Geoserver is an amazing tool which allows users to share spatial data of vector and raster type using OGC services like WMS, WFS, GWC, etc. If you are interested in learning more about geoserver, do checkout my videos and blogs.
By default Geoserver uses username and password for authentication. Which means you need to pass is as Authentication as headers and it also exposes your password as a string. In this blog we'll explore simpler way to authenticate.
Using Key authentication for Geoserver
This idea behind this is to maintain a file or web-service which can store a pair of usernames and UUID. Later this UUID can be used instead of username and password for authentication.
🔌 Installation
Authkey plugin can be found easily on extension list . Once you download it, unzip it and put it in geoserver/webapps/geoserver/WEB-INF/lib folder , restart Geoserver to use authkey in action.
🛠️ Setting up - Authentication Filter
Authkey is type of Authentication, thus it can be found under settings ➡️ Authentication ➡️ Authentication Filters. Here you'll see list of all available filters in your Geoserver. Click on Add new
Select AuthKey which will open the Auth Key form. Put a name that you want your filter to be called. e.g. customauthkey. Under the properties of Authentication key authentication first select the URL parameter, by default authkey is selected but it can be anything. e.g. lock. This string will be used in URL
https://GEOSERVERURL/service?lock=<uuid>
This string can be anything that you want.
After this we'll be using Property file so that all UUIDs and their respective usernames in the data_dir/security/usergroup/default/authkeys.properties
Once you click on Synchronize user/group service , Geoserver will create UUID for all available usernames.
This gives us confirmation that authkey plugin and we have a UUID for admin user.
⛓️ Setting up - Filter chain
Once the authentication filter is created, next step is to add it to the chain so that we can use it at various end points.
For this blog example, we'll make changes to rest chain.
Recommended by LinkedIn
By saving this, we are allowing Geoserver to use either username and password or authkey for authentication.
🧪 Testing
We'll try by getting all layers of geoserver via REST API
http://localhost:8080/geoserver/rest/layers.json
Now we'll try same URL by adding lock in the URL as parameter
http://localhost:8080/geoserver/rest/layers.json?lock=5c6c17d7-64ac-476c-8247-06449c7ae63b
⏭️ Further development
One thing you'll immediately notice that is pain point is the synchronisation . Every time new user is added, you manually have to go in filter chain ➡️ customauthkey and click on Synchronize user/group service button.
To overcome this, we can use resource REST APIs, which essentially allows us to read/write files present in data_dir based on it's path.
Which means to update authkeys.properties, we'll take following steps
1️⃣ Get content of current authkeys.properties
http://localhost:8080/geoserver/rest/resource/security/usergroup/default/authkeys.properties?lock=3d67c03a-c313-4e91-9d33-40b742bf5f5d
2️⃣ Put content back with new user and it's respective UUID
We'll copy this content and create a PUT request
Here in this example we changes the UUID of admin to new string
You can test thing by passing new UUID
http://localhost:8080/geoserver/rest/layers.json?lock=thenewuuid-for-ad123432
