
Web Authentication Provider Community Module Proposal

Imran edited this page Apr 8, 2020 · 2 revisions

Community Module: Basic Authentication with an external HTTP Authentication service

Overview

A new community module providing an authentication provider that can be used to authenticate users through an external web service.

Proposed By

  • Imran Rajjad
  • Nuno Oliveira

Assigned to Release

This proposal is for GeoServer 2.18-RC, 2.17.1 and 2.16.4

State

  • Under Discussion
  • In Progress
  • Completed
  • Rejected
  • Deferred

Motivation

GeoServer already provides various Authentication Providers (e.g. LDAP and JDBC). In addition there is also the Key authentication module. Taking motivation from these existing modules, a new authentication provider is proposed through which user credentials can be authenticated against an external web service. This is similar to the JDBC and LDAP providers, with the difference that the credentials are sent to a web service. This new provider will extend the integration capabilities of GeoServer to web service based authentication interfaces.

Proposal

High Level Plan

Web Service Authentication provider will perform the following main tasks when in use.

Handling Credentials

  • Using a URL of the web service to invoke, with placeholders {user} and {password}. These placeholders will be substituted with the credentials present in the authentication chain.
  • Optionally, credentials can be sent in the X-HTTP-AUTHORIZATION header value if the service does not accept credentials as part of the URL.

It is proposed to accept HTTP response code 200 as successful authentication.
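The credential handling described above, as an added example that is not part of the proposal or of GeoServer's code. The placeholder names {user} and {password}, the X-HTTP-AUTHORIZATION header and the "only HTTP 200 is success" rule come from the proposal; the function names, the `user:password` header value format and the injectable `transport` callable are assumptions of this example. Credentials substituted into the URL are percent-encoded so that characters such as '&' or '/' in a password cannot alter the query string.

```python
from urllib.parse import quote

# Header name from the proposal; the "user:password" value layout is an assumption.
AUTH_HEADER = "X-HTTP-AUTHORIZATION"
USER_PLACEHOLDER = "{user}"
PASSWORD_PLACEHOLDER = "{password}"


def build_request(url_template, user, password, send_in_header=False):
    """Return (url, headers) for the call to the external authentication service.

    URL mode: substitute the placeholders with percent-encoded credentials.
    Header mode: send the credentials only in the header and blank out any
    placeholders left in the template so the literal '{user}' is never sent.
    """
    if send_in_header:
        url = url_template.replace(USER_PLACEHOLDER, "").replace(PASSWORD_PLACEHOLDER, "")
        headers = {AUTH_HEADER: f"{user}:{password}"}
        return url, headers
    # safe="" also encodes '/', so a password cannot add path segments.
    url = url_template.replace(USER_PLACEHOLDER, quote(user, safe=""))
    url = url.replace(PASSWORD_PLACEHOLDER, quote(password, safe=""))
    return url, {}


def authenticate(url_template, user, password, transport, send_in_header=False):
    """Call the service via `transport(url, headers) -> status code`.

    Only an exact 200 counts as successful authentication; 204, 3xx redirects
    or any other status are treated as a failed login.
    """
    url, headers = build_request(url_template, user, password, send_in_header)
    status = transport(url, headers)
    return status == 200


if __name__ == "__main__":
    # Constructed transport standing in for the real HTTP client.
    fake_service = lambda url, headers: 200 if "u=alice" in url else 401
    print(authenticate("https://auth.example/check?u={user}&p={password}",
                       "alice", "p&ss w/rd", fake_service))
```

With credentials in the URL the password ends up in the external service's access logs and in any intermediate proxy logs, which is the practical reason to prefer the header option, and in either case the service URL should be HTTPS.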

Handling Authorization / Roles

After successful authentication comes the authorization part, where the authenticated user will need to be linked with Authorities using one of the two options explained below.

  • Option 1 : Authorities can be parsed from the web service response using a regular expression.

  • Option 2 : Any available role service in the security catalog can be used to find the authorities of the user. This also includes the default role service.
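Both authority options, as an added example that is not part of the proposal or of GeoServer's code. The assumptions are: the configured regular expression has one capturing group, every match of that group contributes authorities, and a comma-separated group value is split into several authorities; the role service is represented by a constructed user-to-roles dictionary standing in for a GeoServer role service. The sample response body is constructed as well.

```python
import re

# Constructed response body from a hypothetical authentication service.
SAMPLE_BODY = (
    '<auth status="ok"><roles>ROLE_EDITOR, ROLE_READER</roles>'
    '<roles>ROLE_ADMIN</roles><roles>ROLE_READER</roles></auth>'
)
# Constructed regex for that body; group 1 holds the role list.
SAMPLE_ROLE_REGEX = r"<roles>([^<]*)</roles>"
# Constructed stand-in for an existing role service (Option 2).
SAMPLE_ROLE_SERVICE = {"alice": ["ROLE_ADMIN"], "bob": []}


def authorities_from_response(body, pattern):
    """Option 1: collect authorities from every match of group 1 in the body.

    Values are trimmed and de-duplicated while keeping first-seen order.
    """
    regex = re.compile(pattern)
    if regex.groups < 1:
        raise ValueError("role regex must contain one capturing group")
    found = []
    for match in regex.finditer(body):
        for raw in match.group(1).split(","):
            role = raw.strip()
            if role and role not in found:
                found.append(role)
    return found


def authorities_from_role_service(username, role_service):
    """Option 2: look the user up in an existing role service."""
    return list(role_service.get(username, []))


def resolve_authorities(username, body, pattern=None, role_service=None):
    """Pick the configured option; with neither configured the user is
    authenticated but carries no authorities, which the caller must treat
    as 'no access' rather than as an error."""
    if pattern is not None:
        return authorities_from_response(body, pattern)
    if role_service is not None:
        return authorities_from_role_service(username, role_service)
    return []


if __name__ == "__main__":
    print(resolve_authorities("alice", SAMPLE_BODY, pattern=SAMPLE_ROLE_REGEX))
    print(resolve_authorities("alice", SAMPLE_BODY, role_service=SAMPLE_ROLE_SERVICE))
```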

Implementation

GeoServer already provides interfaces and abstract classes to implement the proposed Authentication Provider. No new interface is required. The implementations and their context are described below.

SimpleWebServiceAuthenticationProvider

Will provide the main implementation by extending the abstract class org.geoserver.security.GeoServerAuthenticationProvider:

  • sending credentials to external service for authentication
  • obtaining authorities from the response or an existing role service

SimpleWebAuthenticationConfig

Will provide the configuration handling implementation by extending the abstract class org.geoserver.security.config.BaseSecurityNamedServiceConfig. This implementation will encapsulate the configuration parameters, such as the external web service URL and the authorities handling settings.

SimpleWebAuthenticationConfigValidator

Will provide the configuration validation implementation by extending org.geoserver.security.validation.SecurityConfigValidator. This implementation will validate configuration submitted through the GUI. The implementation will validate that:

  • Placeholders exist in the URL (or the header) when credentials are to be embedded there.
  • A valid regex has been configured if authorities are to be read from the web service response.
  • A valid role service is selected should the user want to use the built-in role services.
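The three validation rules above, as an added example that is not part of the proposal or of GeoServer's code. The configuration is a constructed dictionary whose keys (url, use_header, authorities_from_regex, role_regex, role_service) are assumptions of this example, as is the list of available role service names passed in by the caller; a real validator would read these from the provider's config object and the security catalog. The validator collects every problem rather than stopping at the first so the GUI can report all of them at once.

```python
import re

USER_PLACEHOLDER = "{user}"
PASSWORD_PLACEHOLDER = "{password}"


def validate_config(config, available_role_services):
    """Return a list of error messages; an empty list means the config is valid."""
    errors = []
    url = config.get("url", "")

    # The service URL must be absolute; anything else cannot be invoked.
    if not url.startswith(("http://", "https://")):
        errors.append("url must be an absolute http(s) URL")

    # Rule 1: placeholders must be present when credentials go into the URL.
    if not config.get("use_header", False):
        for placeholder in (USER_PLACEHOLDER, PASSWORD_PLACEHOLDER):
            if placeholder not in url:
                errors.append(f"url must contain the {placeholder} placeholder "
                              "when credentials are sent in the URL")

    if config.get("authorities_from_regex", False):
        # Rule 2: the role regex must compile and expose one capturing group.
        pattern = config.get("role_regex", "")
        try:
            if re.compile(pattern).groups < 1:
                errors.append("role regex must contain one capturing group")
        except re.error as exc:
            errors.append(f"role regex is invalid: {exc}")
    else:
        # Rule 3: the selected role service must exist in the security catalog.
        role_service = config.get("role_service")
        if role_service not in available_role_services:
            errors.append(f"role service '{role_service}' is not available")

    return errors


if __name__ == "__main__":
    # Constructed configuration and catalog contents.
    good = {"url": "https://auth.example/check?u={user}&p={password}",
            "authorities_from_regex": True, "role_regex": r"<roles>([^<]*)</roles>"}
    print(validate_config(good, ["default"]))
```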

SimpleWebServiceSecurityProvider

Will provide the implementation to integrate the new functionality into the GeoServer authentication chain by implementing the abstract class org.geoserver.security.GeoServerSecurityProvider. This implementation will be responsible for:

  • Registering the new implementation in the GeoServer security ecosystem.
  • Deciding which Authentication Filter is compatible with Web Service Authentication.
  • Wiring up the configuration validation.

GUI

The Web Service Authentication provider will appear as a new option among the existing Authentication Providers.

[Screenshot: authentication provider selection]

Using Regex to parse authorities

A regular expression is configured to parse authorities from the web service response.

[Screenshot: regex configuration]

Using existing Role Services for authorities

Using existing role services to obtain authorities after successful authentication.

[Screenshot: role service selection]

Backwards Compatibility

This is a new authentication provider with an encapsulated implementation; no backward compatibility issues are expected.

Feedback

Voting

Project Steering Committee:

  • Alessio Fabiani:
  • Andrea Aime:
  • Ian Turton:
  • Jody Garnett:
  • Jukka Rahkonen:
  • Kevin Smith:
  • Nuno Oliveira:
  • Simone Giannecchini:
  • Torben Barsballe:

Links
