How do you set up a WMS data store (WMS cascade) in geoserver against a WMS that uses x509 authentication? - x509

I'd like to add a WMS data store to my geoserver instance and have had success with WMS servers that have no authentication or basic username/password authentication, but I am now attempting to add a data store that uses x509 as its authentication method and I'm stumped.
When adding a WMS datastore through the admin console UI, all that's available is the username/password authentication:
[Screenshot: Connection Info for Creating a New WMS Connection]
I have pored over the documentation and found the section detailing how to secure geoserver with x509 authentication, but haven't been able to turn up configuring geoserver as the x509 client.
I am familiar with and am using the properties for the SSL keystore and truststore but haven't been able to find anything indicating a client certificate store. I'm beginning to wonder if I need to set up a forward proxy that is configured with the proper client certs.
Any help would be greatly appreciated!

There is (currently) no support for more than basic authentication in the GeoTools WMS datastore that GeoServer uses for cascading. So you can either add a local proxy to handle the X509 authentication for GeoServer or extend the existing code to handle other authentication methods.
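One way to realise the "local proxy" option from the answer, as an added example that is not from the original post: an nginx reverse proxy bound to loopback that presents the client certificate to the remote WMS, so the GeoServer WMS store can point at plain HTTP on 127.0.0.1 with no credentials. The upstream host, ports and certificate paths are assumptions.

```nginx
# Added example (not from the original post): loopback-only reverse proxy
# that accepts plain HTTP from GeoServer and opens a mutual-TLS session
# to the upstream WMS. Hostnames, ports and paths are placeholders.
server {
    # Bind to loopback only so nothing outside this host can borrow the
    # client certificate that this proxy holds.
    listen 127.0.0.1:8081;
    server_name localhost;

    location /wms/ {
        # Assumed upstream WMS endpoint that requires an X.509 client cert.
        proxy_pass https://wms.example.org/geoserver/wms/;

        # Client certificate and private key presented to the upstream.
        proxy_ssl_certificate     /etc/nginx/certs/geoserver-client.pem;
        proxy_ssl_certificate_key /etc/nginx/certs/geoserver-client.key;

        # Verify the upstream server certificate against the CA that
        # issued it, and send SNI so a shared host picks the right cert.
        proxy_ssl_trusted_certificate /etc/nginx/certs/wms-ca.pem;
        proxy_ssl_verify        on;
        proxy_ssl_verify_depth  2;
        proxy_ssl_server_name   on;
        proxy_ssl_protocols     TLSv1.2 TLSv1.3;

        # Forward the upstream's own Host so the WMS builds correct URLs
        # in its capabilities document.
        proxy_set_header Host wms.example.org;
    }
}
```

In GeoServer the WMS store then uses a capabilities URL such as http://127.0.0.1:8081/wms/?SERVICE=WMS&REQUEST=GetCapabilities with username and password left empty. The capabilities document still advertises the upstream's own OnlineResource URLs, and the GeoTools client follows those for GetMap, so confirm that GetMap traffic is actually leaving through the proxy rather than going straight to the upstream and failing the TLS handshake.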

Related

How to configure JWT auth in Envoy Proxy using Okta as provider

I have an app running behind envoy proxy and working on enabling JWT auth for the same using okta. It would be of great help if someone can point me to appropriate example configuration or appropriate document.
I ended up using Gloo's ExtAuth functionality.

Obtain SSL certificate information as PostgreSQL client

I'm running a managed PostgreSQL database, which has SSL encryption turned on by the service provider. This is all working fine.
Now I need to obtain some information on the algorithms used for SSL (and key length, etc.). How do I get this as a client (similar to how you can inspect certificates for web pages in Firefox)?
Best
Lars

Use Envoy Proxy or HA Proxy for authentication using IDP

I have a requirement where I need to authenticate external requests via an IDP. Can this be done using Envoy Proxy or HAProxy?
Currently the only way to achieve this is by using the ext_authz filter to send request metadata to an auth server.
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter
There's currently work on implementing an OAuth filter that would work with any OAuth 2.0 compliant IdP but that work is not yet complete (https://github.com/envoyproxy/envoy/issues/8571)

IBM Cloud client certificate based authentication: Client certificate details to cloud

I have deployed liberty app on IBM cloud. I have setup custom domain and selected "request client certificate" so that clients have to send certificate to access app over TLS. I see client authentication does work, but I do not get any client certificate information in my app. This makes client certificate authentication a bit useless, as I would want to know the id of client which accessed my app. Any help/pointers appreciated.
I looked at the attributes of the request. Two attributes are passed in the request: com.ibm.websphere.servlet.uri_non_decoded with value /dummyRelPath and javax.servlet.request.cipher_suite with value ECDHE-RSA-AES256-GCM-SHA384. There's no attribute with the name javax.servlet.request.X509Certificate passed in the request.
Does:
    X509Certificate[] certs = (X509Certificate[])
        request.getAttribute("javax.servlet.request.X509Certificate");
not return any certificates?
In cloud foundry on bluemix, your client should be handshaking with a DataPower proxy. That proxy adds a custom header to indicate the TLS client cert that was provided, then it is passed through the CF gorouter, then finally passed to the JVM.
WebSphere Liberty then surfaces that through the API above.
This is communicated through the $WSCC request header. If the API returns null, it's most likely that header was dropped or never set by the infrastructure, rather than making it all the way there and the API mysteriously losing track of it. You could dump the request headers, looking for this one in particular, and maybe something will stand out (some surprise hop/proxy).

graphdb 7 free http authentication method

Which type of HTTP authentication method is used by GraphDB Free 7? I've set up a user and enabled security via the GraphDB Free Workbench, and am trying to query my triple store using basic HTTP authentication, but I'm just getting 403: Forbidden responses.
From http://www.graphdb.net/Manual:
User authentication is configured using the Admin API and from the login/client point of view this is a transparent setting; whether the store is set up for internal or external authentication does have any side-effect on the client API. If the authentication is external you do need a configuration file however, which is part of the standard setup of the ASP.Net Membership mechanism.