[GIS] Openlayers 3 getting 401 error from geoserver with secured layers

geoserveropenlayersSecurity

I have an OL3 webmap that is attempting to access services from Geoserver that is running on a server on our internal network that uses LDAP logins using windows credentials. I found this link (Accessing secure Geoserver layer with username password) and this link (https://stackoverflow.com/questions/10950747/authenticate-in-geoserver-with-asp-net-and-iis/13123640#13123640) and tried both but it is not resolving the 401 error issue.

This is the code I have from the second link:

//login function
function login (options) {
// url del servlet del geoserver
var url = options.server + "/geoserver/j_spring_security_check";
// parametros para el login
params = "username=" + options["user"] + "&password="
            + options["password"];

var contentType = "application/x-www-form-urlencoded";
//se inicializa la petición ajax
var ajax = $.ajax({
    data : params,
    type : "POST",
    contentType : contentType,
    url : url
});
// se ejecuta cuando la peticion finaliza
ajax.done(function() {

    if ($.cookie("JSESSIONID") != null && options && options.success) {
        options.success();
    }
});
// si ocurrio un error al realizar la peticion
ajax.fail(function(data) {
    if (options && options.failure) {
        options.failure(data);
    }
});
// se ejecuta siempre al final de la petición, sin importar que esta
// haya fallado
ajax.always(function() {
    if (options && options.always) {
        options.always();
    }
});
};
var un = prompt("enter your username","");
var pw = prompt("enter your password","");
login({
    user: un, //geoserver user  
    password: pw, 
    server : "http://(host server here):8080", //geoserver host
    success : function(){
        alert("Login OK!");
    },
    failure : function(){
        alert("Login fail!");
    }
});

Also, if I log into the geoserver admin webpage in a separate tab, I can then open the webmapping application with no issue. I would like to ideally remove this step by putting in the geoserver login into the actual webpage (and preferably not store the login credentials anywhere for security purposes).

Best Answer

I'm not familar with GeoServer, but I found this.

More generally spoken: HTTP-Status 401 means, that the server which receives your request is secured by "Basic Authentication" (hopefully via HTTPS). You have to put the credentials in the HTTP-Request Header "authorization" (this term is a bit misleading).

The content of header "authorization" looks like
Basic dXNlcjAxOnRvcFNlY3JldA==
The second word is the Base64 encoded presentation of user01:topSecret , with ':' as separator between username and password.

Related Solutions

[GIS] Programmatic authentication to ArcGIS Server secured layers via RESTful API

I finally found what I was looking for: a proper ArcGIS Server web endpoint that I could use to generate tokens!

The call is this:

GET http://<arcgisserver_host:port>/arcgis/tokens?request=getToken&username=<usr>&password=<usr>&expiration=<token_lifespan>

which gives back the token into the HTTP response body, and one can send it along to any further request to secured resources without being prompted for credentials again. The token must be the value for the Cookie request header, as it is currently stored into a cookie on the client side.

But...damn! This token generator is NOT part of the ArcGIS Server REST API!!! I couldn't find it in the online API documentation! Where in the world could I found it???

This means that ArcGIS Server does not have a RESTful authentication framework.

In example, if we have this mapservice exposed under the ArcGIS REST API: /arcgis/rest/services/myDir/myMapService/MapServer/layers and we try to GET this resource, what we get from ArcGIS Server is a response having a 200: OK status code and an HTML document in the body (the HTML is a login form). From a would-be-RESTful login, I would expect that the request gave me back a 401: Authentication Required status code along with a WWW-Authenticate header... I tested this whole thing out myself using a REST client program.

[GIS] GeoServer LDAP Authentication ‘Test Connection’ succeeds, but login fails

I got a solution working on GeoServer 2.7.2 that was very similar to @xcer however I didnt need to add an extra Group, as adding the users to the default User Group Service seemed to be enough for me.

In short:

I added an LDAP authentication provider (much the same as in the question above) with User Group Server pointing to `default'. Connection tested OK.
Under menu section 'Users, Groups, Roles' I opened tab 'Users/Groups' and proceeded to add each user manually with a random password and ADMIN role.
In the Provider Chain, I also had default listed first, and my ad-ldap authentication provider listed second.

I found that this:

Enabled me to log in using either password (ie the one via Active Directory / LDAP, as well as the manual password I provided for each user).
Once I logged in (using either password), the permissions that got applied were the ones in the default User Group Provider that can be added and modified manually via the interface.

Not sure if this was the intended way to get it working - it would have been a better solution overall if I could just apply permissions via LDAP groups. But after battling with Geoserver for 3 hours solid that was the best that I could manage.

Best Answer

Related Solutions

[GIS] Programmatic authentication to ArcGIS Server secured layers via RESTful API

[GIS] GeoServer LDAP Authentication ‘Test Connection’ succeeds, but login fails

Related Question