add an authentication_required option (#4839)

jwkaltz · sbrunner · commit c5281aa00ba4 · 2019-04-10T13:27:09.000+02:00
Add an authentication_required option

Authored-By: jwkaltz &lt;wolfgang.kaltz@camptocamp.com&gt;
diff --git a/c2cgeoportal/tests/functional/test_mapserverproxy.py b/c2cgeoportal/tests/functional/test_mapserverproxy.py
@@ -972,3 +972,14 @@ def test_geoserver(self):
         ))
         response = MapservProxy(request).proxy()
         self.assert_contains(response.body, u"<Name>testpoint_protected</Name>")
+
+    def test_authentication_required(self):
+        from c2cgeoportal.views.mapserverproxy import MapservProxy
+        from pyramid.httpexceptions import HTTPUnauthorized
+
+        request = self._create_getcap_request()
+        request.params.update(dict(
+            service="wms", version="1.1.1", request="getcapabilities",
+            authentication_required="true"
+        ))
+        self.assertRaises(HTTPUnauthorized, MapservProxy(request).proxy)
diff --git a/c2cgeoportal/views/mapserverproxy.py b/c2cgeoportal/views/mapserverproxy.py
@@ -30,6 +30,7 @@
 
 import logging
 
+from pyramid.httpexceptions import HTTPUnauthorized
 from pyramid.view import view_config
 
 from c2cgeoportal.lib.caching import get_region, NO_CACHE, PUBLIC_CACHE, PRIVATE_CACHE
@@ -51,6 +52,10 @@ def __init__(self, request):
     @view_config(route_name="mapserverproxy")
     def proxy(self):
 
+        if self.user is None and "authentication_required" in self.request.params:
+            log.debug("proxy() detected authentication_required")
+            raise HTTPUnauthorized(headers={"WWW-Authenticate": 'Basic realm="Access to restricted layers"'})
+
         if self.user is not None:
             # We have a user logged in. We need to set group_id and
             # possible layer_name in the params. We set layer_name
diff --git a/doc/integrator/security.rst b/doc/integrator/security.rst
@@ -11,6 +11,27 @@ the WMS GetCapability when accessing the Mapserver proxy (mapserverproxy).
 
 Default: ``false``
 
+Force authentication when accessing the Mapserver proxy
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+If your WMS contains private layers and you wish to force a client to authenticate
+in order to always obtain all layers (including private layers), you can force
+authentication by adding the parameter ``authentication_required`` to the WMS URL.
+This setting may be necessary for the good operation of some clients such as ArcMap.
+
+For example, if your WMS is accessible as
+
+.. code:: html
+
+   https://<yourserver>/<yourinstance>/wsgi/mapserv_proxy
+
+then you can use the following URL to force authentication:
+
+.. code:: html
+
+   https://<yourserver>/<yourinstance>/wsgi/mapserv_proxy?authentication_required=true
+
+
 Enable / Disable the admin interface
 ------------------------------------
 
