OpenPlans Authentication

This documentation is no longer maintained. Please see the new GeoServer documentation at http://docs.geoserver.org

The OpenPlans Authentication module provides an alternative means of authenticating users with Geoserver.  In particular, it allows users already logged into sites powered by OpenCore (such as http://openplans.org/) to be authenticated with Geoserver without providing any further credentials.

Authentication Scheme

The OpenCore authentication scheme is fairly straightforward.  When a user provides a valid username and password combination to the OpenPlans website, a cookie is set with a token.  The token is formed by hashing the username against a known secret, concatenating the username with the hash (separated by a colon), and base64 encoding the result.  In pseudocode, this is:

cookie = base64encode(username + "\0" + hash(username, secret));

Therefore, to test whether a user is logged in, we simply check for the cookie, base64 decode it, split off the username, recompute the hash of that username with the secret, and verify that it matches the hash carried in the cookie.  The Geoserver instance must therefore have access to the secret used for creating the tokens; without it, a token can be neither verified nor forged.
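The scheme above as an added worked example (not code from the GeoServer module): it builds a token the way the pseudocode does and verifies it the way the text describes. It assumes the NUL delimiter of the pseudocode (the prose says colon; the two disagree on this page), a keyed HMAC-SHA256 as hash(username, secret), and hex encoding of the hash; none of these details is specified here, so treat them as assumptions.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Assumptions not stated on the page: hash(username, secret) is HMAC-SHA256
# keyed with the secret and hex-encoded, and the delimiter is the NUL byte
# from the pseudocode rather than the colon mentioned in the prose.
DELIM = b"\0"


def token_hash(username: str, secret: bytes) -> str:
    """hash(username, secret): keyed, so it cannot be recomputed without the secret."""
    return hmac.new(secret, username.encode("utf-8"), hashlib.sha256).hexdigest()


def make_cookie(username: str, secret: bytes) -> str:
    """cookie = base64encode(username + "\\0" + hash(username, secret))"""
    raw = username.encode("utf-8") + DELIM + token_hash(username, secret).encode("ascii")
    return base64.b64encode(raw).decode("ascii")


def authenticate(cookie: Optional[str], secret: bytes) -> Optional[str]:
    """Return the username if the cookie is valid, else None; never raise on bad input."""
    if not cookie:
        return None  # no cookie: not logged in
    try:
        raw = base64.b64decode(cookie, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed base64
        return None
    username_b, sep, provided = raw.partition(DELIM)
    if not sep or not username_b:
        return None  # no delimiter or empty username
    try:
        username = username_b.decode("utf-8")
    except UnicodeDecodeError:
        return None
    expected = token_hash(username, secret).encode("ascii")
    # constant-time comparison so timing reveals nothing about the expected hash
    if not hmac.compare_digest(expected, provided):
        return None
    return username
```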

Running the Code

The code for the authentication module is entirely contained within the community/openplans-authentication directory in Geoserver SVN.  However, there are a number of modifications that must be made to other modules to replace the default authentication module with the custom one.

1. Change GeoServer's Acegi configuration to use the OpenCore authentication code instead of the default (HTTP Basic Authentication).  There is a patch in community/openplans-authentication/filters.patch that makes the needed changes.  It should be applied in the root of your geoserver source tree.

$ cd $GEOSERVER_CHECKOUT
$ patch -p0 < community/openplans-authentication/filters.patch

2. Build with -Popenplans-authentication to compile the community module that contains the OpenPlans authentication filter.  Since the authentication mechanism has changed, many of GeoServer's automated tests fail, so you will need to skip those as well.

$ mvn clean install -Dmaven.test.skip -Popenplans-authentication

3. You should now have a war file at web/target/geoserver.war, ready to use OpenPlans cookies for authentication.  Keep in mind that you must also include the -Popenplans-authentication profile when using the maven jetty target.

$ cd web
$ mvn jetty:run -Popenplans-authentication

Configuration

There are two aspects of the authentication process that can be changed: the value of the OpenPlans secret to use for authentication, and the roles to assign to authenticated users.  GeoServer must be restarted for changes to this configuration to take effect.

Setting the Secret

Simply place the OpenCore secret file (found in $OPENPLANS_DIR/var/secret.txt; see the OpenCore documentation for more detail) in your GeoServer data directory in security/secret.txt.

Assigning User Roles

By default, all users authenticated by this module are assigned the Acegi role of ROLE_ANONYMOUS. If you would like for particular users to have specific roles, you can specify them by entering the roles in a .properties file stored in $GEOSERVER_DATA_DIR/security/roles.properties. This file contains lines of the format username=roles, where roles is a comma-separated list of roles for the user to have. For example, if you wanted the user with username timmy to have the role of ROLE_ADMINISTRATOR as well as the default ROLE_ANONYMOUS, you would add a line to roles.properties that looked like so:

timmy=ROLE_ADMINISTRATOR,ROLE_ANONYMOUS

Added by David Winslow, last edited by David Winslow on Aug 28, 2008