I disable all anonymous requests (WMS/WFS/… ) to my GeoServer, but now I can't access to any layer from my OpenLayers app.
I want to know if it is possible authenticate on my GeoServer via PHP or JavaScript before any OpenLayers request.
If yes, what is the best option? Via PHP cURL, JavaScript or proxy (http://docs.geoserver.org/stable/en/user/security/tutorials/httpheaderproxy/index.html)
Best Answer
We do not use GeoServer Authentication, but we do use an ASP version of that Proxy Script we wrote ourselves with some tweaks.
Our script handles the authentication via a Hashtag we included in the WMS Client Calls.
The HashTag is set into a database at the Application Level User Login and removed at LogOut or Timeout. It is sent to the client via Ajax at Client logIn Time as well.
The Hashtag is used only once and is not repeated again for x amount of days. (we use one year)
We use a url format as follows (asp)
and parse out the hash between the
?and the:-:in the proxy script, check the tag is valid then rebuild the string to a new valid url pointing to the Geoserver instance.Of course, you have to handle the return posts from Geoserver and forward back to the client, the script you mentioned handles that.
If your Geoserver Instance is behind the proxy and only accessible via a local lan, then this is all you need, It is secure. If not, you need to set up a firewall rule on the Geoserver machine that only allows port 8080 from your proxy Ip Address.
This way, we do not have to keep track of hosts and we handle authentication at the Application Level. Invalid or no hash tag, no tiles.
We later enhanced our script to load balance over multiple GeoServer Instances and forward some requests to GeoWebCache and some to GeoServer depending on the application requirements. It does give you a great deal of control over your setup!