Re: [Geoserver-users] Basic authentication best practices

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Thanks Christian.
I'm glad to see you're working on porting the authentication to Spring.

I had similar concerns. That's why I moved to a CGI script doing a local
request. The credentials are passed through a http://localhost:8080 call...
ie. nothing is passed over the internet. I let another (MD5 protected) form
based authentication handle the user's initial login.

I'd like to move to https in the future. That would be even better I think.

Jamie

On Wed, Nov 17, 2010 at 2:27 AM, <chr...@nv...> wrote:

> But you are aware the Basic Authentication does not encrypt the password.
> The password is base64 encoded which is the same security level as sending
> passwords in plain text.
>
> I am working on such issues, look here
> http://jira.codehaus.org/browse/GEOS-4215
>
> For the moment I am still waiting for some feedback.
>
>
>
> Quoting Jamie Popkin <po...@li...>:
>
>  Thanks Arne.
>> That's good news for me... It means I'm heading in the right direction. :)
>>
>> I believe I have the format of the cookie correct. I'm starting to wonder
>> if
>> the port number :8080 is tripping up the domain setting of the cookie???
>> That's a shot in the dark though.
>>
>> I'm going to start testing different ways of inserting the cookie into the
>> browser. I'll post back here with my progress.
>>
>> Jamie
>>
>> On Tue, Nov 16, 2010 at 1:30 PM, Arne Kepp <ar...@ti...> wrote:
>>
>>  The trick with the "remember me" cookie should work.
>>>
>>> Note that the value of the cookie starts and ends with a double quote,
>>> and contains ==. Normally these four characters would be URL escaped
>>> (%20, %D3), but then acegi will not accept them. So make sure they're
>>> set exactly like you receive them, I think the cookie is just deleted if
>>> it's rejected.
>>>
>>> Technically, the best practice is probably to write acegi / Spring
>>> Security plugins linked to your frontend application. I found it quite
>>> challenging though.
>>>
>>> -Arne
>>>
>>>
>>> On 11/16/10 10:01 PM, Jamie Popkin wrote:
>>> > I'm trying to access some secured wms services through basic
>>> authentication.
>>> > I figured the most secure way to do this was have a cgi script grab the
>>> > "remember me" authentication cookie through a local curl request. Then
>>> have
>>> > that returned to the user and entered as a cookie.
>>> >
>>> > I've been unsuccessful at getting this to work. Can anyone see a
>>> problem
>>> > with this set-up?
>>> >
>>> > What is the best (and proper) way to authenticate with Geoserver and
>>> then
>>> > access the protected layers. In particular through OpenLayers? It can't
>>> seem
>>> > to find any examples that work.
>>> >
>>> > Thanks in advance.
>>> > Jamie
>>>
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Beautiful is writing same markup. Internet Explorer 9 supports
>>> standards for HTML5, CSS3, SVG 1.1,  ECMAScript5, and DOM L2 & L3.
>>> Spend less time writing and  rewriting code and more time creating great
>>> experiences on the web. Be a part of the beta today
>>> http://p.sf.net/sfu/msIE9-sfdev2dev
>>> _______________________________________________
>>> Geoserver-users mailing list
>>> Geo...@li...
>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>>
>>>
>>
>>
>> --
>> Jamie Popkin
>> Little Earth
>> 250 390 6816
>> http://littleearth.ca
>>
>>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.
>
>
>

-- 
Jamie Popkin
Little Earth
250 390 6816
http://littleearth.ca