From: Jamie P. <po...@li...> - 2010-11-17 16:18:24
Thanks Christian.

I'm glad to see you're working on porting the authentication to Spring. I had similar concerns. That's why I moved to a CGI script doing a local request. The credentials are passed through a http://localhost:8080 call... i.e. nothing is passed over the internet. I let another (MD5 protected) form based authentication handle the user's initial login.

I'd like to move to https in the future. That would be even better I think.

Jamie

On Wed, Nov 17, 2010 at 2:27 AM, <chr...@nv...> wrote:

> But you are aware the Basic Authentication does not encrypt the password.
> The password is base64 encoded which is the same security level as sending
> passwords in plain text.
>
> I am working on such issues, look here
> http://jira.codehaus.org/browse/GEOS-4215
>
> For the moment I am still waiting for some feedback.
>
> Quoting Jamie Popkin <po...@li...>:
>
>> Thanks Arne.
>> That's good news for me... It means I'm heading in the right direction. :)
>>
>> I believe I have the format of the cookie correct. I'm starting to wonder
>> if the port number :8080 is tripping up the domain setting of the cookie???
>> That's a shot in the dark though.
>>
>> I'm going to start testing different ways of inserting the cookie into the
>> browser. I'll post back here with my progress.
>>
>> Jamie
>>
>> On Tue, Nov 16, 2010 at 1:30 PM, Arne Kepp <ar...@ti...> wrote:
>>
>>> The trick with the "remember me" cookie should work.
>>>
>>> Note that the value of the cookie starts and ends with a double quote,
>>> and contains ==. Normally these four characters would be URL escaped
>>> (%20, %D3), but then acegi will not accept them. So make sure they're
>>> set exactly like you receive them, I think the cookie is just deleted if
>>> it's rejected.
>>>
>>> Technically, the best practice is probably to write acegi / Spring
>>> Security plugins linked to your frontend application. I found it quite
>>> challenging though.
>>>
>>> -Arne
>>>
>>> On 11/16/10 10:01 PM, Jamie Popkin wrote:
>>> > I'm trying to access some secured wms services through basic
>>> > authentication.
>>> > I figured the most secure way to do this was have a cgi script grab the
>>> > "remember me" authentication cookie through a local curl request. Then
>>> > have that returned to the user and entered as a cookie.
>>> >
>>> > I've been unsuccessful at getting this to work. Can anyone see a
>>> > problem with this set-up?
>>> >
>>> > What is the best (and proper) way to authenticate with Geoserver and
>>> > then access the protected layers. In particular through OpenLayers? I
>>> > can't seem to find any examples that work.
>>> >
>>> > Thanks in advance.
>>> > Jamie

--
Jamie Popkin
Little Earth
250 390 6816
http://littleearth.ca
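
An added example, not code from any poster in this thread or from GeoServer, covering the two points raised above: a Basic Authorization header decodes straight back to the password, so its exposure depends on the transport, and a cookie value wrapped in double quotes and ending in == does not survive URL escaping unchanged. The URLs, credentials and cookie value are constructed, and the function names are hypothetical.

```python
import base64
from urllib.parse import quote, urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def decode_basic(header_value):
    """Recover (user, password) from an Authorization header value, or None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    decoded = base64.b64decode(token.strip()).decode("utf-8")
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None

def exposure(url, headers):
    """Classify how exposed Basic credentials are for one outgoing request."""
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None or decode_basic(auth) is None:
        return "no-basic-credentials"
    parts = urlsplit(url)
    if parts.scheme == "https":
        return "tls-protected"          # the move to https mentioned in the thread
    if parts.hostname in LOOPBACK:
        return "loopback-only"          # the local CGI -> localhost:8080 call
    return "cleartext-on-network"       # base64 only: readable by anyone on the path

def cookie_unchanged_by_url_escaping(value):
    """True only if URL escaping would leave the cookie value byte-identical."""
    return quote(value, safe="") == value

# Constructed sample data (not real credentials, hosts or cookies).
SAMPLE_AUTH = "Basic " + base64.b64encode(b"demo_user:demo_pass").decode("ascii")
SAMPLE_REQUESTS = [
    ("http://localhost:8080/geoserver/wms", {"Authorization": SAMPLE_AUTH}),
    ("http://maps.example.org:8080/geoserver/wms", {"Authorization": SAMPLE_AUTH}),
    ("https://maps.example.org/geoserver/wms", {"Authorization": SAMPLE_AUTH}),
]
SAMPLE_COOKIE = '"' + base64.b64encode(b"sample-cookie-value").decode("ascii") + '"'

if __name__ == "__main__":
    print(decode_basic(SAMPLE_AUTH))
    for url, headers in SAMPLE_REQUESTS:
        print(exposure(url, headers), url)
    # A byte-exact comparison on the receiving side would reject the escaped form.
    print(SAMPLE_COOKIE, "->", quote(SAMPLE_COOKIE, safe=""))
```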