Geoserver security in Terria JS

[hm1417]

Hi,

I am very new to the world of web applications and TerriaJS. TerriaMap is very useful for users like me who have no programmign experience. Many thanks for having this available to all and accessible in an easy to understand way.

I have a geoserver through which i serve WMS layers, some of them can be accessed anonymously and some require authentication. Is there a way to prompt users for a login at start up and show only those layers (and public ones) in the catalog based on their access rights ?

In the past the only way i could do this with my limited knowledge was to place a simple leaflet viewer in the tomcat container and when a user checks a layer to view there is a HTTP 401 response where user can input their credentials. Is there a way to replicate it or any other solution please ?

Many thanks for any guidance on this..

.h

[stevenjh]

Look at the terriajs-server configuration and the proxyauth settings.
This will get you some of the way in regards to applying a Geoserver user in between TerriaMap and Geoserver.

There is no built in mechanism to support multiple TerriaMap user logins with different proxied geoserver users or as far as I'm aware to prompt for the entry of a geoserver user.

[tephenavies]

Hi @hm1417.

We have developed a login system for our Digital Twin applications (see e.g. login button on https://nsw.digitaltwin.terria.io/) that only shows users what they have authorisation to access, however we have not made all of the code behind that mechanism open source at the moment. Please contact us at [email protected] for details on that and possible licensing etc.

There are a couple of ways you could implement this that I can think of.

Option 1

Different websites. Have one website with the standard catalog and another with the standard catalog + secure datasets. Use basic auth in front of terriajs-server (or the basic auth options in terriajs-server) to restrict access. Put geoserver passwords into terriajs-server's proxyauth settings file (see example). We've done this for clients before and it's worked well, although it's some extra work to keep both updated.

Only works if everyone who's authenticated should have access to all secure datasets, and you're alright with having 2 terria websites for it.

Option 2

There may be an easy way to implement some of this using multiple catalog files with just basic auth. If you set your application to load from a default catalog and another catalog you could add basic auth to the second catalog file. To load multiple catalog files from different sources you can do something like this in config.json:

    initializationUrls: [
        "default-catalog",
        "secure-catalog"
    ],
    parameters: {
        initFragmentPaths: [
            "init/",
            "https://my.server/catalogs/"
        ],

(see an example in de-australia-map)

Terria will attempt to load default-catalog.json and secure-catalog.json from init/. It'll find default-catalog.json (if you put your normal catalog at wwwroot/init/default-catalog.json) but if secure-catalog.json isn't found there it'll try to load it from https://my.server/catalogs/secure-catalog.json which should trigger a login. It's not as good because all users will be given a basic auth form on startup.

You may even be able to adapt that second option so that the server serving secure-catalog.json returns different catalogs to different users based on their basic auth logins.