Authentication section

mbarto edited this page Apr 23, 2015 · 5 revisions

Authentication Methods

In the current version, you can use different methods:

Spring security

This option is activated by default. You can change the configuration in geostore-spring-security.xml.

Old methods

To use the old methods, you need to comment out all Spring Security configuration. That means commenting out both the Spring Security filter and the Spring Security import.

Then, you need to add the interceptors that you want to use.

Default interceptor

To use this interceptor, you must uncomment it in the application context for each URL you want to secure.

GeoStore provides two default users:

  • admin with password admin
  • user with password user

With this option, authorization in GeoStore is only at the resource level. This means that there is a Security entity that provides the authorization mechanism for each resource.

Every user can perform specific actions according to their own level of authorization:

  • admin: the administrator of the system. This user can perform any kind of action on every stored resource.
  • user: this user can perform any kind of action on its own resources, but not on other users' resources.
  • guest (not authenticated): this user can see all resources in the system, but cannot delete or modify them.

You can authenticate for a service by adding the query string ?user=&psw= to the service URL.

About users creation

For the creation of new users, see the REST API section and Inizialize User and Categories.

Auto create users

This option is disabled by default.

You can activate the auto create user interceptor in the configuration file:

        <jaxrs:inInterceptors>
            <!-- Auto create users interceptor (uncomment to allow users autocreation for /users requests) -->
            <ref bean="autoCreateUsersInterceptor"/>
            <ref bean="geostoreAuthInterceptor"/>
            <bean class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
               <property name="securedObject" ref="restUserService"/>
            </bean>
        </jaxrs:inInterceptors>

When you uncomment the autoCreateUsersInterceptor, the AutoUserCreateGeostoreAuthenticationInterceptor becomes the first interceptor for the JAX requests. You can change its properties in the property overrider with:

autoCreateUsersInterceptor.autoCreateUsers=true
autoCreateUsersInterceptor.newUsersRole.role=USER
autoCreateUsersInterceptor.newUsersPassword=NONE|USERNAME|FROMHEADER
autoCreateUsersInterceptor.newUsersPasswordHeader=newUserPassword

Some documentation for these options:

  • autoCreateUsers: flag indicating whether a user that does not exist is created when it is first used
  • newUsersRole: role for the new user (default is USER)
  • newUsersPassword: password strategy for the new user. Can be: NONE (empty password), USERNAME (password = username), FROMHEADER (see newUsersPasswordHeader)
  • newUsersPasswordHeader: header key for the new password if the selected strategy is FROMHEADER

Then, you can create a new user with a get user details call:

  • If newUsersPassword==USERNAME

Request: $ curl -u newUser:newUser -XGET http://localhost:9191/geostore/rest/users/user/details

Response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><User><id>3</id><name>newUser</name><role>USER</role></User>

  • If newUsersPassword==NONE

Request: $ curl -u newUser: -XGET http://localhost:9191/geostore/rest/users/user/details

Response: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><User><id>3</id><name>newUser</name><role>USER</role></User>

If you want to activate it on another request, you must add the interceptor for that REST path. For example, to allow user auto-creation on the /data path, you must add the interceptor to the JAX interceptors configuration.
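
A way to review the auto-create settings described above before deploying them, as an added example that is not part of the original page or of GeoStore: it parses a property-overrider file and reports the password strategies that give new accounts an empty or username-equal password, plus any role other than the documented default USER. The function names, finding texts, and both sample files (including the ADMIN role value) are constructed for illustration.

```python
# Added example: audit the autoCreateUsersInterceptor overrides from this page.
# Finding texts and both sample override files are constructed for illustration.
PREFIX = "autoCreateUsersInterceptor."
WEAK_STRATEGIES = {"NONE": "new accounts get an empty password",
                   "USERNAME": "new accounts get a password equal to the username"}

def parse_properties(text):
    """Parse key=value lines, ignoring blanks and # / ! comment lines."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith(("#", "!")):
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return findings for the auto-create-users settings in an override file."""
    props = parse_properties(text)
    def get(name, default=""):
        return props.get(PREFIX + name, default)
    if get("autoCreateUsers", "false").lower() != "true":
        return []  # disabled, which the page documents as the default
    findings = []
    strategy = get("newUsersPassword").upper()
    if strategy in WEAK_STRATEGIES:
        findings.append(WEAK_STRATEGIES[strategy])
    elif strategy != "FROMHEADER":
        findings.append("password strategy missing or unrecognised")
    elif not get("newUsersPasswordHeader"):
        findings.append("FROMHEADER selected but no header name configured")
    role = get("newUsersRole.role", "USER").upper()
    if role != "USER":
        findings.append("auto-created accounts get role " + role)
    return findings

WEAK = """
autoCreateUsersInterceptor.autoCreateUsers=true
autoCreateUsersInterceptor.newUsersRole.role=ADMIN
autoCreateUsersInterceptor.newUsersPassword=USERNAME
"""
FROM_HEADER = """
autoCreateUsersInterceptor.autoCreateUsers=true
autoCreateUsersInterceptor.newUsersRole.role=USER
autoCreateUsersInterceptor.newUsersPassword=FROMHEADER
autoCreateUsersInterceptor.newUsersPasswordHeader=newUserPassword
"""
if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FROM_HEADER", FROM_HEADER)):
        print(name, audit(cfg) or "no findings")
```

An empty result means either that auto-creation is off or that none of these specific settings were flagged; it does not check which REST paths the interceptor is attached to.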