Ticket #2794: 0001-ticket-2792-Fix-add-authentication_type-basic_header.patch

applications/petascope/petascope_core/src/main/java/org/rasdaman/config/ConfigManager.java

@@ -107 +107 @@
     // context path for OAPI endpoint (e.g: localhost:8080/rasdaman/oapi)
     public static final String OAPI = "oapi";
 
-    // For community this endpoint always return fasle, it is used to check that if petascope is running from wsclient
+    // Check if petascope has enabled authentication in petascope.properties
     public static final String CHECK_PETASCOPE_ENABLE_AUTHENTICATION = "authisactive";
     public static final String CHECK_PETASCOPE_ENABLE_AUTHENTICATION_CONTEXT_PATH = ADMIN + "/authisactive";
 
@@ -291 +291 @@
     public static String INSPIRE_COMMON_URL = "";
     public static String INSPIRE_SPATIAL_DATASET_IDENTIFIER = "rasdaman";
 
+    private static final String KEY_AUTHENTICATION_TYPE = "authentication_type";
+    public static final String AUTHENTICATION_TYPE_BASIC_HEADER = "basic_header";
+    public static String AUTHENTICATION_TYPE = AUTHENTICATION_TYPE_BASIC_HEADER;
+
     // rasj 
     private static final String KEY_RASJ_LOGGING_LEVEL = "rasj_logging_level";
     public static String RASJ_LOGGING_LEVEL = RasjLoggingLevel.WARN.name();
@@ -382 +386 @@
         
         initRasj();
 
+        initAuthenticationTypesSetting();
+
         printStartupMessage();
         
         GDAL_JAVA_VERSION = Byte.parseByte(gdal.VersionInfo().substring(0, 1));
@@ -433 +439 @@
         
         return value;
     }
+
+    private boolean containsProperty(String key) {
+        return props.get(key) != null;
+    }
     
     private void initPetascopeSettings() throws PetascopeException {
         // server.port
@@ -740 +750 @@
 
         log.info("------------------------------------");
     }
+
+    public static boolean enableAuthentication() {
+        return !AUTHENTICATION_TYPE.isEmpty();
+    }
+
+    /**
+     * Initialize authentication types in Petascope (e.g: shibboleth and basic authentication header).
+     */
+    private void initAuthenticationTypesSetting() throws PetascopeException {
+        if (containsProperty(KEY_AUTHENTICATION_TYPE)) {
+            String value = get(KEY_AUTHENTICATION_TYPE).trim();
+            if (!value.isEmpty()) {
+                if (!value.equals(AUTHENTICATION_TYPE_BASIC_HEADER)) {
+                    throw new PetascopeException(ExceptionCode.InvalidPropertyValue,
+                            "Value for authentication setting '" + KEY_AUTHENTICATION_TYPE + "' is not supported. Given: '" + value + "'");
+                }
+            }
+
+            AUTHENTICATION_TYPE = value;
+        }
+    }
 }
 

applications/petascope/petascope_main/src/main/java/com/rasdaman/accesscontrol/service/AuthenticationService.java

@@ -122 +122 @@
         InputStream inputStream = urlConnection.getInputStream();
         return inputStream;
     }
+
+    /**
+     * Return rasdaman user credentials from a request.
+     * NOTE: used only in deeper classes which are behind this requests filter.
+     */
+    public static Pair<String, String> getRasUserCredentials(HttpServletRequest httpServletRequest) throws PetascopeException {
+        String username = ConfigManager.RASDAMAN_USER;
+        String password = ConfigManager.RASDAMAN_PASS;
+        
+        Pair<String, String> basicAuthCredentialsPair = getBasicAuthUsernamePassword(httpServletRequest);
+        if (basicAuthCredentialsPair != null) {
+            username = basicAuthCredentialsPair.fst;
+            password = basicAuthCredentialsPair.snd;
+        }
+        
+        if (ConfigManager.enableAuthentication()) {
+
+            // If request with basic authentication header then just use credentials from it
+            
+            if (basicAuthCredentialsPair != null) {
+                // Basic authentication, credentials always from header
+                username = basicAuthCredentialsPair.fst;
+                password = basicAuthCredentialsPair.snd;
+            }            
+        }
+        
+        Pair<String, String> credentailsPair = new Pair<>(username, password);
+        
+        return credentailsPair;
+    }
     
 }

new file applications/petascope/petascope_main/src/main/java/com/rasdaman/accesscontrol/service/RequestsFilter.java

