Fix enabling of services
Description
Environment
Activity
codehaus April 10, 2015 at 4:29 PM
CodeHaus Comment From: dzwiers - Time: Tue, 17 Feb 2004 18:03:15 -0600
---------------------
<p>Done.</p>
codehaus April 10, 2015 at 4:29 PM
CodeHaus Comment From: cholmes - Time: Tue, 17 Feb 2004 15:32:44 -0600
---------------------
<p>You asked for it... <img class="emoticon" src="https://jira.codehaus.org/images/icons/emoticons/smile.gif" height="16" width="16" align="absmiddle" alt="" border="0"/></p>
codehaus April 10, 2015 at 4:29 PM
CodeHaus Comment From: cholmes - Time: Thu, 29 Jan 2004 17:27:33 -0600
---------------------
<p>Jody - I think you've done or are planning on doing most everything mentioned in this issue. I just wanted you to be aware of it. Close it when you're done with it (and feel free to make authentication it's own issue).</p>
codehaus April 10, 2015 at 4:29 PM
CodeHaus Comment From: cholmes - Time: Mon, 29 Dec 2003 19:26:04 -0600
---------------------
<p>That's a great suggestion Sean, thanks! I'll look into it. It would be nice if we could make it nice and user friendly, but anything would be a solid start. I think using http stuff would be the way to go - to make it worthwhile we'd also have to take encryption into account, though I guess again that's probably the user's responsibility in setting up the webserver. At the very least though we could at least have some good documentation on how to set up geoserver securely. If anyone does work on this let me know, it's off my horizon for now, for this bug I'm probably just going to make it so you can disable things. But good authentication is definitely of vital importance to make this a production server.</p>
codehaus April 10, 2015 at 4:29 PM
CodeHaus Comment From: seangeo - Time: Mon, 29 Dec 2003 19:17:58 -0600
---------------------
<p>Just a suggestion: Instead of adding authentication parameters to the WFS protocol, you could use the authentication features of HTTP instead. I haven't tried it but the theory is if you use BASIC HTTP authentication, as defined by the Servlet spec, the container will do the authentication for you using the username and password sent with the HTTP request. At least this way the authentication and authorisation stay out of your code, however it might require some servlet container knowledge on behalf of the user. Just an option...</p>
In the services.xml file WMS and WFS both have an enabled field that can be set to true. Unfortunately this does not yet do anything. If enabled is set to false then users should not be able to access the WMS or WFS portion of the server.
We should also consider at the very least being able to set WFS transactions to false. That way not just any user could come along and change things. One hacky way of doing this is to just have a validation rule that rejects everything. A much better solution would be to allow some sort of authentication or limiting to ip addresses, but that should be another task. We could also consider a geoserver specific parameter of a password or something, as an attribute or element of the transaction request.