-
Notifications
You must be signed in to change notification settings - Fork 416
CAS Integration Options
CAS Integration
This page details several possible methods of integrating mapfish-print with CAS. This page contains concepts and brainstorming and thus some suggestions may not be useful in practice or in particular infrastructures. Please read the page and using the provided information decide what is the most useful solution for your particular case.
There are two integration levels to consider when integrating with CAS:
- Configure Mapfish Print to authenticate the current user with CAS and use that authentication and authorization to control access to the various protected resources within Mapfish Print.
- Configure Mapfish Print to authenticate the current user with CAS and use that authentication to access protected GeoServer Resources
In Mapfish Print certain resources (templates, configurations) can be secured so that only users with particular authorization (based on Roles) will be permitted to access the resources. The reason that one might decide to secure particular templates/configurations is because it is possible to configure templates to directly connect to databases or other servers. In these cases authentication information might be included in the templates and thus the resulting reports could include sensitive/private information.
The default configuration uses basic authentication to authenticate users. The users are explicitely declared in the spring application context. However the full power of Spring Security is available to those who wish to deploy Mapfish Print and secure particular resources.
CAS is one of the Spring Security options available. See http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#cas for details on configuring Mapfish Print to work with CAS.
At the time of this writing development work needs to be done to get MFP to authenticate with CAS and then send the authentication information to the GeoServer. See 255 for the status of the changes that are required for this topic.
GeoServer out-of-the-box can be easily configured (via GUI) to parse HTTP headers in order to obtain Authorization information. Because of this, if one can configure Mapfish Print to send the Authorization information to GeoServer through the headers. Naturally this assumes that other requests (from public internet) will have the headers cleared to prevent hacks that allow unauthorized access to protected layers and services.
The solution behaves as follows:
- The browser logs the user in by visiting one of the Mapfish Print secure pages. (User will be redirected to CAS Login page if the user has not been previously logged in)
- If the user has been previously logged in this step is skipped
- Each request to the secured GeoServer(s) is made with the authorization obtained during the login phase added to the request as HTTP headers
- GeoServer reads the HTTP headers and uses that information as authentication/authorization in order to determine which layers/services the user is allowed
In order to make this work the following configuration is required:
- Have Mapfish Print configured to authenticate with CAS (same as in the Access Protected Mapfish Print Resources section).
- Have Mapfish Print configured to forward the username and roles each request made to the selected GeoServers.
- Have GeoServer configured to read username and roles from headers
- Have GeoServer behind a proxy (or have a Servlet Filter configured) which removes the security header information from unauthorized requests. (IE any requests not from Mapfish Print).
A more complex (but ostensibly the correct) way is to use the Proxy Tickets functionality that is part of the CAS protocol.
The solution behaves as follows:
- The browser logs the user in by visiting one of the Mapfish Print secure pages. (User will be redirected to CAS Login page if the user has not been previously logged in)
- If the user has been previously logged in this step is skipped
- Mapfish Print is configured to request a Proxy ticket from CAS for the GeoServer it needs to communicate with
- Mapfish Print makes the request to GeoServer with the added cas proxy ticket added to the request
- GeoServer recognizes the ticket and checks with the CAS server to verify that it is a valid proxy ticket
- GeoServer uses the authorization obtained through the verification phase of the proxy ticket to apply the appropriate security rules to the request.
This solution is kind of a hack. It supposes that the Forward Authentication Headers can't be used. In this solution Mapfish Print has a set of User credentials that it is permitted to use in order to authenticate with GeoServer. Based on the actual user one of the User Credentials will be used when making requests to GeoServer.
The solution behaves as follows:
- The browser logs the user in by visiting one of the Mapfish Print secure pages. (User will be redirected to CAS Login page if the user has not been previously logged in)
- If the user has been previously logged in this step is skipped
- Mapfish Print Analyzes the authentication information and looks in a table of its known users to find credentials for a user that match those of the actual user
- Mapfish Print uses the credentials when making GeoServer Requests for authentication.
This solution requires that the Roles assigned to users can be matched to one of the users that is known to Mapfish Print.
Advantages: