Advanced Security with GeoServer and GeoFence

Video in TIB AV-Portal: Advanced Security with GeoServer and GeoFence

Formal Metadata

Advanced Security with GeoServer and GeoFence
Title of Series
CC Attribution - NonCommercial - ShareAlike 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Release Date
Production Year
Production Place
Seoul, South Korea

Content Metadata

Subject Area
The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, from basic/digest authentication to CAS support, go through the various identity providers, such as local config files, database tables and LDAP servers, and show how it's possible to combine the various bits in a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it into a home-grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions, and look at the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore the advanced authentication provider, GeoFence, explore the levels of integration with GeoServer, from the simple and seamless direct integration to the more sophisticated external setup, and see how it can provide GeoServer with complex authorization rules over data and OGC services, taking into account the current user, OGC request and requested layers to enforce spatial filters and alphanumeric filters, attribute selection as well as cropping raster data to areas of interest.
Hello, good afternoon. My name is ... and I'm presenting Advanced Security with GeoServer. As you can see from the slide, my name is not included in the presenters, and that's why: I didn't work on this topic, and my colleagues helped me to put together this presentation. But I'm the only one here; nonetheless I know the topic fairly well, so I'll be able to present it anyway.
I work for GeoSolutions, an Italy-based company that provides consultancy, support and custom development on GeoServer and other open-source projects. We are a strong contributor to GeoTools, as well as, obviously, to GeoServer itself, and so on.
A little overview of the presentation: we go through authentication and authorization. If we consider the stack, we have a layer of authentication on top. The request comes in, it goes through authentication, and authentication decides whether or not we want this user to have anything to do with GeoServer. If it goes through, it gets to the services. The service code in GeoServer is completely unaware of security; then there is the catalog, which is the data access part, and that is security-aware. So even if you have your own extra service in GeoServer which doesn't know anything about security, you will be secured anyway, because we secure the data access. While we secure the data access we also check what service you came through, so if you want to secure a mix of data access and service access, you can do it.
Authentication is performed through the filter chains. The security filters are classes specialized to deal with authentication: some recognize that you authenticated previously via a session, or can recognize you via a cookie, or can extract username and password from an HTTP header, and so on. At the end of the chain, the chain has decided whether or not you really have to authenticate. Maybe you authenticated previously, and in that case you don't have to go through authentication again; but in case they decided that you have to authenticate, you are passed to the authentication providers. If you are pre-authenticated from some previous request, you go directly to the request. GeoServer is a complicated application: we have the web front-end, we have the OGC services, we have the REST configuration services, so each separate part of the GeoServer services is covered by a different set of chains. So for example the user interface allows for form-based authentication, HTML forms, which will allow the creation of a session; if none is available it will use remember-me cookies and so on. The OGC services want to be as fast as possible, as light as possible, so they have a lighter set of chains, and they basically support basic authentication by default.

These are the bits that you can configure in the filter chains. As I said, all the chains are configurable; all the chains can get attached to different URL patterns. There are filters that gather user credentials and handle missing authentication: form authentication, digest authentication, and marking the user as anonymous as a last resort. We have pre-authentication filters that recognize that you already authenticated in a previous interaction with the server, such as a session, an HTTP header, remember-me cookies, J2EE container authentication and so on. Everything is pluggable, so if you need to integrate a different kind of authentication, you can do it by integrating your own filter. And then we have the authentication providers.
Let's say the chain has decided that you have to authenticate, we don't know who you are; then we go through the authentication providers. The authentication providers can be as simple as checking your username and password, fetched from an HTTP header, against a database, which can be stored as an XML file or an actual database, or something different, such as using the credentials you provided directly to authenticate against an LDAP server with that username and password, or against a database by opening a connection with that username and password. And again this is pluggable, so you can extend the ability to authenticate towards other authentication mechanisms. As I said, all of this is based on Spring Security, which is the most used Java-based security library. Then we have the role providers.

OK, let's say we have decided to authenticate you, we have authenticated you; now what can you do? Security in GeoServer is role-based; some plugins can also make it user-based, but normally you categorize your users by roles and then decide what to do based on the roles they have. So we have role providers as well, because authentication is sort of a generic thing, while authorization is normally quite specific to that particular application, so you normally have your own roles for it in practical applications: for example the roles that you might have for GeoServer are not the roles that you might have for your e-mail system. So we have again a set of pluggable role providers. In the simplest case, like a self-contained GeoServer that you run around on your laptop, normally everything is based on XML files, but then you can scale up to more production-size solutions. As an extension, for example, we have the integration with CAS, the Central Authentication Service, which is a single sign-on solution, quite popular, which allows you to basically sign on to one of the main servers that you have in your network and then be authenticated with all the others automatically. Another example of plugin that we have is the pre-authentication source that basically decides who you are based on the header that you put in the request. Now you say, this is crazy. OK, I sort of agree with you, but if you are using HTTPS as the transport protocol, not even the URL is visible to the attacker, and something like this allows applications which are completely security-unaware to play in a secure environment. This is used because some of the applications out there don't know how to do basic HTTP or digest authentication.
OK, so let's say the authentication problem is solved; let's move to authorization. Now we know who you are, we know what your roles are: what can you do?

Authorization, as I said: we are past authentication, and given your user roles we decide whether or not you can do something on a certain resource. The action could be something as generic as read/write on the data, or something specific like "you called GetFeature on the WFS protocol on this layer, are you allowed or not?". The resource can be a workspace, a layer, a layer group, that kind of stuff.
Authorization in GeoServer is pluggable, so we have our own interfaces that you can implement to plug in your own authorization subsystem. You basically have to implement those methods that check, against an interface, whether or not you can do something against a workspace, a layer, a layer group; and in the case of listing of layers, such as the capabilities of any request, the provider can specify a filter that will decide whether or not a layer can be accessed, instead of having to go layer by layer, "can I do this, can I do this", a hundred thousand times. The security subsystem actually allows quite fine-grained security: you can decide whether or not an attribute is visible, whether or not it can be written, you can apply read and write filters, so you can decide that for example a certain area of a source can be read by your user, another can be written by the user, and they can be asymmetric: maybe the user can read everything but only write in a specific area, which is quite common in data-gathering applications when you have multiple people going out, each one with a specific area. But this can be of course also semantic, temporal, whatever, so you can easily use all the power of filters to limit the data access.

Implementations of this interface: we have the default security subsystem that GeoServer provides out of the box; it's pretty simple, it's probably 10 years old now, but it can decide whether or not you can access something like a layer. As I said, pretty basic. Then we have GeoFence, which is an external application, with a star because it's turning into a library, which makes full use of the resource access manager interfaces. And then you can add your own custom implementations: since it's an interface you can literally plug it into your enterprise system and have it talk to your authorization databases or procedures if you want to, which is quite common in some enterprise setups.
So let's talk about GeoFence then; the default implementation is rather boring.

GeoFence is an extended authentication, sorry, authorization subsystem for GeoServer. It does optional authentication, but we often don't use it. It's completely open source, it's part of the GeoServer project, you can navigate to the code on GitHub, so you can see it from the GeoServer organization.

What's the structure? Well, normally GeoFence is a separate server, it's a separate web application. GeoServer has a plugin that is used to talk with this server, and it will tell the server "OK, user X is trying to do this"; GeoFence will apply a certain set of rules, decide whether or not those actions are allowed, and respond back to GeoServer. GeoFence has its own administration API and its own administration front-end, so you have a user interface where you set the rules, plus the REST API if you want to automate updating or modifying the rules, and it stores all of its configuration in a database; it could be Postgres or whatever.
So the user interface more or less looks like this. It has its own user management, but I'm not going to get too much into it; just one interesting factoid: we have the notion of instances, because a single GeoFence installation might be managing security for multiple clusters of GeoServer, like security for an internal cluster and security for an external-facing cluster, with a different set of users and rules.

How are the rules applied? Well, you know, we all know about iptables; iptables is a way to control network access on a Linux machine, and the GeoFence rules are actually modeled loosely against the iptables approach. So we have a list of rules; a rule can be matching a user, a group, a GeoServer instance, a specific IP, a service, a request, a workspace, a layer, and then decide whether or not that combination is allowed or denied. The first matching rule wins: we basically go from top to bottom and the first rule matching wins. Normally the approach is that you apply the restrictions first, and then, sorry, you apply whatever you can do first, and then the last rule denies everything, so that if you ever get to the last rule you don't get access.
All of this is what I just said: the matching of the rule against the various possible combination bits. This is already quite a bit of a marked improvement over the GeoServer default security, in that in a single rule you can put together the data and the service accessing it, so you can say for example that you can access a certain layer via WMS but not via WFS, which is not something you can do with the default built-in security. So this is one example of GeoFence rules, saying for user u1, instance ..., service WMS, workspace w1, allow; and then everything else is denied, which means that user u1 can access everything in workspace w1, but only via WMS requests, and can't do anything else. So it's a way to lock down that user to that particular workspace and service.
Then we have another type of rule. So far I showed you allow and deny, but we also have limit rules. The limit rules are something we go through and collect: the limit rules don't say you cannot access, but restrict your access. They say OK, you can access this layer, but we are going to remove some of the attributes, we are going to filter the data, we are going to force a particular style so that you are constrained. So there will be an allow rule saying that you can access the layer, but the limit rules take care of how you can access it. As I said, you can restrict to an available area, to alphanumeric conditions, and you can also restrict the available attributes and say something like, the result you will see is only this and the third attribute. So our situation is that you have a stand-alone GeoFence server running, and all the GeoServers talk to it via the plugin. Since there is network traffic, we cache the authorization decisions, not for that long of course, but enough to avoid asking the same question a hundred times in a second, and we have an API to manipulate the cache in case you want immediate purging of all the cached information because you made an important change. GeoFence itself has an extensive REST API that allows you to query, page through all the rules and modify them, so that you can automate any kind of mass change you want to do to the security rules. We also have a backup and restore service attached to the REST services, so that you can back up, restore and bring the configuration from a test environment to production.
All I have said up to now was there last year and maybe the year before; this is old news. This is new: the GeoFence direct integration.

As with GeoWebCache, people started complaining: OK, but it's external, I have another server, why do I have to go through such complications? I want just my single GeoServer with everything in it. GeoWebCache got sucked into GeoServer, and it's still possible to run it externally, but only a few deployments do that. GeoFence is on the road to being sucked into GeoServer as the new default security subsystem; it will be a long road, it's not going to happen tomorrow, but we are at the first steps. GeoFence is Java-based, so it can run inside GeoServer just as if it was a library; the rules are stored in a database, just as before. We are doing it just like GeoWebCache got integrated, in baby steps, so the integrated version is not giving you the full power of the external GeoFence; it's going to give you enough convenience, enough extra power compared to the default system to be interesting. So, on to the user interface.
We have a configuration page. One of the things that we might want to move to the general GeoServer configuration is whether or not you allow dynamic styling, dynamic SLD, so the SLD passed through the request. And we have control of the cache, how long-lived the entries in the cache are, and some statistics like cache hits, cache misses and so on.

Then we have a user interface to create the rules, which is very, very similar to the existing system; it's just a matter of selecting the user, the role and the access, as you can see. It's simple, there is nothing special about it. After playing around a bit with it you end up with a list of rules that define your overall security behavior. I'm going to show you an example.
Here I have three rules. The first says whatever, workspace tiger, access allow, so the whole tiger workspace is wide open. The second says on the workspace spearfish, layer archsites, allow; and everything else is denied. So if you have a bit of familiarity with the GeoServer layer preview, we are going to lose the other layers, we are going to lose the Tasmania layers and so on, and the result is this: we have all the tiger layers and just archsites, and everything else is gone. The admin, as I said, is all-powerful, so the admin will see everything. I've got another example here.

In this case we allow the workspace tiger, then deny specifically the archsites layer, but then allow anything else in the spearfish workspace, and then deny everything. So I'm basically switching the other example around: allow the spearfish workspace, and the result is that I see everything from tiger and almost everything from spearfish, but not archsites.
Of course you can get more sophisticated by adding more rules; we have some deployments that have a few hundred because they've got many, many users. There's quite a bit of work to do on this.

As I said, we made it just interesting enough to be a step above the default security subsystem, but of course we have to add the support for the limit rules; the limit rules are not supported in the integration, and that's of course a big limitation. So we don't have a way to force a style, and the filter by area is something that is left to do; the day when we do that, the embedded GeoFence would be almost as powerful as the external one, while at the moment it's just a step above the default. We still don't have the ability to control the priority at the rule level, which is something that we have to work on: the rules are ordered, so we need a better way in the user interface to sort them and change their position. At the moment we are just using an embedded H2 database, so this is meant for a single-server deployment; GeoFence can connect to an external database system, but the user interface is not there yet, so we will have to adapt it. It would also be nice to be able to migrate the old security system rules into GeoFence as you upgrade your GeoServer; we still don't have it, but it's possible. All of this of course is pending on funding, some project that can sponsor this work.
Any questions?

Question: do you support time-of-day filters, so that you can restrict access for a certain time period, certain weeks, things like that?

No, at the moment we don't do that, neither in the external nor in the integrated version. We have something close in the control-flow module, which is meant to throttle traffic: there are a lot of flow controllers that you can attach to a specific type of user so that they don't ever go above a certain rate of requests, and if they go above we slow them down. That's the closest thing we have, but it's not what you asked. Then again, the subsystem in control-flow could be reused to apply it.

Question: OK, thanks again for this great piece of software. First, a question regarding compatibility: the GeoFence direct integration was introduced in which GeoServer version? [unintelligible]

[unintelligible] If many people show up I can start all over, or we can talk over a beer. The program was changed from the printed version: the online version says this is at three, but the printed version says it's at four. Anyway, if there are enough people that want to see this presentation again I can start over, no problem. This is my fifth presentation, I have another like seven.
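A simulation of the rule-ordering behaviour the talk describes (rules matched top to bottom like iptables, first match wins, a final rule denying everything), written as an added example; it is not GeoFence's own code, and the catalog, user names and rule sets are constructed from the talk's demos (tiger/spearfish layers, the u1/w1 WMS rule).

```python
"""Simplified GeoFence-style rule matching: ordered rules, first match wins.

Added example, not GeoFence's own code. Fields mirror what the talk lists
(user, role, instance, service, request, workspace, layer); ANY means the
rule leaves that field unset and so does not constrain it.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = None


@dataclass(frozen=True)
class Rule:
    access: str                    # "ALLOW" or "DENY"
    user: Optional[str] = ANY
    role: Optional[str] = ANY
    instance: Optional[str] = ANY  # which GeoServer instance/cluster
    service: Optional[str] = ANY   # e.g. "WMS", "WFS"
    request: Optional[str] = ANY   # e.g. "GetMap", "GetFeature"
    workspace: Optional[str] = ANY
    layer: Optional[str] = ANY


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    instance: str
    service: str
    request: str
    workspace: str
    layer: str


def matches(rule: Rule, req: Request) -> bool:
    """A rule matches when every field it sets equals the request's value."""
    pairs = [(rule.user, req.user), (rule.instance, req.instance),
             (rule.service, req.service), (rule.request, req.request),
             (rule.workspace, req.workspace), (rule.layer, req.layer)]
    if any(f is not ANY and f != v for f, v in pairs):
        return False
    return rule.role is ANY or rule.role in req.roles


def decide(rules: List[Rule], req: Request) -> str:
    """iptables-style: walk top to bottom, the first matching rule wins.
    Falling off the end denies, so a forgotten catch-all never opens access."""
    for rule in rules:
        if matches(rule, req):
            return rule.access
    return "DENY"


def visible_layers(rules: List[Rule], user: str, roles, instance: str,
                   catalog: Dict[str, List[str]]) -> List[str]:
    """What a layer listing would show: layers the user may reach via WMS GetMap."""
    out = []
    for ws, layers in catalog.items():
        for layer in layers:
            req = Request(user, frozenset(roles), instance, "WMS", "GetMap", ws, layer)
            if decide(rules, req) == "ALLOW":
                out.append(f"{ws}:{layer}")
    return out


# Constructed catalog modelled on the GeoServer sample data shown in the talk.
CATALOG = {"tiger": ["poi", "roads"],
           "spearfish": ["archsites", "bugsites", "restricted"],
           "topp": ["states"]}

# Talk's first demo: tiger wide open, only archsites from spearfish, rest denied.
RULES_DEMO_1 = [Rule("ALLOW", workspace="tiger"),
                Rule("ALLOW", workspace="spearfish", layer="archsites"),
                Rule("DENY")]

# Talk's second demo: archsites denied *before* the rest of spearfish is allowed.
RULES_DEMO_2 = [Rule("ALLOW", workspace="tiger"),
                Rule("DENY", workspace="spearfish", layer="archsites"),
                Rule("ALLOW", workspace="spearfish"),
                Rule("DENY")]

# Talk's u1/w1 example: one rule ties the data (w1) to the service (WMS) reaching it.
RULES_U1 = [Rule("ALLOW", user="u1", workspace="w1", service="WMS"), Rule("DENY")]

if __name__ == "__main__":
    print(visible_layers(RULES_DEMO_1, "bob", [], "default", CATALOG))
    print(visible_layers(RULES_DEMO_2, "bob", [], "default", CATALOG))
```

Swapping the deny-archsites and allow-spearfish rules in the second set makes archsites visible again, which is the ordering pitfall the talk's "restrictions first, catch-all deny last" advice guards against.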