AJAX REQUEST return CORS error in use case with AZURE application proxy

Lieg Ric

May 1, 2020, 8:32:45 AM
to mapstore-developers
Hi Lorenzo

I'm a French guy, so sorry for my English, but we have a CORS problem with the latest stable version of Mapstore2.
We use Mapstore2 for internal use (internal network) with another server for Geoserver in the same domain, and we have no problem with CORS.
We have to define and configure LocalConfig.json like you describe, and all usage is OK in this use case.
Actually we use Apache routing to send requests over AJP to the Tomcat of Mapstore2, and we have to allow all request headers.

But as a second step, we want to use Mapstore2 for external access with SSO to our internal network through Azure Application Proxy, so as not to deploy a second Mapstore2 installation in the DMZ.
So we deployed an Azure application proxy and we access Mapstore2 with SSO normally, and we have no problem at this time with this access use case.

But we see a significant problem with all AJAX requests from Mapstore2 to the Geoserver server; we had in localConfig.json the URL of the Azure application proxy, https://login.microsoftonline.com/
And somehow all the maps with data from Geoserver that we have saved are OK.

But all AJAX requests at application loading and all new AJAX requests return a CORS error, and we want to solve this problem for this new use case that we want to offer to our users.

We have been working on this problem for several months, and I am the only one who knows Mapstore2, but I am a beginner with your solution, which I do not yet master.
Could you help us with this original use, as we need advice to solve this blocking problem?
My idea to solve this problem is to create another proxy to solve the CORS headers and distribute requests on localhost.

So url to the doc of azure application proxy

Happy May Day, and I hope that you and your people are well and taking care of yourselves in the current covid-19 context.

Ciao Lorenzo

Rico

Mauro Bartolomeoli

May 5, 2020, 3:19:06 AM
to mapstore-...@googlegroups.com
Hi Lorenzo,
just a few questions, trying to understand better.
You mention using SSO in the not working scenario. I suppose this works to authenticate users to MapStore2 and GeoServer at once. I don't know the details of the SSO and how it works, but maybe the authentication is simply not forwarded between MapStore and GeoServer in this case, so what you see as a CORS issue is indeed an authentication issue. Browsers are very unhelpful in these cases, because if they are sending cross origin requests, the error you get back is always mentioning CORS and hiding the real cause.

As a side note remember that we, as GeoSolutions, also have a commercial support channel to contact if you need help on integrating MapStore in your security environment.

Mauro


--

Regards,

Mauro Bartolomeoli

==
GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
==

Dott. Mauro Bartolomeoli
@mauro_bart
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
Italy

mobile: +39 393 904 1756
phone: +39 0584 962313
fax:      +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


Rico

May 7, 2020, 3:47:04 PM
to mapstore-...@googlegroups.com
Ciao Mauro,

So the authentication between Mapstore2 and Geoserver is already operational in intranet mode and there is no problem. We configure Authkey in Geoserver.

To your question: "I don't know the details of the SSO and how it works, but maybe the authentication is simply not forwarded between MapStore and GeoServer in this case, so what you see as a CORS issue is indeed an authentication issue." So when loading static content works and authentication also. But my problem only concerns content that is loaded dynamically with XMLHttpRequest (AJAX), such as a WMS layer call and other dynamic calls and loading the application.

Your text: "Browsers are very unhelpful in these cases, because if they are sending cross origin requests, the error you get back is always mentioning CORS and hiding the real cause."
But do you have any idea how I can identify my real problem?

Example Error:
server1 is the server with geoserver
server2 is the server with Mapstore2

Errors At loading application :
Access to XMLHttpRequest at 'https://server1/geoserver/pdf/info.json?authkey=47e04b16-52c4-4046-93a9-b34c1abde953' from origin 'https://server2' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Failed to load resource: net::ERR_FAILED 

Access to XMLHttpRequest at 'https://server1/geoserver/ows?service=WFS&version=1.1.0&request=GetFeature&outputFormat=application/json&typeName=cnr:CNR00MAPSEMPDT&authParam=130f6655-46e3-41e1-9642-66010f713cc0&authkey=130f6655-46e3-41e1-9642-66010f713cc0' from origin 'https://server2' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Failed to load resource: net::ERR_FAILED

Access to XMLHttpRequest at 'https://server1/geoserver/rest/cnr/getMntList?authkey=130f6655-46e3-41e1-9642-66010f713cc0' from origin 'https://server2' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Failed to load resource: net::ERR_FAILED

cnr.js:68 Uncaught (in promise) Error: Network Error
    at e.exports (cnr.js:68)
    at XMLHttpRequest.p.onerror (cnr.js:68)

Error when we call a new layer WMS:
Error after we click on the search button in the layer plugin:
Access to XMLHttpRequest at 'https://server1/geoserver/cnr/wms?service=WMS&version=1.3.0&request=GetCapabilities&authkey=130f6655-46e3-41e1-9642-66010f713cc0' from origin 'server2' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

So for me, actually only XMLHttpRequest calls are blocked, and I don't know what I can do to resolve this problem.

Happy May Day, and I hope that you and your people are well and taking care of yourselves in the current covid-19 context.

Thanks a lot Mauro,

Rico



Mauro Bartolomeoli

May 11, 2020, 10:06:36 AM
to mapstore-...@googlegroups.com
Hi Rico,


> To your question: "I don't know the details of the SSO and how it works, but maybe the authentication is simply not forwarded between MapStore and GeoServer in this case, so what you see as a CORS issue is indeed an authentication issue." So when loading static content works and authentication also. But my problem only concerns content that is loaded dynamically with XMLHttpRequest (AJAX), such as a WMS layer call and other dynamic calls and loading the application.

That's the point: with static content SSO is accomplished by the browser automatically, eventually through redirection, but this mechanism sometimes does not work with AJAX requests because of missing headers or such.
 

> Your text: "Browsers are very unhelpful in these cases, because if they are sending cross origin requests, the error you get back is always mentioning CORS and hiding the real cause."
> But do you have any idea how I can identify my real problem?

You could try to capture AJAX requests sent by the browser (using Chrome DevTools for example) and replicate them using command line tools such as curl, to see if you can get more meaningful errors. Or even read the GeoServer logs to see if:
 * your requests are reaching the server
 * you have any meaningful error in the GeoServer log
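
Added example (not part of the original thread): one way to act on the curl suggestion above is to replay a failing request with the page's Origin header and classify the raw response headers, since the browser labels every such failure as CORS. The function names and verdict labels are assumptions of this example, and the sample headers at the end are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and verdict labels are
# this example's own; server1/server2 are the placeholders used in the thread.
#
# Verdicts printed by classify_response:
#   no-http-response     nothing answered (refused connection, firewall, DNS)
#   redirect <target>    the XHR was bounced elsewhere, e.g. to an SSO login page
#   auth-rejected        401/403 from the proxy or the server
#   server-error         5xx: read the server log
#   cors-header-missing  2xx without Access-Control-Allow-Origin: a real CORS gap
#   cors-ok              header present and matching the origin

# replay ORIGIN URL: send the request as the browser would (with an Origin
# header) and print only the response headers. No -L, so a redirect stays visible.
replay() {
  curl -sS -D - -o /dev/null -H "Origin: $1" "$2"
}

# classify_response ORIGIN < headers: print one verdict for a header dump.
classify_response() {
  awk -v origin="$1" '
    { sub(/\r$/, "") }                      # HTTP header lines end in CRLF
    /^HTTP\// { status = $2; acao = ""; location = ""; next }
    {
      i = index($0, ":"); if (i == 0) next
      name = tolower(substr($0, 1, i - 1))
      value = substr($0, i + 1); sub(/^[ \t]+/, "", value)
      if (name == "access-control-allow-origin") acao = value
      else if (name == "location") location = value
    }
    END {
      if (status == "")                            print "no-http-response"
      else if (acao == "*" || acao == origin)      print "cors-ok"
      else if (status ~ /^30[12378]$/)             print "redirect " location
      else if (status == "401" || status == "403") print "auth-rejected"
      else if (status ~ /^5/)                      print "server-error"
      else if (status ~ /^2/)                      print "cors-header-missing"
      else                                         print "other " status
    }'
}

# Constructed sample: what a login redirect in front of the service looks like.
sample_redirect() {
  printf 'HTTP/1.1 302 Found\r\nLocation: https://login.microsoftonline.com/\r\n\r\n'
}
sample_redirect | classify_response 'https://server2'

# Live use, with URL set to a request copied from the browser's network tab:
#   replay 'https://server2' "$URL" | classify_response 'https://server2'
```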
 

Lieg Ric

May 27, 2020, 1:26:27 PM
to mapstore-developers
Hi Mauro

The authentication is not followed, and I know today that the Azure application proxy uses SAML, so I think the request from the Azure app proxy cannot be read by Geoserver.
Thanks

So after opening dev tools, the request error is
and there is an error in Geoserver:
ERROR [geoserver.security] - Error in WebServiceAuthenticationKeyMapper, error in web service communication

java.net.ConnectException: Connection refused (Connection refused)


2020-05-27 19:15:43,801 WARN [geoserver.security] - Could not find any user associated to webservice url [https://maps.cnr.tm.fr:8443/cnr/rest/geostore/session/username/{key}] with authkey: 361e2baf-d554-413a-a647-ded00a11e313


Mauro Bartolomeoli

May 28, 2020, 2:24:50 AM
to mapstore-...@googlegroups.com
Good morning,
so it looks like you are using authkey to authenticate to GeoServer and that GeoServer is not able to contact the service configured to validate the authentication token.
Can you show me how the authkey GeoServer module is configured? You should see a URL pointing to a token validation service.
Unfortunately it seems that the GeoServer host is not able to contact (firewall/network issues) your token validation service.

Mauro



Lieg Ric

May 29, 2020, 2:28:04 PM
to mapstore-developers
Hi Mauro

Sorry, but I can't read messages from work.

The URL for authentication for Mapstore in Geoserver is


The configuration in geoserver is 





Mauro Bartolomeoli

Jun 1, 2020, 4:25:40 AM
to mapstore-...@googlegroups.com
Good morning Lieg,
the web service url looks wrong, the protocol is repeated twice:

https://https://myhost....

Probably you just need to fix that.

Mauro


Lieg Ric

Jun 2, 2020, 2:33:36 AM
to mapstore-developers
Good morning 

But my problem is more complicated, because this web service is useful in intranet mode; I don't have any problem in intranet mode in the network of my enterprise.
It works normally and is good. That is the context.

But when I want to connect to Mapstore2 only through the Azure application proxy, it is bad for AJAX requests; only the static content works. That is my problem.

I created an Azure application proxy for using Mapstore2 from an external network, like at my home or from another external network of my enterprise.

So my question is whether I can create another web service for this use case with the right protocol, in SAML or in OpenID for example?

Won't this second web service, in another protocol, create a new problem in the authentication of Mapstore2 and Geoserver?

Thanks a lot for your help

Eric

Mauro Bartolomeoli

Jun 3, 2020, 2:31:36 AM
to mapstore-...@googlegroups.com
Good morning Lieg,
thanks for the explanation.

On the GeoServer side SAML is supported via a community module: https://docs.geoserver.org/latest/en/user/community/saml/index.html
Also OAuth2 is supported the same way, with another module: https://docs.geoserver.org/latest/en/user/community/oauth2/index.html
Both are community modules, it means that they are not officially supported so they may (or not) work for you.

To be clear: you need specific support for your SSO protocol via a geoserver plugin, I don't think you can use the generic authkey module for this.  
I would suggest trying one of them with GeoServer only to see if they work on your scenario (and eventually ask on the Geoserver mailing lists if you need further help on the GeoServer side).

On the MapStore side, we don't have direct support for SAML or OAuth2 out of the box, but MapStore security is based on the Java Spring Security framework that allows for "easy" customization of the authentication workflow, so it can be done with both, but some work is needed to match your environment, and eventually some customization needs to be developed.

Mauro




Rico

Jun 3, 2020, 2:54:49 PM
to mapstore-...@googlegroups.com
Good evening Mauro

Thanks a lot for your assistance, so I understand what I must do for this application architecture. Actually we have, in the internal network, Mapstore in SSO with Geoserver using authkey, and our Geoserver is version 2.12.5, so there is no SAML community module with this version.

So I will split my project into two applications, one for internal use and another for external use that is totally different from the first one.
I will install the latest Geoserver 2.18 and Mapstore2 on the same server with an Apache 2.4 proxy or another web technology.
And with this I will install another Mapstore in PWA mode for mobile use. This application architecture will be only for external use with PC and mobile terminals.

Afterwards we need this evolution to be done by someone, because we don't have experience at my work with the Java Spring Security framework for this customization of the authentication workflow with an Active Directory and using the Azure application proxy.

So I will postpone this project for the moment and finalize the other; then I would like to know how much this specific development could cost us if I preserved it for you.
Would it be possible for you to give me a macro estimate (envelope) for this adaptation of Mapstore2, so that I can schedule a budget for the coming months?
When we are ready I will write technical specifications so that you can give me a more precise financial assessment. Is that okay with you?

Thanks 

Eric 
