Advanced Security With GeoServer
Formal Metadata
Title | Advanced Security With GeoServer
Title of Series | FOSS4G 2014 Portland (173 / 188)
Number of Parts | 188
License | CC Attribution 3.0 Germany: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/31596 (DOI)
Production Year | 2014
Production Place | Portland, Oregon, United States of America
Transcript: English(auto-generated)
00:00
The argument of this talk is GeoServer security. We are going to explain a little bit in depth what has just been touched during the GeoServer Feature Frenzy presentation. In particular, we are going to explain a little bit in detail what the architecture of GeoServer is for what is related to security, and
00:27
we will see how... The main properties of the security in GeoServer are flexibility and extendability. We will see examples of all the supported formats that you have by default, and also how you can extend the security system to integrate it
00:47
properly with the existing infrastructure that many, many companies already have. Okay, we are almost done.
02:45
Okay, the dimension... is it correct? Okay, so I think we can start. As I said, we are talking about advanced security in GeoServer. We are going to see a little bit in detail what security means and how you can easily configure it in
03:04
the GeoServer security subsystem. Just a few words on who I am and what I work for. I work for GeoSolutions, which is an Italian-based company that does consultancy on GeoServer since 2006. We work in several fields of the geospatial world with a series of open source projects.
03:26
The main one is obviously GeoServer. We are involved in many sections of the GeoServer development, in particular for what is related to raster image processing, and many other sections like the security system and the printing system. Currently here you can see a
03:49
basic diagram of the architecture of the GeoServer security subsystem. You can see that, mainly, whenever we talk about security we are really talking about two orthogonal
04:06
words: authentication and authorization. The first one is about how I can identify the users that try to access my system and trust that they are
04:21
who they say they really are, and the other one, authorization, is how I can assign permissions to access the system to each different user that tries to make requests. Here on the left you can see the main components that are involved during the security phase of accepting a request to GeoServer.
04:45
In particular, all this security system is based on a very common framework in the Java world, that is Spring Security. We will see that many concepts inside the GeoServer security system are in reality
05:01
concepts that come from the Spring Security framework, and obviously this is the base of all the dispatcher system that takes requests from users, decides if those requests are allowed or denied, and continues the flow accordingly.
05:22
Okay, on the right side instead you can see the main component details and how they are named. We will see in a moment what filters and chains are, what authentication providers are, and how you can configure them inside GeoServer to make the security system work.
05:45
Another important part of security is the catalog, because each time you have to secure your system you have to decide how your data can be accessed, and since the main access point for every data
06:02
inside GeoServer is the catalog, we mainly need to secure the catalog, and this is done through a wrapper you can see here that is named the secure catalog. The purpose of the secure catalog is to check that every request for a resource in GeoServer is
06:21
correctly authenticated and authorized for the user. Okay, as I already said, all the security subsystem is based on Spring Security. Here you can see that we are going to talk about authentication and authorization
06:43
in detail. Another aspect that we are going to talk about is how GeoServer internally allows you to store information about the users, and this is the first section of this line that talks about users, how they can be organized in groups,
07:01
how I can assign roles to them to make permission assignment. At the end we will start talking about how you can store users, groups and roles inside GeoServer. To
07:20
do it you will use what is called a user group service, that is a simple service of various kinds, so you can choose to store user information on several kinds of storage; for each one there is a dedicated user group service that you can configure. When I talk about storage I talk about
07:41
creating users, storing them on some sort of container or database, and also fetching them when I need them for security purposes, for example to authenticate a requesting user with its credentials. User group services can be read-only or read-write, so we have some user group services on which,
08:02
using GeoServer itself, I can create the users, and others that are read-only, so I need to integrate with an external service and I can just read with GeoServer the user information that is stored on that. You can find two default implementations of a user group service in the core GeoServer system. When you install it
08:24
from scratch you will find two capabilities, that are storing users, groups and roles inside XML files (this is the default that you will find, for example, for the basic user that you find already configured in GeoServer), or you can use some sort of database through the JDBC interface of Java.
08:46
So you can configure your connection to an external database. Mainly all the databases supported inside GeoServer can be used, so PostgreSQL, MySQL, Oracle, SQL Server and so on, and
09:01
you can directly write and read your user and group information from the database. For this purpose you can use a schema for the tables of the database that is owned by GeoServer, so you have a default schema that you can directly create on an empty database,
09:25
or, if you already have some database with your user information that you use for other purposes in your infrastructure, you can adapt the JDBC user group service to use your existing tables. To do that is quite simple:
09:41
you just have to write into a set of files the queries that are needed to extract the data or write them on the database properly. Also, currently, in my opinion there is a missing user group service that would be very useful: one for the LDAP repository service.
