[Qgis-developer] PyQGIS: do WMS and WFS providers use QgsNetworkAccessManager.instance()?

Luigi Pirelli luipir at gmail.com
Fri May 27 09:11:15 PDT 2016


Oh!... I forgot to say that, in the future, PyQGIS access to the
AuthManager API would be removed to have a better security model in
QGIS. No one would be able to create a plugin to export credentials or
certificates stored in qgis_auth.db.

regards
Luigi Pirelli

**************************************************************************************************
* Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
* LinkedIn: https://www.linkedin.com/in/luigipirelli
* Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
* GitHub: https://github.com/luipir
* Mastering QGIS:
https://www.packtpub.com/application-development/mastering-qgis
**************************************************************************************************


On 27 May 2016 at 17:28, Luigi Pirelli <luipir at gmail.com> wrote:
> Hi Enzo
>
> AFAIK Shibboleth is still not supported by
> AuthenticationManager, and Auth Manager has to be better integrated
> into the QgsConnectionManager class.
>
> Thanks for the workaround, but a good procedure would be:
>
> 1) Create a Shibboleth authentication plugin for Auth Manager (the
> single sign-on OAuth authentication will be available in a while).
> Larry Shaffer of Boundless just did a proof of concept during these
> days at the Girona Hackfest that can be used as a development base.
>
> 2) Support the complete integration of the AuthManager in
> QgsNetworkAccessManager, which would become THE way to use any
> connection. Future QGIS will have PyQGIS access to AuthManager almost
> removed, to leave the auth access managed only by NetworkManager.
> This integration will require a refactoring of OWS providers that
> actually use AuthManager directly (and also the PostGIS provider).
>
> btw code snippets and use cases are always really useful :)
>
> I'm just investigating how to integrate AuthManager and NetworkManager
> (Qt) with the Windows key store (Credential Management). If you have
> suggestions, they are really welcome :)
>
> regards
> Luigi Pirelli
>
>
> On 27 May 2016 at 13:24, enzogis <enzo.ciarmoli at csi.it> wrote:
>> Hi all,
>> The main goal is to access WMS/WFS exposed behind a Shibboleth
>> authentication page.
>> I made many tests and I have partial success with a workaround: I am not
>> sure, but if I'm not wrong I could report a strange behaviour of the WMS
>> provider with QgsNetworkAccessManager.instance()
>>
>> The problem is complex; I will try to explain it briefly:
>>
>> I need to load WMS/WFS layers that are exposed behind a Shibboleth (SAML2)
>> authentication page.
>> From a web browser, the authentication system consists of these steps:
>> - call the url
>> http://example/wms?service=WMS&version=1.1.0&request=GetCapabilities
>> - the system redirects to the main authentication page
>> https://secure/login.jsp with many options
>> - the user indicates a valid PKCS#12 certificate
>> - only after success does it redirect to the first url, and the user can
>> see the WMS response.
>>
>> In QGIS 2.14.3 I imported the certificate, but when I try to load that WMS
>> layer it shows an error: it expected a WMS capabilities response but it
>> receives HTML from the main authentication page.
>>
>> Workaround:
>> Thus, to achieve the goal, I replicated the authentication process in
>> Python with a custom QWebView and extended QNetworkAccessManager with SSL
>> support to use the certificate.
>> After successful access, the script dumps cookies from the CookieJar and
>> transfers them to QgsNetworkAccessManager.instance().
>> In that situation, the instance is authenticated and I can manually load
>> layers, and Shibboleth trusts the cookies.
>>
>> That workaround works fine for WFS, but it fails for WMS.
>>
>> When I try to connect to WMS manually it succeeds and it shows a list of
>> capabilities, but when I select a layer and try to load it, it shows an
>> error: in the error logs there are HTML tags from the main authentication
>> page.
>> It seems that the WMS provider uses QgsNetworkAccessManager.instance() only
>> for get capabilities but not for loading each layer.
>>
>> Instead, the same solution works fine for WFS: from the dialog that shows
>> capabilities I can load a layer in QGIS, and I assume that it uses the
>> authenticated QgsNetworkAccessManager.instance().
>>
>> Is that different behaviour of the WMS and WFS providers correct?
>> Is it a bug or do I misunderstand something?
>>
>> Any suggestion would be greatly appreciated.
>> If details are necessary I will attach a code snippet.
>>
>> TIA
>> --
>> Enzo Ciarmoli
>>
>>
>>
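The failure described in the original message (HTML from the login page arriving where a WMS capabilities document is expected) can be recognised from the response itself, as in this added example, which is not code from the thread or from QGIS. The function name and sample bodies are constructed for illustration; the two URLs are the placeholders used in the original message.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

CAPS_ROOTS = {"WMT_MS_Capabilities", "WMS_Capabilities"}  # WMS 1.1.x / 1.3.0
HTML_TYPES = {"text/html", "application/xhtml+xml"}

def classify_wms_response(requested_url, final_url, content_type, body):
    """Return 'capabilities', 'service-exception', 'auth-intercept' or 'unknown'."""
    req, fin = urlsplit(requested_url), urlsplit(final_url)
    # The login page shows up as a redirect to another host or path.
    redirected = (req.netloc, req.path) != (fin.netloc, fin.path)
    mime = content_type.split(";")[0].strip().lower()
    try:
        root = ET.fromstring(body)
        local = root.tag.rsplit("}", 1)[-1]  # drop any XML namespace
    except ET.ParseError:
        local = None                         # usual outcome for real-world HTML
    if local in CAPS_ROOTS:
        return "capabilities"
    if local == "ServiceExceptionReport":
        return "service-exception"
    looks_html = (mime in HTML_TYPES
                  or (local or "").lower() == "html"
                  or b"<html" in body[:512].lower())
    if looks_html or redirected:
        return "auth-intercept"              # session cookies were not sent or not accepted
    return "unknown"

# Constructed sample data (not captured from a real server).
WMS_URL = "http://example/wms?service=WMS&version=1.1.0&request=GetCapabilities"
LOGIN_URL = "https://secure/login.jsp"
CAPS_BODY = (b'<?xml version="1.0"?><WMT_MS_Capabilities version="1.1.0">'
             b'<Service><Name>OGC:WMS</Name></Service></WMT_MS_Capabilities>')
LOGIN_BODY = (b'<!DOCTYPE html><html><head><title>Login</title></head><body>'
              b'<form action="login.jsp"><input name="cert"></form></body></html>')

if __name__ == "__main__":
    print(classify_wms_response(WMS_URL, WMS_URL, "application/vnd.ogc.wms_xml", CAPS_BODY))
    print(classify_wms_response(WMS_URL, LOGIN_URL, "text/html; charset=UTF-8", LOGIN_BODY))
```

Running the same check on a GetCapabilities response and on a GetMap or layer-load response shows which request path is travelling without the authenticated cookies.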

