Skip to content

Fix #10966 basic auth for services#11067

Merged
tdipisa merged 11 commits intogeosolutions-it:masterfrom
MV88:10966_credentials
May 5, 2025
Merged

Fix #10966 basic auth for services#11067
tdipisa merged 11 commits intogeosolutions-it:masterfrom
MV88:10966_credentials

Conversation

@MV88
Copy link
Copy Markdown
Contributor

@MV88 MV88 commented May 2, 2025
edited
Loading

Description

A new SecurityPopup plugin has been added to handle secured services using basic auth.

main features

  • you can defined protected services in the catalog service editor of main viewer through a new button
  • this button is injected from SecurityPlugin to enhance Catalog one
    image
  • when defined a new username and password for a particular service and you save the service all layers added now will be "secured"
    image
  • credentials are stored in session storage
  • security object of layers are stored, but it only stores the sourceId to be able to fetch from session storage an the type of method ("basic")
  • also services has a protectedId property that detemines if a service requires basic auth
  • this is applied to maps, dashboards and geostories
  • when resource page is loaded a check is done and if we find one or more services/layers protected we ask for introducing credentials if they are not present is session storage otherwise
  • all layers update functions have been considering a security change (rand property is used to trigger the refresh and therefore render the layer)

Please check if the PR fulfills these requirements

What kind of change does this PR introduce? (check one with "x", remove the others)

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Other... Please describe:

Issue

What is the current behavior?

Fix #10966

What is the new behavior?

Breaking change

Does this PR introduce a breaking change? (check one with "x", remove the other)

  • Yes, and I documented them in migration notes
  • No

Other useful information

This is how a secured service look like
image

For tester

We created a set of rules using GeoFence in gs-stable for testing. i have created a layer "linea costa basic" that has access using some credentials, can can ask in pvt. so you can try using it
image

the idea is that this will only work if a protected service is configured, and failing if not. This will be valid for many layer types in ol and cesium

with cesium test WMS and WMTS, TileProvider
with openlayers test WMS, WMTS, WFS, ARCGIS, TMS, TileProvider, COG

MV88 added 3 commits May 2, 2025 12:34
@MV88
# This is a combination of 2 commits.
e076cf3 
# This is the 1st commit message:

Fix geosolutions-it#10966 basic auth for services


# This is the commit message #2:

Wip
@MV88
Fix geosolutions-it#10966 basic auth for services
ec4d17e
@MV88
update config
eb61668
@MV88 MV88 added the New Feature used for new functionalities label May 2, 2025
@MV88 MV88 added this to the 2025.02.00 milestone May 2, 2025
@MV88 MV88 requested a review from tdipisa May 2, 2025 12:27
@MV88 MV88 self-assigned this May 2, 2025
@tdipisa tdipisa requested review from allyoucanmap and removed request for tdipisa May 2, 2025 16:29
allyoucanmap
allyoucanmap requested changes May 5, 2025
View reviewed changes
web/client/actions/layers.js Outdated
options
};
}
export function refreshSecurityLayers() {
Copy link
Copy Markdown
Contributor

@allyoucanmap allyoucanmap May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a comment or jsdoc to explain this action?

web/client/actions/security.js
Comment on lines +177 to +196
/**
* set status to show modal for inserting credentials
* @param {boolean} status
*/
export const setShowModalStatus = (status) => {
return {
status,
type: SET_SHOW_MODAL_STATUS
};
};
/**
* set protected services to request to provide username and password
* @param {object[]} protectedServices
*/
export const setProtectedServices = (protectedServices) => {
return {
protectedServices,
type: SET_PROTECTED_SERVICES
};
};
Copy link
Copy Markdown
Contributor

@allyoucanmap allyoucanmap May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These two actions seems specific for the SecurityPopup plugin but they are inside the security actions.

Copy link
Copy Markdown
Contributor

@allyoucanmap allyoucanmap May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MV88 please ignore this comment

Copy link
Copy Markdown
Contributor Author

@MV88 MV88 May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i did not want to create a securityPopop folder for just these actions but since the plugin is about security it might be good to have theme here

web/client/components/map/cesium/plugins/WMTSLayer.js Outdated
url: head(getURLs(isArray(options.url) ? options.url : [options.url], queryParametersString)),
proxy: proxy && new WMTSProxy(proxy) || new NoProxy()
proxy: proxy && new WMTSProxy(proxy) || new NoProxy(),
...(headers)
Copy link
Copy Markdown
Contributor

@allyoucanmap allyoucanmap May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at the doc, headers should be an object not spread inside the Cesium.Resource class, could you double check if it's working?

web/client/components/map/openlayers/plugins/WMSLayer.js Outdated

import {optionsToVendorParams} from '../../../../utils/VendorParamsUtils';
import {addAuthenticationToSLD, addAuthenticationParameter, getAuthenticationHeaders} from '../../../../utils/SecurityUtils';
import {/* getCredentials, */addAuthenticationToSLD, addAuthenticationParameter, getAuthenticationHeaders} from '../../../../utils/SecurityUtils';
Copy link
Copy Markdown
Contributor

