Web Authentication Provider Community Module Proposal
# Community Module - Basic Authentication with external HTTP Authentication service
A new community module providing an authentication provider that can be used to authenticate users through an external web service.
- Imran Rajjad
- Nuno Oliveira
This proposal is for GeoServer 2.18-RC, 2.17.1 and 2.16.4
- Under Discussion
- In Progress
- Completed
- Rejected
- Deferred
GeoServer already provides various Authentication Providers (e.g. LDAP and JDBC). In addition, there is also the Key authentication module. Taking motivation from these existing modules, a new authentication provider is proposed through which user credentials can be authenticated by an external web service. This is similar to the JDBC and LDAP providers, with the difference that the credentials are sent to a web service. This new provider will extend the integration capabilities of GeoServer to web service based authentication interfaces.
The Web Service Authentication provider will perform the following main tasks when in use.
- Invoke a web service URL containing the placeholders {user} and {password}. These placeholders will be substituted with the credentials present in the authentication chain.
- Optionally, send the credentials in the X-HTTP-AUTHORIZATION header value, if the service does not accept credentials as part of the URL.
It is proposed to accept HTTP response code 200 as successful authentication.
After successful authentication comes the authorization part, where the authenticated user will need to be linked with Authorities using either of the two options below.
- Option 1: Authorities can be parsed from the web service response using a regular expression.
- Option 2: Any available role service in the security catalog can be used to find the authorities of the user. This also includes the default role service.
GeoServer already provides interfaces and abstract classes to implement the proposed Authentication Provider. No new interface is required. The implementations and their context are described below.
Will provide the main implementation through the abstract class org.geoserver.security.GeoServerAuthenticationProvider:
- sending credentials to external service for authentication
- obtaining authorities from the response or an existing role service
Will provide the configuration handling implementation through the abstract class org.geoserver.security.config.BaseSecurityNamedServiceConfig. This implementation will encapsulate the configuration parameters such as the external web service URL and authorities handling.
Will provide the configuration validation implementation by extending org.geoserver.security.validation.SecurityConfigValidator. This implementation will validate the configuration submitted through the GUI. The implementation will validate that:
- Placeholders exist in the URL if credentials are to be embedded into the URL and the header.
- A valid regex has been configured if authorities are to be read from the web service response.
- A valid role service is selected should the user want to use built-in role services.
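The placeholder substitution, the regex-based authority parsing (Option 1) and the first two validation checks can be sketched as follows. This is an added example, not the module's code: the class name, method names, sample URL, regex and response body are all assumptions, and it uses only the JDK.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.*;

// Hypothetical helper, not the proposed module: all names and sample values are assumptions.
public class WebAuthConfigSketch {
    static final String USER = "{user}", PASSWORD = "{password}";

    // Mirrors the validator checks listed above; returns the problems found, empty when valid.
    static List<String> validate(String urlTemplate, boolean credentialsInUrl, String rolesRegex) {
        List<String> problems = new ArrayList<>();
        if (credentialsInUrl && !(urlTemplate.contains(USER) && urlTemplate.contains(PASSWORD)))
            problems.add("URL must contain " + USER + " and " + PASSWORD);
        if (rolesRegex != null) { // null means a role service is used instead (Option 2)
            try { Pattern.compile(rolesRegex); }
            catch (PatternSyntaxException e) { problems.add("invalid roles regex: " + e.getDescription()); }
        }
        return problems;
    }

    // Substitutes the placeholders. Encoding each value stops a credential such as
    // "p@ss&admin=1" from adding its own query parameters to the request.
    static String expand(String urlTemplate, String user, String password) {
        return urlTemplate
                .replace(USER, URLEncoder.encode(user, StandardCharsets.UTF_8))
                .replace(PASSWORD, URLEncoder.encode(password, StandardCharsets.UTF_8));
    }

    // Option 1: each regex match yields one authority (group 1 if the regex has a group).
    static List<String> authorities(String responseBody, String rolesRegex) {
        List<String> roles = new ArrayList<>();
        Matcher m = Pattern.compile(rolesRegex).matcher(responseBody);
        while (m.find()) {
            String g = m.groupCount() >= 1 ? m.group(1) : m.group();
            if (g != null) roles.add(g.trim());
        }
        return roles;
    }

    public static void main(String[] args) {
        String url = "https://auth.example.org/check?user={user}&pass={password}"; // constructed
        String regex = "\"role\"\\s*:\\s*\"([^\"]+)\"";                              // constructed
        String body = "{\"roles\":[{\"role\":\"ROLE_EDITOR\"},{\"role\":\"ROLE_VIEWER\"}]}"; // constructed
        System.out.println(validate(url, true, regex));
        System.out.println(expand(url, "alice", "p@ss&admin=1"));
        System.out.println(authorities(body, regex));
    }
}
```

Credentials embedded in a URL can be recorded in proxy and server access logs, which is a reason to prefer the header option where the external service supports it.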
Will provide the implementation to integrate the new functionality into the GeoServer authentication chain by implementing the abstract class org.geoserver.security.GeoServerSecurityProvider. This implementation will be responsible for:
- Registering the new implementation in the GeoServer security ecosystem.
- Deciding which Authentication Filter is compatible with Web Service Authentication.
- Configuring the configuration validation.
The Web Service Authentication provider will appear as a new option among the existing Authentication Providers.
A regex to parse authorities from the web service response.
Using existing role services to obtain authorities after successful authentication.
This is a new authentication provider with an encapsulated implementation, so no backward compatibility issues are expected.
Project Steering Committee:
- Alessio Fabiani:
- Andrea Aime:
- Ian Turton:
- Jody Garnett:
- Jukka Rahkonen:
- Kevin Smith:
- Nuno Oliveira:
- Simone Giannecchini:
- Torben Barsballe:
©2020 Open Source Geospatial Foundation