[Qgis-user] QGIS and GeoServer security - accessing protected layers

Chris Berkhout chrisberkhout at gmail.com
Mon May 27 01:17:08 PDT 2013


Hi all,

I've been working on accessing protected layers in GeoServer via WFS from
QGIS. I ran into some problems, similar to those described by someone on
the mailing list a couple of years ago (except I'm using WFS rather than
WMS). I've found a workaround that is enough for my current needs.

First off, as far as I can tell, entering WFS basic auth credentials when
creating the layer does not help in any way. Auth won't be done unless the
server demands it, and then it will always ask the user for them again
anyway (I'm using QGIS from master, at commit d68524). There is an open bug
related to this:
    http://hub.qgis.org/issues/6609

As for accessing protected layers, I found that the problem was that QGIS
first tries to do the GetCapabilities without credentials, and only prompts
the user for them if the anonymous request was denied by the server.
Usually an anonymous request will succeed, showing all the public layers,
and the user won't have a chance to get at the protected layers. The same
thing is done by MapInfo, by the way.

My workaround for this was to have the Apache running in front of GeoServer
force authentication in certain cases.

Instead of using a WFS url like:
    http://myserver.com/geoserver/wfs

I enter it as:
    http://myserver.com/geoserver/wfs?forcebasicauth=true

Then I have apache intercept requests with that special query string as
follows:

        RewriteEngine     On
        RewriteCond %{HTTP:Authorization} ^$
        RewriteCond %{QUERY_STRING} forcebasicauth=true
        RewriteRule .* /var/www/forcebasicauth.php [L]

So that if the request has no auth details, it will be passed to a small
PHP handler that will request them:

        <?php header('WWW-Authenticate: Basic realm="main"', true, 401); ?>

All requests with auth details will get passed through to GeoServer as
usual, as will anything without the forcebasicauth key.
I tried to do this without PHP but couldn't get both the 401 http code and
the header to be returned conditionally in pure Apache config (the code is
enough for MapInfo, QGIS needs the correct header too).

Cheers,
Chris
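
The exchange described in the message above, modelled end to end as an added example (it is not part of the original post or of QGIS, GeoServer or Apache). The function names, layer names and account are constructed for illustration, and the GeoServer stand-in assumes the "hide" catalog mode.

```python
import base64
import re

# Constructed sample data: layer names and the account are made up.
PUBLIC, PROTECTED = ["roads"], ["parcels_private"]
USERS = {"alice": "s3cret"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="main"'}

def geoserver(headers):
    """Stand-in for GeoServer (assumed 'hide' catalog mode): an anonymous
    request succeeds but lists only public layers; bad credentials get 401."""
    auth = headers.get("Authorization", "")
    if not auth:
        return 200, {}, PUBLIC
    try:
        raw = base64.b64decode(auth.split(" ", 1)[1]).decode()
    except (IndexError, ValueError):
        return 401, CHALLENGE, []
    user, _, password = raw.partition(":")
    if user in USERS and USERS[user] == password:
        return 200, {}, PUBLIC + PROTECTED
    return 401, CHALLENGE, []

def apache_gate(query, headers):
    """Mirror of the two RewriteCond lines: challenge only when the
    Authorization header is empty AND the query string matches."""
    no_auth = re.search(r"^$", headers.get("Authorization", "")) is not None
    # The pattern is unanchored, as in the post, so it matches as a substring.
    flagged = re.search(r"forcebasicauth=true", query) is not None
    if no_auth and flagged:
        return 401, CHALLENGE, []      # what forcebasicauth.php returns
    return geoserver(headers)          # everything else is passed through

def client_get_capabilities(query, creds=None):
    """Client behaviour described in the post: ask anonymously first and
    send credentials only after a 401 that carries WWW-Authenticate."""
    status, hdrs, layers = apache_gate(query, {})
    if status == 401 and "WWW-Authenticate" in hdrs and creds:
        token = base64.b64encode(":".join(creds).encode()).decode()
        status, hdrs, layers = apache_gate(query, {"Authorization": "Basic " + token})
    return status, layers
```

The gate never checks the credentials itself; it only forces the prompt, and the backend still validates whatever the client sends. Basic credentials are only base64-encoded, so the plain http:// URLs shown would expose them on the wire unless the site is served over HTTPS.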


========================================
http://lists.osgeo.org/pipermail/qgis-user/2011-March/011580.html

[Qgis-user] qGIS and GeoServer security

Jeff Dege jeff.dege at korterra.com
Thu Mar 24 14:13:21 EDT 2011

I'm playing around with the security settings on a GeoServer site.

In GeoServer, I can set the "Catalog mode":
Catalog mode configuration - mode=HIDE|CHALLENGE|MIXED
Set the catalog mode level

hide (default): does not show to the user the layers that he cannot access,
behaves as if a layer was read only if the user does not have write
permissions. The capabilities document does not contain the layers the
current user cannot access to. This is the highest security mode, it
assumes a privileged user has logged in before showing him the secured
layers. Because of this, it does not work very well with clients such as
uDig or Google Earth, where the authentication dialog pops up only if the
server returns a HTTP 401 after attempting to access a secured resource.

challenge: allows free access to metadata, any attempt at accessing actual
data is met by a HTTP 401 code that forces most clients to show an
authentication dialog. The capabilities do contain the full list of layers,
DescribeFeatureType and DescribeCoverage do work fine, the first attempt to
access the actual data without the necessary privileges is met with a 401
error. This mode works fine with capabilities driven clients such as uDig,
and with any client that needs a 401 in order to trigger an authentication
dialog.

mixed: hides the layers the user cannot read from the capabilities, but
triggers authentication for any other attempt to access the data or the
metadata. Useful if you don't want the world to see the very existence of
some of your data, but you still want selected people whom you give direct
data access links to get the data after authentication.

When I set the mode to challenge, and do a Connect from the "Add Layer(s)
from a Server" dialog, I see all the layers.  If I try to add one to the
map, I get an "Enter Credentials" dialog, where I can enter Username and
Password, and if correct I see the layer in the map.

When I set the mode to hide, and do a Connect, I don't see the layers.

But here's the thing.  All of the above is with the User name and Password
fields of the "Create a new WMS connection" dialog blank.  And the above is
the behavior I'd expect, with those fields blank.

But if I fill in username and password, in the connection dialog, I still
get the same behavior.  I'd expect to be able to see the authenticated-only
layers, in the getCapabilities XML, and hence in the layer list in the qGIS
dialog, if the user name and password are correct.  I'm not seeing that.

In fact, it looks as if it makes no difference whatsoever whether I enter a
username and password when defining a WMS connection.

Am I misunderstanding what the username and password fields are for?  Or
are they not working?  Or is GeoServer handling something incorrectly?