@allyoucanmap allyoucanmap May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

please remove the commented method

web/client/actions/security.js
Comment on lines +211 to +222
export const setCredentialsAction = (protectedService, creds) => {
if (creds && protectedService.protectedId) {
setCredentials(protectedService.protectedId, {
...creds,
url: protectedService.url
});
}
return {
protectedService,
type: SET_CREDENTIALS
};
};
Copy link
Copy Markdown
Contributor

@allyoucanmap allyoucanmap May 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if it would be better to have the setCredentials side effect inside the reducer instead of the action

@MV88 MV88 requested a review from allyoucanmap May 5, 2025 11:42
allyoucanmap
allyoucanmap reviewed May 5, 2025
View reviewed changes
MV88 and others added 2 commits May 5, 2025 14:41
@MV88 @allyoucanmap
Update web/client/plugins/MetadataExplorer.jsx
a0fc468 
Co-authored-by: stefano bovio <stefano.bovio@geosolutionsgroup.com>
@MV88 @allyoucanmap
Update web/client/plugins/MetadataExplorer.jsx
d3a1987 
Co-authored-by: stefano bovio <stefano.bovio@geosolutionsgroup.com>
@allyoucanmap allyoucanmap self-requested a review May 5, 2025 12:42
@tdipisa tdipisa enabled auto-merge (squash) May 5, 2025 12:48
@tdipisa tdipisa merged commit 0bb73f5 into geosolutions-it:master May 5, 2025
5 checks passed
MV88 added a commit to MV88/MapStore2 that referenced this pull request May 5, 2025
@MV88
Fix geosolutions-it#10966 basic auth for services (geosolutions-it#11067
09515bd 
)

* # This is a combination of 2 commits.

Fix geosolutions-it#10966 basic auth for services

Wip

* Fix geosolutions-it#10966 basic auth for services

* update config

* fix jsdoc

* fix jsdoc

* fix tests

* update review

* clean up

* fix tests

* Update web/client/plugins/MetadataExplorer.jsx

Co-authored-by: stefano bovio <stefano.bovio@geosolutionsgroup.com>

* Update web/client/plugins/MetadataExplorer.jsx

Co-authored-by: stefano bovio <stefano.bovio@geosolutionsgroup.com>

---------

Co-authored-by: stefano bovio <stefano.bovio@geosolutionsgroup.com>
@MV88 MV88 mentioned this pull request May 5, 2025
Merged
@ElenaGallo
Copy link
Copy Markdown
Contributor

ElenaGallo commented May 6, 2025

@MV88
1_ If the credentials are not entered in the service, it is still possible to add the "basic coastline" level to the map

1.mp4

2_ when I set the credentials and click on the Confirm button, the credentials popup does not close automatically. You have to click on Cancel

2.mp4

3_ Once the Authentication button turns green, when you open it, the username and password are not visible

3.mp4

@MV88
Copy link
Copy Markdown
Contributor Author

MV88 commented May 6, 2025

1_ If the credentials are not entered in the service, it is still possible to add the "basic coastline" level to the map

@tdipisa do we have to check this before adding the layer? from getCapabilities id no not know if a layer is protected via basic auth, the admin should know it, otherwise we have to try to make a request per each record to see if the getMap will fail or not without basic auth, but i',m not sure if we want this now or in the future

2_ when I set the credentials and click on the Confirm button, the credentials popup does not close automatically. You have to click on Cancel

checking probably a quick issue

3_ Once the Authentication button turns green, when you open it, the username and password are not visible

this is because credentials are not persisted in the application, but only if a service / layers is protected using ids

@tdipisa
Copy link
Copy Markdown
Member

tdipisa commented May 7, 2025

1_ If the credentials are not entered in the service, it is still possible to add the "basic coastline" level to the map

@tdipisa do we have to check this before adding the layer? from getCapabilities id no not know if a layer is protected via basic auth, the admin should know it, otherwise we have to try to make a request per each record to see if the getMap will fail or not without basic auth, but i',m not sure if we want this now or in the future

2_ when I set the credentials and click on the Confirm button, the credentials popup does not close automatically. You have to click on Cancel

checking probably a quick issue

3_ Once the Authentication button turns green, when you open it, the username and password are not visible

this is because credentials are not persisted in the application, but only if a service / layers is protected using ids

Status after last sync reported in #10966 (comment)

allyoucanmap pushed a commit that referenced this pull request May 13, 2025
@MV88
backport c027-2024.01.xx - Fix #10966 basic auth for services (#11067) (
51ca3d0 
#11070)
@dsuren1 dsuren1 mentioned this pull request Jul 11, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@allyoucanmap allyoucanmap allyoucanmap approved these changes

Assignees

@MV88 MV88

Labels

New Feature used for new functionalities

Projects

None yet

Milestone

2025.02.00

Development

Successfully merging this pull request may close these issues.

Insert credentials at runtime when connecting to secured services

4 participants

@MV88 @ElenaGallo @tdipisa @allyoucanmap