Chris,

Thanks for your reply. We don't have the credentials of the end user that is logged into the web app, which is a good thing as you say, but at this point we really just need to impersonate the user to the WMS server based on a couple different authorization roles that apply. So we could pass credentials through the URL but our security standards won't allow us to do it in clear text.

To answer your other questions, we do use Active Directory for authentication but we do not yet have single sign-on. Both the web application using OpenLayers and the WMS server use AD authentication, but they run on different web servers. In fact, the web app runs on Apache and the WMS server runs on IIS. The web app uses an Open LDAP interface to perform authentication and the IIS server uses the out-of-the-box Windows AD authentication when you disable anonymous access to your web site. Does that give you any other ideas?

Thanks again,
Paul

-----Original Message-----
From: Christopher Schmidt [mailto:[EMAIL PROTECTED]
Sent: Thursday, April 03, 2008 8:15 PM
To: Paul Angelino
Cc: users@openlayers.org
Subject: Re: [OpenLayers-Users] Authenticating against a secured WMS server under IIS

On Thu, Apr 03, 2008 at 02:56:44PM -0400, Paul Angelino wrote:
> Hello,
>
> I'm pretty new to OpenLayers. I recently began using it to add spatial
> functionality to an existing non-spatial web app. We're publishing WMS
> services from an ArcGIS Server 9.2 instance under IIS, configured to
> prevent anonymous access. This is a good thing since some of the layers
> we're serving contain sensitive data. I saw this previous post to the
> user forum:
> http://openlayers.org/pipermail/users/2007-February/000721.html, which
> is exactly what is happening in my situation. The user gets prompted to
> authenticate against the web server. The problem is that the user has
> already been authenticated by the web application so I'd like to be able
> to programmatically impersonate the user to our WMS server so there is
> no prompting for credentials.

Do you have their credentials? (I'd hope, for security reasons, that you wouldn't, but if you do, what you want is possible. Otherwise, it's not.)

If you do have their credentials, you can generate URLs like:

"http://username:[EMAIL PROTECTED]/wms/foo"

And their credentials will be passed by the browser.

> I don't see anything in the OpenLayers
> 2.5 API to support this, but I did run across this:
> http://trac.openlayers.org/browser/sandbox/tschaub/request/lib/OpenLayers/Request.js?rev=6351.
> This OpenLayers.Request method seems to support
> username and password parameters for HTTP authentication.

This isn't helpful for you. You can already do this for XMLHttpRequest in trunk (though you'd have to try harder): this doesn't really fix things in any way.

> Is there a
> way that this can be used instead of a call to OpenLayers.Layer.WMS to
> instantiate a layer?

Nope.

> Is the OpenLayers.Request method something in the
> underlying library that is not exposed in the public API, or is this
> something slated for a future release?

The latter.

> Any information is greatly appreciated on how to access secured WMS
> layers without getting the popup authentication dialog.

Right answer: Use single signon: Kerberos, Active Directory, etc.

Wrong answer: Integrate user credentials in the URL.

Answer that helps you: Depends on how you're doing auth. Would need more information on that for you to get helped.

Regards,
--
Christopher Schmidt
MetaCarta