@@ +1 @@
+/*
+ * This file is part of rasdaman community.
+ *
+ * Rasdaman community is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rasdaman community is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU  General Public License for more details.
+ *
+ * You should have received a copy of the GNU  General Public License
+ * along with rasdaman community.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Copyright 2003 - 2023 Peter Baumann / rasdaman GmbH.
+ *
+ * For more information please see <http://www.rasdaman.org>
+ * or contact Peter Baumann via <baumann@rasdaman.com>.
+ */
+package com.rasdaman.accesscontrol.service;
+
+import java.io.IOException;
+import java.util.*;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletRequestWrapper;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.commons.lang3.StringUtils;
+import org.rasdaman.CorsFilter;
+import org.rasdaman.config.ConfigManager;
+import static org.rasdaman.config.ConfigManager.ADMIN;
+import static org.rasdaman.config.ConfigManager.AUTHENTICATION_TYPE_BASIC_HEADER;
+import static org.rasdaman.config.ConfigManager.OWS;
+import static org.rasdaman.config.ConfigManager.RASQL;
+import org.rasdaman.config.VersionManager;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import static org.rasdaman.config.ConfigManager.*;
+import static org.rasdaman.config.ConfigManager.PETASCOPE_ENDPOINT_URL;
+import static petascope.core.KVPSymbols.WCS_SERVICE;
+import petascope.core.Pair;
+import petascope.exceptions.ExceptionCode;
+import petascope.exceptions.PetascopeException;
+import petascope.util.ExceptionUtil;
+import petascope.util.ras.RasUtil;
+import static org.rasdaman.config.ConfigManager.CHECK_PETASCOPE_ENABLE_AUTHENTICATION;
+import static org.rasdaman.config.ConfigManager.SECORE;
+import petascope.controller.PetascopeController;
+
+/**
+ * If Shibboleth authentication is configured, any unauthenticated requests will
+ * need to redirect to Shibboleth auth endpoint to login from IdP's credentials.
+ *
+ * @author Bang Pham Huu <b.phamhuu@jacobs-university.de>
+ */
+@Component
+public class RequestsFilter implements Filter {
+    
+    // Endpoint to check authentication and return the roles of an user to clients
+    public static final String LOGIN = "login";
+
+    @Autowired
+    private HttpServletRequest httpServletRequest;
+    @Autowired
+    private PetascopeController petascopeController;
+    @Autowired
+    private AuthenticationService authenticationService;
+
+    // NOTE: These requests should bypass authentication in Petascope (i.e: no need to authenticate in any case)
+    // Because they are sent internally by petascope / rasfed not by users
+    private static final List<String> NO_NEED_TO_AUTHENTICATE_REQUESTS = new ArrayList<>(Arrays.asList(
+        // Rasql Servlet as it always needs query and password parameters
+        RASQL,
+            
+        SECORE,    
+
+        // non-standard for checking authentication for petascope
+        CHECK_PETASCOPE_ENABLE_AUTHENTICATION, LOGIN
+    ));
+
+    /**
+     * Check if a request should need authentication or not
+     */
+    private boolean requireAthenticationRequest(String requestMethod, String requestURI, String queryString) {
+        
+        // Static assets (.html, .js, .css) are not checked
+        if (requestURI.matches(".*/.*\\..*")) {
+            return false;
+        }
+
+        if (requestURI.contains("admin/version")) {
+            return false;
+        }
+        
+        // Request to return WSClient
+        if (requestMethod.equals("GET")) {
+            if (requestURI.endsWith("/" + OWS) && queryString == null) {
+                return false;
+            } else if (requestURI.endsWith("rasdaman/") && queryString == null) {
+                // Return the HTML pages configured in petascope.properties (e.g: BigDataCube demo)
+                return false;
+            }
+        }
+        
+        // endpoint to show admin page embedded in petascope (the page contains web rascontrol, access controll management and statistic)
+        if (this.httpServletRequest.getMethod().equals("GET") && requestURI.endsWith("/" + ADMIN)) {
+            return false;
+        }
+
+        for (String request : NO_NEED_TO_AUTHENTICATE_REQUESTS) {
+            // special requests are not checked
+            if (requestURI.contains("/" + request)) {
+                return false;
+            }
+        }                
+
+        return true;
+    }
+
+    /**
+     * Check if credentials are valid
+     * NOTE: it allows null credentialsPair for further processing
+     */
+    private void checkValidCredentialsAllowNull(Pair<String, String> credentialsPair) throws PetascopeException {
+        if (credentialsPair != null) {
+            RasUtil.checkValidUserCredentials(credentialsPair.fst, credentialsPair.snd);
+        }
+    }
+    
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest httpServletRequest = (HttpServletRequest) request;
+        HttpServletResponse httpServletResponse = (HttpServletResponse) response;
+
+        // NOTE: no url for petascope is defined in petascope.properties, only now can have the HTTP request object to set this value
+         if (StringUtils.isEmpty(PETASCOPE_ENDPOINT_URL)) {
+            // use the requesting URL to Petascope (not always: http://localhost:8080/rasdaman/ows)
+
+            // e.g. /openeo/.well-known/openeo
+            String servletPath = httpServletRequest.getServletPath();
+            String requestURL = httpServletRequest.getRequestURL().toString();
+
+            // e.g. http://localhost:8080/rasdaman/ows
+            String contextPathURL = requestURL.split(servletPath)[0] + "/" + OWS;
+
+            ConfigManager.setPetascopeEndpointUrl(contextPathURL);
+            String protocol = httpServletRequest.getHeader("X-Forwarded-Proto");
+
+            if (protocol != null) {
+                // e.g. in case using https in apache2 proxy for http on local tomcat
+                String[] tmps = PETASCOPE_ENDPOINT_URL.split("://");
+                ConfigManager.setPetascopeEndpointUrl(protocol + "://" + tmps[1]);
+            }
+        }
+
+        if (INSPIRE_COMMON_URL.isEmpty()) {
