[udig-devel] UDIG and cookies
Jody Garnett
jgarnett at refractions.net
Wed Jun 14 01:30:09 PDT 2006
Ian McIntosh wrote:
>
> Hi,
>
> We've successfully tested UDIG with "normal" Basic Authentication i.e.
> on a test machine with Basic Authentication configured in Apache.
Congrats.
> We are aiming to secure our OGC resources using CA's SiteMinder. It
> has various authentication schemes built in which we can use to apply
> to urls, one of which is SiteMinder's own flavour of Basic
> Authentication.
>
> Our tests don't work, and after conferring with SiteMinder's support
> people, we now know that SM requires cookies to be enabled on the
> client. UDIG (and GAIA and deeJUMP) all fail, and it's our hypothesis
> that they don't support cookies.
>
> Can you please verify that this is the case for UDIG?
Hi Ian, I cannot confirm that exactly.

If you check out the GeoDSS codebase you will see support for the DACS
authentication scheme used for OWS-3. This made use of cookies, and you
will need to ask Richard Gould if this support made it back into trunk,
or was only waiting on an interested party like yourself.

You may want to look at the work of OWS-3, in particular the DRM thread. We
were not part of this directly, only took a couple of days to hook up to
two of the authentication schemes they used.

The original uDig design called for setting up a security module to
manage names/passwords (and apparently cookies) associated with each
resource. We can pass on the design if you wish to work on this, or talk
about a more formal arrangement if this is important to you.

Cheers,
Jody