Mastering Security with GeoServer and GeoFence

Speech transcript (automatically generated, beta)
So good morning and welcome. First off we have Mauro Bartolomeoli to talk about mastering GeoServer security with GeoFence, and without further ado let him start.

Thank you very much. So today we are going to talk about security, and the first thing I would like to say is that security is not fun. Security is hard, it is very hard to achieve. We are going to look at how GeoServer tries to handle security and all of the available features that you can use to make your infrastructure secure when GeoServer is involved. So security is hard, and we try to make it simpler for our customers, especially when GeoServer, one of our products, is involved in creating an application infrastructure. GeoSolutions, my company, in the sense that I work for GeoSolutions, was founded in 2006 and is involved in GeoServer development in every aspect, including the security stuff.

OK, I will give you an overview of what security is in general and how it is implemented inside the GeoServer infrastructure. Basically, when you talk about security you have to talk about two different aspects. The first one is how you get the identity of your users and how you can trust this identity, to make sure that the people that access your system, or the services that access your system, are trusted to do what they are allowed to do and cannot do what they are not allowed to do. So this is what we call authentication: getting their identity and trusting that identity. The second very important aspect is how we handle authorization, so how we access our resources and how we basically deny access to resources that are not allowed to be accessed by some particular users.

These two different aspects are both handled by different subsystems of the generic GeoServer security infrastructure. You can see here the basic schema of the libraries and components that are involved in the security domain. The main block there is Spring Security: GeoServer is fully based on the Spring framework in most of its infrastructure, and also for security we use a Spring module that is called Spring Security, so each of the components of GeoServer security is basically an extension of the standard Spring Security components. Then other components are involved, like the dispatcher for example, that is the main entry point for every request that comes to GeoServer: every request comes to the dispatcher, and then the dispatcher decides what to do with that request, so for sure security is involved there, that's where we need to decide for example if a request is allowed or not for a particular user. Then we have two different elements, services and catalog, that are two different types of resources that we can handle in GeoServer and that we can use to decide permissions, so authorization rules for resources. Services are for example the standard OGC services like WMS, WFS and so on, but also other kinds of services like the REST API that GeoServer has to handle administration stuff. The catalog is about accessing the real data that GeoServer publishes, like workspaces, layers and so on. And this aspect is called authorization. So authentication and authorization are the two different aspects that we need to handle when we want to secure our system, and for both of them we will see some basic concepts that I will try to explain. The first ones, related to authentication, are filter chains and authentication providers; you can see them on the top right of the schema. And then there is the secure catalog on the bottom right: the secure catalog is simply a wrapper of the catalog that implements security on top of the standard catalog, so every request to the catalog is intercepted so that the security rules can be applied, by another element that is very important, that is called the resource access manager. It is a pluggable component, because we will see that you can have different implementations inside GeoServer of the same concept. The resource access manager is the component that handles the security policies, so the rules that permit or deny access to your resources.

OK, now we see a little bit more in detail these concepts, for example what filter chains are. So basically when you send a request to GeoServer, the request has to be recognized by its type, and depending on the type it can be handled by a different set of security tools. Each of them is called a filter chain, why, because basically what you do with each kind of request is to apply a set of filters, that is simple pieces of code that take the request, apply certain actions to the request and the session, and then pass it to the following filter. So you have a chain of filters that are all applied for every request. We have different chains because we probably want to apply different security policies to different kinds of requests: for example we want to handle a request to the administration interface of GeoServer differently from a request to, let's say, WMS. For example you want to use a classic form login for the administration interface, while for accessing the WMS service we want to use a different authentication mechanism, for example basic authentication or certificates or any other kind of authentication system that you can think of. So we have different chains for different requests; each chain is a sequence of filters that are applied one after the other to the request to decide the authentication stuff, so who is the user that is accessing the system at this particular time with this request.

OK, here you can see a sample configuration of what I was talking about. These are samples of the filters that you can use inside GeoServer, each one dedicated to a particular aspect of the authentication phase. For example you have one filter that handles the session, so if you have authenticated already and you have a session you don't need to authenticate for every request to the web administration interface for example; you have other filters for remember-me cookies or for anonymous access and so on. There are many, many filters that you can use to handle your authentication. Here is a quick list of the filters that you have by default. Obviously, since the system is completely pluggable, you can add more filters just by developing a class implementing an interface and adding it to the set of libraries of GeoServer, and you have one more filter that you can use inside your infrastructure.

In addition to filters, that are basically dedicated to fetching credentials from the user or similar stuff, you have authentication providers. So basically authentication is divided in two phases: first you get the credentials from your users using many methods, like a form, like basic authentication or an external system; you have many ways to get the credentials, and in GeoServer you can decide which method of authentication you want by configuring it in the system. Then you need a way to trust the credentials that the user has given, to be sure that they are associated to an existing user, and which permissions, which roles need to be applied to that particular user. The second phase is handled by authentication providers. There are several examples of authentication providers shipping with GeoServer: for example you can use an LDAP repository to match credentials with an existing user in the repository, or a database, or any kind of storage system basically that you can use to match the credentials and eventually trust them.

In addition to that, GeoServer has another set of providers that are specifically aimed at associating users with the roles in the system, because you can categorize all of your users so that they are divided in groups or roles, and roles are quite important because in the core security system they are the only entity you can associate permissions with. So we will see in a moment that to assign permissions to your users you need to specify the roles that each user has, but you cannot do it user by user in the core system; we will see that there are extensions that allow you to associate permissions also to a single user, but in the core system you can only do that with roles. So you need to create roles, you need to associate roles to users, and then you can bind permissions to the specific roles that exist. Since roles are important, there is a specific component, a provider, that can bind roles to users, and also for this you can decide which kind of storage, which kind of service you want to use for this particular task: you can use LDAP, as we have seen also for users, you can use databases, there are many options, and as is possible for the others you can create your own role provider if you need one.

Also, GeoServer includes some extensions that are not part of the standard installation but are extensions that you can install in addition; some of them are dedicated to security, and for example there is an implementation of the CAS single sign-on system. Another one is called AuthKey, which we use in many cases at GeoSolutions because it is a generic implementation of token-based authentication, so you can use it whenever you have in your infrastructure something generating a token for authentication, probably an expiring token or something like that, that you can use to share authentication between different systems. AuthKey is meant to handle this kind of use case.

OK, let's change our topic from authentication to authorization. What is authorization about? It's about giving users, and the roles they have, permission to do actions on resources. So when a user tries to do a particular action on a particular resource we need to decide if this is allowed or not, and if it is allowed, if limits apply to the way we access the resource. For example let's say that we want to do a WMS GetMap request to get a map for a particular layer, and we want to decide how the user can see this particular layer: we can decide that he cannot see it at all, so it's completely denied, or he can access it fully, or he can access it in a limited way, for example he could access only part of the particular layer, only on a particular region of the world for example, or, making another example with WFS, we can decide he can access only some attributes of a particular feature type and so on. So we have basically two use cases: we can decide to deny access, to allow it, or to allow it with limitations, with constraints. The GeoServer system permits to handle all of these aspects using a component that is called the resource access manager. The resource access manager is really an interface that can be implemented by several modules. There is a core module, the core component, that is a basic, very simple system. In the basic system you can only associate rules, access rules, to allow or deny, to roles, and you can basically decide permissions for layers, but on the other hand you cannot specify limits. The same you can do for security of services, so you can decide if you can access a service or not.

Then there are extensions to this basic subsystem that you can use to replace the basic authorization system. One of them is GeoFence, a security system developed by GeoSolutions, that is an extension, a community module for GeoServer, that you can use; it is configurable and has its own interface, and exists in two different forms: one is a stand-alone application that is external to GeoServer that you can use to configure and implement the rules basically, and one is directly integrated inside GeoServer, simpler to use, and uses the same web administration interface. It does not currently have all the functionality of the stand-alone one, but we are going to make them aligned in general terms. And another option, that is the one I would like to suggest to you for most use cases, is that probably neither the basic subsystem nor a generic system like GeoFence can be applied to your situation, in all those cases where you probably already have a security infrastructure in your company and you just want to integrate GeoServer in this infrastructure. What we usually do and what we suggest is to implement your own version of the resource access manager that can apply in a simple way your system rules, that are probably not as generic as the ones you find in GeoFence, but are very specific to your use case, and if you already have something that describes these rules, for example in a database or in an external repository, the simplest way to implement your own authorization system is to write your own version of the resource access manager. The interface is quite simple because it is a simple interface where you simply decide, for each couple of user, with all of the existing content categories like groups and roles, and resource, so if you have a couple of user and resource you simply have to decide how the user can access the particular resource. So you have a set of methods in the interface, each one dedicated to a particular set of resources, and you just have to return a description of the permission for the user, like the user is allowed to access the resource, or the user is denied anything, or the user is allowed with limits that you can describe.

Let's see if I have an example... probably not. Basically, what you can describe in GeoServer through access limits are filters on the data: for example if you have vector data that you want to filter based on the user that is accessing it, you can express a filter, a simple CQL filter, like the ones that you usually send to GeoServer to filter your data from your application; let's say you can set it as a limit directly in GeoServer, in your resource access manager inside GeoServer, so that it is applied automatically to a request for that particular user. Or you can also apply spatial filters, so the user can see only a particular region of the world, and you can also apply limits to the number of attributes that are visible to the particular user, or decide if something is readable or writable; you have many options that you can implement in your resource access manager. And basically that's it, so I think it's time for questions if you have any. Thank you.

Thank you for this speech. I'm interested to know how we can extend the WFS service so that, when a user edits a feature, we can also log the user account that actually did it, so that we have a history of who edited what, if you understand what I mean.

So, I don't remember the name, but there are some extension points that you can implement to catch particular requests and implement your own logic, to let's say do something like logging or similar stuff, so you can capture every request and do what you want with it. We usually do it for example to handle some security stuff that cannot be handled by the standard resource access manager, but I think logging is another use case. It is actually an interface; you just implement the interface, compile the module and install it.

Other questions?

Thank you. What is one of the main differences between the default security system and GeoFence?

Basically the basic security system has many limits in what you can configure; as I said you can only associate permissions to roles, not directly to a single user or a single group, while with GeoFence or a custom access manager you can also do that. And you also cannot do something like mix and match services and resources based operations, so you cannot say this layer can be accessed by WMS but not by WFS: you have only rules for services and rules for layers but they cannot be combined, while with GeoFence you can do something like that. And also with the basic system you cannot apply filters, so limit the number of features that are viewed; you can only say allowed or denied, you do not have a way to specify limits inside the basic system.

For example, some time ago I started trying out GeoFence and I found out that you can run GeoFence next to GeoServer, or you can have it directly integrated in GeoServer. So what are the main differences, what do we have to look at, what is the recommended way?

Currently the directly integrated version has some limitations on what you can configure, basically in the configuration interface, but the rule engine is basically the same. Another difference is that the directly integrated version uses the users directly from the user subsystem of GeoServer instead of implementing its own, because the stand-alone version has its own database for users and groups, while the directly integrated one uses the standard GeoServer users. And the other limitation, you will see that in the integrated version you cannot edit limits, so you cannot control a variety of rights; some user interface stuff is missing.

OK, I think we have time for one more question.

In the interface you can specify a spatial filter for the layer, and you can specify that also for the user, I think? Yes. And then the actual filter is an intersection between those?

So, you mean if you have a spatial filter directly in the request and then another one in the security system?

No, in the GeoFence interface you can set up a spatial constraint for the layer, but also the user itself can be constrained to a certain spatial area, and is the effective...

No, I think you can specify rules that contain a spatial filter, but the rules also specify the user.

OK, so in terms of the rule then you can specify spatial rules based on the layer, on the user, and the resulting rule is an intersection between those. And then also the second part of the question: if a feature is bigger than the spatial part of the rule, what is the right way to only return a result for the allowed area, even though the feature itself may span the area?

For vector data I don't think so, I think it's a simple intersection to select the data, so if it intersects it will be returned. But not for raster: for raster the spatial filter is really a mask on the raster.

OK, that's all the time we have. Thank you.
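The talk describes the resource access manager as a component that, for a user (with roles) and a resource, answers allow, deny, or allow with limits (a spatial area, an attribute subset, an alphanumeric filter), and the Q&A adds that for vector data the rule's area acts as a simple intersection test. The following is an added example, written for this page and not GeoServer's or GeoFence's own code: a toy access manager with ordered rules, default deny, WMS-versus-WFS rules on the same layer, and a `LIMIT` mode whose area is intersected with the request's own bounding box before features are selected and their attributes projected. Geometry is reduced to axis-aligned bounding boxes so it runs on the standard library alone; the rule evaluation order, the role, layer and service names, and the sample features are all constructed for this example.

```python
# Added example (not GeoServer's or GeoFence's code): a minimal model of a
# "resource access manager". Names, rule ordering and default-deny are
# assumptions of this example, not documented GeoServer behaviour.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple

BBox = Tuple[float, float, float, float]  # (minx, miny, maxx, maxy)
EMPTY: BBox = (0.0, 0.0, 0.0, 0.0)        # marker for an empty intersection


def is_empty(b: Optional[BBox]) -> bool:
    """None means 'no spatial constraint', so it is never empty."""
    return b is not None and (b[0] >= b[2] or b[1] >= b[3])


def bbox_intersection(a: Optional[BBox], b: Optional[BBox]) -> Optional[BBox]:
    """Intersect two boxes; None on either side means unconstrained."""
    if a is None:
        return b
    if b is None:
        return a
    minx, miny = max(a[0], b[0]), max(a[1], b[1])
    maxx, maxy = min(a[2], b[2]), min(a[3], b[3])
    if minx >= maxx or miny >= maxy:
        return EMPTY
    return (minx, miny, maxx, maxy)


@dataclass(frozen=True)
class AccessLimits:
    mode: str                                             # "ALLOW", "DENY", "LIMIT"
    area: Optional[BBox] = None                           # spatial constraint
    read_attributes: Optional[frozenset] = None           # visible attributes; None = all
    read_filter: Optional[Callable[[dict], bool]] = None  # alphanumeric filter


ALLOW = AccessLimits("ALLOW")
DENY = AccessLimits("DENY")


@dataclass(frozen=True)
class Rule:
    role: str       # "*" matches any role
    layer: str      # "*" matches any layer
    service: str    # "WMS", "WFS" or "*"
    limits: AccessLimits

    def matches(self, roles: Sequence[str], layer: str, service: str) -> bool:
        return ((self.role == "*" or self.role in roles)
                and self.layer in ("*", layer)
                and self.service in ("*", service))


class ToyAccessManager:
    """First matching rule (in priority order) wins; no matching rule means deny."""

    def __init__(self, rules: Sequence[Rule]):
        self.rules = list(rules)

    def get_access_limits(self, roles: Sequence[str], layer: str, service: str) -> AccessLimits:
        for rule in self.rules:
            if rule.matches(roles, layer, service):
                return rule.limits
        return DENY


def apply_limits(limits: AccessLimits, request_bbox: Optional[BBox],
                 features: List[Dict]) -> List[Dict]:
    """Apply decided limits to a WFS-like request over in-memory features.

    Each feature is {"bbox": BBox, "attrs": {...}} with a non-degenerate bbox.
    The effective area is the intersection of the request bbox and the rule area;
    features are kept if their bbox intersects it (simple intersection, as the
    Q&A describes for vector data), pass the alphanumeric filter, and are then
    projected to the readable attributes.
    """
    if limits.mode == "DENY":
        return []
    area = request_bbox if limits.mode == "ALLOW" else bbox_intersection(request_bbox, limits.area)
    result = []
    for f in features:
        if is_empty(bbox_intersection(area, f["bbox"])):
            continue
        if limits.read_filter is not None and not limits.read_filter(f["attrs"]):
            continue
        attrs = f["attrs"]
        if limits.read_attributes is not None:
            attrs = {k: v for k, v in attrs.items() if k in limits.read_attributes}
        result.append({"bbox": f["bbox"], "attrs": attrs})
    return result


# Constructed sample rules and features (not from any real deployment).
RULES = [
    Rule("ADMIN", "*", "*", ALLOW),
    # Editors may read roads over WFS, but only inside a box, only public
    # features, and only two attributes.
    Rule("EDITOR", "roads", "WFS",
         AccessLimits("LIMIT", area=(0.0, 0.0, 10.0, 10.0),
                      read_attributes=frozenset({"id", "name"}),
                      read_filter=lambda a: a.get("status") == "public")),
    # Same layer, different services: a split the core subsystem cannot express.
    Rule("VIEWER", "roads", "WMS", ALLOW),
    Rule("VIEWER", "roads", "WFS", DENY),
]
MANAGER = ToyAccessManager(RULES)

ROADS = [
    {"bbox": (1.0, 1.0, 3.0, 3.0), "attrs": {"id": 1, "name": "A1", "status": "public", "owner": "dept-7"}},
    {"bbox": (8.0, 8.0, 15.0, 15.0), "attrs": {"id": 2, "name": "B2", "status": "public", "owner": "dept-3"}},
    {"bbox": (2.0, 2.0, 4.0, 4.0), "attrs": {"id": 3, "name": "C3", "status": "draft", "owner": "dept-7"}},
    {"bbox": (20.0, 20.0, 25.0, 25.0), "attrs": {"id": 4, "name": "D4", "status": "public", "owner": "dept-1"}},
]


def wfs_get_feature(roles: Sequence[str], layer: str, request_bbox: Optional[BBox] = None,
                    features: List[Dict] = ROADS) -> List[Dict]:
    """What a secured GetFeature returns for this user: decide, then apply."""
    return apply_limits(MANAGER.get_access_limits(roles, layer, "WFS"), request_bbox, features)


if __name__ == "__main__":
    for roles in (["ADMIN"], ["EDITOR"], ["VIEWER"], ["GUEST"]):
        print(roles, [f["attrs"] for f in wfs_get_feature(roles, "roads", (5.0, 5.0, 30.0, 30.0))])
```

The `EDITOR` case shows the point raised in the last question: the request's own bbox (5,5,30,30) and the rule's area (0,0,10,10) reduce to their intersection (5,5,10,10), and the feature with id 2, which extends well beyond that box, is still returned whole because the selection is a bbox intersection test, not a clip. A `GUEST` role with no matching rule gets nothing, which is the default-deny choice this model makes.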

Metadata

Formal metadata

Title Mastering Security with GeoServer and GeoFence
Series title FOSS4G Bonn 2016
Part 109
Number of parts 193
Author Giannecchini, Simone (GeoSolutions Founder)
Bartolomeoli, Mauro (GeoSolutions Sas)
License CC Attribution 3.0 Germany:
You may use, modify, reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner they have specified.
DOI 10.5446/20395
Publisher FOSS4G
OSGeo
Publication year 2016
Language English

Content metadata

Subject area Computer science
Abstract The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, from basic/digest authentication to CAS support, check the various identity providers, such as local config files, database tables and LDAP servers, and how it's possible to combine the various bits into a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it into a home-grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions, and check the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore the advanced authorization provider, GeoFence, explore the levels of integration with GeoServer, from the simple and seamless direct integration to the more sophisticated external setup, and see how it can provide GeoServer with complex authorization rules over data and OGC services, taking into account the current user, OGC request and requested layers to enforce spatial filters and alphanumeric filters, attribute selection, as well as cropping raster data to areas of interest.