+            INSPIRE_COMMON_URL = PETASCOPE_ENDPOINT_URL;
+        }
+        
+        // NOTE: must enable 'Access-Control-Allow-Origin': * in HTTP response
+        // In case basic header is enabled to avoid CORS problem in web browser
+        CorsFilter.setResponseHeader(httpServletRequest, httpServletResponse);
+        
+        // NOTE: to avoid CORS error from web browser for preflight request (OPTIONS request), these requests don't contain basic header
+        // (in case petascope's basic header is enabled)
+        if ("OPTIONS".equals(httpServletRequest.getMethod())) {
+            httpServletResponse.setStatus(HttpServletResponse.SC_OK);
+            return;
+        } 
+        
+        String authenticationErrorMessage = "";
+        
+        if (ConfigManager.enableAuthentication()) {
+            
+            // Based on the first authentication type to redirect to Shibboleth IdP 
+            // or throw exception with basic authentcation header (requests without username and password)
+            String authenticationType = ConfigManager.AUTHENTICATION_TYPE;
+
+            // Special requests will not need to check
+            if (requireAthenticationRequest(httpServletRequest.getMethod(), httpServletRequest.getRequestURI(), httpServletRequest.getQueryString())) {
+                Pair<String, String> basicAuthCredentialsPair = null;
+                try {
+                    basicAuthCredentialsPair = AuthenticationService.getBasicAuthUsernamePassword(httpServletRequest);
+                    this.checkValidCredentialsAllowNull(basicAuthCredentialsPair);
+                } catch (PetascopeException ex) {
+                    ExceptionUtil.handle(VersionManager.getLatestVersion(WCS_SERVICE), ex, httpServletResponse);
+                    return;
+                }
+
+                if (authenticationType.equals(AUTHENTICATION_TYPE_BASIC_HEADER)) {
+                    if (basicAuthCredentialsPair == null) {
+                        if (ConfigManager.RASDAMAN_USER.isEmpty()) {
+                            // If rasguest is not set as rasdaman_user and basic header is enabled, then petascope throws error for unauthenticated requests
+                            try {
+                                String requestRepresentation = this.petascopeController.getRequestPresentationWithEncodedAmpersands(httpServletRequest);
+                                authenticationErrorMessage = "Missing basic authentication header with username:password encoded in Base64 string from request '" + requestRepresentation + "'";
+                            } catch (Exception ex) {
+                                ExceptionUtil.handle(VersionManager.getLatestVersion(WCS_SERVICE), ex, httpServletResponse);
+                            }                            
+                        } else {
+                            // If rasguest is set as rasdaman_user and basic header is enabled, then petascope uses rasguest's credentials for unauthenticated requests
+                            MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(httpServletRequest);
+                            String credentialsInBase64 = AuthenticationService.createBasicHeaderCredentialsInBase64String(ConfigManager.RASDAMAN_USER, ConfigManager.RASDAMAN_PASS);
+                            mutableRequest.putHeader(AuthenticationService.BASIC_AUTHENTICATION_HEADER, credentialsInBase64);
+                        }
+                    }
+                }
+            }
+        } else {
+            // Requests to SECORE should still be ok without these missing rasguest configurations
+            if (!httpServletRequest.getRequestURI().contains(ConfigManager.SECORE)) {
+                Pair<String, String> basicAuthCredentialsPair = null;
+                try {
+                    basicAuthCredentialsPair = AuthenticationService.getBasicAuthUsernamePassword(httpServletRequest);
+                    this.checkValidCredentialsAllowNull(basicAuthCredentialsPair);
+                } catch (PetascopeException ex) {
+                    ExceptionUtil.handle(VersionManager.getLatestVersion(WCS_SERVICE), ex, httpServletResponse);
+                }
+            }
+        }
+
+        if (authenticationErrorMessage.isEmpty()) {
+            // requests has no problem with authentication
+            filterChain.doFilter(request, response);
+        } else {
+            // request is not authenticated
+            PetascopeException petascopeException = new PetascopeException(ExceptionCode.Unauthorized, authenticationErrorMessage);
+            ExceptionUtil.handle(VersionManager.getLatestVersion(WCS_SERVICE), petascopeException, httpServletResponse);
+        }
+    }
+
+    @Override
+    public void init(FilterConfig fc) throws ServletException {
+    }
+
+    @Override
+    public void destroy() {
+    }
+    
+    // This is needed for adding custom header (e.g Authorization for basic header) to HttpServletRequest object
+    final public class MutableHttpServletRequest extends HttpServletRequestWrapper {
+
+        private final Map<String, String> customHeaders;
+
+        public MutableHttpServletRequest(HttpServletRequest request){
+            super(request);
+            this.customHeaders = new HashMap<>();
+        }
+
+        public void putHeader(String name, String value){
+            this.customHeaders.put(name, value);
+        }
+
+        public String getHeader(String name) {
+            String headerValue = customHeaders.get(name);
+
+            if (headerValue != null){
+                return headerValue;
+            }
+            return ((HttpServletRequest) getRequest()).getHeader(name);
+        }
+
+        public Enumeration<String> getHeaderNames() {
+            Set<String> set = new HashSet<String>(customHeaders.keySet());
+
+            @SuppressWarnings("unchecked")
+            Enumeration<String> e = ((HttpServletRequest) getRequest()).getHeaderNames();
+            while (e.hasMoreElements()) {
+                String n = e.nextElement();
+                set.add(n);
+            }
+            return Collections.enumeration(set);
+        }
+    }
+}
+

