[OpenLayers-Users] Authenticating against a secured WMS server
under IIS
Christopher Schmidt
crschmidt at metacarta.com
Fri Apr 4 07:48:11 EDT 2008
On Thu, Apr 03, 2008 at 10:32:29PM -0400, Paul Angelino wrote:
> Thanks for your reply. We don't have the credentials of the end user
> that is logged into the web app, which is a good thing as you say, but
> at this point we really just need to impersonate the user to the WMS
> server based on a couple different authorization roles that apply. So
> we could pass credentials through the URL but our security standards
> won't allow us to do it in clear text.
There's no reason that credentials as I stated need to be in clear text:
the browser uses this username and password as auth for the request, it
doesn't send them as part of the URL to the server. But it probably
doesn't solve your problem anyway.
If your application server has the ability to get to all the information
(as in: it has superuser access) then you might be best off simply
proxying the IIS requests through something on the Apache server. Apache
server uses the superuser credentials to access the IIS, download the
data, and must then enforce the security requirements of the remote
server.
> To answer your other questions, we do use Active Directory for
> authentication but we do not yet have single sign-on. Both the web
> application using OpenLayers and the WMS server use AD authentication,
> but they run on different web servers. In fact, the web app runs on
> Apache and the WMS server runs on IIS. The web app uses an Open LDAP
> interface to perform authentication and the IIS server uses the
> out-of-the box Windows AD authentication when you disable anonymous
> access to your web site.
I expect that what this means is:
* The Apache server is doing authentication using LDAP, not Active
Directory (with the AD server as an LDAP backend)
* What you actually want is:
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/523ae943-5e6a-4200-9103-9808baa00157.mspx?mfr=true
"""Unlike Basic authentication, Integrated Windows authentication does
not initially prompt for a user name and password. The current Windows
user information on the client is used for Integrated Windows
authentication."""
However, setting this up on both the IIS server and the Apache server
would probably be a lesson in active directory that you may not be
interested in:
http://www.onlamp.com/pub/a/onlamp/2003/09/11/kerberos.html
might be a starting point for understanding it and making that decision
on the Apache side.
Regards,
--
Christopher Schmidt
MetaCarta
More information about the Users
mailing list