Issue: Support Environment Parametrization for WMSLayer Credentials
Problem
Currently, WMS layers in GeoWebCache require HTTP Basic Authentication credentials to be defined statically. This approach is inflexible and insecure for modern deployments, where sensitive values should be injected dynamically based on the environment. There is no support for resolving these credentials from environment variables, which complicates multi-environment deployments and makes testing harder.
To improve security, configurability, and maintainability, GeoWebCache should support environment-based dynamic resolution for credentials such as httpUsername and httpPassword.
Requirements
- Enable Dynamic Environment Parametrization:
  - Allow credentials to be resolved from environment variables at runtime.
  - Provide a way to enable or disable this behavior without static configurations.
  - Avoid breaking existing configurations that rely on hardcoded credentials.
- Update Core Components:
  - Refactor WMSHttpHelper to resolve credentials dynamically before making requests.
- Testing Support:
  - Implement tests for different scenarios:
    - Credential resolution using default, custom, and parameterized values.
    - Verification of environment variable support in different configurations.
  - Use a testing framework that allows dynamic manipulation of environment variables.
Configuration Examples
Static Configuration Example
In a traditional setup, credentials are defined statically in the XML configuration file:
<gwcConfiguration>
  <httpUsername>static_default_user</httpUsername>
  <httpPassword>static_default_password</httpPassword>
  <layers>
    <wmsLayer>
      <name>default_credentials</name>
      <metaInformation>
        <title>Layer with default http user and pwd</title>
      </metaInformation>
      <wmsUrl>
        <string>https://example.com/geoserver/wms</string>
      </wmsUrl>
    </wmsLayer>
    <wmsLayer>
      <name>custom_credentials</name>
      <metaInformation>
        <title>Layer with custom http user and pwd</title>
      </metaInformation>
      <wmsUrl>
        <string>https://example.com/geoserver/wms</string>
      </wmsUrl>
      <httpUsername>custom_layer_user</httpUsername>
      <httpPassword>custom_layer_password</httpPassword>
    </wmsLayer>
  </layers>
</gwcConfiguration>
Environment Variable Configuration Example
In the proposed solution, credentials can be defined as environment variable placeholders.
When ALLOW_ENV_PARAMETRIZATION is enabled, GeoWebCache should resolve the placeholders and use the provided environment values.
<gwcConfiguration>
  <httpUsername>${DEFAULT_USER}</httpUsername>
  <httpPassword>${DEFAULT_SECRET}</httpPassword>
  <layers>
    <wmsLayer>
      <name>default_credentials</name>
      <metaInformation>
        <title>Layer with default http user and pwd</title>
      </metaInformation>
      <wmsUrl>
        <string>https://example.com/geoserver/wms</string>
      </wmsUrl>
    </wmsLayer>
    <wmsLayer>
      <name>custom_credentials</name>
      <metaInformation>
        <title>Layer with parameterized custom http user and pwd</title>
      </metaInformation>
      <wmsUrl>
        <string>https://example.com/geoserver/wms</string>
      </wmsUrl>
      <httpUsername>${CUSTOM_USER}</httpUsername>
      <httpPassword>${CUSTOM_SECRET}</httpPassword>
    </wmsLayer>
  </layers>
</gwcConfiguration>
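One way the resolution step described in this issue could behave, as an added example that is not part of the original issue and not GeoWebCache code. The class name CredentialResolver, the injected lookup function and the sample values are assumptions; the ALLOW_ENV_PARAMETRIZATION setting is represented by a boolean passed in by the caller, and how it is read is left out.

```java
import java.util.Map;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper, not GeoWebCache code: resolves ${NAME} placeholders in credential fields. */
public class CredentialResolver {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([A-Za-z_][A-Za-z0-9_]*)\\}");

    private final boolean enabled;                 // stands in for ALLOW_ENV_PARAMETRIZATION
    private final Function<String, String> lookup; // System::getenv in production, a Map in tests

    public CredentialResolver(boolean enabled, Function<String, String> lookup) {
        this.enabled = enabled;
        this.lookup = lookup;
    }

    /** Layer value wins over the global default; the result is expanded once, never re-expanded. */
    public String resolve(String layerValue, String defaultValue) {
        String raw = layerValue != null ? layerValue : defaultValue;
        if (raw == null || !enabled) {
            return raw; // static configurations keep their existing behaviour
        }
        Matcher m = PLACEHOLDER.matcher(raw);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = lookup.apply(m.group(1));
            if (value == null) {
                // Fail closed: do not send the literal "${...}" upstream. Report the name only.
                throw new IllegalStateException("Undefined environment variable: " + m.group(1));
            }
            // quoteReplacement keeps '$' and '\' in a secret from being read as group references
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed sample environment; the values are not real credentials.
        Map<String, String> env = Map.of("DEFAULT_USER", "svc_default", "CUSTOM_SECRET", "p$1{x}");
        CredentialResolver on = new CredentialResolver(true, env::get);
        CredentialResolver off = new CredentialResolver(false, env::get);
        System.out.println(on.resolve(null, "${DEFAULT_USER}"));                // global default, resolved
        System.out.println(on.resolve("${CUSTOM_SECRET}", "ignored"));          // layer override, resolved
        System.out.println(on.resolve("custom_layer_user", "${DEFAULT_USER}")); // static layer value
        System.out.println(off.resolve(null, "${DEFAULT_USER}"));               // feature disabled
    }
}
```

Passing the lookup as a function lets tests supply a map instead of changing the process environment, and an undefined variable raises an error naming the variable rather than falling back to the placeholder text as the credential.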