Password protected KMZ publication

I have several KMZ publications hosted on URLs of the format, https://host/kml/publication/Export.kmz, that are password-protected. I have been using Cesium.KmlDataSource to add the KML to the map. No errors are returned, but the map does not display the KML, and I'm never prompted for credentials.

How can I force Cesium to prompt for credentials?

Further investigation shows that the console tells me what I already suspected.

Failed to load resource: the server responded with a status of 401 (Unauthorized)
bucket.html:1 XMLHttpRequest cannot load https://host/kml/publication/Export.kmz. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin '' is therefore not allowed access. The response had HTTP status code 401.

I’ve never tried it, but I’m pretty sure Cesium doesn’t currently support password protected kmz files. Cesium currently uses zip.js for zip decompression and I can’t find anything there to indicate that it supports password protected zip files. You are the first person to ask about them so I added an item to our roadmap to support them in the future:

For the CORS problem, this should result in failure on your end, as long as you listen for it. DataSource loading is asynchronous and promised based, so no exception is raised, you need to use otherwise.


.then( function(dataSource){

//Do something





You can either use a proxy or enable cors on the server (I recommend you do the latter).

Thanks for the help. I'll continue to investigate.

The KMZs themselves are not password-protected, but the site that they're hosted on requires credentials. Unfortunately, I have little to no control over the site, so I cannot enable CORS on the server. This leaves a proxy as my only possible option.

are the kmz files using a kml network link requiring credentials or are they just regular vanilla kmz files that are downloaded as needed

They are KMZ files using a KML network link requiring credentials.

That’s a different use case and one we don’t support yet either. I assume Google Earth prompts for credentials? I’m not sure what the options are here, I suppose we can try to retrieve the link and if it fails because of authorization we can then prompt for username/password and try again.

Browsers will automatically prompt for credentials when they’re required. The only reason it’s not working (probably) is because of the lack of CORS support on the server. In my experience, it can be tricky to get the credentials to pass through a proxy correctly, though.

the secured kmz may also be using the kml tag along with and

I have implemented a kmz with security in the past using google earth desktop app, it was tricky and things aren’t documented that well .

The method we used for security was a link in the name of the top folder of the kml document to a web page. Users needed to use the browser within google earth, having the “show web results in external browser” option turned off. after logging in, from the server is looked like a regular http request

@brianjs ,

If the kmz you are loading hits a web form, try logging into the web site serving the kmz before hand in another tab or via hitting the login page with an iframe may work establishing a user session, that may change the response you get back.

the KMZ you are using, what is the data that it is loading? is it linking to a WMS service by any chance. some WMS services will initiate basic authentication. If this is the case,…I’m speculating here…, loading the WMS directly may work …

also the service your hitting may have the data deliverable in another format, such as json via another web service call, it may be easier to work with that …

Google Earth will prompt for credentials if it hits a server using http basic authentication.

I still get the cross-domain issue even when logging in before adding the KMZ to Cesium, so I'm working with the developer of the KMZ server to implement CORS. Once, I have that in place, I should be good to go. Thanks to everyone for their help.