GeoServer : Enhancing Geoserver Authentication
This page last changed on Apr 07, 2011 by email@example.com.
Geoserver authentication is based on Spring Security and offers a user id / password log in. After a successful log in, the user has some predefined roles; authorization is based on these roles.
The new Geoserver authentication plugin should be capable of multiplexing between a set of concrete authentication plugins. The motivation is to support different authentication mechanisms for different clients. A typical scenario is access from Web browsers and from desktop GIS systems: while browsers are capable of HTTP Digest Authentication, desktop software normally is not and needs another mechanism.
At a minimum, the multiplexer passes the HttpServletRequest object to the concrete authentication plugins and asks each one whether it is responsible for this request. Responsibility can be based on IP addresses, user id patterns, HTTP header attributes and much more.
Proxy authentication is possible. The proxy should pass the user id and the roles (optional) in the HttpServletRequest object.
Geoserver users should be able to develop their own custom authentication module(s). A typical scenario is authentication against a user-installed authentication database (SQL, LDAP).
If you are new to PAM, look here. The basic idea is that a concrete authentication module can also be a stack of other modules. A scenario is having to log in a user against two or more security backends, where all of the logins must be successful.
Care must be taken in such scenarios. OGC services are stateless, and it does not make sense to create an HttpSession object only for the purpose of authentication. In short, even protected OGC services will remain stateless.
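The design described above (a multiplexer that asks each plugin whether it is responsible, a proxy that forwards the user id and optional roles, a PAM-style stack in which every login must succeed, and no session state) as an added Java sketch. This is not GeoServer's code and uses only plain JDK classes: `AuthRequest` is a stand-in for `HttpServletRequest`, the `X-User-Id` and `X-Roles` header names, the addresses and the user table are constructed sample values, and the rule that a stack claims a request only when all of its members do is an assumption.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.security.MessageDigest;
import java.util.*;

// Multiplexer: asks each configured plugin, in order, whether it is responsible for the request;
// the first one that claims it performs the login. Nothing is kept between calls (no HttpSession).
public class AuthMultiplexer {
    private final List<AuthPlugin> plugins;
    AuthMultiplexer(List<AuthPlugin> plugins) { this.plugins = plugins; }
    Optional<Principal> authenticate(AuthRequest req) {
        for (AuthPlugin p : plugins) if (p.isResponsible(req)) return p.authenticate(req);
        return Optional.empty();  // no plugin claimed the request: treat it as anonymous
    }

    public static void main(String[] args) {
        // Constructed sample configuration: one trusted proxy address, one password table.
        AuthMultiplexer mux = new AuthMultiplexer(Arrays.<AuthPlugin>asList(
                new ProxyPlugin(Collections.singleton("10.0.0.5")),
                new PasswordPlugin(Collections.singletonMap("alice", "s3cret"),
                        Collections.singletonMap("alice", Collections.singleton("ROLE_WMS")))));
        String basic = "Basic " + Base64.getEncoder().encodeToString("alice:s3cret".getBytes(UTF_8));
        Map<String, String> viaProxy = new HashMap<>();
        viaProxy.put("X-User-Id", "bob"); viaProxy.put("X-Roles", "ROLE_WFS,ROLE_ADMIN");
        // A desktop client sending user id / password, a request forwarded by the proxy, and the
        // proxy's user header sent directly from an untrusted address (which no plugin claims).
        for (AuthRequest r : Arrays.asList(
                new AuthRequest("203.0.113.7", Collections.singletonMap("Authorization", basic)),
                new AuthRequest("10.0.0.5", viaProxy),
                new AuthRequest("203.0.113.7", Collections.singletonMap("X-User-Id", "bob")))) {
            System.out.println(mux.authenticate(r).map(p -> p.userId + " " + p.roles).orElse("anonymous"));
        }
    }
}
// Stand-in for HttpServletRequest (assumption: only the remote address and the headers the
// plugins inspect are modelled; a real GeoServer filter receives the servlet request itself).
final class AuthRequest {
    final String remoteAddr; final Map<String, String> headers;
    AuthRequest(String addr, Map<String, String> headers) { this.remoteAddr = addr; this.headers = headers; }
}
// Result of a successful login; authorization is afterwards based on the roles.
final class Principal {
    final String userId; final Set<String> roles;
    Principal(String userId, Set<String> roles) { this.userId = userId; this.roles = new TreeSet<>(roles); }
}
// Contract of a concrete plugin: first claim the request, then log the user in.
interface AuthPlugin {
    boolean isResponsible(AuthRequest req);
    Optional<Principal> authenticate(AuthRequest req);
}
// Proxy authentication: claimed only when the request really comes from a trusted proxy address,
// so an ordinary client cannot forge the forwarded user id. The header names are assumed.
final class ProxyPlugin implements AuthPlugin {
    private final Set<String> trustedProxies;
    ProxyPlugin(Set<String> trustedProxies) { this.trustedProxies = trustedProxies; }
    public boolean isResponsible(AuthRequest req) {
        return trustedProxies.contains(req.remoteAddr) && req.headers.containsKey("X-User-Id");
    }
    public Optional<Principal> authenticate(AuthRequest req) {
        Set<String> roles = new HashSet<>();
        String raw = req.headers.getOrDefault("X-Roles", "");  // the roles are optional
        if (!raw.isEmpty()) roles.addAll(Arrays.asList(raw.split(",")));
        return Optional.of(new Principal(req.headers.get("X-User-Id"), roles));
    }
}
// User id / password login over HTTP Basic, checked against an in-memory table that stands in
// for a user-installed SQL or LDAP backend.
final class PasswordPlugin implements AuthPlugin {
    private final Map<String, String> passwords; private final Map<String, Set<String>> roles;
    PasswordPlugin(Map<String, String> p, Map<String, Set<String>> r) { passwords = p; roles = r; }
    public boolean isResponsible(AuthRequest req) {
        return req.headers.getOrDefault("Authorization", "").startsWith("Basic ");
    }
    public Optional<Principal> authenticate(AuthRequest req) {
        String decoded;
        try { decoded = new String(Base64.getDecoder().decode(req.headers.get("Authorization").substring(6)), UTF_8); }
        catch (IllegalArgumentException malformed) { return Optional.empty(); }  // bad Base64 is just a failed login
        int colon = decoded.indexOf(':');
        if (colon < 0) return Optional.empty();
        String user = decoded.substring(0, colon), expected = passwords.get(user);
        byte[] given = decoded.substring(colon + 1).getBytes(UTF_8);
        // constant-time comparison, so timing does not reveal how much of the password matched
        if (expected == null || !MessageDigest.isEqual(expected.getBytes(UTF_8), given)) return Optional.empty();
        return Optional.of(new Principal(user, roles.getOrDefault(user, Collections.emptySet())));
    }
}
// PAM-style stack (assumption: it claims a request only if every member does). The login succeeds
// only if every member's login succeeds, and the resulting roles are the union over all members.
final class StackedPlugin implements AuthPlugin {
    private final List<AuthPlugin> members;
    StackedPlugin(List<AuthPlugin> members) { this.members = members; }
    public boolean isResponsible(AuthRequest req) { return members.stream().allMatch(m -> m.isResponsible(req)); }
    public Optional<Principal> authenticate(AuthRequest req) {
        String userId = null; Set<String> roles = new HashSet<>();
        for (AuthPlugin m : members) {
            Optional<Principal> r = m.authenticate(req);
            if (!r.isPresent()) return Optional.empty();  // one failing backend fails the whole stack
            if (userId == null) userId = r.get().userId;
            roles.addAll(r.get().roles);
        }
        return Optional.of(new Principal(userId, roles));
    }
}
```

Run it with `java AuthMultiplexer.java` (JDK 11 or later) or with `javac` followed by `java AuthMultiplexer`. The third request in `main` is the point a reviewer would look for: the forwarded user id and roles are honoured only when the caller is the configured proxy, otherwise the same headers are ignored and the request falls through as anonymous. Every call returns a fresh `Principal` and nothing is cached, which is what keeps the protected OGC services stateless.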
The admin GUI has to be extended to support configuration of the above concepts.
All configurations should be possible using REST services.
The new architecture will not break any already deployed Geoserver installations using the current security subsystem.
Document generated by Confluence on May 14, 2014 22:59