applications/petascope/petascope_main/src/main/java/com/rasdaman/admin/layer/service/AdminActivateLayerService.java

@@ -21 +21 @@
  */
 package com.rasdaman.admin.layer.service;
 
-// -- rasdaman enterprise begin
-
 import com.rasdaman.admin.service.AbstractAdminService;
 import petascope.core.response.Response;
 import java.util.Map;

applications/petascope/petascope_main/src/main/java/com/rasdaman/admin/layer/service/AdminDeactivateLayerService.java

@@ -22 +22 @@
 package com.rasdaman.admin.layer.service;
 
 
-// -- rasdaman enterprise begin
-
 import com.rasdaman.admin.service.AbstractAdminService;
 
 // -- rasdaman enterprise end

applications/petascope/petascope_main/src/main/java/com/rasdaman/admin/model/AuthIsActiveResult.java

@@ -1 @@
-// -- rasdaman enterprise begin
-
 /*
- *  Copyright 2003 - 2023 Peter Baumann / rasdaman GmbH.
- *  For more information please see <http://www.rasdaman.org>
- *  or contact Peter Baumann via <baumann@rasdaman.com>.
+ * This file is part of rasdaman community.
+ *
+ * Rasdaman community is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rasdaman community is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU  General Public License for more details.
+ *
+ * You should have received a copy of the GNU  General Public License
+ * along with rasdaman community.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Copyright 2003 - 2023 Peter Baumann / rasdaman GmbH.
+ *
+ * For more information please see <http://www.rasdaman.org>
+ * or contact Peter Baumann via <baumann@rasdaman.com>.
  */
-
 package com.rasdaman.admin.model;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -33 +46 @@
         return rasdamanUser;
     }
 }
-
-
-// -- rasdaman enterprise end
- No newline at end of file

applications/petascope/petascope_main/src/main/java/org/rasdaman/ApplicationMain.java

@@ -329 +329 @@
 
         // Test if rasdaman is running first with provided credentials from rasguest and rasadmin
 
-        if (ConfigManager.RASDAMAN_USER.trim().isEmpty() && ConfigManager.RASDAMAN_PASS.trim().isEmpty()) {
-            AbstractController.startException = new PetascopeException(ExceptionCode.InternalComponentError,
-                "petascope does not know which user to query to rasdaman. " +
-                "Hint: in petascope.properties set rasdaman_user and rasdaman_pass with valid credentials of a rasdaman user, then restart tomcat service afterwards.");
-        }
-
         if (ConfigManager.RASDAMAN_USER != null && !ConfigManager.RASDAMAN_USER.isEmpty()
-            && ConfigManager.RASDAMAN_PASS != null && !ConfigManager.RASDAMAN_PASS.isEmpty()) {
+          && ConfigManager.RASDAMAN_PASS != null && !ConfigManager.RASDAMAN_PASS.isEmpty()) {
             try {
                 RasUtil.checkValidUserCredentials(ConfigManager.RASDAMAN_USER, ConfigManager.RASDAMAN_PASS);
             } catch (Exception ex) {
                 String errorMessage = "Cannot check if rasdaman is running. Reason: " + ex.getMessage().trim()
-                    + ". Hint: make sure rasdaman is running, user's credentials are correct and restart tomcat service afterwards.";
+                        + ". Hint: make sure rasdaman is running, user's credentials are correct and restart tomcat service afterwards.";
                 log.error(errorMessage);
                 AbstractController.startException = new PetascopeException(ExceptionCode.InternalComponentError, errorMessage);
                 return;
@@ -353 +347 @@
             RasUtil.checkValidUserCredentials(ConfigManager.RASDAMAN_ADMIN_USER, ConfigManager.RASDAMAN_ADMIN_PASS);
         } catch(Exception ex) {
             String errorMessage = "Cannot check if rasdaman is running. Reason: " + ex.getMessage().trim()
-                + ". Hint: make sure rasdaman is running, user's credentials are correct and restart tomcat service afterwards.";
+                                + ". Hint: make sure rasdaman is running, user's credentials are correct and restart tomcat service afterwards.";
             log.error(errorMessage);
             AbstractController.startException = new PetascopeException(ExceptionCode.InternalComponentError, errorMessage);
             return;
@@ -362 +356 @@
         CrsUtil.setInternalResolverCRSToQualifiedCRS();
         CrsUtil.currentWorkingResolverURL = ConfigManager.SECORE_URLS.get(0);
 
+        if (ConfigManager.RASDAMAN_USER.trim().isEmpty() && ConfigManager.RASDAMAN_PASS.trim().isEmpty()
+                && !ConfigManager.enableAuthentication()
+        ) {
+            AbstractController.startException = new PetascopeException(ExceptionCode.InternalComponentError,
+                    "No authentication is enabled, hence, petascope does not know which user to query to rasdaman.\n" +
+                            "Hint: in petascope.properties either change to authentication_type=basic_header " +
+                            "or set rasdaman_user and rasdaman_pass with valid credentials of a rasdaman user, then restart petascope.");
+        }
+
     }
 
     @EventListener(ApplicationReadyEvent.class)

applications/petascope/petascope_main/src/main/java/org/rasdaman/datamigration/DataMigration8Handler.java

@@ -1 @@
-// -- rasdaman enterprise begin
+/*
+ * This file is part of rasdaman community.
+ *
+ * Rasdaman community is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rasdaman community is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU  General Public License for more details.
+ *
+ * You should have received a copy of the GNU  General Public License
+ * along with rasdaman community.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Copyright 2003 - 2023 Peter Baumann / rasdaman GmbH.
+ *
+ * For more information please see <http://www.rasdaman.org>
+ * or contact Peter Baumann via <baumann@rasdaman.com>.
+ */
 
 package org.rasdaman.datamigration;
 import com.rasdaman.admin.layer.service.AdminCreateOrUpdateLayerService;
@@ -51 +71 @@
     
 }
 
-// -- rasdaman enterprise end
- No newline at end of file

applications/petascope/petascope_main/src/main/java/org/rasdaman/datamigration/DataMigration9Handler.java

@@ -1 @@
-// -- rasdaman enterprise begin
+/*
+ * This file is part of rasdaman community.
+ *
+ * Rasdaman community is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rasdaman community is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU  General Public License for more details.
+ *
+ * You should have received a copy of the GNU  General Public License
+ * along with rasdaman community.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Copyright 2003 - 2023 Peter Baumann / rasdaman GmbH.
+ *
+ * For more information please see <http://www.rasdaman.org>
+ * or contact Peter Baumann via <baumann@rasdaman.com>.
+ */
 
 package org.rasdaman.datamigration;
 import org.rasdaman.domain.cis.Coverage;
@@ -40 +60 @@
     }
     
 }
-
-// -- rasdaman enterprise end
- No newline at end of file

applications/petascope/petascope_main/src/main/java/petascope/controller/AbstractController.java

