Mastering Security with GeoServer and GeoFence

Video in TIB AV-Portal: Mastering Security with GeoServer and GeoFence

Formal Metadata

Mastering Security with GeoServer and GeoFence
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, from basic/digest authentication to CAS support, go through the various identity providers, such as local config files, database tables and LDAP servers, and show how the various bits can be combined into a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer that integrate it into a home-grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions, and look at the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore the advanced authentication provider, GeoFence, explore the levels of integration with GeoServer, from the simple and seamless direct integration to the more sophisticated external setup, and see how it can provide GeoServer with complex authorization rules over data and OGC services, taking into account the current user, OGC request and requested layers to enforce spatial and alphanumeric filters and attribute selection, as well as cropping raster data to areas of interest.
So good morning and welcome. First off we have our speaker, who will talk about GeoServer security and GeoFence, and without further ado let me hand over to him.

Thank you very much. So today we are going to talk about security, and the first thing I would like to say is that security is not fun. Security is hard, it is very hard to achieve. We are going to look at how GeoServer tries to handle security and all of the available features that you can use to make your infrastructure secure when GeoServer is involved. So security is hard, and we try to make it simpler for our customers, especially when GeoServer or one of our products is involved in creating an application infrastructure.

GeoSolutions is my company, in the sense that I work for GeoSolutions, I'm not the owner. It was founded in 2006 and is involved in GeoServer development in every aspect, including the security stuff.

OK, I will give you an overview of what security is in general and of how this is implemented inside the GeoServer infrastructure. Basically, when you talk about security you have to talk about two different aspects. The first one is how you get the identity of your users and how you can trust this identity, to make sure that the people that access your system or services are the ones that are trusted to do what they are allowed to do, and that they cannot do what they are not allowed to do. So this is what we call authentication: getting the identity and trusting that identity. The second very important aspect is how we handle authorization, so how we access our resources and how we basically deny access to resources that are not allowed to be accessed by some particular users.

These two different aspects are both handled by different subsystems of the generic GeoServer security infrastructure. You can see here the basic schema of the libraries and components that are involved in the security domain. The main block there is Spring Security: GeoServer is fully based on the Spring framework in most of its infrastructure, and also for security we use a module of Spring that is called Spring Security, so each of the components of GeoServer security is basically an extension of the standard Spring Security components. Then other components are involved, like the dispatcher, for example, that is the main entry point for every request that comes to GeoServer: every request comes to the dispatcher and then the dispatcher decides what to do with that request, so for sure security is involved there, because that's where we need to decide, for example, if a request is allowed or not for a particular user. Then we have two different elements, services and catalog, that contain the different types of resources that we handle in GeoServer and that we can use to decide permissions, so authorization rules for resources. Services are for example the standard OGC services like WMS, WFS and so on, but also other kinds of services like the REST API that is used to handle administration stuff. The catalog is about accessing the real data that GeoServer publishes, like workspaces, layers and so on, and this aspect has a popular name, that is authorization. So authentication and authorization are the two different aspects that we need to handle when we want to secure our system, and for both of them we will see some basic concepts that I will try to explain. The first ones are related to authentication, filter chains and authentication providers; you can see them on the top right of the schema, and then the secure catalog on the bottom right. The secure catalog is simply a wrapper of the catalog that implements security on top of the standard catalog, so every request to the catalog is intercepted so that the security rules can be applied by another element that is very important, that is called the ResourceAccessManager. It is a pluggable component, because we will see that you can have different implementations inside GeoServer of the same concept. The ResourceAccessManager is the component that holds the security policies, so the rules that permit or deny access to your resources. OK, now we see a
little bit more in detail these concepts, for example what filter chains are. So basically when you send a request to GeoServer, this request has to be recognized by its type, and depending on the type it can be handled by a different set of security tools. Each of them is called a filter chain. Why? Because basically what you do with each kind of request is to apply a set of filters, that are simple pieces of code that take the request, apply certain actions to the request and to the session, and then pass it to the following filter. So you have a chain of filters that are all applied to every request. We have different chains because we probably want to apply different security policies to different kinds of requests: for example, we want to handle a request to the administration interface of GeoServer differently from a service request. You want to use classic form login for the administration interface, while for accessing the WMS service you want to use a different authentication mechanism, for example basic authentication or certificates or any other kind of authentication system that you can think of. So we have different chains for different requests; each chain is a sequence of filters that are applied one after the other to the request to decide the authentication stuff, so who is the user that is accessing the system at this particular time with this request.

OK, here you can see a sample configuration of what I was talking about. These are samples of the filters that you can use inside GeoServer; each one is dedicated to a particular aspect of the authentication phase. For example you have one filter that handles the session, so if you authenticate once and you have a session you don't need to authenticate for every request to the web administration interface. You have other filters for remember-me cookies, or for anonymous access, and so on. There are many, many filters that you can use for your authentication. Here is a quick list of the filters that you have by default. Obviously, since the system is completely pluggable, you can add more filters just by developing a class implementing an interface and adding it to the set of libraries of GeoServer, and you have one more filter that you can use inside your infrastructure.
In addition to filters, that are basically dedicated to fetching credentials from the user or similar stuff, you have authentication providers. So basically authentication is divided in two phases. First you get the credentials from your users using many methods, like a form, like basic authentication or an external system; you have many ways to get the credentials, and in GeoServer you can decide which method of authentication you want by configuring it in the system. Then you need a way to trust the credentials that the user has given, to be sure that they are associated to an existing user, and to know which permissions, which roles, need to be applied to that particular user. The second phase is done by authentication providers. There are several examples of authentication providers shipping in GeoServer: for example you can use an LDAP repository to match credentials with an existing user in the repository, or a database, or basically any kind of storage system that you can use to match credentials and eventually trust them.

In addition to that, GeoServer has another set of providers that are specifically aimed at associating users with roles in the system, because you can categorize all of your users so that they are divided in groups or roles, and roles are quite important because in the core security system roles are the only entity you can associate permissions with. So we will see in a moment that to assign permissions to your users you need to specify the roles that each user has, but you cannot do it user by user in the core system. We will see that there are extensions that allow you to associate permissions also to a single user, but in the core system you can only do that with roles. So you need to create roles, you need to associate roles to users, and then you can bind permissions to the specific roles that exist. Since roles are important, there is a specific component, the role provider, that can bind roles to users, and also for this you can decide which kind of storage, which kind of service, you want to use for this particular task. As we have seen also for users, you can use LDAP, you can use databases, there are many options and, as is always possible, you can create your own role provider if you need one.

Also, GeoServer includes some extensions that are not part of the standard installation but are part of the extensions that you can install in addition; some of them are dedicated to security. For example there is an implementation of the CAS single sign-on system. Another one is called AuthKey; we use it in many cases at GeoSolutions because it is a generic implementation of token-based authentication, so you can use it whenever you have in your infrastructure something generating a token for authentication, probably an expiring token or something like that, that you can use to share authentication between different systems. AuthKey is meant to handle this kind of use case.

OK, let's change our topic from authentication to authorization. What is
authorization about? It's about giving users and roles the permission to do actions on resources. So when a user tries to do a particular action on a particular resource we need to decide if this is allowed or not and, if it is allowed, which limits apply to the way we access the resource. For example, let's say that we want to do a WMS request to get a map for a particular layer, and we want to decide how the user can see this particular layer. We can decide that he cannot see it at all, so it's completely denied, or he can access it fully, or he can access it in a limited way: for example he could access only part of the particular layer, on a particular region of the world, or, making another example with WFS, we can decide he can access only some attributes of a particular feature type, and so on. So we have basically two use cases: we can decide to deny access, or to allow it, or to allow it with limitations, with constraints. The GeoServer system lets you handle these aspects using the component that is called the ResourceAccessManager, and the ResourceAccessManager is really an interface that can be implemented by several modules. There is a core module, the core component, that is a basic, very simple system. In the basic system you can only associate rules, allow or deny rules, to users' roles, and you can basically decide permissions for a layer, but on the other hand you cannot specify limits. The same you can do for the security of services, so you can decide if you can access the documents of a service or not.

Then there are extensions to this basic subsystem that you can use to replace the basic authorization system. One of them is the GeoFence security system, developed by GeoSolutions; it is an extension, a community module for GeoServer, that you can use, it is configurable and has its own interface, and it exists in two different forms. One is a stand-alone application that is external to GeoServer, that you can use to configure and implement the rules basically, and one that is directly integrated inside GeoServer, is simpler to use and uses the same web administration interface. It does not currently have all the functionality of the stand-alone one, but we are going to bring them into agreement in general terms. Another option, and it is the one I would suggest for most use cases, is for those cases where probably neither the basic subsystem nor a generic system like GeoFence can be applied to your situation, all those cases where you probably already have a security infrastructure in your company and you just want to integrate GeoServer in this infrastructure. What we usually do and what we suggest is to implement your own version of the ResourceAccessManager that can apply in a simple way your system rules, that are probably not as generic as the ones you find in GeoFence but are very specific to your use case, and if you already have something that already describes these rules, for example in a database or in an external repository, the simplest way to implement your own authorization system is to write your own version of the ResourceAccessManager. The interface is quite simple: it is a simple interface where you simply decide, for each couple of user and one of the existing catalog categories, like workspaces, layers and resources, so if you have a couple of user and resource, how the user can access the particular resource. So you have a set of methods, each one dedicated to a particular kind of resource, and you just have to return a description of the permission for the user, like the user is allowed to access the resource, the user is denied, or, if the user is allowed, you can describe the limits.

Usually... let's see if I have an example of that. Probably not. Basically, what you can describe in GeoServer through the access limits are filters on the data. For example, if you have vector data that you want to filter based on the user that is accessing it, you can express a filter, a simple CQL filter, the same that you usually send to GeoServer to filter your data from your application, and you can set it as a limit directly in GeoServer, in your ResourceAccessManager, so that it is applied automatically to every request for that particular user. Or you can also apply spatial filters, so the user can see a particular region of the world, and you can also apply limits to the number of attributes that are visible to the particular user, or decide if something is readable or writable. You have many options that you can implement in your ResourceAccessManager, and basically that's it. So I think it's time for questions, if you have any. Thank you.
Question: Thank you for this speech. I'm interested to know how we can add extensions to the WFS services so that, for the user that actually edits a feature, we can also log the user account that actually did it, that edited this feature, for logging, if you understand what I mean.

Answer: So I don't remember the name, but there are some extension points that you can implement to catch particular requests and implement your own logic, to let's say do something like locking or logging or similar stuff. So you can just capture every request and do what you want with it. We usually do it for example to handle some security stuff that cannot be handled by the standard ResourceAccessManager, but I think logging is another use case. It's actually some kind of interface; again, you just implement the interface, compile the module and install it.

Moderator: Other questions?

Question: Thank you. What are the main differences between the default security system and GeoFence?

Answer: Basically the basic security system has many limits in what you can configure. As I said, you can only associate permissions to roles, not directly to a single user or a single group, while with GeoFence or a custom ResourceAccessManager you can also do that. And you also cannot do something like mix and match services and resource-based operations, so you cannot say this layer can be accessed via WMS but not via WFS: you have only rules for services and layers, but they cannot be combined, while with GeoFence you can do something like that. And also with the basic system you cannot apply filters, so limit what they can view; you can only say allow or deny, you do not have a way to specify limits.

Question: [inaudible] For example, some time ago I started trying out GeoFence and somewhere found out that you can run GeoFence next to GeoServer, or you can have it somehow included in GeoServer. So what are the main differences, what do we have to look at, so what is the recommended way [inaudible]?

Answer: Currently the directly integrated version has some limitations in what you can configure in the configuration interface, but the rule engine is basically the same. Another difference is that the directly integrated one uses the users directly from the user subsystem of GeoServer instead of implementing its own, because the stand-alone version has its own database for users and groups, while the directly integrated one uses the standard GeoServer users. And the other limitation you will see in the integrated one is that, basically, you cannot edit limits, so you cannot control [inaudible] and some user interface stuff basically. OK, I think we have time for one more question.

Question: In the interface you can specify the spatial filter for the layer, and you can specify that on the layer but also on the user, I think?

Answer: Yes.

Question: And then the actual filter is an intersection between those? So if we send a request, is it the intersection between the two spatial filters? Meaning, if you have a spatial filter directly in the filter of the request, and then another one in the security system [inaudible]. In the interface you can set up a spatial constraint for the layer, but the user himself can also be constrained to a certain spatial area, and is the effective [inaudible]?

Answer: No, I think so. You can specify rules that contain spatial filters, but the rules also specify the user.

Question: OK, but so in terms of the rule, then you can have spatial rules based on the layer and on the user, and the thing is that the resulting rule is an intersection between those? And then also the second part of the question: if a feature is bigger than the spatial part of the rule, what is the right way to only return a result for the allowed area, even though the feature itself maybe spans beyond it?

Answer: [inaudible] For vector data, I don't think so, I think it's a simple intersection to select the data, so if it intersects it would be returned. But for raster it's different, because there the spatial filter is really a mask on the raster, but this [inaudible].

Moderator: [inaudible] That's all the time we have. [inaudible]
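The approach the speaker recommends at the end of the talk, writing your own ResourceAccessManager that applies rules your organisation already has, as an added example that is not part of the talk and not code from the GeoServer project. It assumes the org.geoserver.security.ResourceAccessManager interface together with the CatalogMode, WorkspaceAccessLimits and VectorAccessLimits classes, and the GeoServer 2.x / GeoTools package layout current in 2016 (newer releases have moved some packages and added methods to the interface; the compiler will flag what your version requires). The package, class name, role names and the policy table are hypothetical, constructed for the example: one role gets a spatial ECQL filter plus a whitelist of readable attributes, another gets an alphanumeric filter with all attributes, and any user with no matching role is denied vector data altogether, which is the fail-closed default a custom manager should have.

```java
// Added example, not code from the talk or from GeoServer. Package, class name, role names
// and the policy table are hypothetical; imports follow the GeoServer 2.x / GeoTools layout of 2016.
package org.example.geoserver.security;

import java.util.*;
import org.geoserver.catalog.*;
import org.geoserver.security.*;
import org.geotools.factory.CommonFactoryFinder;
import org.geotools.filter.text.cql2.CQLException;
import org.geotools.filter.text.ecql.ECQL;
import org.opengis.filter.Filter;
import org.opengis.filter.FilterFactory2;
import org.opengis.filter.expression.PropertyName;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;

public class RegionalAccessManager implements ResourceAccessManager {

    private static final FilterFactory2 FF = CommonFactoryFinder.getFilterFactory2(null);

    /** Per-role read filter (ECQL, spatial and/or alphanumeric) and readable attributes
     *  (null = all attributes). Constructed sample data: a real deployment would read this
     *  from its own database or repository, as the speaker suggests. */
    private static final Map<String, Filter> READ_FILTERS = new LinkedHashMap<>();
    private static final Map<String, List<PropertyName>> READ_ATTRIBUTES = new LinkedHashMap<>();
    static {
        // EU analysts: only features inside a constructed bounding polygon, and no "owner" column.
        READ_FILTERS.put("ROLE_EU_ANALYST",
                parse("INTERSECTS(the_geom, POLYGON((-12 35, 35 35, 35 72, -12 72, -12 35)))"));
        READ_ATTRIBUTES.put("ROLE_EU_ANALYST", properties("the_geom", "name", "status"));
        // Auditors: every region, but only records classified as public, with all attributes.
        READ_FILTERS.put("ROLE_AUDITOR", parse("classification = 'public'"));
        READ_ATTRIBUTES.put("ROLE_AUDITOR", null);
    }

    /** A policy that does not parse must fail loudly at startup rather than fall open. */
    private static Filter parse(String ecql) {
        try {
            return ECQL.toFilter(ecql);
        } catch (CQLException e) {
            throw new IllegalStateException("Invalid access policy filter: " + ecql, e);
        }
    }

    private static List<PropertyName> properties(String... names) {
        List<PropertyName> out = new ArrayList<>();
        for (String name : names) out.add(FF.property(name));
        return out;
    }

    private static boolean hasRole(Authentication user, String role) {
        return user != null
                && user.getAuthorities().stream().anyMatch(a -> role.equals(a.getAuthority()));
    }

    @Override
    public WorkspaceAccessLimits getAccessLimits(Authentication user, WorkspaceInfo workspace) {
        // Anonymous requests carry an AnonymousAuthenticationToken whose isAuthenticated() is
        // true, so test the token type rather than that flag. HIDE makes denied resources
        // disappear from capabilities documents instead of triggering a credentials challenge.
        boolean readable = user != null && !(user instanceof AnonymousAuthenticationToken);
        boolean writable = hasRole(user, "ROLE_ADMINISTRATOR");
        return new WorkspaceAccessLimits(CatalogMode.HIDE, readable, writable);
    }

    @Override
    public DataAccessLimits getAccessLimits(Authentication user, LayerInfo layer) {
        return getAccessLimits(user, layer.getResource());
    }

    @Override
    public DataAccessLimits getAccessLimits(Authentication user, ResourceInfo resource) {
        if (!(resource instanceof FeatureTypeInfo)) return null; // only vector data is limited here
        // Deny by default: with no matching role the read filter stays EXCLUDE, i.e. no features.
        List<Filter> filters = new ArrayList<>();
        List<PropertyName> attributes = new ArrayList<>();
        boolean allAttributes = false;
        for (String role : READ_FILTERS.keySet()) {
            if (!hasRole(user, role)) continue;
            filters.add(READ_FILTERS.get(role));
            List<PropertyName> allowed = READ_ATTRIBUTES.get(role);
            if (allowed == null) allAttributes = true; else attributes.addAll(allowed);
        }
        Filter read = filters.isEmpty() ? Filter.EXCLUDE
                : filters.size() == 1 ? filters.get(0) : FF.or(filters);
        // Writes are never granted by this manager: write filter EXCLUDE.
        return new VectorAccessLimits(CatalogMode.HIDE,
                allAttributes ? null : attributes, read, null, Filter.EXCLUDE);
    }

    // Styles and layer groups are not restricted here (null = no limits); group members are still
    // checked one by one above. INCLUDE = no pre-filter on catalog listings; per-item limits apply.
    @Override public StyleAccessLimits getAccessLimits(Authentication u, StyleInfo s) { return null; }
    @Override public LayerGroupAccessLimits getAccessLimits(Authentication u, LayerGroupInfo g) { return null; }
    @Override public Filter getSecurityFilter(Authentication u, Class<? extends CatalogInfo> c) { return Filter.INCLUDE; }
}
```

As far as I know GeoServer looks up the ResourceAccessManager to use as a bean in its Spring context, so, exactly as the speaker describes for any extension, the class is compiled into a module (a jar carrying an applicationContext.xml that declares it) and dropped into GeoServer's library directory; registration details should be checked against the developer documentation of the version in use. Two design choices are deliberate: filters of several matching roles are combined with OR and their attribute lists are merged, so adding a role never takes access away, and HIDE mode is used so that a denied layer is simply absent from capabilities documents rather than advertised behind a challenge, which keeps the policy from leaking the names of resources a user cannot see.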