (LU) > > Italy > > phone: +39 0584 962313 > > fax: +39 0584 1660272 > > mob: +39 339 8844549 > > > > http://www.geo-solutions.it > > http://twitter.com/geosolutions_it > > > > ------------------------------------------------------- > > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Geoserver-users mailing list > Geoserver-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-users > > > > > > -- > > DI Christian Mueller MSc (GIS), MSc (IT-Security) > > OSS Open Source Solutions GmbH > > > > > > > > -- > > DI Christian Mueller MSc (GIS), MSc (IT-Security) > > OSS Open Source Solutions GmbH > > > -- DI Christian Mueller MSc (GIS), MSc (IT-Security) OSS Open Source Solutions GmbH
------------------------------------------------------------------------------
_______________________________________________ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users
