Hi everyone,
I am having some unexpected behaviour when attempting to access a secured layer from GeoServer in AGOL. I have a GeoServer instance that responds to both HTTP and HTTPS requests (it redirects HTTP to HTTPS); it has both secured and unsecured layers and has CORS configured.
Problems with addition of domain to trusted server list:
I have tried to add the Geoserver domain to the trusted sites list with some issues -
If I don't add the domain to the trusted servers list, I am able to add the layer without any problems and am not prompted for passwords - again undesirable behaviour.
Can anyone please explain why the HTTPS protocol appears to be a problem, or for that matter why the domain on its own as in point 1 above fails, why I am able to access the resource without being prompted for a username and password as in point 2 above, or why the behaviour is the same whether the domain is in the trusted list or not?
If this is a CORS config issue, does anyone know what the correct CORS config should be (see my CORS config in attached file)?
I have tested that this resource is indeed secured using both QGIS and via GET requests in the browser; in both cases I am prompted for credentials.
Any help would be greatly appreciated.
Hi Suzana, great, good to hear! Glad to be of help. Let me know if you run into anything else.
Cheers,
Chris
The disadvantage of the solution mentioned above is that end-users always need to log in when they want to request/see the WMS. On many occasions this is not an option. I found a workaround for this: if you use SQL views in GeoServer you can add parameters to your request, for example using a guid/projectid. In this way you can make the data freely accessible (so read/write by any roles in GeoServer), but you won't see anything until you add a viewparam to your request (for example &viewparams=PROJECTID:f252e0e3fe7534a47989beffe36a291d0e). You can add this as a parameter to the request within the map viewer. In this way the data is secure and still visible without having to log in.
This sounds like it could be very helpful.
Do you know if the parameter can be saved with the WMS as an item in AGOL? If so, does this mean security can be handled entirely by AGOL?
Thanks for any help.
@PaulLohr, I didn't check it right now, but I would expect that you can add the parameter as part of the standard URL. I would not call it 'security handling' but more 'not able to guess the URL'. It works perfectly for my situation, but if the data is more sensitive I would not go for this solution.