On Thu, Apr 03, 2008 at 10:32:29PM -0400, Paul Angelino wrote:
> Thanks for your reply. We don't have the credentials of the end user
> that is logged into the web app, which is a good thing as you say, but
> at this point we really just need to impersonate the user to the WMS
> server based on a couple different authorization roles that apply. So
> we could pass credentials through the URL but our security standards
> won't allow us to do it in clear text.
There's no reason that credentials as I stated need to be in clear text: the browser uses this username and password as auth for the request, it doesn't send them as part of the URL to the server. But it probably doesn't solve your problem anyway.

If your application server has the ability to get to all the information (as in: it has superuser access) then you might be best off simply proxying the IIS requests through something on the Apache server. The Apache server uses the superuser credentials to access the IIS, downloads the data, and must then enforce the security requirements of the remote server.

> To answer your other questions, we do use Active Directory for
> authentication but we do not yet have single sign-on. Both the web
> application using OpenLayers and the WMS server use AD authentication,
> but they run on different web servers. In fact, the web app runs on
> Apache and the WMS server runs on IIS. The web app uses an Open LDAP
> interface to perform authentication and the IIS server uses the
> out-of-the-box Windows AD authentication when you disable anonymous
> access to your web site.

I expect that what this means is:

* The Apache server is doing authentication using LDAP, not Active Directory (with the AD server as an LDAP backend)
* What you actually want is:
  http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true

"""Unlike Basic authentication, Integrated Windows authentication does not initially prompt for a user name and password. The current Windows user information on the client is used for Integrated Windows authentication."""

However, setting this up on both the IIS server and the Apache server would probably be a lesson in Active Directory that you may not be interested in: http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html might be a starting point for understanding it and making that decision on the Apache side.
Regards,
--
Christopher Schmidt
MetaCarta

_______________________________________________
Users mailing list
Users@openlayers.org
http://openlayers.org/mailman/listinfo/users
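An added example, not part of this thread and not OpenLayers or MetaCarta code: a minimal Python sketch of the proxy pattern described above, in which the Apache-side component holds the service ("superuser") credential itself, forwards only an allow-list of WMS parameters, and enforces per-role layer authorization before the request goes to the IIS-hosted WMS server. The hostnames, roles, layer names, session store and credential values are constructed placeholders, and the role is taken from the application's own server-side session rather than from anything the browser sends.

```python
"""Constructed WMS proxy sketch: the service credential never reaches the
browser, and the proxy (not the upstream server) decides which layers a
given role may read."""
import base64
from urllib.parse import urlencode

# Constructed placeholders: upstream WMS endpoint and the service account the
# proxy uses. In a deployment these come from server-side config only.
UPSTREAM_WMS = "https://wms.internal.example/wms"
SERVICE_USER = "svc"
SERVICE_PASSWORD = "s3cret"  # constructed placeholder, not a real secret

# Constructed server-side session store: session id -> authenticated role.
SESSIONS = {
    "sess-analyst-01": "analyst",
    "sess-public-02": "public",
}

# Constructed authorization policy: layers each role may request.
ROLE_LAYERS = {
    "analyst": {"roads", "parcels", "hydrology"},
    "public": {"roads"},
}

# Only these WMS parameters are forwarded; anything else the browser sends is dropped.
ALLOWED_PARAMS = {
    "SERVICE", "VERSION", "REQUEST", "LAYERS", "QUERY_LAYERS", "STYLES",
    "SRS", "CRS", "BBOX", "WIDTH", "HEIGHT", "FORMAT", "TRANSPARENT",
    "X", "Y", "I", "J", "INFO_FORMAT",
}


class Forbidden(Exception):
    """Raised when the proxy refuses to forward a request."""


def role_for_session(session_id):
    """Resolve the caller's role from the server-side session, never from the query."""
    role = SESSIONS.get(session_id)
    if role is None:
        raise Forbidden("no authenticated session")
    return role


def authorize_layers(role, layers_param):
    """Reject the request if any requested layer is outside the role's allow-list."""
    requested = {name.strip() for name in layers_param.split(",") if name.strip()}
    if not requested:
        raise Forbidden("no layers requested")
    denied = requested - ROLE_LAYERS.get(role, set())
    if denied:
        raise Forbidden("role %r may not read layers: %s" % (role, ", ".join(sorted(denied))))
    return requested


def service_auth_header():
    """HTTP Basic header for the upstream call; it is added by the proxy, not the client."""
    token = base64.b64encode(("%s:%s" % (SERVICE_USER, SERVICE_PASSWORD)).encode()).decode()
    return "Basic " + token


def build_upstream_request(session_id, client_params):
    """Return (url, headers) for the upstream WMS call, or raise Forbidden.

    client_params is the dict of query parameters the browser sent to the proxy.
    Parameters not on the allow-list (and any credential the client tried to
    pass) are discarded before the URL is built.
    """
    role = role_for_session(session_id)
    params = {k.upper(): v for k, v in client_params.items() if k.upper() in ALLOWED_PARAMS}
    if params.get("SERVICE", "WMS").upper() != "WMS":
        raise Forbidden("only WMS requests are proxied")
    request = params.get("REQUEST", "").lower()
    # GetCapabilities is deliberately not proxied: it would list every layer on
    # the upstream server, including ones this role may not read.
    if request not in ("getmap", "getfeatureinfo"):
        raise Forbidden("unsupported request type: %r" % params.get("REQUEST", ""))
    authorize_layers(role, params.get("LAYERS", ""))
    if request == "getfeatureinfo":
        authorize_layers(role, params.get("QUERY_LAYERS", ""))
    url = UPSTREAM_WMS + "?" + urlencode(params)
    return url, {"Authorization": service_auth_header()}


if __name__ == "__main__":
    sample = {"SERVICE": "WMS", "REQUEST": "GetMap", "LAYERS": "roads,parcels",
              "BBOX": "0,0,1,1", "WIDTH": "256", "HEIGHT": "256",
              "FORMAT": "image/png", "SRS": "EPSG:4326"}
    print(build_upstream_request("sess-analyst-01", sample))
    try:
        build_upstream_request("sess-public-02", sample)
    except Forbidden as exc:
        print("refused:", exc)
```

The point of the sketch is the third step in the reply: once the proxy holds a credential that can read everything, the authorization decision has moved into the proxy, so it has to check the requested layers against the user's role on every request rather than passing the query through untouched.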