Protect service requiring authentication
This how-to describes how to protect a service that requires HTTP Basic Authentication for access.
Some servers that you want to protect with security.manager for OGC require user authentication via HTTP Basic Authentication. You can store a username and password in the server configuration that security.manager for OGC should use to access the service.
Store username and password
You specify the username and password that security.manager for OGC should use to access the service in the server configuration for the entire protected server:
{
  "server": {
    "host": "https://gisserver.example.com",
    "serverAuthn": {
      "type": "basic",
      "username": "alice",
      "password": "alicespassword"
    },
    "services": [
      {
        "path": "/path/to/nature/wms",
        "type": "WMS",
        "policy-ref": "my-policy"
      }
    ]
  }
}
The values for the serverAuthn property are described in the server configuration reference.
In this example, security.manager for OGC authenticates with the username alice and password alicespassword against the server https://gisserver.example.com.
The authentication data is used for all services configured on this server.
Store username and password as environment variables
To avoid storing sensitive data like username and password in plain text in the server configuration, you can define them as environment variables and reference those variables in the server configuration:
{
  "server": {
    "host": "https://gisserver.example.com",
    "serverAuthn": {
      "type": "basic",
      "username": "${GISSERVER_USERNAME}",
      "password": "${GISSERVER_PASSWORD}"
    },
    "services": [
      {
        "path": "/path/to/nature/wms",
        "type": "WMS",
        "policy-ref": "my-policy"
      }
    ]
  }
}
In this example, the environment variables GISSERVER_USERNAME and GISSERVER_PASSWORD are used for the username and password.
You must define the environment variables so that they are available when starting the Tomcat server in which security.manager for OGC runs.
Store username and password in secrets.properties
You can store sensitive data like username and password in the secrets.properties file of the configuration.
In this file, you can define any key with a corresponding value and then reference this key in the server-config.json.
For example, store the username and password of your GIS Server in the secrets.properties file:
# Credentials for my GIS server
gisserver.username=alice
gisserver.password=alicespassword
Then, reference the keys in the server-config.json file:
{
  "server": {
    "host": "https://gisserver.example.com",
    "serverAuthn": {
      "type": "basic",
      "username": "${gisserver.username}",
      "password": "${gisserver.password}"
    },
    "services": [
      {
        "path": "/path/to/nature/wms",
        "type": "WMS",
        "policy-ref": "my-policy"
      }
    ]
  }
}
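The following check is an added example, not part of security.manager for OGC or its documentation. It covers both the environment-variable and the secrets.properties approach: it flags serverAuthn credentials written literally in the server configuration and ${...} references that are defined in neither place. The function names, the simple key=value parsing and the rule that a reference may be satisfied by either source are assumptions of this example.

```python
import json
import re

# Matches a value that consists only of one ${name} reference.
PLACEHOLDER = re.compile(r"^\$\{([^}]+)\}$")

def parse_properties(text):
    """Parse simple key=value lines; lines starting with '#' are comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_server_authn(config_text, env, secrets):
    """Return findings for the username/password of the serverAuthn block."""
    authn = json.loads(config_text).get("server", {}).get("serverAuthn", {})
    findings = []
    for field in ("username", "password"):
        value = authn.get(field)
        if value is None:
            continue
        match = PLACEHOLDER.match(value)
        if not match:
            findings.append(f"{field}: literal value in server configuration")
        elif match.group(1) not in env and match.group(1) not in secrets:
            findings.append(f"{field}: ${{{match.group(1)}}} is not defined")
    return findings

# Constructed sample inputs modelled on the configurations shown on this page.
PLAIN = '{"server": {"serverAuthn": {"type": "basic", "username": "alice", "password": "alicespassword"}}}'
REFERENCED = '{"server": {"serverAuthn": {"type": "basic", "username": "${gisserver.username}", "password": "${GISSERVER_PASSWORD}"}}}'
SECRETS = parse_properties("# Credentials for my GIS server\ngisserver.username=alice\n")

if __name__ == "__main__":
    # Pass os.environ as env to check against the real environment.
    for name, cfg in (("plain", PLAIN), ("referenced", REFERENCED)):
        print(name, audit_server_authn(cfg, env={}, secrets=SECRETS))
```

Run it with the same environment that the Tomcat server is started with, so that a missing variable is caught before the service is deployed.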