Proposal #1: implement an authentication REST API to be used from GeoServer
Andrea Aime edited this page Oct 6, 2014 · 1 revision
To improve the GeoFence - GeoServer integration, we think we should make it possible to share the users configured in GeoFence with the GeoServer instances bound to it, to avoid duplicating the user configuration.
We propose to:
- add a new REST API to GeoFence for authentication purposes: the API should have a GET endpoint that authenticates a user by username and password (possibly encrypted), with a YES/NO response type
- create a new GeoServerAuthenticationProvider to be integrated in the GeoFence - GeoServer probe: this should be able to call the new GeoFence REST authentication API to authenticate a GeoServer user
The authentication API has the following specification:
CRUD operations on Authentication.
Service base path: /authenticate
Returns an empty response (the real response is in the HTTP response status code).
HTTP method: GET
Path: /
Query params (mandatory):
- username: the username of the user to be authenticated
- password: the password of the user
HTTP return codes:
- 200: user authenticated
- 401: user not authenticated
- 500: generic internal error
The custom AuthenticationProvider will:
- transfer authentication requests received by GeoServer (for example via Basic HTTP Authentication) to GeoFence via the Authentication REST API
- implement a cache mechanism similar to the one implemented in the Authorization service, to improve performance of authenticated requests.
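A sketch of the client side of this specification, as the custom AuthenticationProvider might use it; this is an added example, not code from GeoFence or GeoServer. The class name `GeoFenceAuthClient`, the `baseUrl` prefix and the TTL cache keyed by a SHA-256 digest are assumptions, and the Spring Security wiring of the provider itself is left out.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Duration;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical client for the proposed GET /authenticate endpoint, with a small TTL cache. */
public class GeoFenceAuthClient {
    private final HttpClient http = HttpClient.newBuilder().connectTimeout(Duration.ofSeconds(5)).build();
    // Digest of the credentials -> expiry time (ms). Only successes are stored,
    // so failed guesses cannot grow the map.
    private final Map<String, Long> cache = new ConcurrentHashMap<>();
    private final String baseUrl;   // assumed deployment prefix; use HTTPS, the password travels in the URL
    private final long ttlMillis;

    public GeoFenceAuthClient(String baseUrl, long ttlMillis) {
        this.baseUrl = baseUrl;
        this.ttlMillis = ttlMillis;
    }

    /** true on 200, false on 401; any other status (500 included) throws and is never cached. */
    public boolean authenticate(String username, String password) throws Exception {
        String key = cacheKey(username, password);
        Long expiry = cache.get(key);
        if (expiry != null && expiry > System.currentTimeMillis()) return true;
        if (expiry != null) cache.remove(key, expiry);   // drop the stale entry only
        // Both query parameters are mandatory and must be URL-encoded.
        String query = "username=" + URLEncoder.encode(username, StandardCharsets.UTF_8)
                + "&password=" + URLEncoder.encode(password, StandardCharsets.UTF_8);
        HttpRequest req = HttpRequest.newBuilder(URI.create(baseUrl + "/authenticate/?" + query))
                .timeout(Duration.ofSeconds(5)).GET().build();
        int status = http.send(req, HttpResponse.BodyHandlers.discarding()).statusCode();
        if (status == 200) { cache.put(key, System.currentTimeMillis() + ttlMillis); return true; }
        if (status == 401) return false;
        throw new IllegalStateException("GeoFence authentication returned HTTP " + status);
    }

    // Key the cache on a digest so plaintext passwords are not held in the map.
    private static String cacheKey(String username, String password) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(username.getBytes(StandardCharsets.UTF_8));
        md.update((byte) 0);                              // separator between the two fields
        md.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(md.digest());
    }
}
```

A cached success stays valid until its TTL expires, so a password changed or a user removed in GeoFence is only noticed by GeoServer after that interval.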
In a second phase we could consider:
- implement some form of password encryption / hashing, or even more complex flows, such as one time passwords
- introduce a pluggable mechanism to delegate GeoFence user management to an external service, such as LDAP