Advanced Security With GeoServer

Video in TIB AV-Portal: Advanced Security With GeoServer

Formal Metadata

Advanced Security With GeoServer
Title of Series
CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
Open Source Geospatial Foundation (OSGeo)
Production Year
Production Place
Portland, Oregon, United States of America

Content Metadata

Subject Area
The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, from basic/digest authentication to CAS support, go through the various identity providers, such as local config files, database tables and LDAP servers, and show how it's possible to combine the various bits into a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it into a home-grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions, and check the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore an advanced authentication tool called GeoFence, and see how it can plug into GeoServer to provide graphical configuration abilities for using complex authorization rules over data and OGC services, taking into account spatial filters, attribute filters, attribute hiding as well as cropping raster data to areas of interest. Finally we'll show how, using LDAP, both GeoFence and GeoServer can use a common user database, simplifying administrators' job, and provide some real-world examples.
Keywords: GeoServer, OGC, WMS, WFS, WPS, WCS, security, authentication, authorization, GeoFence
[inaudible] This talk is about GeoServer security. We are going to explain in a little bit more detail what was just started in a previous presentation: in particular we are going to explain in detail what GeoServer offers in terms of security, and we will see the main properties of the GeoServer security subsystem, its flexibility and extensibility. We will see examples of all the supported formats that you have by default, and also how you can extend the security system to integrate it properly with the existing infrastructure that many companies already have. [inaudible exchange about the setup] OK, so I think I'll start there. As I said, we are talking about advanced security in GeoServer, so we're going to see in a little bit of detail what security means and how it is implemented in the GeoServer security subsystem.

Just a few words on who I am and who I work for. I work for GeoSolutions, which is an Italian-based company that has done consultancy on GeoServer since 2006. We work in several fields of the geospatial world; we have a series of open source projects, the main one being obviously GeoServer, where we maintain many sections of the development, in particular all that is related to raster data processing, and many other sections like the security system and the printing system.

Here you can see a busy diagram of the architecture of the GeoServer security subsystem. Whenever we talk about security we are really talking about two topics: authentication and authorization. The first one is about how I can identify the users that try to access my system and trust that they are who they say they are; the other one, authorization, is about assigning permissions to access the system to the different users that make requests. Here on the left you can see the main components that are involved during the security phases of accepting a request in GeoServer. In particular, all this security system is based on a very common framework in the Java world, which is Spring Security. We will see that many concepts inside the GeoServer security system are really concepts that come from the Spring Security framework. Obviously the basis of all this is the dispatcher system, which takes requests from users, decides if those requests are allowed or denied, and continues the flow accordingly. On the right side you can see the main components, named as we will see in a moment: what filter chains are, what authentication providers are, and all that you can configure inside GeoServer to make the security system work. The bottom part of security is the catalog, because each time you have to secure a system you have to decide how your data can be accessed, and since the main access point for every piece of data in GeoServer is the catalog, securing the catalog is done through a wrapper, which you can see here and is named the secure catalog. The purpose of the secure catalog is to check that every request to GeoServer is correctly authenticated and authorized for the user.

OK, as I already said, all the security subsystem is based on Spring Security. You can see that we are going to talk about authentication and authorization in detail, and another aspect that we're going to talk about is how GeoServer internally stores information about the users. This is the first section of the slides: it talks about the users, how they can be organized in groups, and how I can assign roles to them to make the permission assignment at the end. We start talking about how you can store users, groups and roles inside GeoServer.

To do it you will use what is called a user group service, that is a simple service that abstracts the storage, so you can choose to store user information on different kinds of storage, one for each user group service that you configure. When I talk about storage I talk about creating users and storing them on some sort of file or database, and also fetching them when they are needed for security purposes, for example to authenticate a user by checking the user's credentials. User group services can be read-only or read-write: we have some user group services on which, using GeoServer itself, I can create and edit users, and others that are read-only, so I need to integrate with external services and I can just read, from GeoServer, the user information that is stored on them. You can find two full implementations of the user group service in the GeoServer system when you install it from scratch. The first stores users, groups and roles inside XML files; this is the default that you find, for example, for the basic users that are already defined when you install GeoServer. Or you can use some sort of database through the JDBC interface of Java, so you can use a connection to an external database; mainly all the databases supported by GeoServer can be used, such as PostgreSQL, MySQL, Oracle, SQL Server and so on, and you can directly write and read your user and group information from the database. For this purpose you can use a schema for the tables of the database that is defined by GeoServer, which you can create directly on an empty database, or, if you already have some database with your user information that you use for other purposes in your infrastructure, you can adapt the JDBC user group service to use your existing tables. That is quite simple: you just have to write in a simple file the queries that are needed to extract the data or write them on the database. There is also, in my opinion, a missing user group service that would be very useful: an LDAP repository service. We will see in a moment that GeoServer supports connecting to an external LDAP repository for authentication, but currently there is no read/write capability for it, so to manage your users and groups in LDAP you have to use external tools. In my opinion, in the near future it would be a good feature to add support for LDAP in read-write mode as a user group service.

That was about creating and handling users and groups. There is another, separate service that is about managing roles. It's very similar to the user group service, but it is dedicated to storing and fetching the user roles, also from an external container. Also in this case roles can be stored inside XML files or in a database, or, in this case, LDAP support is included, and this is for me the reason why it should be there also for the user group service. Another option you have is to use the roles defined directly by the servlet container you are using: for example, if you have a set of roles that are defined inside your container, you can use them as the source for roles for GeoServer too.

OK, so let's talk a bit about the authentication phase of the security system. This phase is about identifying the user and trusting its identity through the verification of some sort of credentials. Authentication in GeoServer is done through a mechanism that is proper of Spring Security, that is filter chains. In practice, when you have to authenticate the user you have a set of filters; a filter is a simple software module that gets the information from the user and decides if the user has been authenticated and trusted, and so if the request flow can continue or not. There are many filters that are supported by GeoServer; we will see them in a moment. They work by creating a chain of filters, so you can for example put a series of filters in sequence and let them check the user one after another, and one of them can authenticate the user, or none of them, so the request is not authenticated. This is useful for example if you have several systems to authenticate your users, one dedicated to intranet users, another one for external users: you can use them all, just put them in a sequence and they will work together in a chain. Another ability you have is that filtering is applied differently to different kinds of requests; for example you can differentiate requests to the web admin interface from those to the web services (WMS, WFS), so that different kinds of users can be handled for the admin interface, the services, the REST API and so on. This is done through a mechanism based on pattern matching: you say, for example, that all requests to the /web path go through this chain, all requests to WMS or WFS go through another one, and so on.

OK, the filters that you have available in GeoServer to configure authentication are split into mainly two groups. The first ones are dedicated to how the system fetches authentication data, so username and password or some sort of certificate, every kind of credential that can authenticate the user; you can decide which kinds of credentials to support. For example here you can find basic authentication, which is the method where the browser asks username and password of people when they access a web page, or the classic form, so web pages with fields for username, password and so on. You also have a filter that handles anonymous users, which should always be the last of the sequence, so you can try several kinds of authentication and if none of them work you say the user is anonymous. Then there is another group of filters that handle so-called pre-authentication methods. In some cases your infrastructure does the authentication for you and GeoServer simply trusts the infrastructure that the user is what the infrastructure states, so we have several methods of pre-authentication, so authentication that is done before GeoServer is able to do its work. These are the main methods supported by default: some sort of HTTP header that is received with every request; digest, that is similar to basic and is also supported by the browser; SSL certificates, practically certificates that you can install on your browser; and so on. It's very easy, if none of the default filters that you find in the core are sufficient for your needs, to implement new kinds of filters to include in GeoServer, to let GeoServer work with the scheme of authentication that you already have in your infrastructure, and since all these are filters from the Spring Security framework, you will probably find someone that has already done something similar to start with.

In the phase of authentication, when through the filters you have gathered information from the user, so for example username and password, you have to decide how to check that username and password: this is the duty of the authentication providers. It is another chain that you can configure in GeoServer, so another set of objects that are able to check whether the credentials gathered during the first phase are correct or not. Currently we have a set of default providers that you can use directly. One is a simple username and password checker that uses one of the user group services that you have configured; for example, it simply checks with the user group service that you have configured whether the username and password are stored on the XML file or on a database, or on all the systems that we have already talked about. For the authentication providers we also have the support for LDAP repositories, that are very common in an enterprise infrastructure. Recently I personally worked on adding Active Directory support, so we have some more options and flags for the LDAP authentication provider to support Active Directory, which is an LDAP but not exactly a basic LDAP: it requires some more configuration to work, and there are some tutorials if you need more documentation on this part [unclear]. And as we said for the filters, also for the authentication providers you can write your own if you need one that is not included in the basic set.

Also for the filters, if you need one that you don't find, you can look at the extensions, because GeoServer is split into a core installation and extensions that you can install as needed, and there are some that are dedicated to security. For example the CAS module, CAS being a standard for managing single sign-on for a set of applications; this module allows GeoServer to log in the user using a CAS system. There is also a community module named AuthKey that handles some sort of token, generated by a service or stored on the user database, that is passed along with the request to identify the user. For example, recently we added some support to this module, which normally uses an XML file or a static database, to call an external web service to check for some token and get back the user information and so on; I hope to be able to contribute this work to the community module so that you can work with it. Finally, you can see that you can easily configure your authentication system to work with many existing authentication infrastructures; for example, for some customers we worked to integrate their Shibboleth single sign-on system, or a CAS single sign-on. We also have the possibility to mix all these together into one very flexible authentication in a complex system where you have, for example, a set of intranet users stored on an Active Directory, and then you can also have some users coming from the Internet, who wanted to register on the Internet, stored for example on a sort of dedicated database for that. You can mix all these cases, configuring them together, and GeoServer will do all the work of authentication for you.

Briefly talking of our future improvements: the idea is to clean up the authentication system, because it's still a bit complex in some parts for users, and to fill in some holes, like for example, as I said, the LDAP user group service, to improve the flexibility of the system; also to improve some existing modules, like the AuthKey community module, and if possible promote it to an extension; and also, if possible, to create new authentication filters to handle some cases that are not currently supported.

OK, this was the authentication part. Now the authorization part. It is a companion to authentication: when I know who the user is, I am able to decide what it can do inside GeoServer. For this I use the authorization system. GeoServer by default implements a role-based authorization mechanism: basically permissions can only be assigned to roles, not directly to users or groups, so you have two phases in the assignment of permissions: you have first to decide which roles can do what, and then decide how to assign those roles to users or groups. For what is related to which kind of information I can access, the basic authorization system gives you two possibilities: decide which data can be accessed, at the workspace or layer level, and, at the service level, which kind of services the user can access, WMS, WFS and so on. But the authorization system is very pluggable; it's possible to extend it very easily to implement a more complex authorization system, and for this, for example, we at GeoSolutions created a particular solution, that is GeoFence, which extends the standard authorization system adding some kinds of rules that are more fine-grained. For example, with the basic authorization system you can only decide if one layer is accessible by the user or not; using GeoFence you can, for example, say that this user can access this layer but only for a specific area, say an area inside the United States and not one in Europe. I can also decide, for example, which attributes of the layer are visible to a certain user and which other attributes are not, so I have the possibility of deciding more easily what the user can do and what not. Also, since the basic authorization system is based on roles, not directly on users, with GeoFence you can also assign permissions directly user by user. So it's a simple extension to the basic GeoServer security system that allows you to specify in a finer-grained way which kind of permissions the users have. Any questions?

[Audience question, inaudible, about the Active Directory support in the LDAP provider.] Yes. What we did is basically [unclear] in the LDAP configuration, because for example Active Directory needs the user to be authenticated before it can get the groups bound to the user, so we had to add support for this and some other flags to decide how to extract the data from the Active Directory store, which can be different from a basic OpenLDAP repository, for example; so these are the new fields.

[Audience question, inaudible, about the Shibboleth integration.] For the Shibboleth part, what we did is basically to put a front end on the web server, with the module for Shibboleth, in front of GeoServer; the front end communicates with GeoServer using, for example, the AJP proxy protocol, so that Apache is responsible for the Shibboleth part and then GeoServer can use the information that the front end sends to trust the identity of the user. This is the way we integrated Shibboleth with GeoServer. OK, thank you.
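A simplified model of the flow the talk describes, added here as an illustration (it is not GeoServer's code; the users, groups, paths, the X-Remote-User header and the layer rules are constructed): path-matched filter chains with the anonymous filter last, a provider checking gathered credentials against a user group service, a role service, and role-based layer rules.

```python
"""Simplified model of the flow the talk describes (added illustration, not
GeoServer's own code; users, paths, header names and rules are constructed):
path-matched filter chains, a provider, a role service and layer rules."""
import base64
import hmac

# Constructed stores standing in for the XML/JDBC user group service and the role service.
USERS = {"admin": "geoserver", "alice": "s3cret"}
USER_GROUPS = {"admin": ["ADMIN_GROUP"], "alice": ["ANALYSTS"]}
GROUP_ROLES = {"ADMIN_GROUP": ["ROLE_ADMINISTRATOR"], "ANALYSTS": ["ROLE_ANALYST"]}
# Data-access rules, "workspace.layer.mode" -> roles; the most specific rule wins.
LAYER_RULES = {"*.*.r": {"ROLE_ANONYMOUS", "ROLE_ANALYST", "ROLE_ADMINISTRATOR"},
               "topp.*.w": {"ROLE_ADMINISTRATOR"},
               "topp.states.r": {"ROLE_ANALYST", "ROLE_ADMINISTRATOR"}}

def roles_for(user):
    # Role service: permissions attach only to roles, and roles hang off groups.
    if user == "anonymous":
        return {"ROLE_ANONYMOUS"}
    return {r for g in USER_GROUPS.get(user, []) for r in GROUP_ROLES.get(g, [])}

def match_path(pattern, path):
    """Ant-style prefix match: '/wms/**' covers '/wms' and everything below it."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return path == pattern

def basic_filter(headers):
    """Gather username/password from an HTTP Basic header; the provider checks them."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8: nothing gathered, try the next filter
        return None
    return {"user": user, "password": password}

def header_filter(headers):
    """Pre-authentication: trust an identity asserted by a front end (the Shibboleth-enabled
    web server in the talk). Only sound on chains reachable exclusively through that front end."""
    user = headers.get("X-Remote-User")
    return {"user": user, "preauth": True} if user else None

def anonymous_filter(headers):
    return {"user": "anonymous", "preauth": True}

def provider(creds):
    """Username/password provider backed by the user group service above."""
    expected = USERS.get(creds["user"])
    ok = creds.get("preauth") or (expected is not None and hmac.compare_digest(
        expected.encode(), creds["password"].encode()))
    return (creds["user"], roles_for(creds["user"])) if ok else None

# One chain per kind of request, anonymous always last; the REST chain has no anonymous fallback.
CHAINS = [(["/web/**"], [basic_filter, anonymous_filter]),
          (["/wms/**", "/wfs/**"], [header_filter, basic_filter, anonymous_filter]),
          (["/rest/**"], [basic_filter])]

def authenticate(path, headers):
    """Run the first matching chain; the first filter whose credentials the provider accepts wins."""
    filters = next((f for ps, f in CHAINS if any(match_path(p, path) for p in ps)), [])
    for flt in filters:
        creds = flt(headers)
        auth = provider(creds) if creds else None
        if auth:
            return auth
    return None

def can_access(auth, workspace, layer, mode):
    """Role-based layer check ('r' read, 'w' write) using the most specific matching rule."""
    for key in (f"{workspace}.{layer}.{mode}", f"{workspace}.*.{mode}", f"*.*.{mode}"):
        if key in LAYER_RULES:
            return bool(LAYER_RULES[key] & auth[1])
    return False
```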