Hexagon Geospatial

WebGIS

Contributor
Posts: 45
Registered: ‎05-11-2017

Authenticated WMS with SDI

Hi all,

 

Is there anyone who can help me to set up WMS authenticated with username/password with Geospatial SDI?

 

I have tried to follow instructions from the manual, but authentication does not work. The service is accessible without username and pass.

 

 

My workflow is:

  • In Geomedia Desktop I have created GWS and published it to WMS source (GWS3857 service source) via GMWM publisher
  • With Admin console I have created WMS  (GMWM data source - GWS3857 service source)
  • With Admin console I have created WMS facade  (facade data source - created WMS GWS3857 service as service source)
  • In SDI Security Console I have added created facade service to configuration tab, and created roles and users 
  • I have edited web.config file of my facade service (added and configured  AuthenticationPipe and AuthorizationPipe)

After all these steps the service is accessible without username and pass.

 

Have I missed some steps?

 

Regards,

Micko

 

Regular Contributor
Posts: 246
Registered: ‎10-26-2015

Re: Authenticated WMS with SDI

Hi Micko,

I will try my best to help you, this process can be difficult to summarise but here goes:

 

You don't need a WMS facade as it sounds like you have GeoMedia WebMap, so you should be editing the web.config file of the GeoMedia WebMap WMS instance as follows.

 

Add to the top of the <sectionGroup name="pipes"> section

 

<section name="AuthorizationPipe" type="Intergraph.GeoMedia.Web.SDI.Common.Pipes.AuthorizationPipe.AuthorizationPipeConfiguration, Intergraph.GeoMedia.Web.SDI.Common.Pipes.AuthorizationPipe" />
<section name="AuthenticationPipe" type="Intergraph.GeoMedia.Web.SDI.Common.Pipes.AuthenticationPipe.AuthenticationPipeConfiguration, Intergraph.GeoMedia.Web.SDI.Common.Pipes.AuthenticationPipe" />

Within the <client> section before the end of the system.serviceModel section (</system.serviceModel>) reference the Authorization Bridge Web Service you should have created as part of this setup.

 

<endpoint address="http://<SERVER_NAME>/<AUTH_BRIDGE_SVC_NAME>/Authorize.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IAuthorize" contract="AuthorizationBridge.IAuthorize" name="WSHttpBinding_IAuthorize" />
<endpoint address="http://<SERVER_NAME>/<AUTH_BRIDGE_SVC_NAME>/Authorize.svc" binding="wsHttpBinding" bindingConfiguration="WSHttpBinding_IAuthorize" contract="AuthorizationBridge.IAuthenticate" name="WSHttpBinding_IAuthenticate" />

Within the CRSStore section reference the CRS3857 by adding a <CRS> section and ensure a copy of this CRS saved in a GeoMedia coordinate system file is located under the CSF folder of the Service Instance.

 

<CRS csfFileName="epsg3857.csf">
	    <Id value="EPSG:3857" primaryId="true" />
	    <Id value="urn:ogc:def:crs:EPSG:6.3:3857" />
</CRS>

Add to the start of the <pipes> section configuration settings for the Authentication and Authorization Pipes, ensuring you again reference your Geospatial SDI Authorization Bridge Web Service.

 

<AuthenticationPipe name="authenticationPipe" nextPipeName="authorizationPipe" firstPipe="true"> 
      <Settings> 
        <add name="AuthenticationProtocol.AuthBridgeEndpoint.Authenticate" value="http://<SERVER_NAME>/<AUTH_BRIDGE_SVC_NAME>/Authenticate.svc" /> 
      </Settings>
      <AuthenticationMethodHandlers>
        <add name="token"> <Plugin type="Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol.TokenAuthenticationMethodHandler, Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol" /></add>
        <add name="query"> <Plugin type="Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol.QueryAuthenticationMethodHandler, Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol" /></add>
        <add name="basic"> <Plugin type="Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol.BasicAuthenticationMethodHandler, Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol" /></add>
        <add name="session"> 
        <Plugin type="Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol.SessionAuthenticationMethodHandler, Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol">
        <SessionManager type="Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol.SimpleSessionManager, Intergraph.GeoMedia.Web.SDI.Common.AuthenticationProtocol" /> </Plugin> </add> 
      </AuthenticationMethodHandlers>
</AuthenticationPipe>
<AuthorizationPipe name="authorizationPipe" nextPipeName="metadataConfigurationPipe" authorizationBridgeURL="http://<SERVER_NAME>/<AUTH_BRIDGE_SVC_NAME>/Authorize.svc" bBoxHandlingMode="Stretch" numOfConcurrentRequests="4" firstPipe="false"> 
      <GMLService noFCCsfFound="FAIL" noGeomCsfFound="FAIL" swapGeoCoords="false" swapProjCoords="false" />
      <CRSStore storeName="globalStore" />
</AuthorizationPipe>

Edit the firstPipe parameter on the MetadataConfigurationPipe to be "false".

 

Save the GeoMedia WebMap WMS Service Instance web.config file changes.

 

When it comes to configuring the Permissions on the WMS using the SDI Security Console, follow these tips:

 

  1. Enter the URL for the WMS service in the format http://[servername]/[servicename]/ on the Configuration tab.
  2. Only define feature classes (layer names) for the WMS service if you need to restrict access to particular layers in the WMS. Having no feature classes assigned to the Role will assume all layers in the WMS are available to users with the Role.
  3. Leverage Groups if you are having to set up lots of users. E.g. assign users to a group and then assign the Role to a Group.

I've probably missed a few key steps I've not thought of but hopefully that will get your WMS secured with Authentication.

 

Regards,

Colin

Contributor
Posts: 45
Registered: ‎05-11-2017

Re: Authenticated WMS with SDI

Dear Colin,

 

Thanks a lot for your answer.

I followed your guide, but I still have some problems.

 

I will investigate in more detail.

 

Mladen

Regular Contributor
Posts: 246
Registered: ‎10-26-2015

Re: Authenticated WMS with SDI

Hopefully enabling debug logging on the WMS Service Instance web.config and Authorization Bridge Web Service web.config will reveal the cause of your issue.

Staff
Posts: 294
Registered: ‎11-05-2015

Re: Authenticated WMS with SDI

You said that the service does allow anonymous access whereas you believe it shouldn't. Do you mean that you can obtain the GetCapabilities response without providing the username and password? Or, do you mean that you can still request data from it without providing credentials?

If it's the former, then the authentication pipe has an additional configuration attribute named requireAuthentication. It accepts values of true/false and defaults to false. Hence, the default behavior is to allow anonymous GetCapabilities. Refer to https://hexagongeospatial.fluidtopics.net/reader/M1~Uk2m5OSlMcN7GqN6Vdw/RoooaGEoQzWK11xOC7ZDzw
If your problem is the latter, then we would need you to provide more details on what exactly you set in the SDI Security Console.
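
An added example, not part of the original posts and not Hexagon's code: a Python check of a service instance's web.config that combines the two replies above, the pipe ordering from Colin's steps and the requireAuthentication default from the staff reply. It assumes the pipes are direct children of a `<pipes>` element and that requireAuthentication is an attribute on the AuthenticationPipe element; both sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the snippets in this thread (not a real deployment).
# MetadataConfigurationPipe still has firstPipe="true"; requireAuthentication is unset.
SAMPLE_WEAK = """<configuration><pipes>
  <AuthenticationPipe name="authenticationPipe" nextPipeName="authorizationPipe" firstPipe="true" />
  <AuthorizationPipe name="authorizationPipe" nextPipeName="metadataConfigurationPipe" firstPipe="false" />
  <MetadataConfigurationPipe name="metadataConfigurationPipe" firstPipe="true" />
</pipes></configuration>"""

# The same constructed sample with both settings corrected.
SAMPLE_FIXED = """<configuration><pipes>
  <AuthenticationPipe name="authenticationPipe" nextPipeName="authorizationPipe" firstPipe="true"
                      requireAuthentication="true" />
  <AuthorizationPipe name="authorizationPipe" nextPipeName="metadataConfigurationPipe" firstPipe="false" />
  <MetadataConfigurationPipe name="metadataConfigurationPipe" firstPipe="false" />
</pipes></configuration>"""

def audit_pipes(web_config_xml):
    """Return a list of findings about the pipe chain; an empty list means no issue found."""
    root = ET.fromstring(web_config_xml)
    pipes = root if root.tag == "pipes" else root.find(".//pipes")
    if pipes is None:
        return ["no <pipes> section found"]
    findings = []
    by_name = {p.get("name"): p for p in pipes}
    # Exactly one pipe may be first, and it has to be the authentication pipe.
    first = [p.tag for p in pipes if p.get("firstPipe", "").lower() == "true"]
    if first != ["AuthenticationPipe"]:
        findings.append("firstPipe=true must be on AuthenticationPipe only, found on: "
                        + (", ".join(first) or "none"))
    auth = pipes.find("AuthenticationPipe")
    if auth is None:
        return findings + ["AuthenticationPipe is not configured"]
    # Per the staff reply the attribute defaults to false (anonymous GetCapabilities).
    if auth.get("requireAuthentication", "false").lower() != "true":
        findings.append("requireAuthentication is not true: anonymous GetCapabilities is allowed")
    nxt = by_name.get(auth.get("nextPipeName"))
    if nxt is None or nxt.tag != "AuthorizationPipe":
        findings.append("AuthenticationPipe does not hand over to an AuthorizationPipe")
    # Every nextPipeName must resolve to a configured pipe.
    for p in pipes:
        target = p.get("nextPipeName")
        if target and target not in by_name:
            findings.append("%s points to unknown pipe '%s'" % (p.tag, target))
    return findings

if __name__ == "__main__":
    for finding in audit_pipes(SAMPLE_WEAK):
        print("FINDING:", finding)
```
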