5

I have a GeoServer instance in a Docker container that sits on an Ubuntu host. At the moment, requests to the GeoServer container are forwarded through the host's Apache web server. I am making these requests from a JavaScript web application.

I would like to secure some of my layers on GeoServer.

My question: how can I provide the proper credentials (presumably, username and password) to access these layers from my JavaScript app without displaying them in plain view in my source code?

rumski20

1 Answer

0

You can hide the username and password of a secured layer by using an authkey from https://docs.geoserver.org/stable/en/user/community/authkey/index.html. But with browser developer tools everybody can see the parameters of the requests and reuse the authkey, as it is just a mapping to a user, and GeoServer will generate a cookie with the first request that matches the permissions of the mapped user. So anyone interested can use the authkey for everything its mapped user is allowed to do.

The only real solution that does not show the authkey is to add the authkey at the proxy on the Apache server. Or, even better, restrict requests to GeoServer at Apache to logged-in users only (if your application uses a login at Apache) and forward to GeoServer only the requests of users that have the necessary permissions in your application (within Apache).

bkiselka
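A sketch of the proxy-side setup the answer describes, added here as an example and not taken from the original posts. Assumptions: the container is reachable only at 127.0.0.1:8080 on the host, the authkey module uses its default parameter name `authkey`, `REPLACE_WITH_AUTHKEY` is a placeholder, and Basic auth with a hypothetical password file stands in for whatever login the application uses.

```apache
# Place inside the existing <VirtualHost> that serves the web application.
# Needs mod_rewrite, mod_proxy and mod_proxy_http (mod_auth_basic for the login part).
# Assumed: GeoServer container reachable only at 127.0.0.1:8080 on the host,
# authkey module using its default URL parameter name "authkey".

RewriteEngine On

# Refuse requests that already carry an authkey, so a client cannot choose the key.
RewriteCond %{QUERY_STRING} (^|&)authkey= [NC]
RewriteRule ^/geoserver/ - [F]

# Proxy to GeoServer and add the key server-side. QSA keeps the client's own
# query string (SERVICE, REQUEST, LAYERS, ...) after the injected parameter.
# REPLACE_WITH_AUTHKEY is a placeholder for the key mapped to the GeoServer user.
RewriteRule ^/geoserver/(.*)$ http://127.0.0.1:8080/geoserver/$1?authkey=REPLACE_WITH_AUTHKEY [P,QSA]
ProxyPassReverse /geoserver/ http://127.0.0.1:8080/geoserver/

# Only forward requests from users who logged in at Apache.
# Basic auth and the file path are stand-ins for the application's own login.
<Location "/geoserver/">
    AuthType Basic
    AuthName "Map layers"
    AuthUserFile "/etc/apache2/geoserver.htpasswd"
    Require valid-user
</Location>
```

With this in place the key exists only in the Apache configuration, so read access to that file should be limited to the account that starts Apache.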