[OpenLayers-Users] Authenticating against a secured WMS server under IIS

Paul Angelino pangelino at tnc.org
Thu Apr 3 22:32:29 EDT 2008


Chris,

Thanks for your reply.  We don't have the credentials of the end user
that is logged into the web app, which is a good thing as you say, but
at this point we really just need to impersonate the user to the WMS
server based on a couple different authorization roles that apply.  So
we could pass credentials through the URL but our security standards
won't allow us to do it in clear text.

To answer your other questions, we do use Active Directory for
authentication but we do not yet have single sign-on.  Both the web
application using OpenLayers and the WMS server use AD authentication,
but they run on different web servers.  In fact, the web app runs on
Apache and the WMS server runs on IIS.  The web app uses an Open LDAP
interface to perform authentication and the IIS server uses the
out-of-the-box Windows AD authentication when you disable anonymous
access to your web site.

Does that give you any other ideas?

Thanks again,

Paul

-----Original Message-----
From: Christopher Schmidt [mailto:crschmidt at metacarta.com] 
Sent: Thursday, April 03, 2008 8:15 PM
To: Paul Angelino
Cc: users at openlayers.org
Subject: Re: [OpenLayers-Users] Authenticating against a secured WMS
server under IIS

On Thu, Apr 03, 2008 at 02:56:44PM -0400, Paul Angelino wrote:
> Hello,
>
> I'm pretty new to OpenLayers.  I recently began using it to add spatial
> functionality to an existing non-spatial web app.  We're publishing WMS
> services from an ArcGIS Server 9.2 instance under IIS, configured to
> prevent anonymous access.  This is a good thing since some of the layers
> we're serving contain sensitive data.  I saw this previous post to the
> user forum:
> http://openlayers.org/pipermail/users/2007-February/000721.html, which
> is exactly what is happening in my situation.  The user gets prompted to
> authenticate against the web server.  The problem is that the user has
> already been authenticated by the web application so I'd like to be able
> to programmatically impersonate the user to our WMS server so there is
> no prompting for credentials.

Do you have their credentials? (I'd hope, for security reasons, that you
wouldn't, but if you do, what you want is possible. Otherwise, it's
not.) 

If you do have their credentials, you can generate URLs like:

  "http://username:password@example.com/wms/foo"

And their credentials will be passed by the browser.

> I don't see anything in the OpenLayers
> 2.5 API to support this, but I did run across this:
> http://trac.openlayers.org/browser/sandbox/tschaub/request/lib/OpenLayers/Request.js?rev=6351.
> This OpenLayers.Request method seems to support
> username and password parameters for HTTP authentication.

This isn't helpful for you. You can already do this for XMLHttpRequest
in trunk (though you'd have to try harder): this doesn't really fix
things in any way. 

> Is there a
> way that this can be used instead of a call to OpenLayers.Layer.WMS to
> instantiate a layer?  

Nope.

> Is the OpenLayers.Request method something in the
> underlying library that is not exposed in the public API, or is this
> something slated for a future release?

The latter.

> Any information is greatly appreciated on how to access secured WMS
> layers without getting the popup authentication dialog.

Right answer: Use single signon: Kerberos, Active Directory, etc.  
Wrong answer: Integrate user credentials in the URL.

Answer that helps you: Depends on how you're doing auth. Would need more
information on that for you to get helped. 

Regards,
-- 
Christopher Schmidt
MetaCarta
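
Added example, not part of the original thread and not OpenLayers code: a Node.js audit of layer URLs for the "username:password@host" form discussed above, showing why such a URL counts as clear text and producing a redacted form that is safe to log. The function names and sample URLs are constructed for illustration, and the Basic header assumes the server accepts HTTP Basic authentication.

```javascript
// Added example: audit WMS layer URLs for credentials embedded in the URL.
// All URLs below are constructed samples.

// Percent-decoding can throw on malformed input; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function inspectLayerUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (e) { return { raw, valid: false }; }

  const hasCredentials = url.username !== "" || url.password !== "";
  const out = { raw, valid: true, hasCredentials, basicHeader: null,
                recovered: null, redacted: null };

  if (hasCredentials) {
    const pair = safeDecode(url.username) + ":" + safeDecode(url.password);
    // Assumption: the server accepts HTTP Basic. The header is base64,
    // an encoding, so anyone who sees it recovers the password.
    out.basicHeader = "Basic " + Buffer.from(pair, "utf8").toString("base64");
    out.recovered = Buffer.from(out.basicHeader.slice(6), "base64").toString("utf8");
  }

  // Safe form for logs, bug reports and page source.
  url.username = "";
  url.password = "";
  out.redacted = url.toString();
  return out;
}

// Return only the entries that need fixing, as redacted URLs for reporting.
function auditLayerUrls(urls) {
  return urls.map(inspectLayerUrl)
             .filter(r => r.valid && r.hasCredentials)
             .map(r => r.redacted);
}

const sampleLayerUrls = [
  "http://username:password@example.com/wms/foo",
  "http://example.com/wms/foo?SERVICE=WMS",
  "http://u:p%40ss@example.com/wms",
  "not a url",
];
console.log(auditLayerUrls(sampleLayerUrls));
```
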


