LuciadFusion Studio doesn’t include out-of-the-box functionality to add authentication to published services. You can add that authentication yourself, though, in several ways. To set up LuciadFusion service authentication, you can choose to:

  • Use a reverse proxy in front of LuciadFusion. In this setup, all access to LuciadFusion passes through the reverse proxy, which you can configure to enable authentication for selected endpoints. For more information about setting up LuciadFusion with a reverse proxy based on Apache HTTP server, see How to set up the LuciadFusion Platform with a reverse proxy. For more information about using Apache’s authentication modules, see the Apache HTTP server documentation.

  • Use Spring Security, which is included with LuciadFusion. With Spring Security, you can define distinct security configurations for distinct endpoints. For example, if you published a WMS service with endpoint ogc/wms/world, you can secure access to it by creating a custom security configuration for the ogc/wms/world/** pattern. To do so, you must define a SecurityFilterChain bean. Make LuciadFusion pick it up by enabling the fusion.config.additionalScanPackages property in the LuciadFusion configuration file fusion.common.yml. Use the HttpSecurity class to create your own security configuration.

    This example illustrates the approach: only users with the role WMS are authorized for requests that match ogc/wms/world/**:

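    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.SecurityFilterChain;
    
    @Configuration
    public class CustomSecurityConfig {
    
      @Bean
      public SecurityFilterChain serviceFilterChain(HttpSecurity http) throws Exception {
        // This filter chain applies only to requests for the published WMS endpoint.
        http.securityMatcher("/ogc/wms/world/**")
            // Every matching request requires an authenticated user with the WMS role.
            .authorizeHttpRequests(authorize -> authorize.anyRequest().hasRole("WMS"))
            // HTTP Basic authentication; the no-argument httpBasic() is deprecated in recent Spring Security releases.
            .httpBasic(Customizer.withDefaults());
        return http.build();
      }
    }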

    You must also add the WMS role and its users to the LuciadFusion configuration:

    fusion.security:
      # See application-fusion.production-template.yml for more information on security properties
      enabled: true
      cors.origins: "*" # "*" accepts cross-origin requests from any origin
      authenticationManager: properties_in_memory # Uses the fusion.security.users as authentication source
      authenticationTypes:
        - http_basic
        - form
      users: # Sample accounts with plaintext example passwords; replace them with your own credentials
        - username: admin
          password: admin
          roles:
            - ADMIN
        - username: dm
          password: dm
          roles:
            - DATA_MANAGER
        - username: wms
          password: wms123
          roles:
            - WMS
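
For the reverse proxy option in the first bullet, the following Apache HTTP Server configuration is an added example, not taken from the LuciadFusion or Apache documentation. It assumes that LuciadFusion is proxied at the root path from http://127.0.0.1:8081 and is reachable only through the proxy; the host name, certificate paths and password file are placeholders.

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_headers,
# mod_auth_basic and mod_authn_file to be loaded.
<VirtualHost *:443>
    # Placeholder host name and certificate paths.
    ServerName maps.example.com

    # HTTP Basic sends the password base64-encoded, not encrypted,
    # so the endpoint is served over TLS only.
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/certs/maps.example.com.crt"
    SSLCertificateKeyFile "/etc/ssl/private/maps.example.com.key"

    # Assumed backend address: LuciadFusion bound to the loopback interface,
    # so that all access passes through this proxy.
    ProxyPreserveHost On
    ProxyPass        "/" "http://127.0.0.1:8081/"
    ProxyPassReverse "/" "http://127.0.0.1:8081/"

    # Authentication for the selected endpoint only: the WMS service
    # published at ogc/wms/world and everything beneath it.
    <Location "/ogc/wms/world">
        AuthType Basic
        AuthName "WMS world"
        AuthBasicProvider file
        # Placeholder password file, created for example with:
        #   htpasswd -B -c /etc/apache2/fusion-wms.htpasswd <user>
        AuthUserFile "/etc/apache2/fusion-wms.htpasswd"
        Require valid-user

        # Runs after Apache has checked the credentials, so the proxy's
        # user name and password are not forwarded to the backend.
        RequestHeader unset Authorization
    </Location>
</VirtualHost>
```

Requests to other paths are proxied without authentication by this configuration; add a `<Location>` block for each endpoint that needs it.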