The issue I am solving currently is authenticating from Leaflet to
GeoServer. There is this post
<https://stackoverflow.com/questions/44640905/how-make-geoserver-and-leaflet-secure-in-a-web-applciation>
and
I'm pretty sure that is what I need to do but I don't completely understand
it. It doesn't really have much detail.
I am not completely sure what the difference is between these two things
from this documentation
<https://docs.geoserver.org/latest/en/user/security/tutorials/index.html>:

   - Configuring HTTP Header Proxy Authentication
   - Configuring Apache HTTPD Session Integration

My architecture is that Leaflet is hosted in Apache httpd and we are using
Apache session variables to authenticate users into the site. GeoServer is
hosted on a different virtual machine. This user session variable is saved
as a cookie and can be retrieved from the system.

We are passing the session variables to PostgreSQL through PHP to establish
a PDO connection such as:

# -------------------
# CREATE PDO
# -------------------
$host = 'geoserver.myHost.com';
$port = '5432';
$db   = 'myDB';

parse_str($_SERVER['HTTP_SESSION'], $SESSION);
$user = $SESSION['LDAP_secured-user'];
$pass = $SESSION['LDAP_secured-pw'];

$dsn = "pgsql:host=$host;dbname=$db;port=$port";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];
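try {
     $pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
     # Re-throw with only the message and code, so the stack trace of the
     # original exception (which can include the credentials) is not exposed.
     throw new \PDOException($e->getMessage(), (int)$e->getCode());
}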

For the WMS we are using the leaflet.wms.js plugin.
So my goal is to somehow authenticate the user to GeoServer using the
Apache session variable from the web server. As far as I understand this
can happen in two different ways:

   1. The user credentials can be passed with the URL
   2. The user can be authenticated to GeoServer on the back end. This is
   the PREFERRED method as:
      1. It is more secure as user credentials are not being passed in the
      URL
      2. User can be authenticated once per session instead of with each
      request
      3. Since the specific user is authenticated, GeoServer data security
      rules apply. If it is actually not possible to authenticate the specific
      user but the authentication happens server to server then we could manage
      this through a secondary permissions table which specifies the user role.

Thanks much,
Vera
_______________________________________________
Geoserver-users mailing list

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
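
Added example, not part of the original message and not GeoServer's own code: a sketch of the back-end option (2) as a small PHP proxy on the Apache web server that Leaflet would use as its WMS URL, passing only the session's user name to GeoServer in a request header as in the HTTP Header Proxy Authentication tutorial. The script name, the header name X-Auth-User and the /geoserver/wms path are assumptions, and GeoServer must accept connections only from this web server, otherwise any client could send the header itself.

```php
<?php
// Added example (hypothetical wms-proxy.php), not code from the original post.
// Assumed: the header name, the /geoserver/wms path, and that GeoServer
// accepts connections only from this web server.
const GEOSERVER_WMS = 'https://geoserver.myHost.com/geoserver/wms';
const USER_HEADER   = 'X-Auth-User'; // must equal GeoServer's configured header name
const WMS_PARAMS    = ['service', 'version', 'request', 'layers', 'styles', 'bbox',
    'width', 'height', 'srs', 'crs', 'format', 'transparent', 'query_layers',
    'info_format', 'x', 'y', 'i', 'j', 'feature_count'];

// Returns [url, headers] for the upstream call, or null if there is no valid user.
function buildUpstream(array $query, string $sessionHeader): ?array
{
    parse_str($sessionHeader, $session);
    $user = $session['LDAP_secured-user'] ?? '';
    // Strict allowlist blocks CR/LF header injection and empty identities.
    if (!is_string($user) || !preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $user)) {
        return null;
    }
    // Forward only known WMS parameters; the password never leaves this server.
    $wms = array_filter($query, fn($k) => in_array(strtolower((string)$k), WMS_PARAMS, true),
        ARRAY_FILTER_USE_KEY);
    return [GEOSERVER_WMS . '?' . http_build_query($wms), [USER_HEADER . ': ' . $user]];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: session strings and a Leaflet-style GetMap query
    // carrying two non-WMS parameters that must be dropped.
    $q = ['service' => 'WMS', 'request' => 'GetMap', 'layers' => 'ws:roads',
          'username' => 'admin', 'password' => 'x'];
    var_dump(buildUpstream($q, 'LDAP_secured-user=vera&LDAP_secured-pw=secret'));
    var_dump(buildUpstream($q, 'LDAP_secured-user=vera%0d%0aX-Auth-User: admin'));
    exit;
}

$up = buildUpstream($_GET, $_SERVER['HTTP_SESSION'] ?? '');
if ($up === null) {
    http_response_code(401);
    exit;
}
$ch = curl_init($up[0]);
curl_setopt_array($ch, [CURLOPT_HTTPHEADER => $up[1], CURLOPT_RETURNTRANSFER => true]);
$body = curl_exec($ch);
if ($body === false) {
    http_response_code(502);
    exit;
}
http_response_code(curl_getinfo($ch, CURLINFO_RESPONSE_CODE));
header('Content-Type: ' . (curl_getinfo($ch, CURLINFO_CONTENT_TYPE) ?: 'application/octet-stream'));
echo $body;
```

Run from the command line, the first call prints the upstream URL with only the three WMS parameters plus the user header, and the second prints NULL because the user value contains a line break.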
