Hi all,

this is a long mail, TOC first

I) early adopters
II) configuration
III) discussion about the authentication entry point
I) Until now, I know about three early adopters

sonya.dow...@dpipwe.tas.gov.au
bre...@craig.fr
gmi...@library.berkeley.edu

I will send you a private mail with a zip file attached. This zip file contains 3 jar files which you have to put into the WEB-INF/lib folder of your GeoServer installation.

II) Configuration

The CAS authentication filter is able to validate proxy and service tickets.

Configuration options:

1) Name (mandatory)
The name of the filter.

2) CAS Server URL (mandatory)
The URL including the context root of the CAS server. This should be an HTTPS URL, otherwise users will be prompted for their credentials for each new service ticket. (No Single Sign On)

3) No single sign on
This option makes sense if 2) is an HTTPS URL. Activating this option will prompt users for credentials each time a ticket is needed. The normal mode of operation is disabling this option and using HTTPS as described in 2).

4) Proxy callback URL
Only needed if GeoServer itself needs to generate a proxy ticket. This is not used at the moment, leave this field blank. For GeoServer custom extensions generating proxy tickets, this field must be filled with the URL of GeoServer including the context root. The CAS server will send requests to GeoServer. This URL must use HTTPS.

5) Create HTTP Session
Basically, there are 2 modes of operation:

a) Disallow HTTP session creation
For each request, the client has to include a ticket parameter which can be validated by the CAS server.

Example request:
http://mygeoserver/wms?request=getCapabilities&ticket=ST-abadsd

Next request:
http://mygeoserver/wms?request=getMap&ticket=ST-efdafd&bbox=.......

Normally, a CAS ticket may be validated only once. As a consequence, there are 2 additional requests to the CAS server for each GeoServer request.

b) Allow HTTP session creation
In this scenario, the client sends the ticket only once.

Example request:
http://mygeoserver/wms?request=getCapabilities&ticket=ST-abadsd

The client gets back a session cookie called JSESSIONID. For future requests, the client has to include this cookie, no CAS ticket needed. (For clients running in a browser, the cookie is included automatically.)

http://mygeoserver/wms?request=getMap&bbox=.......

No further requests to the CAS server are necessary, but an HTTP session was created for stateless services.

6) Role Source
Determines where to look for the roles of the user.

a) Request header
The name of the request header attribute has to be specified. The client has to send the roles of the user as a String delimited by ";".

b) User group service
This is the standard role source.

c) Role service
Used if a special role service was created for the CAS authentication.

After configuring the CAS authentication filter, add this filter to the default filter chain. For testing, you could remove the basic auth filter.

III) Authentication Entry Point

Here I am not sure about a good solution. What happens if GeoServer receives a request without a session cookie and without a "ticket" parameter?

At the moment, HTTP response code 401 (not authorized) is returned. This is nice for application clients doing proxy authentication, it is not nice for clients running in a browser. Clients in a browser have to contact the CAS server first for a valid ticket.

Another possibility is to work with HTTP redirects. This is nice for browser applications, since a request without a ticket is redirected to the CAS server and after a successful login, the browser is redirected to the original request. But this is not nice for application clients doing proxy authentication, getting back an HTML form.

IMHO, this problem is not resolvable, the only idea I have is to make the redirect the standard and if a client wants a 401 response, it has to send an additional HTTP parameter like NOCASREDIRECT=true.

Opinions?
Cheers
Christian

Quoting Landry Breuil <bre...@craig.fr>:

> On 09/22/12 16:24, christian.muel...@nvoe.at wrote:
>> Unfortunately, the CAS module did not find its way into 2.2.0, it is
>> scheduled for 2.2.1 next month.
>>
>> If there is some interest, I can send a custom jar which has to be
>> dropped into the WEB-INF/lib directory of the GeoServer installation.
>>
>> If there is some interest, I will formulate a short description of the
>> configuration.
>>
>> The CAS authentication works for OGC services and accepts
>> service/proxy tickets with an optional (but recommended) creation of
>> an HTTP session.
>
> Yes, i'd be definitely interested in testing such a setup. We're using
> georchestra which provides a CAS authentication server, and i'd like
> to test geoserver 2.2 with it. We're not going in production before
> 2.2.1 anyway, but early testing is definitely planned.
>
> --
> Landry Breuil
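As an added example (not code from the CAS module, GeoServer or the mail's author), the following Python model walks through the ticket and session handling of options 5 and 6 above and the entry-point behaviour proposed in III, including the NOCASREDIRECT=true opt-out. The names CasFilter, TicketValidator, Request and Response, the CAS server URL and the X-Roles header are assumptions of the example; the CAS server is replaced by an in-memory validator that enforces the rule that a ticket validates only once and only for the service it was issued for.

```python
"""Model of the CAS filter behaviour described in the mail (added example,
not the module's own code).  CasFilter, TicketValidator, Request, Response,
the CAS URL and the X-Roles header are hypothetical names."""
import secrets
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_SERVER_URL = "https://cas.example.org/cas"  # assumption: hypothetical CAS server


@dataclass
class Request:
    url: str  # full request URL including the query string
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)

    def param(self, name: str) -> Optional[str]:
        return dict(parse_qsl(urlsplit(self.url).query)).get(name)

    def service_url(self) -> str:
        """Request URL without 'ticket': the CAS 'service' the ticket is bound
        to, and where CAS redirects back to after a successful login."""
        parts = urlsplit(self.url)
        kept = [p for p in parts.query.split("&") if p and not p.startswith("ticket=")]
        return urlunsplit(parts._replace(query="&".join(kept)))


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    principal: Optional[str] = None
    roles: tuple = ()


class TicketValidator:
    """Stand-in for the CAS serviceValidate call: single-use, service-bound."""

    def __init__(self, issued: dict):
        self._issued = dict(issued)  # ticket -> (user, service URL)

    def validate(self, ticket: str, service: str) -> Optional[str]:
        entry = self._issued.pop(ticket, None)  # pop: a second validation fails
        if entry is None or entry[1] != service:
            return None
        return entry[0]


class CasFilter:
    def __init__(self, validator, create_http_session=True, role_header=None):
        self.validator = validator
        self.create_http_session = create_http_session  # option 5
        self.role_header = role_header  # option 6a; None = another role source
        self.sessions = {}  # JSESSIONID -> (user, roles)

    def roles_for(self, request: Request) -> tuple:
        if self.role_header is None:
            return ()
        raw = request.headers.get(self.role_header, "")
        return tuple(r.strip() for r in raw.split(";") if r.strip())

    def entry_point(self, request: Request) -> Response:
        """No session and no ticket: redirect to CAS login, unless the client
        opted out with NOCASREDIRECT=true and wants a plain 401."""
        if request.param("NOCASREDIRECT") == "true":
            return Response(401)
        login = CAS_SERVER_URL + "/login?" + urlencode({"service": request.service_url()})
        return Response(302, {"Location": login})

    def handle(self, request: Request) -> Response:
        sid = request.cookies.get("JSESSIONID")
        if sid in self.sessions:  # mode 5b: the cookie replaces the ticket
            user, roles = self.sessions[sid]
            return Response(200, principal=user, roles=roles)
        ticket = request.param("ticket")
        if ticket is None:
            return self.entry_point(request)
        user = self.validator.validate(ticket, request.service_url())
        if user is None:  # unknown, replayed or wrong-service ticket
            return Response(401)
        roles = self.roles_for(request)
        headers = {}
        if self.create_http_session:
            sid = secrets.token_hex(16)
            self.sessions[sid] = (user, roles)
            headers["Set-Cookie"] = f"JSESSIONID={sid}; Secure; HttpOnly"
        return Response(200, headers, principal=user, roles=roles)


def demo() -> dict:
    """Constructed requests covering modes 5a/5b, a replayed ticket and III."""
    f = CasFilter(TicketValidator({"ST-abadsd": ("alice", "http://mygeoserver/wms?request=getCapabilities")}),
                  create_http_session=True, role_header="X-Roles")
    first = f.handle(Request("http://mygeoserver/wms?request=getCapabilities&ticket=ST-abadsd",
                             headers={"X-Roles": "ROLE_WMS;ROLE_WFS"}))
    sid = first.headers["Set-Cookie"].split(";")[0].split("=", 1)[1]
    with_cookie = f.handle(Request("http://mygeoserver/wms?request=getMap&bbox=0,0,1,1",
                                   cookies={"JSESSIONID": sid}))
    replay = f.handle(Request("http://mygeoserver/wms?request=getCapabilities&ticket=ST-abadsd"))
    anonymous = f.handle(Request("http://mygeoserver/wms?request=getMap"))
    opt_out = f.handle(Request("http://mygeoserver/wms?request=getMap&NOCASREDIRECT=true"))
    stateless = CasFilter(TicketValidator({"ST-efdafd": ("alice", "http://mygeoserver/wms?request=getMap")}),
                          create_http_session=False)
    no_cookie = stateless.handle(Request("http://mygeoserver/wms?request=getMap&ticket=ST-efdafd"))
    return {"first": first, "with_cookie": with_cookie, "replay": replay,
            "anonymous": anonymous, "opt_out": opt_out, "no_cookie": no_cookie}


if __name__ == "__main__":
    for name, r in demo().items():
        print(name, r.status, r.headers.get("Location", ""), r.principal, r.roles)
```

The replayed ticket failing with 401 is the property behind the remark that mode 5a costs two extra CAS round trips per GeoServer request: every request needs a fresh ticket and a fresh validation. The Secure and HttpOnly cookie flags are a choice of the example, not something the mail states about the module.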
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users