-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[GEOT-7557] Provide the ability for downstream applications (e.g. GeoServer) to append additional querystring parameters e.g. AuthKey to every request made by the HTTPClient #4727
Conversation
Downstream integration build with GeoServer fails with:
|
This is a geotools change so it will need a GeoTools ticket please. |
@roarbra do you have time to look at this change? Seems up your alley. |
modules/library/http/src/main/java/org/geotools/http/AbstractHttpClient.java
Outdated
Show resolved
Hide resolved
This was strange. Having a AuthKey that are appended to the query string of the url is not a common way of handling authentication. Rather the opposite. It's not recommended to have secrets in the url. Having said that. I like the idea of having a way to add query parameters to the url from within Geoserver, but it shouldn't be named authKey and it should be open for more than just a single value. Like for instance a Map<String, Object> parameters. |
I agree, an AuthKey/API key in the querystring is not ideal (certainly AWS API Gateway refuses to implement it for that reason), however, it is still an extremely popular way to provide REST authentication, including our own GeoServer extension called AuthKey. I think the HTTP headers option is far better but thought while I was busy with fixing WMS stores geoserver/geoserver#7552 to include an API key option. Should I rather undo the work? I currently can't see the benefit of making it more generic, but I understand what you're asking for. Should I spend the extra time to support a Map<String, Object> |
Actually there are quite a few providers that have an "API user key" in the url as a query param, eg. Google, Thunderforest, Bing to name a few, just like there are many that actually provide a unique url with a token eg. ttps://s.map5.nl/map/bbpp.6488ab/service?layer=map5topo_simple&style=default&tilematrixset=geonovum_grid&Service=WMTS&Request=GetTile&Version=1.0.0&Format=image%2Fjpeg&TileMatrix=11&TileCol=967&TileRow=1032 |
Yes, you're right. That is a unique key providing a user specific url. That has nothing to do with authentication. The problem with the PR was that it were introducing a property called "authKey" that have nothing to do with a general HTTPClient. Rather it is specific for a very special situation. |
@petersmythe the API here could be a Map, and the GUI in GeoServer could be a simple text area that accepts a property file syntax. With the right Wicket converter/model you can turn that into the expected map object. |
Understood, I will make the GeoTools API more generic and keep the GeoServer implementation more specific - just a single AuthKey text field is required, I believe. |
I don't know why you needed to have such a long name. If you would like to see the reason to make it more generic, you could have a look at GEOT-7097. |
Would you mind taking another look over the PR @roarbra ? |
That looks a lot better. Thanks! |
modules/library/http/src/main/java/org/geotools/http/AbstractHttpClient.java
Outdated
Show resolved
Hide resolved
…pServer.java Improve grammar Co-authored-by: Jody Garnett <jody.garnett@gmail.com>
…t.java Improve docs Co-authored-by: Jody Garnett <jody.garnett@gmail.com>
Replace Map<String, Object>
…ythe/geotools into auth-for-cascaded-stores
Merging with geoserver/geoserver#7552 |
The backport to
stderr
stdout
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-31.x 31.x
# Navigate to the new working tree
cd .worktrees/backport-31.x
# Create a new branch
git switch --create backport-4727-to-31.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick 2c64415c672901095533b5c75fe25a8e7bcbc196,5282fc86a283dac457aa0ee9ba9e8ed4c9c4d93b,e75b49195d58f635b1bb0a9788956934a00aaee8,8c9e05cc9dbb273a049b473dc3a7a3fec4bfccde,cbcd07ce43e7d2caa109579685edf3c273508890,c2e8460f88fd72d59af4ea56d1376ee97e34fef0,bfab9b24983eb6f6207581c548b5589dc5a2c5f4,9cac6a53965d2cb69780222849bbcafec3aee201,da90c1663aa0de0ed0622b5b041866c772bf214c,20993c164f6d46e6e495cd956207ce199a4696b6,f22ce7a77a9d47c49721cf5fa450e57e404862fe,711c099db0ed9fbdb67adba7113d63e1cace7910,2ad536e9990454870e7bde15386b7fe2424f20a9,8dd3aa97f3d77237eeb1b87f2f1bcdde2276bf53,0f8d61aed046585763591a66619e968b0de2826f,6fdafbd7e9b5eb3ff7510be19c07718bed4f4551,5b00f2ef7c4000ce86083f6877933963a86593cb,a754bea7af2a2856b3601db6ff4c67e4673d07f2,741510a74bf1660f8e21fee3a86ccc08e22069f0,d1807c6a4f9406fbb9bb414c18db14e2f93c00e7,16fd45686aa23eb7a3e9c70d348b1381d39ad683,a29aabc35cef1610ed095bf0a20ae9ccc9b749cd,5a04c3a3bd328e8c3d25cc6afde012449105ecac,d79060463c0649659439eafeefa6c83633cb7d3c,7ef354bf7f00c59297ba74b1672a1ab279a64603,97321be859c58b1e323153c89ee38bf99b39620c,7ad1c8177df106e826f843b4c3dc49ae9d1e8c07,40ea5b296e5904939a2c0a3a2f8d2259d40691b8,f7560f897e42757028223e2d951c8cc2f35156ec,0f22d69735f97201e6132650f50e1c2be31b5934
