Open giohappy opened 4 years ago
I guess this is in the context of:
MAPSTAND
C145-2019-MAPSTAND-SUPP II
@taba90 as usual let's prepare plan and estimate, and then wait for the green light before moving on with the implementation.
I just want to see the estimate on this.
If it takes more than 2 hours let me know upfront.
A new boolean value is needed in the WebServiceAuthenticationKeyMapper class to check how to send the auth key. The tricky part seems to be the UI, because the configuration of the webservicekeymapper is handled using a Map<String,String> and text fields, so adding a checkbox isn't straightforward: https://github.com/geoserver/geoserver/blob/ad7eb9041ff5dab135cba61798e8415c3b91097d/src/extension/authkey/src/main/java/org/geoserver/security/web/AuthenticationKeyFilterPanel.java#L132. Two different Fragments, one to handle textField and one to handle checkbox, would then be needed. Estimated time is 4 hours.
Thank you @taba90, the estimate sounds reasonable to me. Let us know if we can proceed @simboss.
@taba90 @nmco let's move forward with this as soon as we can
The request is to add the option, inside the AuthKey Module, to send the "api key / session token" using a custom header, as an alternative to the (current) URL parameter.
The main reason is to hide the token from logs and the OnlineResource URI returned inside the GetCapabilities response.
I suggest adopting the same approach implemented for the "Authenticate using Web Service" provider (#145), where a checkbox can be flagged to retrieve the token from a header instead of the URL templated parameter.
For AuthKey Module the header could be the standard Authorization Header (rfc2617) with "Bearer \" value (rfc6750).
The following is the screenshot from the "Authenticate using Web Service" module:
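The difference between the two transports requested in this issue, as an added example that is not part of the original thread or of GeoServer's code: the same request is sent once with the key as a URL parameter and once in an `Authorization: Bearer` header, and the logged request line is printed for each. The class and method names, the `authkey` parameter name, the sample key and the access-log shape are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Optional;

// Added illustration, not GeoServer code: all names here are hypothetical.
public class AuthKeyTransportDemo {

    // fromHeader mirrors the proposed checkbox; "authkey" is the assumed
    // name of the URL parameter used by the current behaviour.
    static Optional<String> extractKey(boolean fromHeader,
                                       Map<String, String> headers,
                                       Map<String, String> query) {
        if (!fromHeader) {
            return Optional.ofNullable(query.get("authkey"))
                    .filter(k -> !k.isEmpty());
        }
        // Caller is assumed to pass header names lower-cased.
        String value = headers.get("authorization");
        if (value == null) {
            return Optional.empty();
        }
        // Expect "Bearer <token>"; auth scheme names are case-insensitive.
        String[] parts = value.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer")) {
            return Optional.empty();
        }
        return Optional.of(parts[1]);
    }

    // Assumed access-log shape: method and request URI, no headers.
    static String accessLogLine(String method, String path, String rawQuery) {
        return method + " " + path + (rawQuery.isEmpty() ? "" : "?" + rawQuery);
    }

    public static void main(String[] args) {
        String key = "SAMPLE-KEY-123"; // constructed value
        String base = "service=WMS&request=GetCapabilities";

        // URL parameter mode: the key is part of the logged request URI.
        System.out.println(accessLogLine("GET", "/geoserver/ows", base + "&authkey=" + key));
        System.out.println(extractKey(false, Map.of(), Map.of("authkey", key)));

        // Header mode: same request, key travels in the Authorization header.
        Map<String, String> headers = Map.of("authorization", "Bearer " + key);
        System.out.println(accessLogLine("GET", "/geoserver/ows", base));
        System.out.println(extractKey(true, headers, Map.of()));

        // A non-Bearer scheme or a missing token yields no key.
        System.out.println(extractKey(true, Map.of("authorization", "Basic abc"), Map.of()));
    }
}
```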