Proposal #1: implement an authentication REST API to be used from GeoServer - geoserver/geofence GitHub Wiki
To improve the GeoFence - GeoServer integration, we think we should make it possible to share the users configured in GeoFence with the GeoServer instances bound to it, so that user configuration is not duplicated.
Proposal
We propose to:
- add a new REST API to GeoFence for authentication purposes: the API should have a GET endpoint to authenticate a user by username and password (possibly encrypted), with a YES/NO response type
- create a new GeoServerAuthenticationProvider to be integrated in the GeoFence - GeoServer probe: this should be able to call the new GeoFence REST authentication API to authenticate a GeoServer user
Authentication API
The authentication API has the following specification:
Authentication operations
CRUD operations on Authentication.
Service base path: /authenticate
Login
Returns an empty response (the real response is in the HTTP response status code).
HTTP method: GET
Path: /
Query params (mandatory):
- username: the username of the user to be authenticated
- password: the password of the user
HTTP return codes
- 200: user authenticated
- 401: user not authenticated
- 500: generic internal error
GeoServer AuthenticationProvider
The custom AuthenticationProvider will:
- transfer authentication requests received by GeoServer (for example via Basic HTTP Authentication) to GeoFence via the Authentication REST API
- implement a cache mechanism similar to the one implemented in the Authorization service, to improve performance of authenticated requests.
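The provider's decision logic over the three return codes above, with a cache of successful logins, as an added sketch in Python; it is not GeoFence or GeoServer code. The names CachingAuthenticator, geofence_status and AuthServiceError, the base_url parameter and the 30-second TTL are assumptions made for illustration.

```python
import hashlib, hmac, os, time
import urllib.error, urllib.parse, urllib.request

class AuthServiceError(Exception):
    """GeoFence answered with something other than 200 or 401."""

def geofence_status(base_url, username, password, timeout=5):
    # The spec puts the password in the query string: use HTTPS and keep
    # these URLs out of access logs and proxies that record query strings.
    query = urllib.parse.urlencode({"username": username, "password": password})
    try:
        with urllib.request.urlopen(f"{base_url}/authenticate/?{query}", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # 401 and 500 arrive as HTTPError

class CachingAuthenticator:
    def __init__(self, check, ttl=30.0, clock=time.monotonic):
        self._check = check          # callable(username, password) -> HTTP status
        self._ttl = ttl              # assumed lifetime of a cached success, seconds
        self._clock = clock
        self._key = os.urandom(32)   # per-process HMAC key: cache holds no plaintext passwords
        self._valid_until = {}       # HMAC(credentials) -> expiry time

    def _cache_key(self, username, password):
        user = username.encode()
        # Length prefix keeps ("ab", "c") and ("a", "bc") distinct.
        msg = len(user).to_bytes(4, "big") + user + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def authenticate(self, username, password):
        key, now = self._cache_key(username, password), self._clock()
        if self._valid_until.get(key, float("-inf")) > now:
            return True                      # cached 200, still fresh
        self._valid_until.pop(key, None)
        status = self._check(username, password)
        if status == 200:
            self._valid_until[key] = now + self._ttl
            return True
        if status == 401:
            return False                     # never cached: retried against GeoFence
        raise AuthServiceError(status)       # 500 or anything else: fail closed
```

Only 200 responses are cached, so a password changed or revoked in GeoFence keeps working on GeoServer for at most one TTL; wire the two together with `CachingAuthenticator(lambda u, p: geofence_status(base_url, u, p))`.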
Additional Development
In a second phase we could:
- implement some form of password encryption / hashing, or even more complex flows, such as one time passwords
- introduce a pluggable mechanism to delegate GeoFence user management to an external service, such as LDAP