Integrating a third-party application into geOrchestra

Leveraging and extending geOrchestra's access-rights mechanism for third-party applications, or how to "proxify" your own modules

Objectives

Integrate a web application into geOrchestra by leveraging:

  • the LDAP directory,
  • the authentication mechanism

in order to obtain a coherent overall architecture.

[Architecture diagram: the security-proxy sits in front of every module: mapfishapp, geonetwork, extractorapp, geoserver, ldapadmin, and your own modules ("my module 1", "my module 2").]

Where to start?

Understand the main operating principles of the security-proxy

Procedure


Security-proxy side, step 1

Proxying ("proxyfication")

<!-- "targets": one entry per application placed behind the security-proxy.
     The key is the path prefix clients use through the proxy (/sklutz/...);
     the value is the backend URL the proxy forwards those requests to.
     "sklutz" is the example module of these slides (an mviewer instance
     served on localhost:80). -->
<property name="targets">
     <map>
        <entry key="sklutz"   value="http://localhost:80/mviewer/" />
        <entry key="mapfishapp"   value="http://localhost:8280/mapfishapp/" />
        <entry key="analytics"     value="http://localhost:8280/analytics/" />
        [...]
     </map>
</property>
<!-- The matching access rule is declared in step 2, among the <s:intercept-url> entries: -->
 <s:intercept-url pattern="/sklutz/.*" access="ROLE_RB_VN" />

Security-proxy side, step 2

Access rights

<bean id="properties-loader"
        class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"
        p:locations="/WEB-INF/security-proxy.properties" />
        
    <!-- path-type="regex": each pattern must match the whole request URI
         (query string included, which is what the two login rules rely on).
         Rules are evaluated top to bottom and the first match wins, so a
         module's rule must be placed before any broader pattern that would
         also match it, such as a trailing ".*" catch-all. -->
    <s:http entry-point-ref="casProcessingFilterEntryPoint" path-type="regex" realm="${realmName}" disable-url-rewriting="true">
        <s:intercept-url pattern=".*\?.*login.*" access="ROLE_SV_USER,ROLE_SV_EDITOR,ROLE_SV_REVIEWER,ROLE_SV_ADMIN,ROLE_ADMINISTRATOR" />
        <s:intercept-url pattern=".*\?.*casLogin.*" access="ROLE_SV_USER,ROLE_SV_EDITOR,ROLE_SV_REVIEWER,ROLE_SV_ADMIN,ROLE_ADMINISTRATOR" />
        <!-- The new module: only members of the LDAP group RB_VN (exposed to
             Spring Security as ROLE_RB_VN) may reach /sklutz/... -->
        <s:intercept-url pattern="/sklutz/.*" access="ROLE_RB_VN" />        
        <s:intercept-url pattern="/extractorapp/admin/.*" access="ROLE_ADMINISTRATOR" />
        <s:intercept-url pattern="/extractorapp/jobs/.*" access="ROLE_ADMINISTRATOR" />
        <s:intercept-url pattern="/extractorapp/.*" access="ROLE_MOD_EXTRACTORAPP" />
        <s:intercept-url pattern="/geofence/.*" access="ROLE_ADMINISTRATOR" />
        <s:intercept-url pattern="/analytics/.*" access="ROLE_MOD_ANALYTICS" />
        <!-- ldapadmin private UI is restricted to members of the MOD_LDAPADMIN group: -->
        <s:intercept-url pattern="/ldapadmin/privateui/.*" access="ROLE_MOD_LDAPADMIN" />
        <!-- ldapadmin private ui web services: -->
        <s:intercept-url pattern="/ldapadmin/private/.*" access="ROLE_MOD_LDAPADMIN" />
        <!-- ldapadmin pages: -->

Web front-end side

# Normalise /sklutz to /sklutz/ so every request reaches the security-proxy
# under the prefix the step 2 rule is written for (requires RewriteEngine On).
RewriteRule ^/sklutz$ /sklutz/ [R]

# Apache 2.2 syntax; on Apache 2.4 replace the two Order/Allow lines with
# "Require all granted".
<Proxy http://localhost:8080/sklutz/*>
    Order deny,allow
    Allow from all
</Proxy>

# Forward to the security-proxy (listening on port 8080 on these slides),
# never straight to the application on localhost:80: a direct ProxyPass to
# the backend would skip the access rule entirely.
ProxyPass /sklutz/ http://localhost:8080/sklutz/
ProxyPassReverse /sklutz/ http://localhost:8080/sklutz/
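The three steps above are easy to get subtly wrong: a target with no rule of its own silently inherits whatever catch-all closes the rule list, and a rule written as `/sklutz/.*` does not match the bare `/sklutz` URL users type, which is what the front-end RewriteRule works around. The following linter is an added example of mine, not geOrchestra project code: it parses the two security-proxy fragments (the `targets` map from step 1 and the `<s:intercept-url>` rules from step 2) and evaluates them the way Spring Security does in regex mode (first matching rule wins, the whole request URI must match). The XML it reads is constructed to mirror the slides, with a trailing `.*` catch-all added (an assumption about the full configuration, not shown on the slides) and mapfishapp left without a rule on purpose so the report has something to flag.

```python
"""Added example (not geOrchestra project code): lint security-proxy access
rules against the targets map, emulating Spring Security's evaluation order.

Assumptions (mine, not from the slides): path-type="regex" means a rule
matches when its pattern matches the *whole* request URI; rules are tried in
document order and the first match wins; a final ".*" catch-all exists.
"""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

SPRING_SEC_NS = "http://www.springframework.org/schema/security"
CATCH_ALL = ".*"

# Constructed sample mirroring step 1 (the targets map of the security-proxy).
TARGETS_XML = """<map>
  <entry key="sklutz"     value="http://localhost:80/mviewer/" />
  <entry key="mapfishapp" value="http://localhost:8280/mapfishapp/" />
  <entry key="analytics"  value="http://localhost:8280/analytics/" />
</map>"""

# Constructed sample mirroring step 2 (rules in evaluation order).  mapfishapp
# deliberately has no rule of its own; the catch-all is an assumed last rule.
RULES_XML = """<rules xmlns:s="{ns}">
  <s:intercept-url pattern="/sklutz/.*" access="ROLE_RB_VN" />
  <s:intercept-url pattern="/extractorapp/admin/.*" access="ROLE_ADMINISTRATOR" />
  <s:intercept-url pattern="/extractorapp/.*" access="ROLE_MOD_EXTRACTORAPP" />
  <s:intercept-url pattern="/analytics/.*" access="ROLE_MOD_ANALYTICS" />
  <s:intercept-url pattern=".*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
</rules>""".format(ns=SPRING_SEC_NS)

Match = namedtuple("Match", "pattern roles")


def parse_targets(xml_text):
    """{path prefix used through the proxy: backend URL it is forwarded to}."""
    return {e.get("key"): e.get("value") for e in ET.fromstring(xml_text).iter("entry")}


def parse_rules(xml_text):
    """[(compiled regex, [roles])] in document order; the order *is* the policy."""
    rules = []
    for el in ET.fromstring(xml_text).iter("{%s}intercept-url" % SPRING_SEC_NS):
        roles = [r.strip() for r in el.get("access", "").split(",") if r.strip()]
        rules.append((re.compile(el.get("pattern")), roles))
    return rules


def first_match(rules, request_uri):
    """First rule whose regex matches the whole request URI (Spring's regex
    matcher semantics); Match(None, []) when no rule applies."""
    for rx, roles in rules:
        if rx.fullmatch(request_uri):
            return Match(rx.pattern, roles)
    return Match(None, [])


def check_module(rules, key):
    """Evaluate the two URIs users actually type for one proxied module."""
    with_slash = first_match(rules, "/%s/" % key)
    no_slash = first_match(rules, "/%s" % key)
    issues = []
    if with_slash.pattern in (None, CATCH_ALL):
        issues.append("no-dedicated-rule")        # inherits the catch-all policy
    if no_slash.pattern != with_slash.pattern:
        issues.append("trailing-slash-mismatch")  # /key and /key/ get different rules
    return {"key": key, "pattern": with_slash.pattern,
            "roles": with_slash.roles, "issues": issues}


def lint(targets, rules):
    """Run check_module for every entry of the targets map: {key: report}."""
    return {key: check_module(rules, key) for key in targets}


if __name__ == "__main__":
    for key, report in lint(parse_targets(TARGETS_XML), parse_rules(RULES_XML)).items():
        print("%-12s rule=%-22r roles=%-20s issues=%s"
              % (key, report["pattern"], ",".join(report["roles"]) or "-",
                 ", ".join(report["issues"]) or "ok"))
```

Running it reports `trailing-slash-mismatch` for sklutz and analytics (the bare `/sklutz` falls through to the catch-all, which is exactly the case the front-end `RewriteRule ^/sklutz$ /sklutz/` normalises away) and `no-dedicated-rule` for mapfishapp. Point it at the real `targets` map and rule list before deploying a new module, and re-run it after reordering rules.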

Result

Check it end to end: an unauthenticated request to /sklutz/ must be redirected to the CAS login page (the configured entry point), and an authenticated user who is not a member of RB_VN must receive a 403, not the application.

Questions,

Workflow evolution
