Security Page - geosolutions-it/MapStore GitHub Wiki

General Information

MapStore allows configuring several security aspects, either to integrate it with existing infrastructure or to use its own. In this section we will see how to configure the different options, together with the GeoStore and OpenSDI-Manager components.

Authentication

Both Composer and Manager allow authentication, using a Login/Logout plugin. The Manager has the plugin enabled by default, while in Composer it has to be included explicitly.

Currently, two different login protocols are supported by the existing plugins:

  • GeoStore user details service
  • OpenSDI-Manager session service

These can be combined with two different authentication systems used to communicate with MapStore services:

  • Basic Authentication
  • Bearer Token

Basic configuration

Basic authentication configuration can be done editing the localConfig.js file.

var localConfig = {
   geoStoreBase: "http://myserver.com/geostore/rest/",
   adminUrl: "http://myserver.com/admin/",
   authenticationMethod: "token",
   sessionLogin: true,
   ...
};
  • geoStoreBase: URL used to communicate with GeoStore
  • adminUrl: URL used to communicate with OpenSDI-Manager
  • authenticationMethod: (basic / token) configures the authentication headers sent to recognized services (basically GeoStore and OpenSDI-Manager)

Only for Manager: (Composer uses different plugins for different login types)

  • sessionLogin: (true / false) if true OpenSDI-Manager session login will be used, if false GeoStore user details service

Authentication using tokens

Tokens are unique strings that can be used to get user identity without using its credentials. MapStore supports two kind of tokens:

  • GeoStore static tokens: these are implemented via a UUID attribute in the GeoStore user JSON descriptor, so the token is automatically fetched from GeoStore at login time and used for further communication
  • OpenSDI-Manager session tokens: these are implemented via a REST Session Service that creates a unique session token at login time (the login service receives credentials via Basic Authentication only on the first call); both GeoStore and OpenSDI-Manager can then accept the token as a Bearer token to authenticate the following requests, until the user logs out or the token expires (in both cases the token is destroyed and is no longer recognized as valid).

GeoServer integration using authkey

Composer supports the usage of tokens also for GeoServer authentication. This is enabled by the GeoServer authkey extension. The integration can be enabled by adding the authParam configuration to any WMS source. If a token is retrieved by the login plugin and the source has authParam configured, authkey will be automatically used.

In addition, GeoStore and GeoServer can be integrated by configuring a GeoServer JDBC UserGroup Service that reads the GeoStore database format. See here for further details.

If OpenSDI-Manager dynamic tokens are used, the authkey module needs to be configured to use an external web service, pointing it at the OpenSDI-Manager session service URL. See here for further details.

Common Scenarios

In this section we will see how some basic scenarios can be configured, both in Composer and Manager.

GeoStore Login with Basic Authentication

This is the default configuration, but the least secure: username and password are sent with every request over the network, Base64-encoded but effectively unencrypted.

GeoStore and OpenSDI-Manager can be used in their default configuration.

To enable this scenario in MapStore, edit localConfig.js:

var localConfig = {
   geoStoreBase: "http://myserver.com/geostore/rest/",
   adminUrl: "http://myserver.com/admin/",
   authenticationMethod: "basic",
   sessionLogin: false,
   ...
};

To enable this kind of login in Composer, add the login plugin to its configuration:

{
    "ptype" : "gxp_geostore_login",
    "actionTarget": "paneltbar",
    "loginText": "MapStore Login",
    "reloadOnLogin": true
}

GeoStore Login with Static Token Authentication

This is a simple configuration, but still not very secure: a per-user token is sent with every request over the network. The token is always the same for the same user (unless it is changed in the GeoStore database by some external procedure, which requires custom code).

GeoStore and OpenSDI-Manager can be used in their default configuration (the GeoStore authenticationTokenProcessingFilter is automatically enabled together with Basic Authentication in latest versions).

To enable this scenario in MapStore, edit localConfig.js:

var localConfig = {
   geoStoreBase: "http://myserver.com/geostore/rest/",
   adminUrl: "http://myserver.com/admin/",
   authenticationMethod: "token",
   sessionLogin: false,
   ...
};

To enable this kind of login in Composer, add the login plugin to its configuration:

{
    "ptype" : "gxp_geostore_login",
    "actionTarget": "paneltbar",
    "loginText": "MapStore Login",
    "reloadOnLogin": true
}

To enable GeoServer authkey integration:

  • Configure a geostore JDBC User / Group Service, see here
  • Configure the related WMS source with the property "authParam": "authkey"
  • Configure authkey to use the session service:
      • Authentication key to user mapper: User Property
      • User / Group service: geostore

OpenSDI-Manager Session Service Login with Dynamic Token Authentication

This is a more secure configuration: a per-session token is sent with every request over the network. The token is automatically created at login time and destroyed at logout or after an expiration time.

GeoStore needs to be configured to use OpenSDI-Manager services for token verification. To do that, the geostore-spring.security.xml file (in WEB-INF/classes) must be changed. The default configuration contains a commented-out authenticationTokenProcessingFilter for the dynamic session check: comment out the standard one, uncomment the dynamic one and change the service URL:

<bean class="it.geosolutions.geostore.services.rest.security.WebServiceTokenAuthenticationFilter"
        id="authenticationTokenProcessingFilter">
    <constructor-arg><value>http://myserver.com/admin/mvc/session/username/{token}</value></constructor-arg>
</bean>

To enable this scenario in MapStore, edit localConfig.js:

var localConfig = {
   geoStoreBase: "http://myserver.com/geostore/rest/",
   adminUrl: "http://myserver.com/admin/",
   authenticationMethod: "token",
   sessionLogin: true,
   ...
};

To enable this kind of login in Composer, add the session login plugin to its configuration:

{
    "ptype" : "gxp_session_login",
    "actionTarget": "paneltbar",
    "loginText": "Session Login",
    "reloadOnLogin": true
}

To enable GeoServer authkey integration:

  • Configure a geostore JDBC User / Group Service, see here
  • Configure the related WMS source with the property "authParam": "authkey"
  • Configure authkey to use the session service:
      • Authentication key to user mapper: Web Service
      • Web Service URL, with key placeholder: http://myserver.com/admin/mvc/session/username/{token}
      • User / Group service: geostore