WMS basic authentication is using OSM account

[anonymous]

When JOSM is acessing a WMS server which requires Basic Authentication, it will send the OSM username and password.
Besides the security aspect it is currently not possible to use such WMS servers with different login data.

Some GUI option to set login data for WMS would be nice.
OSM login data should never be sent to other servers requiring Basic Authentication without permission.

[bastiK]

Could you name a WMS with Basic Auth setup?

[anonymous]

This is just an example. Remember JOSM sends your OSM login data to this server.

​http://security.demo.52north.org/wss/service/wms_demis/httpauth?

demo accounts:

• alice/alice: Full access
• bob/bob: Limited access
• guest/guest: Very limited access

[skyper]

Replying to anonymous:

OSM login data should never be sent to other servers requiring Basic Authentication without permission.

This is a critical bug !

[skyper]

I split the enhancement part to #7122

As it is easy to add wms servers to the list this defect is even a blocker !

[stoecker]

In [4690/josm]:

see #7086 - fix passing auth information to wrong server

[stoecker]

I did a basic fix introducing host-name aware authentication settings which fixes this immediate problem. But it still is not perfect.

[stoecker]

In [4692/josm]:

see #7086 - save other passwords in JOSM prefs

[anonymous]

With regard to the current patches: it seems like JOSM sometimes "forgot" sending the auth information (maybe that should be another ticket). Before the patches the auth dialog just appeared again. With the current josm-latest I get HTTP 401 errors without auth dialog resulting in error tiles.

[simon04]

See #7122.

[simon04]

Not sending OSM credentials has been fixed 4 years ago. For other problems/enhancements → #7122.