@@ -22 +22 @@
 package petascope.controller;
 
 import com.rasdaman.accesscontrol.service.AuthenticationService;
+
+import java.io.File;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.file.Files;
@@ -43 +45 @@
 import org.apache.commons.lang3.StringEscapeUtils;
 import org.apache.maven.wagon.util.FileUtils;
 import org.rasdaman.config.ConfigManager;
+
+import static com.rasdaman.accesscontrol.service.AuthenticationService.*;
 import static org.rasdaman.config.ConfigManager.UPLOADED_FILE_DIR_TMP;
 import static org.rasdaman.config.ConfigManager.UPLOAD_FILE_PREFIX;
 import org.rasdaman.config.VersionManager;
@@ -56 +60 @@
 import petascope.controller.handler.service.XMLWCSServiceHandler;
 import petascope.core.KVPSymbols;
 import static petascope.core.KVPSymbols.KEY_ACCEPTVERSIONS;
-
-
 import static petascope.core.KVPSymbols.KEY_REQUEST;
 import static petascope.core.KVPSymbols.VALUE_INSERT_COVERAGE;
 import static petascope.core.KVPSymbols.VALUE_UPDATE_COVERAGE;
@@ -979 +981 @@
         return sourceIP;
     }
 
+    /**
+     * Check if user has a specific role to process request
+     */
+    public void validateUserPermission(HttpServletRequest httpServletRequest, String... inputRoleNames) throws PetascopeException {
+        Pair<String, String> credentialsPair = getBasicAuthCredentialsOrRasguest(httpServletRequest);
+        String username = credentialsPair.fst;
+
+        Set<String> userRoles = AuthenticationController.parseRolesFromRascontrol(username);
+
+        for (String roleName : inputRoleNames) {
+            if (!userRoles.contains(roleName)) {
+                String requestRepresentation = this.getRequestPresentationWithEncodedAmpersands(httpServletRequest);
+
+                Pair<String, String> basicAuthCredentialsPair = getBasicAuthUsernamePassword(httpServletRequest);
+
+                ExceptionCode exceptionCode = ExceptionCode.AccessDenied;
+                if (basicAuthCredentialsPair == null) {
+                    // In this case rasguest user is set in petascope.properties, but the user doesn't have the permission to run
+                    exceptionCode = ExceptionCode.Unauthorized;
+                }
+
+                throw new PetascopeException(exceptionCode,
+                                                "User '" + username + "' does not have role '" + roleName + "' to process request '" + requestRepresentation + "'.");
+            }
+        }
+    }
+
+    /**
+     * The user requests must have the role if basic header is enabled, or his IP must be allowed
+     */
+    public void validateWriteRequestByRoleOrAllowedIP(HttpServletRequest httpServletRequest,
+                                                      String roleName) throws PetascopeException {
+
+        if (ConfigManager.enableAuthentication() || getBasicAuthUsernamePassword(httpServletRequest) != null) {
+            // + user must have the specific role, otherwise exception
+            this.validateUserPermission(httpServletRequest, roleName);
+        } else {
+            // + user's IP must be from allowed write request setting, otherwise exception
+            validateWriteRequestFromIP(httpServletRequest);
+        }
+    }
+
     /**
      * If basic authentication header is not enabled, then petascope checks if write request from IP address is valid or not
      * before processing.
      */
-    public void validateWriteRequestFromIP(HttpServletRequest httpServletRequest) throws PetascopeException {
+    private void validateWriteRequestFromIP(HttpServletRequest httpServletRequest) throws PetascopeException {
         if (!ConfigManager.ALLOW_WRITE_REQUESTS_FROM.contains(ConfigManager.PUBLIC_WRITE_REQUESTS_FROM)) {
             
             String sourceIP = this.getRequestIPAddress(httpServletRequest);

applications/petascope/petascope_main/src/main/java/petascope/controller/AuthenticationController.java

@@ -26 +26 @@
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
-import static java.lang.System.in;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.LinkedHashSet;
-import java.util.Map;
-import java.util.Set;
-import java.util.logging.Level;
-import java.util.logging.Logger;
+
+import java.util.*;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import javax.servlet.http.HttpServletRequest;
@@ -41 +35 @@
 import static org.rasdaman.config.ConfigManager.CHECK_PETASCOPE_ENABLE_AUTHENTICATION_CONTEXT_PATH;
 
 import org.rasdaman.rasnet.util.DigestUtils;
-import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import petascope.core.Pair;
@@ -65 +58 @@
     
     public static final String READ_WRITE_RIGHTS = "RW";
 
+    private static final Map<String, Set<String>> userRolesCacheMap = new LinkedHashMap<>();
+
+    /**
+     * Check if petascope has being enabled authentication in petascope.properties,
+     * then WSClient shows a login form.
+     */
     @RequestMapping(value = CHECK_PETASCOPE_ENABLE_AUTHENTICATION_CONTEXT_PATH)
     private void handleCheckEnableAuthentication() throws Exception {
         if (startException != null) {
             throw startException;
         }
 
+        boolean basicAuthenticationHeaderEnabled = false;
         String rasdamanUser = "";
+
+        if (ConfigManager.enableAuthentication()) {
+            basicAuthenticationHeaderEnabled = true;
+        }
+
         if (!ConfigManager.RASDAMAN_USER.trim().isEmpty()
                 && !ConfigManager.RASDAMAN_PASS.trim().isEmpty()) {
             rasdamanUser = ConfigManager.RASDAMAN_USER;
         }
 
