There are multiple ways to configure authenticated access to services published in LuciadFusion Platform. To set up LuciadFusion service authentication, you can choose to:

  • Configure whether services require authentication by default using the configuration property fusion.security.serviceAuthenticationRequired.

  • Configure authentication for endpoints matching a certain pattern by listing them under the configuration property fusion.security.authenticatedEndpoints. See the How to configure access to services in LuciadFusion article for some examples.

  • Use Spring Security, which is included with LuciadFusion. With Spring Security, you can define distinct security configurations for distinct endpoints. For example, if you published a WMS service with endpoint ogc/wms/world, you can secure access to it by creating a custom security configuration for the ogc/wms/world/** pattern. To do so, you must define a SecurityFilterChain bean. Make LuciadFusion pick it up by enabling the fusion.config.additionalScanPackages property in the LuciadFusion configuration file fusion.common.yml. Use the HttpSecurity class to create your own security configuration.

    This example illustrates the approach: it authorizes only users with the WMS role for requests that match ogc/wms/world/**:

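    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.Customizer;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.web.SecurityFilterChain;

    @Configuration
    public class CustomSecurityConfig {

      @Bean
      public SecurityFilterChain serviceFilterChain(HttpSecurity http) throws Exception {
        // Apply this filter chain only to requests for the published WMS endpoint.
        http.securityMatcher("/ogc/wms/world/**")
            // hasRole("WMS") checks for the granted authority ROLE_WMS.
            .authorizeHttpRequests(authorizeHttpRequests ->
                                     authorizeHttpRequests.anyRequest().hasRole("WMS"))
            // Authenticate with HTTP Basic; the no-argument httpBasic() is deprecated.
            .httpBasic(Customizer.withDefaults());
        return http.build();
      }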
    }

  • Use a reverse proxy in front of LuciadFusion. In this setup, all access to LuciadFusion passes through the reverse proxy, which you can configure to enable authentication for selected endpoints. For more information about setting up LuciadFusion with a reverse proxy based on Apache HTTP server, see How to set up the LuciadFusion Platform with a reverse proxy. For more information about using Apache’s authentication modules, see the Apache HTTP server documentation.
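
    As an added illustration of the reverse proxy option (not taken from the LuciadFusion documentation), the following Apache HTTP server virtual host requires a login for the ogc/wms/world endpoint and forwards all other requests unauthenticated. The host name, backend address and port, certificate paths and password file path are assumptions.

```apache
# Constructed example: fusion.example.com, 127.0.0.1:8081 and all file paths
# are assumptions, not values from the LuciadFusion documentation.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file and mod_authz_user.
<VirtualHost *:443>
    ServerName fusion.example.com

    # Basic credentials are only base64-encoded, so accept them over TLS only.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/fusion.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/fusion.example.com.key

    # Forward all requests to LuciadFusion. The backend is assumed to listen
    # on the loopback interface only, so clients cannot bypass the proxy.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/

    # Require authentication for the WMS endpoint and everything below it.
    <Location "/ogc/wms/world">
        AuthType Basic
        AuthName "LuciadFusion WMS"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/fusion.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

    Proxy-level authentication only protects the service if LuciadFusion itself is unreachable except through the proxy, for example by binding it to the loopback interface or restricting it with a firewall rule.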