10:00
We will see in a moment that there is support to connect to an external LDAP repository for authentication, but currently there is no read-write capability for that, so to manage your users and groups in LDAP you have to use external tools to do that. So in my opinion, in the near future
10:22
it would be a good feature to add support for LDAP in a read-write mode. Aside from the user group service that allows you to create and handle users and groups, there is another, separate service that is about managing roles. It's very similar to the user group service, but is dedicated to
10:48
storing and fetching user roles from an external container. Also in this case this can be stored inside XML files or into a database or,
11:02
in this case, the support for LDAP is included. This is for me the reason why it should be needed also for the user group service. Another option you have is to use the roles defined directly by the Java web container that you are using, for example Tomcat. If you have a set of roles that are configured inside the Java web container
11:25
you can use them as the source for roles for GeoServer, too. Okay, let's talk a bit about the authentication phase of the security system. This phase is about identifying the user and
11:41
trusting its identity through the verification of some sort of credentials. The authentication in GeoServer is handled through a mechanism that is proper of Spring Security, that is filter chains. In practice, when you have to authenticate the user you have a set of filters. A filter is a simple
12:03
software module that gets information from the user and decides if the user has been authenticated and trusted, and so whether the request flow can continue or not. There are many filters that are supported by GeoServer; we will see them in a moment.
12:21
They work by creating a chain of filters, so you can for example put a series of filters in sequence and let them check the user one after another until one authenticates the user, or none of them does, so the request is not authenticated.
12:41
This is useful, for example, if you have several systems to authenticate your users, one dedicated to internal users, another one for external users: you can use them all, just put them in a sequence and they will be used all together in every chain. Another capability you have is that every chain is applied
13:03
differently to different kinds of requests. For example, you can differentiate how requests to the web admin UI are authenticated from how the web services, so WMS, WFS, are authenticated. Different kinds of users can be handled for the admin interface and the services or the REST APIs and so on.
13:25
This is done through a mechanism of request URL pattern matching, so you say, for example, all the requests that have a "web" word in it are handled through this chain, all the requests that have
13:40
WMS or WFS in it are handled through another chain. Okay. The basic filters that you have available in GeoServer to configure authentication are split in mainly two groups. The first one is dedicated to how the system fetches authentication data, so username and password or some sort of certificate,
14:06
every kind of credential that can authenticate the user. You can decide which kind of credential is supported; for example, here you can find basic authentication, which is a method used by browsers to ask username and password to people
14:24
when they access a web page, or through a classic form, so through a web page with fields for username, password and so on. You will also have a filter that will handle anonymous users, that should always be the last of the sequence, so you can try
14:43
several kinds of authentication and if none of them work you say the user is anonymous. Then there is another group of filters that can handle so-called pre-authentication methods. In some cases your infrastructure handles authentication for you and GeoServer simply trusts
15:06
the infrastructure: the user is what the infrastructure says. So we have several methods of pre-authentication, so authentication that happens before GeoServer is able to
15:06
the infrastructure that the user is what The infrastructure says so we have several method of pre authentication. So authentication that happens before G server Is is able to
15:21
To do its work These are the main ones that are supported by default so some sort of HTTP error that is received in every request Digest meter that is similar to basic. It's another meter that browser supported to authenticate user X509 that are SSL certificates practically certificates that you can install on your browser and so on
15:48
It's also very easy if none of the default filters that you find in the core are sufficient for your needs To implement if you are a developer of course new kind of filters to include it in your server to configure them and
16:04
Let your server work with your scheme of authentication that you already have in your infrastructure And since we are these are filters for the spring security framework You will probably found find someone that already have done something similar to start with
16:22
Later phase of authentication when you have fetched You have gathered information from the user So for example username and password you have to decide how to check that the user name and password and by are valid or not This is the duty of the authentication providers set is another chain that you can configure in your server
16:43
so another set of objects that are able to check that the credential fetch during the first phase are Correct or not currently we have a Set of default ones that you can use directly One is a simple username and password checker that uses one of the user group service that you have
17:04
Configured for example one that use the XML file So it checks simply with the user group service that you have configured if the user name and password is stored on the XML file or not or Database all the system that we are have already talked about
17:24
For the authentication provider part we have support for LDAP repositories that are very common in enterprise infrastructure Recently, I personally worked on adding active directory support. So we added some more Optional flags to the LDAP authentication provider to support active director
17:45
LDAP but not exactly a basic LDAP requires some configuration more to work There are some tutorials on it if if you need more documentation this part as I Listen before please ask we can
18:02
We can document with document it better Okay, and as we said for for the filters also the authentication provider You can write your own if you need one that is not included in the basic installation of your server
18:21
Also, if you need one that you don't have, you can look at the standard extensions, because GeoServer is split into a core installation and several extensions that you can install by need, and there are some that are dedicated to security. For example the CAS module, that is a standard for managing single sign-on for several applications.