-        AuthIsActiveResult result = new AuthIsActiveResult(false, rasdamanUser);
+        AuthIsActiveResult result = new AuthIsActiveResult(basicAuthenticationHeaderEnabled, rasdamanUser);
         Response response = new Response(Arrays.asList(JSONUtil.serializeObjectToJSONString(result).getBytes()), MIMEUtil.MIME_JSON);
         this.writeResponseResult(response);
     }
@@ -95 +100 @@
         
         String username = resultPair.fst;
         String password = resultPair.snd;
-        
+
         String result = "";
         
         RasUtil.checkValidUserCredentials(username, password);
@@ -119 +124 @@
      * @TODO: this can be done faster and better with protobuf/grpc
      */
     public static Set<String> parseRolesFromRascontrol(String username) throws PetascopeException {
+        Set<String> roleNames = userRolesCacheMap.get(username);
+        if (roleNames != null) {
+            System.out.println("############# user roles from cache: " + username);
+            return roleNames;
+        }
+
         try {
             // export RASLOGIN=rasadmin:d293a15562d3e70b6fdc5ee452eaed40 && rascontrol -q -e -x list user -rights
             Runtime runtime = Runtime.getRuntime();
             
-            Set<String> roleNames = new LinkedHashSet<>();
+            roleNames = new LinkedHashSet<>();
             
             String loginEnv = ConfigManager.RASDAMAN_ADMIN_USER + ":" + DigestUtils.MD5(ConfigManager.RASDAMAN_ADMIN_PASS);
             String[] envp = new String[] {"RASLOGIN=" + loginEnv};
@@ -160 +171 @@
                     }
                 }
             }
+
+            System.out.println("#### Put roles of user: " + username + " to cache.");
+            userRolesCacheMap.put(username, roleNames);
             
             return roleNames;
         } catch (IOException ex) {

applications/petascope/petascope_main/src/main/java/petascope/controller/InspireController.java

@@ -22 +22 @@
 package petascope.controller;
 
 
-import com.rasdaman.accesscontrol.service.AuthenticationService;
 import java.util.Map;
 import javax.servlet.http.HttpServletRequest;
 import org.rasdaman.config.ConfigManager;
@@ -71 +70 @@
     @Override
     protected void requestDispatcher(HttpServletRequest httpServletRequest, Map<String, String[]> kvpParameters) throws PetascopeException {
         
-        this.validateWriteRequestFromIP(httpServletRequest);
+        this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
         
         String coverageId = this.getValueByKeyAllowNull(kvpParameters, KEY_INSPIRE_COVERAGE_ID);
         String metadataURL = this.getValueByKeyAllowNull(kvpParameters, KEY_INSPIRE_METADATA_URL);

applications/petascope/petascope_main/src/main/java/petascope/controller/admin/AdminLayerManagementController.java

@@ -34 +34 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import petascope.controller.AbstractController;
+import petascope.controller.AuthenticationController;
 import petascope.controller.RequestHandlerInterface;
 import petascope.core.KVPSymbols;
 import petascope.core.response.Response;
@@ -105 +106 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
                 this.activateLayerService.handle(httpServletRequest, kvpParameters);
             } catch (Exception ex) {
                 ExceptionUtil.handle(VersionManager.getLatestVersion(KVPSymbols.WMS_SERVICE), ex, this.injectedHttpServletResponse);
@@ -132 +133 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
                 this.deactivateLayerService.handle(httpServletRequest, kvpParameters);
             } catch (Exception ex) {
                 ExceptionUtil.handle(VersionManager.getLatestVersion(KVPSymbols.WMS_SERVICE), ex, this.injectedHttpServletResponse);

applications/petascope/petascope_main/src/main/java/petascope/controller/admin/AdminOwsServiceInfoController.java

@@ -36 +36 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
+import petascope.controller.AuthenticationController;
 import petascope.exceptions.PetascopeException;
 import petascope.exceptions.SecoreException;
 import petascope.exceptions.WCSException;
@@ -107 +108 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
                 this.handle(kvpParameters);
             } catch (Exception ex) {
                 ExceptionUtil.handle(VersionManager.getLatestVersion(KVPSymbols.WCS_SERVICE), ex, this.injectedHttpServletResponse);

applications/petascope/petascope_main/src/main/java/petascope/controller/admin/AdminPyramidController.java

@@ -37 +37 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import petascope.controller.AbstractController;
+import petascope.controller.AuthenticationController;
 import petascope.controller.RequestHandlerInterface;
 import petascope.core.KVPSymbols;
 import petascope.core.response.Response;
@@ -109 +110 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
 
                 this.addPyramidMemberService.handle(httpServletRequest, kvpParameters);
             } catch (Exception ex) {
@@ -137 +138 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
 
                 this.removePyramidMemberService.handle(httpServletRequest, kvpParameters);
             } catch (Exception ex) {
@@ -165 +166 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
 
                 this.createPyramidMemberService.handle(httpServletRequest, kvpParameters);
             } catch (Exception ex) {

applications/petascope/petascope_main/src/main/java/petascope/controller/admin/AdminStyleManagementController.java

@@ -34 +34 @@
 import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RestController;
 import petascope.controller.AbstractController;
+import petascope.controller.AuthenticationController;
 import petascope.controller.RequestHandlerInterface;
 import petascope.core.KVPSymbols;
 import petascope.exceptions.PetascopeException;
@@ -74 +75 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
 
                 this.createOrUpdateStyleService.handleAdd(httpServletRequest, kvpParameters);
             } catch (Exception ex) {
@@ -102 +103 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
 
                 this.createOrUpdateStyleService.handleUpdate(httpServletRequest, kvpParameters);
             } catch (Exception ex) {
@@ -130 +131 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
 
                 this.adminDeleteStyleService.handle(httpServletRequest, kvpParameters);
             } catch (Exception ex) {

applications/petascope/petascope_main/src/main/java/petascope/controller/admin/AdminUpdateCoverageController.java

