Problem adding a secured wms layer from Geoserver to AGOL

06-20-2019 07:48 AM
SuzanaBarreto
New Contributor

Hi everyone,

I am having some unexpected behaviour when attempting to access a secured layer from Geoserver, in AGOL.  I have a GEOSERVER instance that responds to both HTTP and HTTPS requests (it redirects http to https), it has both secured and unsecured layers and has CORS configured. 

Problems with addition of domain to trusted server list:

I have tried to add the Geoserver domain to the trusted sites list with some issues -

  1. Adding the domain eo4c-geoserver.envsys.co.uk  to the trusted list, results in the following error when trying to add a layer to a map 'The WMS service, https://eo4c-geoserver.envsys.co.uk/geoserver/eo4c_data_delivery/wms?version=1.1.0, cannot be added to the map. It is either not available or you have entered an invalid URL for the type of layer you want to reference.'
  2. Adding the http protocol to the domain (http://eo4c-geoserver.envsys.co.uk) in the trusted servers list seems to work in the sense that I can access the layer but I am not prompted for a username or password - as this is a secured layer I want to be prompted for credentials.
  3. If I add the domain with the https protocol (https://eo4c-geoserver.envsys.co.uk) it fails to find the resource when attempting to add a layer - the error is once again the same as in point 1 above.

If I don't add the domain to the trusted servers list, I am able to add the layer without any problems and am not prompted for passwords - again undesirable behaviour.

Can anyone please explain why the https protocol appears to be a problem, or for that matter why the domain on its own as in point 1 above fails and why I am able to access the resource without being prompted for a username and password as in point 2 above, or why the behaviour is the same whether the domain is in the trusted list or not?

If this is a CORS config issue, does anyone know what the correct CORS config should be (see my CORS config in attached file)?

I have tested that this resource is indeed secured using both QGIS and via GET requests in the browser; in both cases I am prompted for credentials.

Any help would be greatly appreciated.

0 Kudos
13 Replies
ChrisWhitmore
Esri Regular Contributor

Hi Suzana, great, good to hear! Glad to be of help. Let me know if you run into anything else.

Cheers,

Chris

0 Kudos
Terralytics
New Contributor III

The disadvantage of the solution mentioned above is that end-users always need to log in when they want to request/see the WMS. On many occasions this is not an option. I found a workaround for this: if you use SQL views in Geoserver you can add parameters to your request, for example using a guid/projectid. In this way you can make the data freely accessible (so read/write by any roles in Geoserver), but you won't see anything until you add a viewparam to your request (for example &viewparams=PROJECTID:f252e0e3fe7534a47989beffe36a291d0e). You can add this as a parameter to the request within the map viewer. In this way the data is secure and still visible without having to log in.

0 Kudos
PaulLohr
Occasional Contributor III

@Terralytics,

This sounds like it could be very helpful.

Do you know if the parameter can be saved with the WMS as an item in AGOL? If so, does this mean security can be handled entirely by AGOL?

Thanks for any help.

0 Kudos
Terralytics
New Contributor III

@PaulLohr, I didn't check it right now, but I would expect that you can add the parameter as part of the standard URL. I would not call it 'security handling' but more 'not able to guess the url'. It works perfectly for my situation, but if the data is more sensitive I would not go for this solution.

0 Kudos
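
The viewparams workaround in Terralytics's two posts depends on the PROJECTID value being impossible to guess. As an added example (not code from the thread, GeoServer or Esri), this Python code generates such an ID from a CSPRNG and checks that a request URL carries exactly one well-formed PROJECTID view parameter; the 32-64 hex character policy, the function names and the host geoserver.example.org are assumptions.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed policy: project IDs are 32-64 lowercase hex characters.
PROJECT_ID_RE = re.compile(r"[0-9a-f]{32,64}")

def new_project_id() -> str:
    """Return 128 bits from the OS CSPRNG so the ID cannot be guessed or enumerated."""
    return secrets.token_hex(16)

def parse_viewparams(raw: str) -> dict:
    """Split 'name:value;name:value', honouring backslash-escaped characters."""
    params, buf, escaped = {}, "", False
    for ch in raw + ";":
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            escaped = True
        elif ch == ";":
            if buf:
                name, _, value = buf.partition(":")
                params[name] = value
            buf = ""
        else:
            buf += ch
    return params

def build_wms_url(base: str, layer: str, project_id: str) -> str:
    """Build a GetMap-style URL (bbox, size and format omitted for brevity)."""
    if not PROJECT_ID_RE.fullmatch(project_id):
        raise ValueError("project ID must be 32-64 lowercase hex characters")
    query = urlencode({"service": "WMS", "request": "GetMap", "layers": layer,
                       "viewparams": f"PROJECTID:{project_id}"})
    return f"{base}?{query}"

def is_acceptable(url: str) -> bool:
    """True only for exactly one viewparams value holding a well-formed PROJECTID."""
    pairs = parse_qs(urlsplit(url).query).items()
    values = [v for key, vals in pairs if key.lower() == "viewparams" for v in vals]
    if len(values) != 1:
        return False
    params = parse_viewparams(values[0])
    return set(params) == {"PROJECTID"} and bool(PROJECT_ID_RE.fullmatch(params["PROJECTID"]))
```

GeoServer's SQL view editor also accepts a validation regular expression for each parameter, so the same pattern can be enforced on the server side.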