18:46
This module adds support to GeoServer to log in the user using the CAS subsystem. There is also a community module named AuthKey that allows you to map some sort of tokens, generated by a service or stored on a file, with the real user data.
19:07
This is very pluggable. For example, recently we added some support to the standard AuthKey, that normally uses an XML file or a static database: we have support to call an external web service to check for some token and get back user information,
19:26
and soon I hope to be able to commit this work to the community module so that you can work with it. And finally you can see that you can easily configure your authentication system to work with many existing
19:46
authentication infrastructures, like, for example, for some customers we worked to integrate the Shibboleth single sign-on system. It's another alternative to CAS to handle single sign-on. Also another possibility you have is to mix all the various existing filters to allow very flexible
20:07
authentication in a complex system where you have for example a set of internal users stored on LDAP repositories, Active Directory repositories, and then you can also have some users coming from the internet that you don't want to register on the internal LDAP,
20:25
for example on a sort of dedicated database for that. You can mix all these cases configuring them together; GeoServer will do all the work of authentication for you. Talking of future improvements,
20:41
the idea is to clean up a bit the security system, because it's still a bit complex in some parts to use, and to fill some holes like, for example, as I said, the LDAP user group service, to improve the flexibility of the system; also to improve some existing modules like the AuthKey
21:00
community module and, if possible, promote it to an extension, an official extension, and also, if possible, to create new authentication filters to handle some edge cases that are not currently supported. Okay, let's pass to the authorization part, that is a companion to the authentication. When I know
21:22
who the user is, I have to decide what it can do inside the GeoServer subsystem. For this I use the authorization system. GeoServer by default implements a quite simple authorization mechanism: basically, permissions can only be assigned to roles, not directly to users or groups.
21:44
So you have a two-phase assignment of permissions: you have first to decide which roles can do what, and then decide how to assign those roles to users or groups. For what
22:00
is related to which kind of permission I can configure here, the authorizations... the basic authorization system gives some simple opportunities, that is deciding which data can be permitted, so at the workspace or layer level, and at the service level which kind of services a user can access,
22:24
WMS, WFS and so on. But since the authorization system is very pluggable, it's possible to extend it very easily to implement a more complex authorization system, and for this, for example, we as GeoSolutions have created a particular solution that is called GeoFence, that extends the standard
22:46
authorization system adding some kind of rules that are more fine-grained. For example, with the basic authorization system you can only decide if a full layer is accessible by a user or not; using GeoFence
23:01
you can for example say this user can access this layer, but only for this specific area, can see the data only inside the United States, not in Europe. I can also decide, for example, which attributes of a vector layer are visible by a certain user and other attributes
23:23
that are not. I get the possibility of deciding more easily what the user can do and what not. Also, since the basic authorization system is enabled only to authorize roles, not directly users and groups, with GeoFence you can also
23:43
assign permissions directly user by user. So it's a simple extension to the basic GeoServer security system that allows you to specify better which kind of permissions the user has.
24:01
Time finished. Some questions? Any question? Okay, hi, does this work? All right, would you say it's easier to implement Active Directory or Shibboleth?
24:31
In the basic LDAP configuration, because for example Active Directory needs that a user is authenticated before he can get the groups
24:43
bound to the user, so we had to add support for this, and some other flags that allow to decide how to extract the data in Active Directory, that is stored a little bit differently than a basic OpenLDAP repository, for example. So with these new fields
25:00
we added the support. For the Shibboleth part, what we did is basically add a front-end Apache web server with the module for Shibboleth behind the GeoServer, then let the front-end communicate with GeoServer using, for example, the AJP proxy
25:21
protocol, so that the Apache web server is responsible for the Shibboleth part and then GeoServer can use the information that the front-end sends to trust the identity of the user. This is the way we integrated Shibboleth with GeoServer.
25:42
Okay. Thank you.