I am trying to build a web application using html and javascript from which I want to login to geoserver hosted at: https://weaveprod.ucdp.utah.edu/geoserver/web/
I have written the following code for authentication using javascript.But it is always giving login failed.Kindly help me out.
HTML code:
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
<script src="//code.jquery.com/jquery-1.10.2.js"></script>
<link rel="stylesheet" type="text/css" href="login.css">
<script type="text/javascript" src="login_auth.js" ></script>
<script type="text/javascript">
var option;
option = {
user: "****",
password: "****",
server: 'https://weaveprod.ucdp.utah.edu/geoserver/web/?wicket:bookmarkablePage=:org.geoserver.web.GeoServerLoginPage',
success: function () {
alert("Login OK!");
},
failure: function () {
alert("Login fail!");
}
};
</script>
</head>
<body>
<!-- Begin Page Content -->
<div id="container">
<form>
<label for="username">Username:</label>
<input type="text" id="username" name="username">
<label for="password">Password:</label>
<input type="password" id="password" name="password">
<div id="lower">
<input type="checkbox" id="checkbox" name="checkbox"><label class="check" for="checkbox">Keep me logged
in</label>
<input type="submit" value="Login" onclick="login(option)">
</div>
<!--/ lower-->
</form>
</div><!--/ container-->
<!-- End Page Content -->
</body>
</html>
Javascript code:
function login (options) {
// url del servlet del geoserver
var url = options.server;
// parametros para el login
params = "username=" + options["user"] + "&password=" + options["password"];
var contentType = "application/x-www-form-urlencoded";
//se inicializa la peticiĆ³n ajax
var ajax = $.ajax({
data : params,
type : "GET",
crossDomain: true,
dataType: "jsonp",
contentType : contentType,
url : url
});
// se ejecuta cuando la peticion finaliza
ajax.done(function() {
if ($.cookie("JSESSIONID") != null && options && options.success) {
options.success();
}
});
// si ocurrio un error al realizar la peticion
ajax.fail(function() {
if (options && options.failure) {
options.failure();
}
});
// se ejecuta siempre al final de la peticiĆ³n, sin importar que esta
// haya fallado
ajax.always(function() {
if (options && options.always) {
options.always();
}
});
};
NOTE: Earlier in the javascript code, I used a POST request.But it is still giving a login failed message.The webpage and the server are in different domains and I do not have access to the source code of the server.
Thanks,
Sayan
Best Answer
There are some security issues here.
I guess the reason you got the "different domain" message is because of the same origin policy, which is something browsers enforce to ensure that javascript does not execute scrips coming from other sites than the one you are currently on. This is mitigating the possibility of XSS (google it).
The second "issue" I see for you here is that you store the password in cleartext in javascript. It is fairly simple for an attacker to find the geoserver username/password then, all one needs to do is to take a short look at the javascript code that you send out (and yes, anyone can do that). Of course, I assume that only authenticated and authorized users will get this code sendt to their browsers? Do you also use ssl to prevent sniffing of the password?