Re: [Geoserver-users] Leaflet to GeoServer Authentication

2020-06-11 Thread Vera Green
Thanks Phil, yes I control the GeoServer and everything about the system.

On Thu, Jun 11, 2020 at 4:00 PM Phil Scadden wrote:

> I have only ever used public geoserver instances, but I have had to use
> leaflet to access protected ArcGIS servers. The process there is:
>
> 1/ At start of session, backend authenticates against AGS and receives a
> token (session-limited credentials).
>
> 2/ the token is passed by Leaflet with every call to the AGS server. (just
> adding it to layer params when setting up the layer).
>
>
>
> Do you control the geoserver server?
>
>
>
> The other thing I have had to deal with is a hidden geoserver – the geoserver
> is set up as “public” (no authentication required), but only accessible via
> an authenticating proxy. After examining a few options, I wrote the proxy
> myself as it fitted within a larger service supporting the mapping
> application.
>
>
>
> *From:* Vera Green 
> *Sent:* Friday, 12 June 2020 03:40
> *To:* GeoServer Mailing List List 
> *Cc:* John Poole ; Rob Jones 
> *Subject:* [Geoserver-users] Leaflet to GeoServer Authentication
>
>
>
> The issue I am solving currently is authenticating from Leaflet to
> GeoServer. There is this post
> <https://stackoverflow.com/questions/44640905/how-make-geoserver-and-leaflet-secure-in-a-web-applciation>
>  and
> I'm pretty sure that is what I need to do but I don't completely understand
> it. It doesn't really have much detail.
>
> I am not completely sure what the difference is between these two things
> from this documentation
> <https://docs.geoserver.org/latest/en/user/security/tutorials/index.html>:
>
> - Configuring HTTP Header Proxy Authentication
> - Configuring Apache HTTPD Session Integration
>
> My architecture is that leaflet is hosted in apache httpd and we are using
> apache session variables to authenticate users into the site. GeoServer is
> hosted on a different virtual machine. This user session variable is saved
> as a cookie and can be retrieved from the system.
>
>
>
> We are passing the session variables to PostgreSQL through PHP to
> establish a PDO connection such as:
>
> # ---
> # CREATE PDO
> # ---
> $host = 'geoserver.myHost.com';
> $port = '5432';
> $db   = 'myDB';
>
> # Decode the Apache session string into an array
> parse_str($_SERVER['HTTP_SESSION'], $SESSION);
> $user = $SESSION['LDAP_secured-user'];
> $pass = $SESSION['LDAP_secured-pw'];
>
> $dsn = "pgsql:host=$host;dbname=$db;port=$port";
> $options = [
>     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
>     PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
>     PDO::ATTR_EMULATE_PREPARES   => false,
> ];
> try {
>     $pdo = new PDO($dsn, $user, $pass, $options);
> } catch (\PDOException $e) {
>     throw new \PDOException($e->getMessage(), (int)$e->getCode());
> }
>
> For the WMS we are using the leaflet.wms.js plugin.
>
> So my goal is to somehow authenticate the user to GeoServer using the
> apache session variable from the web server. As far as I understand this
> can happen in two different ways:
>
> 1. The user credentials can be passed with the URL
> 2. The user can be authenticated to GeoServer on the back end. This is
>    the PREFERRED method as:
>
>    1. It is more secure as user credentials are not being passed in the
>       URL
>    2. User can be authenticated once per session instead of with each
>       request
>    3. Since the specific user is authenticated, GeoServer data
>       security rules apply. If it is actually not possible to
>       authenticate the specific user but the authentication happens
>       server to server then we could manage this through a secondary
>       permissions table which specifies the user role.
>
> Thanks much,
>
> Vera
> Notice: This email and any attachments are confidential and may not be
> used, published or redistributed without the prior written consent of the
> Institute of Geological and Nuclear Sciences Limited (GNS Science). If
> received in error please destroy and immediately notify GNS Science. Do not
> copy or disclose the contents.
> ___
> Geoserver-users mailing list
>
> Please make sure you read the following two resources before posting to
> this list:
> - Earning your support instead of buying it, by Ian Turton:
> http://www.ianturton.com/talks/foss4g.html#/
> - The GeoServer user list posting guidelines:
> http://geoserver.org/comm/userlist-guidelines.html
>
> If you want to request a feature or an improvement, also see this:
> https://github.com/geoserver/geoserver/wiki/Successfully-requ

Re: [Geoserver-users] Leaflet to GeoServer Authentication

2020-06-11 Thread Phil Scadden
I have only ever used public geoserver instances, but I have had to use leaflet 
to access protected ArcGIS servers. The process there is:
1/ At start of session, backend authenticates against AGS and receives a token 
(session-limited credentials).
2/ the token is passed by Leaflet with every call to the AGS server. (just 
adding it to layer params when setting up the layer).

Do you control the geoserver server?

The other thing I have had to deal with is a hidden geoserver – the geoserver is 
set up as “public” (no authentication required), but only accessible via an 
authenticating proxy. After examining a few options, I wrote the proxy myself 
as it fitted within a larger service supporting the mapping application.

From: Vera Green 
Sent: Friday, 12 June 2020 03:40
To: GeoServer Mailing List List 
Cc: John Poole ; Rob Jones 
Subject: [Geoserver-users] Leaflet to GeoServer Authentication

The issue I am solving currently is authenticating from Leaflet to GeoServer. 
There is this post 
<https://stackoverflow.com/questions/44640905/how-make-geoserver-and-leaflet-secure-in-a-web-applciation> 
and I'm pretty sure that is what I need to do but I don't completely 
understand it. It doesn't really have much detail.
I am not completely sure what the difference is between these two things from 
this documentation 
<https://docs.geoserver.org/latest/en/user/security/tutorials/index.html>:

  *   Configuring HTTP Header Proxy Authentication
  *   Configuring Apache HTTPD Session Integration

My architecture is that leaflet is hosted in apache httpd and we are using 
apache session variables to authenticate users into the site. GeoServer is 
hosted on a different virtual machine. This user session variable is saved as a 
cookie and can be retrieved from the system.

We are passing the session variables to PostgreSQL through PHP to establish a 
PDO connection such as:

# ---
# CREATE PDO
# ---
$host = 'geoserver.myHost.com';
$port = '5432';
$db   = 'myDB';

# Decode the Apache session string into an array
parse_str($_SERVER['HTTP_SESSION'], $SESSION);
$user = $SESSION['LDAP_secured-user'];
$pass = $SESSION['LDAP_secured-pw'];

$dsn = "pgsql:host=$host;dbname=$db;port=$port";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];
try {
    $pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
    throw new \PDOException($e->getMessage(), (int)$e->getCode());
}

For the WMS we are using the leaflet.wms.js plugin.
So my goal is to somehow authenticate the user to GeoServer using the apache 
session variable from the web server. As far as I understand this can happen in 
two different ways:

  1.  The user credentials can be passed with the URL
  2.  The user can be authenticated to GeoServer on the back end. This is the 
      PREFERRED method as:

      *   It is more secure as user credentials are not being passed in the URL
      *   User can be authenticated once per session instead of with each request
      *   Since the specific user is authenticated, GeoServer data security 
          rules apply. If it is actually not possible to authenticate the 
          specific user but the authentication happens server to server then we 
          could manage this through a secondary permissions table which 
          specifies the user role.

Thanks much,
Vera
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
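
Added example (not part of the thread and not Phil's proxy): a sketch of the request rewriting an authenticating proxy of the kind described above would do before forwarding to a GeoServer that trusts a user-name header, as in HTTP Header Proxy Authentication. The header name, cookie name, upstream address, session store and list of credential parameters are all assumptions.

```javascript
'use strict';
// All names below are assumptions for this sketch, not values from the thread.
const GEOSERVER_ORIGIN = 'http://geoserver.internal:8080'; // reachable only from the proxy
const USER_HEADER = 'x-geoserver-user'; // must match the header GeoServer is configured to trust
const SESSION_COOKIE = 'session';
const CREDENTIAL_PARAMS = new Set(['username', 'password', 'authkey', 'token']);
const STRIP_HEADERS = new Set([USER_HEADER, 'authorization', 'cookie', 'host']);

// Constructed session store: session id -> user name set at login.
const sessions = new Map([['s3ss10n-abc', 'vera']]);

function sessionIdFromCookie(cookieHeader = '') {
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === SESSION_COOKIE) return rest.join('=');
  }
  return null;
}

// req: { url, headers } with lower-cased header names, as Node's http module delivers them.
// Returns { status } on refusal, or { status: 200, url, headers } for the upstream call.
function buildUpstreamRequest(req) {
  const user = sessions.get(sessionIdFromCookie(req.headers.cookie));
  if (!user) return { status: 401 }; // no valid site session, nothing is forwarded

  // URL parsing resolves "../" first, so the prefix check sees the real path.
  const incoming = new URL(req.url, 'http://proxy.invalid');
  if (!incoming.pathname.startsWith('/geoserver/')) return { status: 404 };

  const upstream = new URL(incoming.pathname, GEOSERVER_ORIGIN);
  for (const [key, value] of incoming.searchParams) {
    // Credentials never travel in the URL, where logs and Referer headers would keep them.
    if (!CREDENTIAL_PARAMS.has(key.toLowerCase())) upstream.searchParams.append(key, value);
  }

  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    // Drop any client-supplied identity header so a browser cannot claim to be another user.
    if (!STRIP_HEADERS.has(name.toLowerCase())) headers[name.toLowerCase()] = value;
  }
  headers[USER_HEADER] = user; // identity comes from the server-side session only
  return { status: 200, url: upstream.href, headers };
}
```

This only holds if GeoServer accepts connections from the proxy alone; anyone who can reach it directly can set the trusted header themselves.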


[Geoserver-users] Leaflet to GeoServer Authentication

2020-06-11 Thread Vera Green
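The issue I am solving currently is authenticating from Leaflet to
GeoServer. There is this post
<https://stackoverflow.com/questions/44640905/how-make-geoserver-and-leaflet-secure-in-a-web-applciation>
and I'm pretty sure that is what I need to do but I don't completely understand
it. It doesn't really have much detail.
I am not completely sure what the difference is between these two things
from this documentation
<https://docs.geoserver.org/latest/en/user/security/tutorials/index.html>: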

   - Configuring HTTP Header Proxy Authentication
   - Configuring Apache HTTPD Session Integration

My architecture is that leaflet is hosted in apache httpd and we are using
apache session variables to authenticate users into the site. GeoServer is
hosted on a different virtual machine. This user session variable is saved
as a cookie and can be retrieved from the system.

We are passing the session variables to PostgreSQL through PHP to establish
a PDO connection such as:

# ---
# CREATE PDO
# ---
$host = 'geoserver.myHost.com';
$port = '5432';
$db   = 'myDB';

# Decode the Apache session string into an array
parse_str($_SERVER['HTTP_SESSION'], $SESSION);
$user = $SESSION['LDAP_secured-user'];
$pass = $SESSION['LDAP_secured-pw'];

$dsn = "pgsql:host=$host;dbname=$db;port=$port";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];
try {
    $pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
    throw new \PDOException($e->getMessage(), (int)$e->getCode());
}

For the WMS we are using the leaflet.wms.js plugin.
So my goal is to somehow authenticate the user to GeoServer using the
apache session variable from the web server. As far as I understand this
can happen in two different ways:

   1. The user credentials can be passed with the URL
   2. The user can be authenticated to GeoServer on the back end. This is
      the PREFERRED method as:
      1. It is more secure as user credentials are not being passed in the
         URL
      2. User can be authenticated once per session instead of with each
         request
      3. Since the specific user is authenticated, GeoServer data security
         rules apply. If it is actually not possible to authenticate the
         specific user but the authentication happens server to server then
         we could manage this through a secondary permissions table which
         specifies the user role.

Thanks much,
Vera