Hi, please read below

Quoting Andrea Aime <andrea.a...@geo-solutions.it>:

> On Fri, Mar 25, 2011 at 5:00 PM,  <christian.muel...@nvoe.at> wrote:
>> 4) I hope you are aware that you can cluster geoserver instances only for
>> not authenticated access. If you want to cluster with user authentication,
>>  you need an authentication cluster concept, a single sign on for the
>> cluster. This requires a group communication system like jgroups and some
>> cryptographic techniques. At the moment I  am investigating on this topic.
>
> Agree on the other points, have a doubt on this one, afaik the above
> statement is not true in all cases.
>
> The majority of clients supports only basic authentication, that one
> does not need explicit clustering support as it's always included by the client
> in the http headers, in every request.
> I think digest works the same but I'm not sure.
> Since it's part of each request it's also clustering friendly, you just need
> a load balancer in front of the cluster, there is no session nor state to
> be shared among the nodes.
>
> Of course there is a host of other auth schemes that are cluster unfriendly,
> normally they also tend to be OGC client unfriendly (thinking desktop clients
> here).
>
> The hard part that cannot be avoided is having ssl on the cluster afaik,
> which can be solved by using high end load balancers that hide the ssl
> from the cluster (ssl happens only between the load balancer and the client).
>
> Cheers
> Andrea

What you are describing here would work, but this is the "poor man  
solution" with many disadvantages. Let us assume a cluster with 32  
nodes.

a) In the worst case, you have 32 individual authentication processes.  
The geoserver authentication is not very expensive, but if you think  
on our future work about spring security, authentication itself can  
involve access to a db or an LDAP server or other actions. Normally, on  
authentication for a role based access control, the following steps  
are necessary (at minimum).

- check the secret
- search for the groups the user belongs to
- calculate the roles as union from user and group roles
- create a session and attach this user profile

Using the "poor man solution", we have this procedure 32 times and  
create 32 different sessions for the same user. It is obviously better  
to execute this procedure once and send a multicast message containing  
the profile. The group communication system assures that all cluster  
members get the message or none (transactional).

b) How do you achieve a logout? I see no possibility without a GCS.  
No idea how to handle this using the "poor man solution".

c) How do you modify the user/group/role database keeping the user  
profiles consistent? Again, in the "poor man solution" you have to  
shut down the cluster.

I don't want to dig deeper for the moment, this will be part of my  
master thesis, but I agree, concerning the situation of Martin, the  
"poor man solution" is a possibility.

Cheers
Christian
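
An added example, not part of the original message and not GeoServer code: a small simulation of points a) and b) above, counting how often the four authentication steps run on a 32-node cluster behind a round-robin balancer, and how many nodes still hold a session after a logout. The directory contents, the `Node` class, the digest-keyed session cache and the loop standing in for the group communication system are all assumptions made for illustration.

```python
import base64, hashlib, hmac

# Constructed sample directory (not from the thread).
SECRETS = {"alice": "s3cret"}
USER_ROLES = {"alice": {"ROLE_USER"}}
USER_GROUPS = {"alice": ["editors"]}
GROUP_ROLES = {"editors": {"ROLE_EDIT"}}

def basic(user, secret):
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

def key(header):  # assumption: sessions are keyed by a digest of the header
    return hashlib.sha256(header.encode()).hexdigest()

class Node:
    def __init__(self):
        self.sessions = {}   # key(header) -> frozenset of roles
        self.auth_runs = 0   # times the full procedure ran on this node

    def authenticate(self, header):
        """Check the secret, find groups, union the roles, create a session."""
        self.auth_runs += 1
        user, _, secret = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
        if user not in SECRETS or not hmac.compare_digest(SECRETS[user].encode(), secret.encode()):
            return None
        roles = set(USER_ROLES.get(user, ()))
        for group in USER_GROUPS.get(user, ()):
            roles |= GROUP_ROLES.get(group, set())
        self.sessions[key(header)] = frozenset(roles)
        return self.sessions[key(header)]

    def handle(self, header):
        k = key(header)
        return self.sessions[k] if k in self.sessions else self.authenticate(header)

def simulate(header, multicast, n_nodes=32, n_requests=64):
    nodes = [Node() for _ in range(n_nodes)]
    if multicast:  # authenticate once; the loop stands in for the GCS broadcast
        profile = nodes[0].authenticate(header)
        for node in nodes[1:] if profile is not None else []:
            node.sessions[key(header)] = profile
    for i in range(n_requests):  # round-robin load balancer
        nodes[i % n_nodes].handle(header)
    return nodes

def logout(nodes, header, broadcast):
    for node in (nodes if broadcast else nodes[:1]):
        node.sessions.pop(key(header), None)
    return sum(key(header) in n.sessions for n in nodes)  # sessions still alive
```
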



_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