@@ -38 +38 @@
 import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.multipart.support.StandardMultipartHttpServletRequest;
 import petascope.controller.AbstractController;
+import petascope.controller.AuthenticationController;
 import petascope.controller.RequestHandlerInterface;
 import petascope.core.KVPSymbols;
 import static petascope.core.KVPSymbols.KEY_METADATA;
@@ -81 +82 @@
         
         RequestHandlerInterface requestHandlerInterface = () -> {
             try {
-                this.validateWriteRequestFromIP(httpServletRequest);
+                this.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
 
                 this.adminUpdateCoverageService.handle(httpServletRequest, kvpParameters);
             } catch (Exception ex) {

applications/petascope/petascope_main/src/main/java/petascope/util/IPAddressUtil.java

@@ -1 @@
-// -- rasdaman enterprise begin
-
 /*
- *  Copyright 2003 - 2019 Peter Baumann / rasdaman GmbH. 
- *  For more information please see <http://www.rasdaman.org>
- *  or contact Peter Baumann via <baumann@rasdaman.com>.
+ * This file is part of rasdaman community.
+ *
+ * Rasdaman community is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rasdaman community is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the GNU  General Public License for more details.
+ *
+ * You should have received a copy of the GNU  General Public License
+ * along with rasdaman community.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Copyright 2003 - 2023 Peter Baumann / rasdaman GmbH.
+ *
+ * For more information please see <http://www.rasdaman.org>
+ * or contact Peter Baumann via <baumann@rasdaman.com>.
  */
 
 package petascope.util;
@@ -105 +119 @@
     }
     
 }
-
-
-// -- rasdaman enterprise end
- No newline at end of file

applications/petascope/petascope_main/src/main/java/petascope/wcst/handlers/DeleteCoverageHandler.java

@@ -21 +21 @@
  */
 package petascope.wcst.handlers;
 
-import com.rasdaman.accesscontrol.service.AuthenticationService;
 import java.util.ArrayList;
 import java.util.List;
 import javax.servlet.http.HttpServletRequest;
@@ -38 +37 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import petascope.controller.AuthenticationController;
 import petascope.controller.PetascopeController;
 import petascope.exceptions.PetascopeException;
 import petascope.exceptions.WMSException;
@@ -55 +55 @@
 import petascope.wms.handlers.service.WMSGetMapCachingService;
 import org.rasdaman.repository.service.WMTSRepositoryService;
 import petascope.util.CrsUtil;
-import petascope.wmts.handlers.service.WMTSGetCapabilitiesService;
 
 /**
  * Handles the deletion of a coverage.
@@ -86 +85 @@
     private static final org.slf4j.Logger log = LoggerFactory.getLogger(DeleteCoverageHandler.class);
 
     public Response handle(DeleteCoverageRequest request) throws Exception {
-        
-        petascopeController.validateWriteRequestFromIP(httpServletRequest);
+
+        this.petascopeController.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
         
         String username = ConfigManager.RASDAMAN_ADMIN_USER;
         String password = ConfigManager.RASDAMAN_ADMIN_PASS;

applications/petascope/petascope_main/src/main/java/petascope/wcst/handlers/InsertCoverageHandler.java

@@ -21 +21 @@
  */
 package petascope.wcst.handlers;
 
-import com.rasdaman.accesscontrol.service.AuthenticationService;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
@@ -42 +41 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import petascope.controller.AuthenticationController;
 import petascope.controller.PetascopeController;
 import petascope.exceptions.PetascopeException;
 import petascope.exceptions.SecoreException;
@@ -103 +103 @@
      */
     public Response handle(InsertCoverageRequest request) throws Exception {
         log.debug("Handling coverage insertion...");
-        this.petascopeController.validateWriteRequestFromIP(httpServletRequest);
+        this.petascopeController.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
         
         if (request.getGMLCoverage() != null) {
             return handleGMLCoverageInsert(request);

applications/petascope/petascope_main/src/main/java/petascope/wcst/handlers/UpdateCoverageHandler.java

@@ -27 +27 @@
  */
 package petascope.wcst.handlers;
 
-import com.rasdaman.accesscontrol.service.AuthenticationService;
 import com.rasdaman.admin.layer.service.AdminCreateOrUpdateLayerService;
 
+import petascope.controller.AuthenticationController;
 import petascope.core.Pair;
 import petascope.core.XMLSymbols;
 import petascope.core.gml.cis10.GMLCIS10ParserService;
@@ -143 +143 @@
     public Response handle(UpdateCoverageRequest request)
             throws WCSTCoverageParameterNotFound, WCSTInvalidXML, PetascopeException, SecoreException, Exception {
         log.debug("Handling coverage update...");
-        
-        this.petascopeController.validateWriteRequestFromIP(httpServletRequest);
+
+        this.petascopeController.validateWriteRequestByRoleOrAllowedIP(httpServletRequest, AuthenticationController.READ_WRITE_RIGHTS);
         
         // persisted coverage
         Coverage currentCoverage = persistedCoverageService.readCoverageByIdFromDatabase(request.getCoverageId());

applications/petascope/petascope_main/src/main/java/petascope/wcst/helpers/update/RasdamanUpdaterFactory.java

