3liz / lizmap-web-client

Transfer a QGIS project on a server, Lizmap is providing the web interface to browse it
https://www.lizmap.com
Mozilla Public License 2.0

problem access projects via web url specifying user account #937

Open mtiozzo opened 6 years ago

mtiozzo commented 6 years ago

I updated Lizmap from 3.1 to 3.2. Now I have a problem with the connection strings I used to see projects in a PHP page, via iframe. The string can access the repository but fails to authenticate the user. The string used is the following: http://SERVER/lm/index.php/jauth/login/in?login=USER&password=PASSWORD.&auth_url_return=%2Flm%2Findex.php%2Fview%2Fmap%2F%3Frepository%3D1%26project%3DBONIFICHE

When I open a page this error appears to me: 404 Not Found Sorry, the requested page doesn't exist

Page generated by Jelix.

I tried to change the connection string to this: http://SERVER/lm/index.php/view/map/?repository=7&project=base4/jauth/login/in?login=USER&password=PASSWORD

When I open a page this error appears to me: Non puoi accedere al repository.

rldhont commented 6 years ago

The module to manage authentication has changed in lizmap-web-client 3.2

The URL to authentication is: http://SERVER/lm/index.php/auth/login/in

mtiozzo commented 6 years ago

I tried to change the links with your suggestion but it still does not work. Do I have to enable some services? Or is it just a login string problem?

http://SERVER/lm/index.php/auth/login/in?login=USER&password=PASSWORD.&auth_url_return=%2Flm%2Findex.php%2Fview%2Fmap%2F%3Frepository%3D1%26project%3DBONIFICHE

http://SERVER/lm/index.php/view/map/?repository=7&project=base4/auth/login/in?login=USER&password=PASSWORD

rldhont commented 6 years ago

The params have also changed:

mtiozzo commented 6 years ago

I tried various combinations of commands, using both the straight format you suggested and then tried mixing it with the old and the new (I also tried the old plain format with the new path and parameters).

Example: http://SERVER/lm/index.php/auth/login/in?auth_login=USER&auth_password=PASSWORD.&auth_url_return=%2Flm%2Findex.php%2Fview%2Fmap%2F%3Frepository%3D1%26project%3Dproject

None of them has worked; it always returns a 404 error.

I've seen that the new login page from admin.php uses "admin.php/auth/login/?auth_url_return=" straight, without the "in" before the question mark. So I tried also using "index.php/auth/login/?auth_login=" etc., and also using admin.php with auth_url_return pointing to index.php paths (both just the index.php path and a project). I tried also with "/login/form?...", "/formin?" and a few other guess attempts...

None worked! I've already checked the Jelix docs and tried to understand the .php files, but I didn't get anywhere with this...

Many thanks for the support anyway

rldhont commented 6 years ago

With Lizmap 3.2, you can't do it like that; you need to generate a form (the HTML page) that contains a token to secure the authentication.

mtiozzo commented 6 years ago

I need to call a Lizmap map from a PHP page. I had thought about using an iframe with the connection string I sent you previously. So you can no longer use that string specifying your username and password, right? So the only way to proceed is passing the session, LDAP, etc... right? Thanks

laurentj commented 6 years ago

The url should start with http://SERVER/lm/admin.php/auth/login/in, not http://SERVER/lm/index.php/auth/login/in. This is why you have a 404 error.

Then parameters should be ?auth_login=USER&auth_password=PASSWORD&auth_url_return=%2Flm%2Findex.php%2Fview%2Fmap%2F%3Frepository%3D1%26project%3Dproject. However as rldhont said, the token parameter is missing and you cannot forge it yourself. So the authentication will fail.

Anyway, I hope that the login and password indicated in the URL are the login/password of the user who views the web page containing the iframe, else you have a security issue. It means that anybody accessing your web page can see the login/password by viewing the source code in the browser, for example.

In general, it is a bad practice to set login/password in URLs inside a web page.

rldhont commented 6 years ago

The way you want to integrate Lizmap requires deactivating the security in the authentication form: https://docs.jelix.org/en/manual/jforms/security

To do so you need to overload the jcommunity login form https://github.com/3liz/lizmap-web-client/blob/master/lib/vendor-modules/jcommunity/forms/login.form.xml or create a controller to do the authentication and the redirection.

To overload the form you can copy lib/vendor-modules/jcommunity/forms/login.form.xml to lizmap/var/overloads/jcommunity/forms/login.form.xml and update the overloaded file by adding allowAnyOrigin="true" to the <form> element. Here is the doc: https://docs.jelix.org/en/manual/overloads

mtiozzo commented 6 years ago

Thank you for the help you are giving me. I followed all the steps you gave me to change the configuration of the Jelix form. More or less it works for my needs at this time. The only thing is, when I load the page where the iframe is present, at the first loading Lizmap directs me to the login page; I have to reload the page so that the map loads. Do you have any suggestions how to solve this?

Thanks

laurentj commented 5 years ago

@mtiozzo I am studying some other solutions because giving the login and password within the URL of an iframe is very insecure.

  1. A first solution (and the best solution IMHO) is to use an SSO (Single Sign-On) protocol, like CAS. It requires installing an authentication server, but these protocols are designed for your needs, I guess. We had a module which added support for the CAS protocol to a Jelix application (so to Lizmap), but it is very old and we need to adapt it. You would have to install this authentication server, and modify your application to use it instead of verifying the authentication yourself in your app.
  2. A second solution is to implement a token-based protocol directly inside Lizmap, but it requires developing it in Lizmap, and it requires modifying your app to call some new web APIs of Lizmap when the user logs in and when he logs out, and probably implementing a class or a web service in your app, called by Lizmap. All of these new web APIs will allow creating, exchanging, validating or destroying a token you will give in the iframe URL. (I am still studying this protocol, or whether there is an existing protocol which doesn't need an authentication server.)

What do you think about these kinds of solutions?

laurentj commented 5 years ago

Instead of using CAS, which can be very tricky to install (the CAS server is a Java application...), I think it will be simpler to implement a token-based protocol to authenticate into Lizmap, using JWT tokens. I started to write a specification.

In summary: an application which wants to embed a Lizmap map will have to call a new web API of Lizmap with the credentials of the user and a "return URL" (POST request). As a response, the app will get a Lizmap URI to which the browser should be redirected. At this Lizmap URI, Lizmap will then check the token, create a session (and so a session cookie), and then redirect the browser to the "return URL" given by the application. The app could then set an iframe with the URL of a map without any credentials or tokens. The browser will send the session cookie as usual in the iframe requests.

The goal is to not have credentials or tokens in the iframe URL, so as not to leak them into the browser history, server logs or elsewhere.
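A sketch of the two-step token exchange proposed in the comments above, added here as an illustration; it is not Lizmap's code nor the specification laurentj refers to. The endpoint path /auth/token/in, the claim names, the shared secret and the user store are assumptions; the JWT is HS256 signed by hand so the example runs offline.

```python
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values: a signing secret known only to Lizmap (never handed to the
# embedding app), a base URL matching the thread, and a stand-in user store.
LIZMAP_SECRET = b"constructed-demo-secret-do-not-reuse"
LIZMAP_BASE = "http://SERVER/lm/index.php"
USERS = {"USER": "PASSWORD"}
_redeemed: set = set()  # jti values already consumed: each login URI works once

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_embed_login(login, password, return_url, ttl=60, now=None) -> str:
    """Step 1 (server to server): the embedding app POSTs the user's credentials
    and a return URL; Lizmap checks them and answers with a short-lived login URI."""
    if not hmac.compare_digest(USERS.get(login, "").encode(), password.encode()):
        raise PermissionError("bad credentials")
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": login, "iat": now, "exp": now + ttl,
                                 "jti": secrets.token_urlsafe(16),
                                 "return_url": return_url}).encode())
    sig = hmac.new(LIZMAP_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    token = f"{header}.{claims}.{_b64url(sig)}"
    return f"{LIZMAP_BASE}/auth/token/in?" + urlencode({"token": token})

def redeem_embed_login(uri, now=None) -> tuple:
    """Step 2 (browser): redirected to the login URI, Lizmap verifies signature,
    algorithm, expiry and single use, opens a session and redirects to return_url.
    From then on only the session cookie travels with the iframe requests."""
    token = parse_qs(urlparse(uri).query)["token"][0]
    header, claims, sig = token.split(".")
    expected = hmac.new(LIZMAP_SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise PermissionError("bad signature")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    body = json.loads(_b64url_decode(claims))
    now = int(time.time()) if now is None else now
    if now >= body["exp"]:
        raise PermissionError("token expired")
    if body["jti"] in _redeemed:
        raise PermissionError("token already used")
    _redeemed.add(body["jti"])
    session = {"user": body["sub"], "session_id": secrets.token_hex(16)}
    return session, body["return_url"]
```

The login URI carries a signed, expiring, single-use token instead of the password, and the iframe itself never sees either: the map URL in the iframe is plain, as described above.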

mbernasocchi commented 4 years ago

Hey @rldhont, is there any news here?