
CAS Integration Options

Jesse Eichar edited this page Jun 16, 2015 · 4 revisions

CAS Integration

This page details several possible methods of integrating mapfish-print with CAS. It contains concepts and brainstorming, so some suggestions may not be useful in practice or in particular infrastructures. Please read the page and use the information provided to decide which solution is most useful for your particular case.

There are two integration levels to consider when integrating with CAS:

  • Configure Mapfish Print to authenticate the current user with CAS and use that authentication and authorization to control access to the various protected resources within Mapfish Print.
  • Configure Mapfish Print to authenticate the current user with CAS and use that authentication to access protected GeoServer resources.

Access Protected Mapfish Print Resources

In Mapfish Print, certain resources (templates, configurations) can be secured so that only users with particular authorization (based on roles) are permitted to access them. One might secure particular templates/configurations because templates can be configured to connect directly to databases or other servers. In these cases authentication information might be included in the templates, and the resulting reports could include sensitive/private information.

The default configuration uses basic authentication to authenticate users. The users are explicitly declared in the Spring application context. However, the full power of Spring Security is available to those who wish to deploy Mapfish Print and secure particular resources.

CAS is one of the Spring Security options available. See http://docs.spring.io/spring-security/site/docs/4.0.1.RELEASE/reference/htmlsingle/#cas for details on configuring Mapfish Print to work with CAS.

Forward Authorization to GeoServer

At the time of this writing, development work is still needed before MFP can authenticate with CAS and then send the authentication information to GeoServer. See 255 for the status of the changes that are required for this topic.

Forward Authentication Headers

Out of the box, GeoServer can easily be configured (via the GUI) to parse HTTP headers in order to obtain authorization information. Because of this, one option is to configure Mapfish Print to send the authorization information to GeoServer through the headers. Naturally this assumes that other requests (from the public internet) will have the headers cleared, to prevent hacks that allow unauthorized access to protected layers and services.

The solution behaves as follows:

  • The browser logs the user in by visiting one of the Mapfish Print secure pages. (User will be redirected to CAS Login page if the user has not been previously logged in)
    • If the user has been previously logged in this step is skipped
  • Each request to the secured GeoServer(s) is made with the authorization obtained during the login phase added to the request as HTTP headers
  • GeoServer reads the HTTP headers and uses that information as authentication/authorization in order to determine which layers/services the user is allowed to access

In order to make this work the following configuration is required:

  • Have Mapfish Print configured to authenticate with CAS (same as in the Access Protected Mapfish Print Resources section).
  • Have Mapfish Print configured to forward the username and roles with each request made to the selected GeoServers.
  • Have GeoServer configured to read the username and roles from headers.
  • Have GeoServer behind a proxy (or have a Servlet Filter configured) which removes the security header information from unauthorized requests (i.e. any requests not from Mapfish Print).
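
A sketch of the Servlet Filter from the last item, added here as an illustration and not taken from Mapfish Print or GeoServer. The header names reuse the sec-user and sec-role names this page mentions for the geOrchestra proxy, and the trusted address is a placeholder for the Mapfish Print host; both are assumptions.

```java
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hides identity headers from GeoServer unless the caller is the Mapfish Print host. */
public class StripSecurityHeadersFilter implements Filter {
    // Assumption: header names borrowed from the geOrchestra proxy (sec-user, sec-role).
    private static final Set<String> SEC_HEADERS =
        new HashSet<>(Arrays.asList("sec-user", "sec-role"));
    // Assumption: placeholder address of the Mapfish Print server on the private network.
    private static final Set<String> TRUSTED_ADDRS = Collections.singleton("192.0.2.10");

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // getRemoteAddr() is the TCP peer. It only identifies Mapfish Print when no
        // other proxy sits in between and makes every caller share one address.
        if (req instanceof HttpServletRequest && !TRUSTED_ADDRS.contains(req.getRemoteAddr())) {
            req = new HeaderHidingRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    static boolean isSecurityHeader(String name) {
        // HTTP header names are case-insensitive, so compare in lower case.
        return name != null && SEC_HEADERS.contains(name.toLowerCase(Locale.ROOT));
    }

    /** Request view in which the security headers do not exist. */
    private static final class HeaderHidingRequest extends HttpServletRequestWrapper {
        HeaderHidingRequest(HttpServletRequest r) { super(r); }

        @Override public String getHeader(String name) {
            return isSecurityHeader(name) ? null : super.getHeader(name);
        }
        @Override public Enumeration<String> getHeaders(String name) {
            return isSecurityHeader(name)
                ? Collections.<String>emptyEnumeration() : super.getHeaders(name);
        }
        @Override public Enumeration<String> getHeaderNames() {
            List<String> kept = new ArrayList<>();
            for (String n : Collections.list(super.getHeaderNames())) {
                if (!isSecurityHeader(n)) kept.add(n);
            }
            return Collections.enumeration(kept);
        }
    }
}
```

The filter has to be mapped ahead of the GeoServer filter that reads the headers, otherwise the headers are consumed before they are hidden.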

Advantages:

  • Simple Configuration

Disadvantages:

  • Requires that GeoServer and Mapfish Print can communicate privately
  • Requires that a proxy or filter removes security headers from GeoServer requests that do not come from Mapfish Print

CAS Proxy Tickets

A more complex (but ostensibly the correct) way is to use the Proxy Tickets functionality that is part of the CAS protocol.

The solution behaves as follows:

  • The browser logs the user in by visiting one of the Mapfish Print secure pages. (User will be redirected to CAS Login page if the user has not been previously logged in)
    • If the user has been previously logged in this step is skipped
  • Mapfish Print is configured to request a proxy ticket from CAS for the GeoServer it needs to communicate with
  • Mapfish Print makes the request to GeoServer with the CAS proxy ticket added to the request
  • GeoServer recognizes the ticket and checks with the CAS server to verify that it is a valid proxy ticket
  • GeoServer uses the authorization obtained through the verification phase of the proxy ticket to apply the appropriate security rules to the request.
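
The verification step on the receiving side, as an added example that is not GeoServer's or Mapfish Print's own code: it parses the XML that the CAS `/proxyValidate` endpoint returns and accepts the user only when the proxy chain consists of the expected Mapfish Print callback. The callback URL and the sample responses are constructed placeholders.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Decides whether a CAS /proxyValidate response is acceptable. */
public class ProxyValidateCheck {
    static final String CAS_NS = "http://www.yale.edu/tp/cas";
    // Assumption: placeholder for the proxy callback URL registered for Mapfish Print.
    static final String TRUSTED_PROXY = "https://print.example.org/cas/pgtCallback";

    /** Returns the authenticated user, or null when the response must be rejected. */
    static String acceptedUser(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Refuse DOCTYPE declarations so the response cannot carry external entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));

        NodeList ok = doc.getElementsByTagNameNS(CAS_NS, "authenticationSuccess");
        NodeList users = doc.getElementsByTagNameNS(CAS_NS, "user");
        NodeList proxies = doc.getElementsByTagNameNS(CAS_NS, "proxy");
        if (ok.getLength() != 1 || users.getLength() != 1) return null;
        // The chain lists the most recent proxy first. Accept only a ticket that was
        // proxied exactly once, by Mapfish Print; a plain service ticket has no chain.
        if (proxies.getLength() != 1) return null;
        if (!TRUSTED_PROXY.equals(proxies.item(0).getTextContent().trim())) return null;
        return users.item(0).getTextContent().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses, not captured from a real CAS server.
        String head = "<cas:serviceResponse xmlns:cas='" + CAS_NS + "'>";
        String good = head + "<cas:authenticationSuccess><cas:user>alice</cas:user>"
            + "<cas:proxies><cas:proxy>" + TRUSTED_PROXY + "</cas:proxy></cas:proxies>"
            + "</cas:authenticationSuccess></cas:serviceResponse>";
        String otherProxy = good.replace("print.example.org", "other.example.org");
        String failure = head + "<cas:authenticationFailure code='INVALID_TICKET'>"
            + "ticket not recognized</cas:authenticationFailure></cas:serviceResponse>";
        System.out.println(acceptedUser(good));
        System.out.println(acceptedUser(otherProxy));
        System.out.println(acceptedUser(failure));
    }
}
```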

Advantages:

  • Most secure solution
  • Works as CAS was designed to work

Disadvantages:

  • Most difficult to configure as GeoServer and Mapfish Print must have a significant amount of extra configuration options set

Privileged User Mapping

This solution is kind of a hack. It supposes that the Forward Authentication Headers solution can't be used. In this solution Mapfish Print has a set of user credentials that it is permitted to use in order to authenticate with GeoServer. Based on the actual user, one of these credentials will be used when making requests to GeoServer.

The solution behaves as follows:

  • The browser logs the user in by visiting one of the Mapfish Print secure pages. (User will be redirected to CAS Login page if the user has not been previously logged in)
    • If the user has been previously logged in this step is skipped
  • Mapfish Print analyzes the authentication information and looks in a table of its known users to find credentials for a user that match those of the actual user
  • Mapfish Print uses the credentials for authentication when making GeoServer requests.

This solution requires that the roles assigned to users can be matched to one of the users that is known to Mapfish Print.

Advantages:

  • This solution is not restricted to GeoServer
  • The server does not have to be on the same network as Mapfish Print

Disadvantages:

  • Restricts how user authorization can be configured, because the authorizations must always match up with those in Mapfish Print
  • More likely to result in incorrect security, since it depends on the mapping from arbitrary user authorization to a Mapfish Print known user authorization
  • Potentially annoying to configure and maintain (but not too difficult)

Use a CAS aware Security Proxy

Both Mapfish Print and GeoServer are protected by a proxy that is CAS-aware. The proxy sends headers containing the security information to GeoServer and Mapfish Print. Mapfish Print and GeoServer are configured to read authorization from HTTP headers.

The GeOrchestra Security Proxy can be used in this capacity since it has already been configured to work with CAS and sends the authorization information via HTTP headers sec-user and sec-role.

Advantages:

  • Minimal configuration of Mapfish Print and GeoServer (does not need 255 and thus can be used immediately).

Disadvantages:

  • Requires a proxy to protect GeoServer and Mapfish Print (making the infrastructure more complex)
  • All secured GeoServer instances must be protected by the proxy.
  • All Mapfish Print instances must be protected by the proxy.