mapfish-print icon indicating copy to clipboard operation
mapfish-print copied to clipboard
verified publisher icon mapfish

Provide strategies for authenticating with remote servers like Geoserver

Open jesseeichar opened this issue 10 years ago • 3 comments

Consider the case where CAS is used to authentication users. What we want to be able to do in this case is have the user be able to authenticate with Mapfish Print and have Mapfish Print be able to act on behalf of the user. Mapfish print needs to be able to print protected layers from Geoserver if (and only if) the user has access to the layers. But of course the security of Geoserver must be maintained in that the users should not be able to print layers they do not have access to.

Thoughts and possible designs for this are discussed at:

https://github.com/mapfish/mapfish-print/wiki/CAS-Integration-Options

jesseeichar avatar Jun 16 '15 10:06 jesseeichar

What's not possible actually with http://mapfish.github.io/mapfish-print-doc/#/processors#!forwardHeaders ? Actually I solve all cases with that... witch cases don't work ?

For Access Protected Mapfish Print Resources to a role I don't know how the spring security works but we shouldn't forget the pyramid application.

sbrunner avatar Jun 16 '15 11:06 sbrunner

In the case of CAS forwarding headers is not typically sufficient. In some very carefully configured settings one might be able to work but typically not in the normal case. I have not completed the linked page yet (I am working on it) but it should give more clarification.

In addition to the specific problem with CAS forward headers can leak security information to external servers. We should change the forward headers processor so that the information is only sent to specific servers so as to be able to control this leakage.

jesseeichar avatar Jun 16 '15 13:06 jesseeichar

Thanks,

... can leak security information to external servers

good point effectively :-)

sbrunner avatar Jun 16 '15 14:06 sbrunner