@@ -72 +72 @@
         }
     }
 
-    private String getInsituMime(String mimeType) {
-        if (mimeType.contains(IOUtil.GRIB_MIMETYPE)) {
-            return IOUtil.GRIB_MIMETYPE;
-        } else if (mimeType.contains(IOUtil.NETCDF_MIMETYPE)) {
-            return IOUtil.NETCDF_MIMETYPE;
-        } else {
-            return IOUtil.GDAL_MIMETYPE;
-        }
-    }
-
-    // -- rasdaman enterprise ends
-
     /**
      * To improves ingestion performance if the data is on the same machine as the rasdaman server, as the network transport is bypassed 
      * we add the filePaths parameter into RangeElement strings

applications/petascope/petascope_main/src/main/java/petascope/wms/handlers/service/WMSGetMapStyleService.java

@@ -89 +89 @@
     private WMSGetMapWCPSMetadataTranslatorService wmsGetMapWCPSMetadataTranslatorService;
     @Autowired
     private WcpsCoverageMetadataTranslator wcpsCoverageMetadataTranslator;    
-    
-    // -- rasdaman enteprise begin
-    
+
     public static final String WMS_VIRTUAL_LAYER_EXPECTED_BBOX = "BBOX";
     public static final String WMS_VIRTUAL_LAYER_EXPECTED_WIDTH = "WIDTH";
     public static final String WMS_VIRTUAL_LAYER_EXPECTED_HEIGHT = "HEIGHT";
     public static final String WMS_VIRTUAL_LAYER_EXPECTED_OUTPUT_CRS = "OUTPUT_CRS";
-    
-    // -- rasdaman enterprise end
-    
+
     public static final String FRAGMENT_ITERATOR_PREFIX = "$";
     private static final String COLLECTION_ITERATOR = "c";
     public static final String WCPS_FRAGMENT_ITERATOR = FRAGMENT_ITERATOR_PREFIX + COLLECTION_ITERATOR;

applications/petascope/petascope_main/src/main/resources/petascope.properties.in

@@ -80 +80 @@
 rasdaman_url=http://localhost:7001
 rasdaman_database=RASBASE
 
-rasdaman_user=rasguest
-rasdaman_pass=rasguest
+rasdaman_user=
+rasdaman_pass=
 rasdaman_admin_user=rasadmin
 rasdaman_admin_pass=rasadmin
 
@@ -92 +92 @@
 
 #---------------------------- Security configuration ---------------------------
 
+authentication_type=basic_header
 allow_write_requests_from=127.0.0.1
 
 # Used only for embedded petascope deployment

doc/main/05_geo-services-guide-petascope-configuration.inc

@@ -276 +276 @@
     - Need to change: NO, unless changed in rasdaman (not recommended)
 
 
--   ``rasdaman_user`` set the user for **unauthenticated** read-only access to
-    rasdaman. Any request which does not provide credentials for a rasdaman user in
-    basic authentication format in the HTTP Authorization header, will entail
-    executing read-only operations with this user in rasdaman.
-    It is best to limit this user to read-only access in rasdaman by granting
-    the ``R`` permission to it.
+-   ``rasdaman_user`` set the user for **unauthenticated** access to rasdaman.
+
+    When authentication is disabled by setting ``authentication_type=`` in
+    petascope.properties, this user is used to run ``SELECT`` rasql queries,
+    so it is best to limit it to read-only access in rasdaman (e.g. by granting
+    the ``R`` role to it).
+
+    When authentication is enabled by setting ``authentication_type=basic_header``,
+    then this setting allows to control whether any unauthenticated access is
+    enabled.
+
+    If it is not set to anything with ``rasdaman_user=``, then unauthenticated
+    access is disabled and any request without credentials will be immediately 
+    denied.
+
+    If it is set to some valid rasdaman user (e.g. ``rasdaman_user=rasguest``),
+    then unauthenticated requests which do not specify any credentials will
+    be executed with this user and its corresponding password set with
+    ``rasdaman_pass``.
 
     - Default: ``rasguest``
 
@@ -297 +310 @@
     - Need to change: **YES** when changed in rasdaman    
 
 
--   ``rasdaman_admin_user`` this user is used to map updating OGC requests 
-    (e.g. during data import, or deleting coverages) to updating rasql queries, for
-    any request which does not provide credentials for a rasdaman user in
-    basic authentication format in the HTTP Authorization header.
-    Additionally, these credentials are used internally for various tasks which require
-    admin access rights in rasdaman.
+-   ``rasdaman_admin_user`` when authentication is disabled with
+    ``authentication_type=``, this user will be used for executing update
+    queries in rasdaman, if they come from an allowed IP address as configured
+    in :ref:`allow_write_requests_from <conf-allow-write-requests-from>`. When
+    authentication is enabled, these credentials are not used for executing
+    user requests. However, in both cases they are also needed internally for
+    various tasks.
 
-    Generally, this user should be granted full admin permissions.
+    Generally, this user should be granted the ``RW`` rasdaman role.
 
     - Default: ``rasadmin``
 
@@ -349 +363 @@
 Security
 ^^^^^^^^
 
+-   ``authentication_type`` specifies how to authenticate requests.
+    Valid values are:
+
+    - ``basic_header`` requires requests to attach ``username:password`` encoded
+      as a Base64 string to the HTTP header. If the ``rasdaman_user`` setting is
+      not empty, however, requests without credentials will be automatically
+      mapped to the user and password configured in ``rasdaman_user`` and
+      ``rasdaman_pass``; thereby unauthenticated access can be allowed, but
+      limited to some restricted rasdaman user.
+
+    - An empty string, i.e. ``authentication_type=``, disables authentication.
+      All requests will be forwarded to rasdaman with the credentials configured
+      with ``rasdaman_user`` / ``rasdaman_pass`` for read queries, and 
+      ``rasdaman_admin_user`` / ``rasdaman_admin_pass`` for update queries.
+      
+    - Default if the setting does not exist, it is set to ``basic_header``.
+
 
 .. _conf-allow-write-requests-from: