Advanced Security With GeoServer

Formal Metadata

Title Advanced Security With GeoServer
Title of Series FOSS4G 2014 Portland
Author Bartolomeoli, Mauro
License CC Attribution 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
DOI 10.5446/31596
Publisher FOSS4G, Open Source Geospatial Foundation (OSGeo)
Release Date 2014
Language English
Producer FOSS4G, Open Source Geospatial Foundation (OSGeo)
Production Year 2014
Production Place Portland, Oregon, United States of America

Content Metadata

Subject Area Computer Science
Abstract The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, from basic/digest authentication to CAS support, check through the various identity providers, such as local config files, database tables and LDAP servers, and how it's possible to combine the various bits in a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it in a home-grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions, and check the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore an advanced authorization tool called GeoFence, and see how it can plug into GeoServer to provide graphical configuration abilities to use complex authorization rules over data and OGC services, taking into account spatial filters, attribute filters, attribute hiding as well as cropping raster data to areas of interest. Finally we'll show how, using LDAP, both GeoFence and GeoServer can use a common users database, simplifying the administrators' job, and provide some real world examples.
Keywords GeoServer
OGC
WMS
WFS
WPS
WCS
security
authentication
authorization
GeoFence
Transcript
existence of government bodies talk at User GeoServer security we are going to explain a little bit in that what as being just starts the during the gist of a future frenzy presentation in uh in particular we are going to explain a little bit in detail what is judged get detector of our form to what is it related security and we will see how but the main properties of the of the security and GeoServer our flexibility and expandability as we will see examples of all the uh supported to format that you have by default and also how you can extend the security system to integrate it properly with your problem of existing infrastructure that many many companies that have already existing OK we are almost done the the but I think that the and and the cost of the the the was and probably and you want to talk about here it's the the and the and and and so on and but in the end it and you try talk is that a nation are you is it correct OK so I think is start there as I
said we are talking about a basset security interests are so we're going to see a little bit in the data what security means and all your time is equal to your it in that GeoServer security subsystem just a few
words on the way and and what work for and I work for GeoSolutions which is an Italian base the company the task consultancy on GeoServer from 2006 we work in several fields of the geospatial world we had a series of open source projects the main 1 is obviously GeoServer that you know many section of the edges of development in particular for 12 to the related to raster data processing and many other many other sections like security system and the printing system currently the yeah you can see a
busy diagram of big uh architecture of the GeoServer security subsystem you can see that maybe we can talk when we when whenever you talk about a security we are really talking about 2 topics about uh topics the words authentication and authorization the first one is about how I can identify users that try to access my system and trust that they are who they say they are and the other 1 authorization how can access permissions to access the system to reach different user the tries to make requests here on the left you can see the main components that are involved during the security phases of accepting every request to GeoServer In particular all this security system is based on a very common framework in this world that is Spring Security we see that many concepts uh inside the GeoServer security system are in reality concepts that come from the Spring Security framework and obviously this is the basis of all the dispatcher system takes requests from users of these sites that if those requests are allowed or denied it and uh continue the flow accordingly OK on the right side is that you can see that the main component dictates and now uh they are named as we will see in a moment what filters and chains are what authentication providers are and all that you can configure and configure them inside GeoServer to make this so the security system work now the bottom part of security is catalog because each time you have to secure a system you have to decide how your data can be accessed and since the main access point for every data inside GeoServer is the catalog mean mainly to secure the catalog in this is done through a wrapper you can see here that is named the secure catalog uh they uh the purpose of this secure catalog is to check that every request to GeoServer is correctly authenticated and right for the user OK uh as I
already said uh our all the security subsystem is based on Spring Security you can say you can see that we are going to talk about authentication and authorization in detail and another aspect that we're going to talk about is how GeoServer internally allows you to store information about the users and this is uh the 1st section of the slide it talks about the users how can they be organized in groups so how can I connect assign roles to them to make the the permission assignment at the end we start that we we start talking there
about how you can store users groups and roles inside GeoServer the
the to do it uh you will use what is called a user group service that is a simple service of abstraction and so you can choose to store and use information on a similar kind of storage is for each 1 of the user group service that you can configure when I talk about storage and I talk about creating users storing them of some sort of data or database and also fetching them when I need them for security purposes for example to authenticate and check user credentials user groups so this can be read-only or read-write so we have some user group service on which using GeoServer itself I can write the users and others that can be read only so I need to integrate with external services and I can just read from GeoServer the user information that is stored on that you can find it to the full implementation of user group service in the GeoServer system when you install it from scratch you will find to have a default that stores users groups and roles inside XML files this is the default that you would find for example for the basic users that are defined already when you install GeoServer or you can use a some sort of database for the JDBC interface of Java so you can your your connection to external database uh mainly all this support about the database inside GeoServer can be used so PostgreSQL MySQL Oracle SQL Server and so on and you can directly write and read your user and groups information from from the database uh for this purpose you can use it as a schema for the tables of the database that is uh owned by GeoServer so you have that you added a few the full schema that you can directly can create on their on an empty database or if you already have some database with your user information that you use for other purposes in your infrastructure you can adapt the JDBC uh user group service to use your existing tables to that is quite simple you just have to write into uh simple files the queries that are needed to extract the data or 
write them on the database prepared he also uh currently in my opinion there is a missing user group service that would be very useful so for an LDAP repository service we we see in a moment that LDAP is supported to connect to external LDAP repository for authentication but currently there is no read write capability for that so to uh manage your user groups you know that you have to use external tools to do that so in my opinion in the next future and uh it would be uh a good feature to add support for LDAP in a read-write mode the good aside today user service
that are most to create and manage users and groups there is another uh separated service that is about managing roles it's very similar to the user group service but it is dedicated to uh storing and fetching the user roles so from our from an external container is also in these cases this can be stored inside XML files or into a database or uh in this case the support for LDAP is included in this is for me the reason why it should be needed also for the user group service and another option you have is to use the roles defined directly by the container I would call being added to it you are using for example it if we have a set of roles that are inside the container you can use them as the source for roles for GeoServer too OK so let's
talk a bit about the authentication phase of the security system this phase
is about to uh identify the user and trusting that its identity through the verification of some sort of credentials the authentication in GeoServer is done through uh a mechanism that is proper of Spring Security that are filter chains in practice so when you have to authenticate the user you have a set of filters if if there is a simple uh software module that gets the information from the user and decides so if the user has been authenticated and trusted and so the request flow can continue or not there are many filters that are supported by GeoServer we will see them in a moment they work uh by by creating a chain of filters so you can for example put a series of filters in sequence and let them check the user 1 after another and the 1 authenticates the user or none of them so the request is not authenticated this is useful for example if you have several systems to authenticate your system 1 dedicated to Internet users another 1 for external users you can use them all just put in a sequence and they will be used together every chain uh another uh ability you have is that everything is applied differently to a different kind of requests for example you can differentiate a request to the web admin interface from of of the web services so that WMS WFS for instance different kinds of users can be handled for the admin interface and the services or the REST APIs and so on this is done through a mechanism that is more or less a pattern matching so you set for example all the requests that start with web uh will go into this chain all the requests WMS for instance ah will go through another 2 the
OK uh the filters that you have available in GeoServer to configure authentication are split into now mainly 2 groups so the 1st one that are dedicated to our the system fetches out into detailed authentication data so username and password or some sort of certificate every kind of credential that can I'll take to get the user you can decide which kind of the credentials support of for example we here you can find a basic authentication which is a method uses the browser username and password stored and people uh when they access a web page or to where classic form so where web pages with fields for username password and so on the you will also have a filter that will handle anonymous users that should always be the last of all this sequence so you can try several kind of authentication if none of them work you say the user is anonymous the then there is another group of of filters that can handle on so called pre-authentication methods uh In some cases your infrastructure does the authentication for you and simply GeoServer trusts the infrastructure that the user is what uh infrastructure states so we have several methods of pre-authentication so of authentication that that as before GeoServer uh is is able to to to do its work and these are the main that are supported by default so some sort of HTTP header that is received in every request uh digest that is similar to basic is about them into the browser supported would indicate user access the fire on the line of fire SSL certificates practically certificates that you can install on your browser and so on is sort of very easy if none of the default filters that you find in the core uh are sufficient for your needs to implement a few other than that of course new kind of filters to include it in GeoServer to configure them and let GeoServer work with your scheme of authentication that you already have in your infrastructure and since the out these are filters that come from the Spring 
Security framework you will probably find someone that already has done something similar to start with I in the phase of
authentication when with the filters you have gathered information from the user so for example username and password and you have to decide how to check the username and password on by of I don't know what it is the duty of the authentication providers it is another chain that you can configure like the user group service so another set of objects that are able to check that the the credentials gathered during the 1st phase are correct or not currently we have a set of default plugins that you can use directly one is a simple username and password checker that uses 1 of the user group services that you have configured for example like that you see and so my so it checks simply with the user group service that you have configured if the username and password is stored on the XML file or not or a database and all of the systems that we have already talked about uh for authentication providers the bottom we have the support for uh LDAP repositories that are very common in an enterprise infrastructure recently I personally worked on adding Active Directory support so we have this some more the option of flexor to the LDAP authentication provider to support Active Directory and not but not exactly the basically not require some configuration more to work and the there are some tutorials uh a further if you need more documentation the part as I do that said before these ask we can we cannot readily documented by the OK and as we said for a for the filters so to also for authentication providers you can write your own if you need 1 that is not included in the basic set of 2 the also
the filters uh if you need 1 that you don't you can look at it stand the extensions because GeoServer is split into a core installation and extensions that you can install as needed uh and there are some that are dedicated dedicated to security for example the CAS module that is a standard for managing single sign-on for a set of applications this module that support GeoServer to login the user using the CAS system there is also a community module named AuthKey that almost amount but some sort of key generated by a service or stored on the on the fly away and very other use data this is the applied the ball for example recently we had the some support to uh to the standard of that normally uses an excellent and XML file or a static database we have a support to call an external web service to check for some token and get back the user information and so on I ought to be able to uh contribute this work to the to the community module so that you can work with it and uh finally you can see that you know you can easily easily configure your authentication system to work with many existing authentication infrastructure like for example for some customers we work the uh to integrate their Shibboleth single sign-on system about out into a CAS too and all single-sign-on we also have the possibility you epochs the makes all the artist theater existing go to 1 all very flexible authentication in a a complex system where you have for example of a set of Internet users stored on and and Active Directory tourists and then you can also have some users coming from the Internet you the wanted to register on the Internet adopt about for example on a a sort of dedicated database for that you can mix all these cases configuring them together GeoServer will do all the work of authentication for you
of a really talking of our future improvements so the idea is to clean up a bit the authentication system because it's still a bit complex in some parts to users and filling some holes like for example as I said that the LDAP user group service to improve the flexibility of the system also to improve some existing modules like the AuthKey community module and if possible promote it to an extension of feature station and always and also if possible to create a new authentication to handle some cases that are not for currently supported OK this brings us
to the authorization part the it
is a companion to the authentication when I know who the user is I am able to decide what it can do inside the GeoServer system for this I use the authorization system GeoServer uh by default implements a big white in and out is how to efficiently and uh mechanism uh basically permission can only be assigned to roles not directly to users or groups so you have to face the assignment of permission you have 1st to decide which roles and what and then decide how to assign those roles to users or groups you and for what really is related to which kind of information I can go if you were here uh authorization the basic properties of the GeoServer system uh doesn't seem opportunities that is decide which data can be uh can be permitted so uh at the workspace or a layer level and at the service level which kind of services the user can access that WMS WFS and so on but C the authorization system is very pluggable it's possible to extend it very easy to implement a more complex set authorization system and for this for example we at
GeoSolutions and created that their particular solution that is GeoFence that extends the standard authorization system adding some kind of rules that are more finer-grained for example of how we the basic authorization system you can only decide if if 1 layer is accessible by the user or not using GeoFence you can for example
say that this user can access this layer but only for the specific area considered a colleague inside the United States not when you're up for I can also decide a for example
which attributes of the layer they are visible by certain user and other attributes that are not the I that the possibility of decided more easily what the user can do and what not also since the basic authorization system is to enable to authorize roles not directly users with GeoFence you can also say that assign permission directly user by user so it's a simple extension uh to the basic GeoServer security system that allows you to specify whether which kind of permission the users the fish and some of the questions the the any questions about focus and this was 1st I would you say it's easier to implement and Active Directory were sugarless yeah is what is the rule of 3 people see me and I know what you in In the medical Doppler uh configuration because of for example of what Active Directory needs so that the user is authenticated before he can get to the groups bound to the user so we had to add support for this and some other flags the tunnel was to decide how to extract the data in the Active Directory store and it'll be different than a basic OpenLDAP repository for example so with these new fields so we have to support for the Shibboleth part what we did is basically an at the front end up on the web server we that the module for Shibboleth before GeoServer that that communicates the front-end to GeoServer using for example GCP proxy brought to court so that a party with psoriasis response for responsible for the Shibboleth part and then GeoServer can use of the information that the front-end sends to trust the identity of the user this is the way we integrated Shibboleth with GeoServer OK they have and
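The built-in data security rules that the abstract and the authorization part of the talk describe (read/write access to workspaces and layers granted to roles, plus a catalog mode deciding whether a denied layer is hidden or challenged) can be exercised with the following added Python model. It is example code written for this page, not GeoServer's own implementation; it follows the documented layers.properties syntax, and the sample rule file, the role names and the deny-when-no-rule-matches default are assumptions of the example.

```python
"""Model of GeoServer-style layers.properties data-security rules (added example).
Syntax modelled: <workspace>.<layer>.<mode>=<role>[,<role>]*  (mode r = read, w = write)
plus the catalog 'mode' line; precedence is layer > workspace > global rule.
Assumption of this model: when no rule matches at all, access is denied."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple
# Constructed sample rule file, not taken from any real deployment.
LAYERS_PROPERTIES = """
# catalog mode: HIDE makes denied layers invisible, CHALLENGE/MIXED answer 401
mode=HIDE
*.*.r=*
*.*.w=NO_ONE
topp.*.r=ROLE_INTERNAL
topp.*.w=ROLE_EDITOR
topp.states.r=ROLE_INTERNAL,ROLE_PARTNER
secure.*.r=NO_ONE
secure.*.w=NO_ONE
"""

@dataclass(frozen=True)
class Rule:
    workspace: str          # "*" matches any workspace
    layer: str              # "*" matches any layer of the workspace
    mode: str               # "r" or "w"
    roles: FrozenSet[str]   # role names, "*" (anyone) or "NO_ONE"

def parse_rules(text: str) -> Tuple[str, List[Rule]]:
    """Parse a layers.properties body into (catalog mode, rule list)."""
    catalog_mode, rules = "HIDE", []       # HIDE is the default catalog mode
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        key, _, value = line.partition("=")
        if key.strip() == "mode":
            catalog_mode = value.strip().upper()
            continue
        parts = key.strip().split(".")
        if len(parts) != 3 or parts[2] not in ("r", "w"):
            raise ValueError(f"malformed rule: {line!r}")
        roles = frozenset(r.strip() for r in value.split(",") if r.strip())
        rules.append(Rule(parts[0], parts[1], parts[2], roles))
    return catalog_mode, rules

def specificity(rule: Rule) -> int:
    """0 = global (*.*), 1 = workspace-level (ws.*), 2 = layer-level (ws.layer)."""
    if rule.workspace == "*":
        return 0
    return 1 if rule.layer == "*" else 2

def is_allowed(rules: List[Rule], workspace: str, layer: str,
               mode: str, user_roles: Set[str]) -> bool:
    """The most specific matching rule decides; ROLE_ADMINISTRATOR bypasses rules."""
    if "ROLE_ADMINISTRATOR" in user_roles:
        return True
    matching = [r for r in rules if r.mode == mode
                and r.workspace in ("*", workspace) and r.layer in ("*", layer)]
    if not matching:
        return False                      # assumption: no rule means deny
    winner = max(matching, key=specificity)
    if "NO_ONE" in winner.roles:
        return False
    if "*" in winner.roles:
        return True                       # "*" grants the mode to anyone
    return bool(winner.roles & user_roles)

def decide(layers_properties: str, qualified_layer: str, mode: str,
           user_roles: Set[str]) -> str:
    """Return "OK", or how the denial surfaces under the configured catalog mode."""
    catalog_mode, rules = parse_rules(layers_properties)
    workspace, _, layer = qualified_layer.partition(":")
    if is_allowed(rules, workspace, layer, mode, user_roles):
        return "OK"
    return "HIDDEN" if catalog_mode == "HIDE" else "CHALLENGE"
```

Calling `decide(LAYERS_PROPERTIES, "topp:states", "r", {"ROLE_ANONYMOUS"})` shows the layer-level rule overriding the permissive global `*.*.r=*`, which is the precedence a reviewer should check when auditing a rule file.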