Thanks Phil, yes I control the GeoServer and everything about the system.

On Thu, Jun 11, 2020 at 4:00 PM Phil Scadden <p.scad...@gns.cri.nz> wrote:
> I have only ever used public geoserver instances, but I have had to use
> leaflet to access protected ArcGIS servers. The process there is:
>
> 1/ At start of session, backend authenticates against AGS and receives a
> token (session-limited credentials).
>
> 2/ The token is passed by Leaflet with every call to the AGS server (just
> adding it to layer params when setting up the layer).
>
> Do you control the geoserver server?
>
> The other thing I have had to deal with is a hidden geoserver – the geoserver
> is set up as “public” (no authentication required), but only accessible via
> an authenticating proxy. After examining a few options, I wrote the proxy
> myself as it fitted within a larger service supporting the mapping
> application.
>
> *From:* Vera Green <vera.green...@gmail.com>
> *Sent:* Friday, 12 June 2020 03:40
> *To:* GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
> *Cc:* John Poole <jdpo...@gmail.com>; Rob Jones <r...@lions.com>
> *Subject:* [Geoserver-users] Leaflet to GeoServer Authentication
>
> The issue I am solving currently is authenticating from Leaflet to
> GeoServer. There is this post
> <https://stackoverflow.com/questions/44640905/how-make-geoserver-and-leaflet-secure-in-a-web-applciation>
> and I'm pretty sure that is what I need to do but I don't completely
> understand it. It doesn't really have much detail.
>
> I am not completely sure what the difference is between these two things
> from this documentation
> <https://docs.geoserver.org/latest/en/user/security/tutorials/index.html>:
>
> - Configuring HTTP Header Proxy Authentication
> - Configuring Apache HTTPD Session Integration
>
> My architecture is that leaflet is hosted in apache httpd and we are using
> apache session variables to authenticate users into the site. GeoServer is
> hosted on a different virtual machine. This user session variable is saved
> as a cookie and can be retrieved from the system.
>
> We are passing the session variables to PostgreSQL through PHP to
> establish a PDO connection such as:
>
> # -------------------
> # CREATE PDO
> # -------------------
> $host = 'geoserver.myHost.com';
> $port = '5432';
> $db = 'myDB';
>
> // Credentials come from the Apache session exposed to PHP as HTTP_SESSION
> parse_str($_SERVER['HTTP_SESSION'], $SESSION);
> $user = $SESSION['LDAP_secured-user'];
> $pass = $SESSION['LDAP_secured-pw'];
>
> $dsn = "pgsql:host=$host;dbname=$db;port=$port";
> $options = [
>     PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
>     PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
>     PDO::ATTR_EMULATE_PREPARES => false,
> ];
> try {
>     $pdo = new PDO($dsn, $user, $pass, $options);
> } catch (\PDOException $e) {
>     throw new \PDOException($e->getMessage(), (int)$e->getCode());
> }
>
> For the WMS we are using the leaflet.wms.js plugin.
>
> So my goal is to somehow authenticate the user to GeoServer using the
> apache session variable from the web server. As far as I understand this
> can happen in two different ways:
>
> 1. The user credentials can be passed with the URL
> 2. The user can be authenticated to GeoServer on the back end. This is
>    the PREFERRED method as:
>
>    1. It is more secure as user credentials are not being passed in the
>       URL
>    2. User can be authenticated once per session instead of with each
>       request
>    3. Since the specific user is authenticated, GeoServer data
>       security rules apply. If it is actually not possible to authenticate
>       the specific user but the authentication happens server to server
>       then we could manage this through a secondary permissions table
>       which specifies the user role.
>
> Thanks much,
>
> Vera
>
> Notice: This email and any attachments are confidential and may not be
> used, published or redistributed without the prior written consent of the
> Institute of Geological and Nuclear Sciences Limited (GNS Science). If
> received in error please destroy and immediately notify GNS Science. Do not
> copy or disclose the contents.
> _______________________________________________
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
>   http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
>   http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
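
The authenticating-proxy arrangement described in the quoted reply, written for the Apache/PHP setup in the original question. This is an added example, not code from the thread or from GeoServer; the script name, upstream URL, header name and parameter allow-list are assumptions, and it presumes GeoServer is configured to trust that header and is reachable only from the web server.

```php
<?php
// wms-proxy.php: hypothetical same-origin endpoint that Leaflet's WMS layer points at.
// Assumed values (placeholders, not from the thread): upstream URL, header name, allow-list.
const GEOSERVER_WMS   = 'http://geoserver.internal.example:8080/geoserver/wms';
const IDENTITY_HEADER = 'X-Proxy-User'; // must match the header GeoServer is set to trust
const ALLOWED_PARAMS  = ['service', 'version', 'request', 'layers', 'styles', 'format',
    'transparent', 'crs', 'srs', 'bbox', 'width', 'height', 'query_layers',
    'info_format', 'feature_count', 'i', 'j', 'x', 'y'];

// Rebuild the query from an allow-list; anything else the browser sent is dropped.
function build_upstream_url(array $query): string
{
    $clean = [];
    foreach ($query as $name => $value) {
        $name = strtolower((string) $name);
        if (is_string($value) && in_array($name, ALLOWED_PARAMS, true)) {
            $clean[$name] = $value;
        }
    }
    $clean['service'] = 'WMS'; // this endpoint exposes WMS only
    return GEOSERVER_WMS . '?' . http_build_query($clean);
}

// Identity comes from the Apache session only, never from a request parameter.
parse_str($_SERVER['HTTP_SESSION'] ?? '', $session);
$user = $session['LDAP_secured-user'] ?? '';
// \A...\z anchors reject embedded CR/LF, which would allow header injection.
if (!is_string($user) || !preg_match('/\A[A-Za-z0-9._@-]{1,64}\z/', $user)) {
    http_response_code(401);
    exit('Not authenticated');
}

// The upstream request is built from scratch, so a client-supplied identity header
// is never forwarded, and the user's password never leaves the web server.
$ch = curl_init(build_upstream_url($_GET));
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_TIMEOUT        => 30,
    CURLOPT_HTTPHEADER     => [IDENTITY_HEADER . ': ' . $user],
]);
$body = curl_exec($ch);
if ($body === false) {
    http_response_code(502);
    exit('Upstream error');
}
http_response_code(curl_getinfo($ch, CURLINFO_RESPONSE_CODE));
header('Content-Type: ' . (curl_getinfo($ch, CURLINFO_CONTENT_TYPE) ?: 'application/octet-stream'));
echo $body;
```

With this in place the Leaflet WMS layer URL is the proxy path on the web server rather than the GeoServer host, so the browser only ever presents its existing session cookie.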