Support for Basic authentication for Layers and catalog Services #3380

Open
6 tasks
offtherailz opened this issue Nov 30, 2018 · 2 comments


@offtherailz
Member

offtherailz commented Nov 30, 2018

Description

Actually the services that require a sort of authentication different from the auth-key system cannot be added to MapStore Maps. Also, the feasibility of this task has to be investigated.

Here is a draft of the required tasks:

  • Investigate feasibility:
    • Do Leaflet/OpenLayers/Cesium support basic authentication? This means adding the header `Authentication: Basic ...` to the image requests (some libraries use img tags instead of ajax, so this may not be feasible).
  • A catalog (CSW, WMS, WMTS) may require basic authentication (for full access or to add to restricted access layers). So the advanced settings of the catalog configuration should allow adding a username and password. These credentials must not be saved in the catalog when .
  • Investigation: When a layer is added from a catalog to the map, it may need authentication, and the catalog may have username/password access configured too. An analysis of the various use cases for reusing the credentials is required. Here is a list of (some, not all) possible cases:
    • Catalog has the same credentials as the layer. In this case we would like to re-use the same credentials as the catalog, without prompting for authentication again during the user session.
    • Catalog has credentials but the layer is not restricted. This may happen when a privileged user accesses the catalog with his credentials but wants to create maps for the public. In this case the layer may be flagged as access-restricted anyway (see restricted layers in saved maps) but is in fact free.
    • Catalog and layer have different access systems. This makes sense in the case of CSW, which may collect layers from different services.
  • An added layer that has some access restriction should be flagged somehow, so that if the map is saved, the next time the current user (or another) accesses the map, the username and password are prompted for. This is because there is no way to inspect the accessibility of layers. We should investigate if the prompt can be triggered somehow instead of "flagging" layers as restricted (@offtherailz comment: I don't think so because most of the catalogs return some "not found" errors if resources are not accessible, instead of access denied, depending on catalog mode).
  • The credentials should also be configurable inside the layer properties (or with a specific interface), so the user can change them anytime. In any case, these credentials must not be saved as layer properties.
  • Ideally, credentials should be prompted for once per service, not once for each layer.

A good strategy to avoid saving credentials may be to store temporary access rules to the services in the state, appended to the configured ones, if they exist (e.g. auth-key rules). This should guarantee the rules are applied every time the user accesses that service, from ajax or image requests, and also have to have a local list of credentials inserted.

@mbarto
Contributor

mbarto commented Dec 7, 2018

Both OpenLayers and Leaflet allow customizing image loading by extending existing layers, so we could create our own extensions of the impacted layers (WMS and tiled WMS, eventually WMTS ones also) to use custom loaders.
The custom loaders could use axios to load images through XHR, so that we can also take advantage of existing interceptors, eventually. Using XHR we can add all the headers we need.
We need to check if this has any secondary issues and if we should enable/use custom loaders only when needed, switching back to the default ones in other cases.
For saving credentials: we can think of temporarily storing them in localStorage as a cache to avoid asking the user for credentials each time he loads the page again.

@tdipisa tdipisa added this to the 2020.03.00 milestone Jan 15, 2020
@gisnederland

Prompting "once per service" (and not "per layer") is almost essential.
All secured (Dutch) services I use have a password policy where accounts get blocked after 5 wrong tries. That would easily happen if the check was on a per-layer basis.

@tdipisa tdipisa modified the milestones: 2020.03.00, 2021.01.00 Sep 25, 2020
@tdipisa tdipisa removed this from the 2021.02.00 milestone Mar 10, 2021
@tdipisa tdipisa added the inbox label Dec 19, 2022
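
The custom-loader idea and the "once per service" requirement discussed in this thread, combined in one added example (not code from MapStore or from any participant): credentials are held in memory only, every layer of a service shares a single prompt, and a wrong password is tested with one probe request rather than once per tile, which matters under the lockout policy mentioned above. `promptUser`, `ServiceCredentials`, `makeAuthTileLoader` and the injected `deps` are hypothetical names, the header sent is the standard `Authorization: Basic`, and the probe assumes the service answers 401 on its base URL.

```javascript
// Added example. promptUser(serviceUrl) is a hypothetical UI hook -> {username, password}.
const b64 = (s) => btoa(String.fromCharCode(...new TextEncoder().encode(s)));

class ServiceCredentials {
    constructor(promptUser, fetchFn) {
        this.promptUser = promptUser;
        this.fetchFn = fetchFn;
        this.pending = new Map(); // service URL -> Promise<header>; memory only, never saved
    }
    header(serviceUrl) {
        if (!this.pending.has(serviceUrl)) {
            const p = (async () => {
                const { username, password } = await this.promptUser(serviceUrl);
                const auth = "Basic " + b64(`${username}:${password}`);
                // One probe per prompt: a wrong password costs one failed login,
                // not one per tile. Assumes the service answers 401 on its base URL.
                const res = await this.fetchFn(serviceUrl, { headers: { Authorization: auth } });
                if (res.status === 401) throw new Error("credentials rejected: " + serviceUrl);
                return auth;
            })();
            p.catch(() => this.pending.delete(serviceUrl)); // next request prompts again
            this.pending.set(serviceUrl, p); // concurrent layers/tiles share this promise
        }
        return this.pending.get(serviceUrl);
    }
}

// Returns a loader with the (tile, src) shape of an OpenLayers tileLoadFunction.
// deps = { fetch, createObjectURL } are injected so the code also runs outside a browser.
function makeAuthTileLoader(creds, serviceUrl, deps) {
    const origin = new URL(serviceUrl).origin;
    return async (tile, src) => {
        // Never send the Authorization header to a different origin than the service.
        if (new URL(src).origin !== origin) throw new Error("tile URL outside service origin");
        const auth = await creds.header(serviceUrl);
        const res = await deps.fetch(src, { headers: { Authorization: auth } });
        if (!res.ok) throw new Error("HTTP " + res.status + " loading tile");
        tile.getImage().src = deps.createObjectURL(await res.blob());
    };
}
```

In a browser, `deps` would be `{ fetch: (u, o) => fetch(u, o), createObjectURL: (b) => URL.createObjectURL(b) }`, and a real integration would also mark the tile as errored when the returned promise rejects.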