Token Authentication

mbarto edited this page Apr 22, 2015 · 6 revisions

Token based authentication filters

GeoStore supports authentication using a token specified with each request, through a specific header.

This is enabled by default with the following behaviour:

  • the token is fetched from the Authorization HTTP Header
  • the token is checked only if the header value starts with a particular prefix (Bearer, for compatibility with OAuth 2.0); a header using any other scheme is ignored by this filter

Both the header name and prefix can be configured through bean properties (in the geostore-spring-security.xml file).

<bean class="it.geosolutions.geostore.services.rest.security.UserAttributeTokenAuthenticationFilter"
        id="authenticationTokenProcessingFilter">
    <property name="tokenHeader" value="Authorization"/>
    <property name="tokenPrefix" value="Bearer "/>
</bean>

Currently, two different implementations of token validation exist:

  • user attribute based (enabled by default)
  • external web service based

It is possible to enable one of the two (or another custom filter) by changing the default bean definition. The standard geostore-spring-security.xml contains an example configuration for both standard filters.

An internal cache is used to allow fast token validity check. The cache can be configured specifying:

  • the maximum number of entries
  • the entry expiration time (in seconds)

<bean class="it.geosolutions.geostore.services.rest.security.UserAttributeTokenAuthenticationFilter"
        id="authenticationTokenProcessingFilter">
    <property name="cacheSize" value="1000"/>
    <property name="cacheExpiration" value="60"/>
</bean>
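As an added example (not GeoStore code), the following Python models the behaviour described above: the token is taken from the configured header only when the value carries the configured prefix, validated tokens are kept in a bounded cache with a per-entry expiration, and only cache misses reach the validator. The validator callback stands in for either the attribute lookup or the web service call; its name and the clock parameter are assumptions introduced for the example.

```python
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple

# Added example, not GeoStore code. Mirrors the bean properties above:
# tokenHeader / tokenPrefix for header handling, cacheSize / cacheExpiration
# for the validation cache. The validate callback is an assumption standing
# in for the attribute lookup or the web service call.

TOKEN_HEADER = "Authorization"   # tokenHeader
TOKEN_PREFIX = "Bearer "         # tokenPrefix, note the trailing space


def extract_token(headers: Dict[str, str], header: str = TOKEN_HEADER,
                  prefix: str = TOKEN_PREFIX) -> Optional[str]:
    """Return the token carried by the configured header, or None when the
    header is missing, uses another scheme (e.g. "Basic ...") or is empty.
    Header names are case-insensitive in HTTP, so the lookup ignores case."""
    for name, value in headers.items():
        if name.lower() == header.lower():
            if not value.startswith(prefix):
                return None          # not for this filter; other filters may handle it
            token = value[len(prefix):].strip()
            return token or None
    return None


class TokenCache:
    """Bounded cache of token -> username. Entries expire after `expiration`
    seconds; when more than `size` entries are present the oldest is evicted."""

    def __init__(self, size: int = 1000, expiration: int = 60,
                 clock: Callable[[], float] = time.monotonic):
        self.size = size
        self.expiration = expiration
        self.clock = clock           # injectable so tests can advance time
        self._entries: "OrderedDict[str, Tuple[str, float]]" = OrderedDict()

    def get(self, token: str) -> Optional[str]:
        entry = self._entries.get(token)
        if entry is None:
            return None
        username, stored_at = entry
        if self.clock() - stored_at >= self.expiration:
            del self._entries[token]  # expired: force re-validation
            return None
        return username

    def put(self, token: str, username: str) -> None:
        self._entries[token] = (username, self.clock())
        self._entries.move_to_end(token)
        while len(self._entries) > self.size:
            self._entries.popitem(last=False)


def authenticate(headers: Dict[str, str], cache: TokenCache,
                 validate: Callable[[str], Optional[str]]) -> Optional[str]:
    """validate(token) returns the bound username or None. Only validated
    tokens are cached, so failed lookups always reach the validator again."""
    token = extract_token(headers)
    if token is None:
        return None
    username = cache.get(token)
    if username is None:
        username = validate(token)
        if username is not None:
            cache.put(token, username)
    return username
```

One consequence of the cache worth keeping in mind when choosing cacheExpiration: a token that has been validated once keeps authenticating for up to that many seconds even if it is revoked at the source in the meantime, so the value is the revocation delay accepted in exchange for fewer validation calls.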

User Attribute based token filter

This filter is implemented by the UserAttributeTokenAuthenticationFilter class and allows the token to be stored in the GeoStore user object, as an Attribute. The name of the attribute to be used can be configured; by default it is UUID.

<bean class="it.geosolutions.geostore.services.rest.security.UserAttributeTokenAuthenticationFilter"
        id="authenticationTokenProcessingFilter">
    <property name="attributeName" value="UUID"/>
</bean>

External Web Service based token filter

This filter is implemented by the WebServiceTokenAuthenticationFilter class. Token validity is checked by calling an external web service (for example the OpenSDI Session Service).

The URL to call can be specified by configuration. The URL must contain the {token} placeholder, which will be replaced by the actual token.

The service validating the token must return the username bound to the token.

If the username is contained in a complex document (for example XML or JSON), a regular expression can be configured to extract it from the response. The username is taken from the first matching group of the regular expression.

Timeouts for service connection and reading can be configured too.

An optional autoCreateUser property (defaults to false) allows users that do not exist yet to be created automatically.

Newly created users will be given a role of USER, a null password, and an empty list of groups (except for the default everyone group).

An optional enableAutoCreatedUsers property allows newly created users to be left disabled (to introduce a validation step). The default is true.

An optional userMapper allows attributes to be fetched automatically from the web service response.

Currently a JSONExpressionUserMapper is available for services producing a JSON response.

<bean class="it.geosolutions.geostore.services.rest.security.WebServiceTokenAuthenticationFilter"
        id="authenticationTokenProcessingFilter">
    <property name="url" value="http://<server>:<port>/<app>/mvc/session/username/{token}"/>
    <property name="searchUser" value="^(.*)$"/>
    <property name="autoCreateUser" value="true"/>
    <property name="enableAutoCreatedUsers" value="true"/>
    <property name="connectTimeout" value="5"/>
    <property name="readTimeout" value="10"/>
    <property name="userMapper" ref="oauthmapper"/>
</bean>

<bean class="it.geosolutions.geostore.core.security.JSONExpressionUserMapper"
    id="oauthmapper">
    <constructor-arg>
        <map>
            <entry key="email" value="email"/>
            <entry key="logintype" value="'google'"/>
            <entry key="UUID" value="T(java.util.UUID).randomUUID().toString()"/>
        </map>
    </constructor-arg>
</bean>

Examples of searchUser regular expressions

  • ^\s*(.*)\s*$: all text, trimming spaces at both ends
  • ^.*?"user"\s*:\s*"([^"]+)".*$: JSON response where the username is contained in a property named user
  • ^.*?<username>(.*?)</username>.*$: XML response where the username is contained in a tag named username

When one of these is written as the searchUser property value in geostore-spring-security.xml, remember that it sits inside an XML attribute: `<` must be written as &lt; and `"` as &quot;.
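As an added example (not GeoStore code), the following Python walks the web service validation path described in this section with the three searchUser expressions listed above: the {token} placeholder is substituted, the username is taken from the first capturing group, and a user that does not exist yet is created according to autoCreateUser and enableAutoCreatedUsers with the defaults given above (role USER, null password, only the everyone group). The responses are constructed sample data; the User class, the fetch callback and the percent-encoding of the token before substitution are assumptions of the example, not the project's implementation.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
from urllib.parse import quote

# Added example, not GeoStore code. Models the web service validation path with
# the settings named above (url, searchUser, autoCreateUser,
# enableAutoCreatedUsers). The regular expressions are the searchUser examples
# from this page; the responses below are constructed sample data and the User
# class and fetch callback are assumptions, not the project's classes.

SEARCH_TRIM = r"^\s*(.*)\s*$"
SEARCH_JSON = r'^.*?"user"\s*:\s*"([^"]+)".*$'
SEARCH_XML = r"^.*?<username>(.*?)</username>.*$"


def extract_username(response: str, search_user: Optional[str]) -> Optional[str]:
    """The username is the first capturing group of searchUser; no match or an
    empty group means no user (the token is rejected). Without searchUser the
    whole body is used. Neither Java nor Python lets '.' cross a newline by
    default, so a pretty-printed multi-line response would not match these
    patterns as written."""
    if search_user is None:
        name = response.strip()
        return name or None
    m = re.match(search_user, response)
    if m is None:
        return None
    # With a greedy (.*) the trailing spaces end up inside the group, so the
    # group is stripped here as well (an assumption about the implementation).
    name = m.group(1).strip()
    return name or None


@dataclass
class User:
    # Defaults follow the page: role USER, null password, only the everyone group.
    name: str
    role: str = "USER"
    password: Optional[str] = None
    groups: List[str] = field(default_factory=lambda: ["everyone"])
    enabled: bool = True


@dataclass
class WebServiceTokenFilter:
    fetch: Callable[[str], str]        # GET the given URL, return the body (assumed)
    url: str                           # must contain {token}
    search_user: Optional[str] = None
    auto_create_user: bool = False
    enable_auto_created_users: bool = True
    users: Dict[str, User] = field(default_factory=dict)

    def authenticate(self, token: str) -> Optional[User]:
        # Percent-encode the token before substitution so characters such as
        # '/' or '?' cannot change the path or query of the validation URL.
        body = self.fetch(self.url.replace("{token}", quote(token, safe="")))
        name = extract_username(body, self.search_user)
        if name is None:
            return None
        user = self.users.get(name)
        if user is None:
            if not self.auto_create_user:
                return None
            user = User(name=name, enabled=self.enable_auto_created_users)
            self.users[name] = user
        # A disabled user (e.g. auto-created while enableAutoCreatedUsers is
        # false) is stored but does not authenticate until enabled.
        return user if user.enabled else None


# Constructed sample responses, keyed by token, standing in for the real service.
SAMPLE_RESPONSES = {
    "tok-plain": "  alice  ",
    "tok-json": '{"user": "bob", "expires": 3600}',
    "tok-xml": "<session><username>carol</username></session>",
    "tok-bad": '{"error": "unknown token"}',
}


def fake_fetch(url: str) -> str:
    """Look the token up from the last path segment of the URL."""
    return SAMPLE_RESPONSES.get(url.rsplit("/", 1)[-1], "")


def demo() -> List[Optional[str]]:
    base = "http://example.invalid/mvc/session/username/{token}"
    json_filter = WebServiceTokenFilter(fake_fetch, base, SEARCH_JSON, auto_create_user=True)
    xml_filter = WebServiceTokenFilter(fake_fetch, base, SEARCH_XML, auto_create_user=True)
    results = [json_filter.authenticate("tok-json"), json_filter.authenticate("tok-bad"),
               xml_filter.authenticate("tok-xml")]
    return [u.name if u else None for u in results]
```

Running demo() yields the names for the JSON and XML responses and None for the error response, which the JSON expression does not match. The autoCreateUser=true, enableAutoCreatedUsers=false combination is the validation-step setup from the text: the user record is created, but it stays disabled and the token does not authenticate until someone enables it.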