# Push it to GitHub
git push --set-upstream origin backport-4727-to-31.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-31.x Then, create a pull request where the |
…Server) to append additional querystring parameters e.g. AuthKey to every request made by the HTTPClient (#4727) * To support HTTP Headers see github.com/geoserver/geoserver/pull/7552 * Add AuthKey by appending to URL in HTTPClient * Undo test version in pom files * Fix SimpleHTTPClient * Add test cases * Fix review issues with URL * URL Host not Authority * Change AuthKey -> ExtraParams and from String to Map * URL encode keys and values and build a test that verifies this * Update modules/extension/wms/src/main/java/org/geotools/ows/wms/WebMapServer.java Improve grammar Co-authored-by: Jody Garnett <jody.garnett@gmail.com> * Update modules/library/http/src/main/java/org/geotools/http/HTTPClient.java Improve docs Co-authored-by: Jody Garnett <jody.garnett@gmail.com> * Petersmythe map string object (#2) Replace Map<String, Object> * Change null to emptyMap, add duplicate key check * Oops, when applying patch * Fix integer test * Fix spelling * To support HTTP Headers see github.com/geoserver/geoserver/pull/7552 * Add AuthKey by appending to URL in HTTPClient * Undo test version in pom files * Fix SimpleHTTPClient * Add test cases * Fix review issues with URL * URL Host not Authority * Change AuthKey -> ExtraParams and from String to Map * URL encode keys and values and build a test that verifies this * Update modules/extension/wms/src/main/java/org/geotools/ows/wms/WebMapServer.java Improve grammar Co-authored-by: Jody Garnett <jody.garnett@gmail.com> * Update modules/library/http/src/main/java/org/geotools/http/HTTPClient.java Improve docs Co-authored-by: Jody Garnett <jody.garnett@gmail.com> * Petersmythe map string object (#2) Replace Map<String, Object> * Change null to emptyMap, add duplicate key check * Oops, when applying patch * Fix integer test * Fix spelling --------- Co-authored-by: Peter Smythe <peter@afrigis.co.za> Co-authored-by: Jody Garnett <jody.garnett@gmail.com>
…Server) to append additional querystring parameters e.g. AuthKey to every request made by the HTTPClient (#4727) (#4735) * To support HTTP Headers see github.com/geoserver/geoserver/pull/7552 * Add AuthKey by appending to URL in HTTPClient * Undo test version in pom files * Fix SimpleHTTPClient * Add test cases * Fix review issues with URL * URL Host not Authority * Change AuthKey -> ExtraParams and from String to Map * URL encode keys and values and build a test that verifies this * Update modules/extension/wms/src/main/java/org/geotools/ows/wms/WebMapServer.java Improve grammar * Update modules/library/http/src/main/java/org/geotools/http/HTTPClient.java Improve docs * Petersmythe map string object (#2) Replace Map<String, Object> * Change null to emptyMap, add duplicate key check * Oops, when applying patch * Fix integer test * Fix spelling * To support HTTP Headers see github.com/geoserver/geoserver/pull/7552 * Add AuthKey by appending to URL in HTTPClient * Undo test version in pom files * Fix SimpleHTTPClient * Add test cases * Fix review issues with URL * URL Host not Authority * Change AuthKey -> ExtraParams and from String to Map * URL encode keys and values and build a test that verifies this * Update modules/extension/wms/src/main/java/org/geotools/ows/wms/WebMapServer.java Improve grammar * Update modules/library/http/src/main/java/org/geotools/http/HTTPClient.java Improve docs * Petersmythe map string object (#2) Replace Map<String, Object> * Change null to emptyMap, add duplicate key check * Oops, when applying patch * Fix integer test * Fix spelling --------- Co-authored-by: Peter Smythe <peter@afrigis.co.za> Co-authored-by: Jody Garnett <jody.garnett@gmail.com>
https://osgeo-org.atlassian.net/browse/GEOT-7557
Supports github.com/geoserver/geoserver/pull/7552
Background: There is a GeoServer option to configure a WMTS data store with HTTP Headers (as well as basic username/password), however the HTTP Headers option is not available for WMS data stores (only username/password).
In addition, specifically for AuthKeys/API keys, some WMS/WMTS servers are not aware of authentication mechanisms that they sit behind. They then return Capabilities documents that do not include the authentication mechanism appended to the published URLs. Clients that properly parse the Capabilities documents (QGIS, GeoServer) find that they can securely request the Capabilities documents however break on the subsequent Map/Tile requests.
I propose to add an AuthKey option to both WMS and WMTS data stores.
Checklist
main
branch (backports managed later; ignore for branch specific issues).For core and extension modules:
[GEOT-XYZW] Title of the Jira ticket
.