Advanced Security with GeoServer and GeoFence

Automated media analysis (beta)

Speech transcript
Hello, good afternoon. My name is Andrea Aime and I'm presenting Advanced Security with GeoServer. As you can see from the slide, my name is not included in the presenters, and that's because I didn't work on this topic; my colleagues helped me to put together this presentation, but I'm the only one here. Nonetheless I know the topic fairly well, so I'll be able to present it anyways.
I work for GeoSolutions, an Italy-based company that provides consultancy, support and custom development on GeoServer and other open-source projects that we are a strong contributor to: GeoServer, GeoTools, and, well, a less strong contributor to others.
A little overview of the presentation: we go through the authentication and authorization steps of a standard GeoServer setup. If we consider the stack, we have authentication at the top: the request comes in, it goes through authentication, and authentication decides whether or not we want this user to have anything to do with GeoServer at all. If it goes through, it gets to the services. The services in GeoServer are completely unaware of security, and then there is the catalog, which is the data access part, which is security-aware. So even if you have your own extra service in GeoServer which doesn't know anything about security, you will be secured anyways, because we secure the data access. While we secure the data access we also check what service you went through, so if you want to secure a mix of data access and service access you can do it.
Authentication in GeoServer is performed through the filter chains. The security filters are classes specialized to deal with authentication: some recognize that you authenticated previously via a session, or can recognize you via a cookie, or can extract username and password from an HTTP header, and so on. At the end of the chain, the chain has decided whether or not you really have to authenticate: maybe you authenticated previously, and in that case you don't have to go to authentication again; but in case they decided that you have to authenticate, you go to the authentication providers. If you are pre-authenticated from some previous request, you skip that step. GeoServer is a complicated application: we have the web front-end, we have the OGC services, we have the REST configuration services, so each separate part of the GeoServer services is covered by a different set of chains. So for example the user
interface allows for form-based authentication, HTTP, sorry, HTML forms, that will allow the creation of a session; if none is available it will use remember-me cookies and so on. The OGC services one wants to be as fast as possible, as light as possible, so it has a lighter set of chains, and they basically support Basic authentication by default. Then you can configure the URLs where the
chains apply. These are the bits that you can call during the filter chain, and as I said all the chains are configurable; all the chains can get attached to different URL patterns. There are filters that gather user credentials and handle missing authentication: form authentication, digest authentication, and marking the user as anonymous as a last resort. We have pre-authentication filters that recognize that you already authenticated in a previous interaction with the service, such as a session, an HTTP header, remember-me cookies, J2EE container authentication, and so on. Everything is pluggable, so if you need to integrate a different kind of authentication you can do it by integrating your own filter. And then we have the authentication providers.
Say it is decided that you have to authenticate: we don't know who you are, so we go through the authentication providers. The authentication providers can be as simple as checking the username and password fetched from an HTTP header against a database, which can be stored as an XML file or in a database, or something different, such as using the credentials you provided directly to authenticate against an LDAP server with that username and password, or against a database by opening a connection with that username and password. And again this is pluggable, so you can extend the ability to authenticate towards other authentication mechanisms. Something I should say about all of this is that it is based on Spring Security, the same Java-based library used by many applications. Then we have the role
providers. OK, let's say we have decided to authenticate you and we have authenticated you: now what can you do? Security in GeoServer is role based (some plugins can also make it user based, but normally you categorize your users by roles and then decide what to do based on the roles they have). So we have role providers as well, because authentication is sort of a generic thing, while authorization is normally quite specific to that particular application, so you normally have your own roles for it in practical applications: for example the roles that you might have for GeoServer are not the roles that you might have for your e-mail system, right? So we have again a set of pluggable role providers. In the simplest case, like a bit of self-contained GeoServer that you carry around on your laptop, normally everything is based on XML files, but then you can scale up to more production-sized role solutions as an extension. For example we have the integration with CAS (Central Authentication Service), which is a single sign-on solution, quite popular, which allows you to basically sign on to one of the main services that you have in your network and then be authenticated against all the others automatically. Another example of plugin that we have, among the authentication sources, is known as the key authentication: it basically decides who you are based on a key that you put in the URL. Now you say, this is crazy. OK, I sort of agree with you, but if you are using HTTPS as the transport protocol not even the URL is visible to the attacker, and something like that allows applications which are completely security unaware to play in a secure environment. So, just to say, this is in use, because some of the applications out there don't know how to do Basic HTTP or digest authentication.
OK, so the authentication problem is solved; let's move to authorization. Now we know who you are, we know what your roles are: what can you do?
Authorization: as I said, we are on the other side of authentication. Given your user and roles, we decide whether or not you can do a certain thing on a certain resource. The action could be something as generic as a read or write on the data, or something specific like you called GetFeatureInfo under the WMS protocol on this layer: are you allowed or not? The resource can be a workspace, a layer, a layer group, that kind of stuff.
The authorization as well is pluggable, so we have our own interfaces that you can implement to roll your own security subsystem, sorry, your own authorization subsystem, and you basically have to implement those methods back there that ask, against an interface, whether or not you can do something against a workspace, a layer or a layer group. In case of mass listing of layers, such as the capabilities documents, the provider can specify a filter that we'll use to decide whether or not a layer can be accessed, to avoid having to go layer by layer asking "can I do this, can I do this?" a hundred thousand times. The security subsystem actually allows quite fine-grained security: you can decide whether or not an attribute is visible, whether or not an attribute can be written, and you can apply read and write filters, so you can decide that for example a certain area of a source can be read by the user and a different one written by the user, and they can be asymmetric: maybe the user can read everything but only write in a specific area, which is quite common in data gathering on the ground when you have multiple people going out, each one in a specific area. But this can also be of course alphanumeric, temporal, whatever, so you can easily use all the power of the filters to limit the data access.
So, implementations of this interface: we have the default security subsystem that GeoServer has out of the box. It's pretty simple, it's probably 10 years old now, but it can decide whether or not you can access something. As I said, pretty basic. And then we have GeoFence, which is an external application, with a star because it's turning into a library, which makes full use of the resource access manager interfaces. And then you can add your own custom implementations: since it's an interface you can literally plug it into your enterprise system and have it talk to your authorization databases or procedures, which is quite common in some enterprise shops. So let's talk
about GeoFence, then; the default implementation is rather boring.
GeoFence is an extended authentication, sorry, authorization subsystem for GeoServer. It does optional authentication, but we often don't use it. It's completely open source, it's part of the GeoServer project, and you can go and get the code from GitHub. What's the
structure? Well, normally GeoFence runs as a separate server, it's a separately deployed web application. GeoServer has a plugin that is used to talk with this server, and it will tell the server "OK, user X is trying to do this on that", and the server will apply a certain set of rules, decide whether or not those actions are allowed and respond back to GeoServer. GeoFence has its own administration API and its own administration front-end, so you have a user interface where you edit the rules, and a REST API if you want to automate updating and modifying the rules, and it stores all of its configuration in a database.
So the user interface more or less looks like this. It has its own user
management, but I'm not going to get too much into it; just one interesting factoid: we have the notion of instances, because a single GeoFence installation might be managing security for multiple clusters of GeoServer, like security for an internal cluster and security for an external, public-facing cluster, with a completely different set of users and rules.
How are the rules applied? Well, who here knows about iptables? Right, iptables is a way to control network access on a Linux machine, and the GeoFence rules are actually modeled loosely on the iptables approach. So we have a list of rules, and a rule can be matching a user, a group, a GeoServer instance, a specific service, request, workspace, layer, and then decide whether or not that combination is allowed or denied. The first rule matching wins, so we basically go from top to bottom and the first matching rule wins. Normally the approach is that you apply the allows first, whatever you can do first, and then the last rule denies everything, so that if you ever get to the last rule you don't get access.
Yeah, all of this is what I just said: the matching of the rule against the various possible bits. And this is already quite a marked improvement over the GeoServer default security, in that in a single rule you can put together the data and the service accessing it, so you can say for example that you can access a certain layer via WMS but not via WFS, which is not something you can do with the default built-in security. So this is one example of rules. The first one is saying: for user u1, WMS, workspace w1, allowed, so this user is allowed to access workspace w1; and then for user u1 everything else is denied, which means that user can access everything in the workspace w1 but only through WMS requests, and can't do anything else. So it's a way to lock down that user to that particular workspace and service. And then we have
the type of rule: so far I showed you allow and deny, but we also have limit rules. Limit rules are something we go through and collect: limit rules don't say you cannot access, but restrict your access. So they say, OK, you can access this layer, but we are going to remove some of the attributes, we are going to filter the data, we are going to force a particular style, so that you are constrained. So there would be an allow rule saying that you can access the layer, but the limit rule dictates how you can access it. And as I said you can restrict on an available area, on alphanumeric conditions, and you can
also restrict the attributes that are available to the user and say something like: this attribute you will not see at all, this one is read-only, and this one you can actually write on. That's what we use in the GeoFence setup. So our situation is that you have a
stand-alone GeoFence server running and all these GeoServers talking to it via the plugin. Since there is network traffic, we have a cache: we cache the decisions, not for that long of course, but enough to avoid asking a hundred times the same question in a second, and we have an API to manipulate it in case you want immediate purging of all the cached information because you made an important change. GeoFence itself has an extensive REST API that allows you to query, page through all the rules and modify them, so that you can automate any kind of mass change you want to do to the security rules. And also we have a backup and restore service attached to the REST services, so that you can back up and restore and bring the configuration maybe from a test environment to production. Now, I have
always said that, up to now, this is last year's and maybe the year before's news. This is new: this is the GeoFence direct integration.
As with GeoWebCache, people started complaining: OK, but it's external, I have to run another server, why do I have to go through such complications? I want just my single GeoServer with everything in it. Just as GeoWebCache got sucked into GeoServer (it's still possible to run it externally, but only a few deployments do that), GeoFence is on the road to being sucked into GeoServer as the new default security subsystem. It will be a long road, it's not gonna happen tomorrow, but we are at the first steps. So GeoFence is Java based, it can be run inside GeoServer just as if it was a library; the rules are stored in a database just as
before. We're doing it just like GeoWebCache got integrated, by baby steps, so the integrated version is not giving you the full power of the external GeoFence; it's gonna give you enough convenience, enough extra power compared to the default system, to be interesting. So, yeah, just a stroll through
the user interface. We have a configuration panel, in GeoServer terminology. So for example one of the things that we might want to move to the general GeoServer configuration is whether or not you allow dynamic styling, that is, styles passed through in the request. And we have control of the
cache, so how long-lived the entries in the cache are, and some statistics like cache hits, cache misses and so on.
And then we have a user interface to create the rules, which is very, very similar to the default system; as you can see, most of it is not that different from the usual configuration.
After playing around a bit with it you get a list of rules that define your overall security behavior. Let me show you an
example. Here I have three rules. The first says: whatever user, workspace tiger, allow, so the tiger workspace is wide open. The second says: on the workspace spearfish, layer archsites, allow. And everything else, deny. So if you have a bit of familiarity with the GeoServer layer preview, we
are going to lose some of the spearfish layers, we are going to lose the Tasmania layers and so on, and the result is this: we have all the tiger layers and just archsites, and everything else is gone. I have another
example here: in this case we allow the workspace tiger and then deny specifically the archsites layer, but then allow anything else in the spearfish workspace, and then deny everything. So I'm basically switching the other way the authorization on the spearfish
workspace, and the result is that I see everything from tiger and almost everything from spearfish, but not archsites, which was blocked. Of course you can
get more sophisticated by adding more rules; we have some deployments that have a few hundred, because they've got many, many, many users. There's quite
a bit of work to do on this. As I said, we made it just interesting enough to be a step above the default security subsystem, but of course we have to add the support for the limit rules: limit rules are not supported in the integration, and that's of course a big limitation. So you don't have a way to force a style, and the limit that would be useful for many, the filter by area, is something that we still have to do. The day when we do that, the direct integration will be almost as powerful as the external one; at the moment it's just a step above the default. And we still don't have the ability to control the rights at the rule level, which is something that we have to work on. The rules are ordered, so we need a better way in the user interface to order them and change their position, but I can do something like that at the moment. We are just using an embedded H2 database, so this is meant for a single server deployment; GeoFence can connect to an external database system, but the user interface is not there yet, so we will have to adapt it. And it would also be nice to be able to migrate the old security system rules, which you might find yourself with as you upgrade GeoServer. So there's still a bit of work to do, but it's possible; all of this of course depends on funding or some project that can sponsor this work. This is
it. Any questions? A question about time-of-day and similar filters: can you restrict access for a certain time period, certain weeks, things like that? No, at the moment we don't do that, neither in the external one nor in the integrated one. We have something close in the control flow module, which is meant to throttle traffic: there is a flow controller that you can attach to a specific type of user so that they don't ever go above a certain rate of requests, and if they go above, we slow them down. So that's the closest thing we have, but it's not what you asked; but then again, the same subsystem in control flow could be used to apply it. OK, thanks again for this great piece of software. First, a question regarding the compatibility of the GeoFence direct integration ... The program was changed from the printed version: the online version says this is the third, not the fourth, but the printed version says it's the fourth. Anyways, if there are enough people that want to see this presentation again I can start over, no problem. This is my fifth presentation.
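The talk describes GeoFence's iptables-like rule list (match on user, role, instance, service, request, workspace and layer; first matching rule wins; a closing deny-all) and walks through three rule sets: tiger open plus only archsites in spearfish, tiger open plus spearfish except archsites, and user u1 locked to workspace w1 over WMS only. The evaluator below is added example code, not GeoFence's own; its field names, the `ANY` wildcard and the catalog entries are assumptions constructed for illustration, and it models allow/deny only, not limit rules.

```python
"""First-match rule evaluation in the style of the GeoFence rule list.
Added example, not GeoFence's code: field names, ANY wildcard and the
catalog below are constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = None  # a None field in a rule is a wildcard that matches anything


@dataclass(frozen=True)
class Rule:
    """One line of the rule list; None fields match any value."""
    grant: str  # "ALLOW" or "DENY" (limit rules are not modelled here)
    user: Optional[str] = ANY
    role: Optional[str] = ANY
    instance: Optional[str] = ANY
    service: Optional[str] = ANY   # e.g. "WMS", "WFS"
    request: Optional[str] = ANY   # e.g. "GetMap", "GetFeature"
    workspace: Optional[str] = ANY
    layer: Optional[str] = ANY


@dataclass(frozen=True)
class Access:
    """What is being attempted: who, through which service, on what."""
    user: str
    roles: Tuple[str, ...]
    service: str
    request: str
    workspace: str
    layer: str
    instance: str = "default"


def matches(rule: Rule, access: Access) -> bool:
    """A rule matches when every non-wildcard field equals the request's
    value; the role field matches if the user holds that role."""
    if rule.role is not ANY and rule.role not in access.roles:
        return False
    for name in ("user", "instance", "service", "request", "workspace", "layer"):
        wanted = getattr(rule, name)
        if wanted is not ANY and wanted != getattr(access, name):
            return False
    return True


def decide(rules: List[Rule], access: Access) -> str:
    """Walk the list top to bottom; the first matching rule wins.
    Falling off the end denies, mirroring the closing deny-all rule."""
    for rule in rules:
        if matches(rule, access):
            return rule.grant
    return "DENY"


def visible_layers(rules, user, roles, catalog, service="WMS", request="GetMap"):
    """Layers a capabilities document or layer preview would list for this user."""
    return [
        f"{ws}:{layer}"
        for ws, layer in catalog
        if decide(rules, Access(user, roles, service, request, ws, layer)) == "ALLOW"
    ]


# Constructed catalog loosely following the demo workspaces named in the talk.
CATALOG = [
    ("tiger", "poi"), ("tiger", "roads"),
    ("spearfish", "archsites"), ("spearfish", "roads"),
    ("topp", "tasmania_roads"),
]

# First example from the talk: tiger wide open, only archsites in spearfish.
RULES_ARCHSITES_ONLY = [
    Rule("ALLOW", workspace="tiger"),
    Rule("ALLOW", workspace="spearfish", layer="archsites"),
    Rule("DENY"),
]

# Second example: spearfish opened except archsites. Order matters: the
# specific deny must precede the workspace-wide allow to take effect.
RULES_BLOCK_ARCHSITES = [
    Rule("ALLOW", workspace="tiger"),
    Rule("DENY", workspace="spearfish", layer="archsites"),
    Rule("ALLOW", workspace="spearfish"),
    Rule("DENY"),
]

# Lock-down example: user u1 may use workspace w1 via WMS only.
RULES_U1_WMS_ONLY = [
    Rule("ALLOW", user="u1", service="WMS", workspace="w1"),
    Rule("DENY", user="u1"),
]

if __name__ == "__main__":
    print(visible_layers(RULES_ARCHSITES_ONLY, "alice", (), CATALOG))
    print(visible_layers(RULES_BLOCK_ARCHSITES, "alice", (), CATALOG))
    print(decide(RULES_U1_WMS_ONLY, Access("u1", (), "WFS", "GetFeature", "w1", "roads")))
```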

Metadata

Formal metadata

Title: Advanced Security with GeoServer and GeoFence
Series title: FOSS4G Seoul 2015
Author: Aime, Andrea
License: CC Attribution - NonCommercial - ShareAlike 3.0 Germany:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unchanged or modified form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner specified by them and pass on the work or content, also in modified form, only under the terms of this license.
DOI: 10.5446/32100
Publisher: FOSS4G
Publication year: 2015
Language: English
Producer: FOSS4G KOREA
Production year: 2015
Production location: Seoul, South Korea

Content metadata

Subject area: Computer science
Abstract: The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, such as basic/digest authentication and CAS support, check through the various identity providers, such as local config files, database tables and LDAP servers, and how it's possible to combine the various bits in a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it in a home-grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions, and check the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore the advanced authorization provider, GeoFence, explore the levels of integration with GeoServer, from the simple and seamless direct integration to the more sophisticated external setup, and see how it can provide GeoServer with complex authorization rules over data and OGC services, taking into account the current user, OGC request and requested layers to enforce spatial filters and alphanumeric filters, attribute selection as well as cropping raster data to areas of interest.