
Advanced Security with GeoServer and GeoFence

Transcript
Hello, good afternoon. My name is Andrea Aime and I'm presenting Advanced Security with GeoServer. As you can see from the slide my name is not included among the presenters, and that's because I didn't work on this topic; my colleagues helped me put together this presentation, but I'm the only one here. Anyway, I know the topic fairly well, so I'll be able to present it anyway.

I work for GeoSolutions, an Italy-based company that provides consultancy, support and custom development on GeoServer and other open source projects that we are strong contributors to: GeoTools, GeoServer itself and, to a lesser degree, GeoNetwork and others.

A little overview of the presentation. We go through authentication and authorization step by step for a standard user. If we consider the stack, we have a first layer of authentication on top: the request comes in, it goes through authentication, and authentication decides whether or not we want this user to have anything to do with GeoServer. If it goes through, then we have the services. A service in GeoServer is completely unaware of security, and then there's the catalog, which is the data access part, and that is security-aware. So even if you have your own extra service in GeoServer which doesn't know anything about security, you will be secured anyway, because we secure the data access. While we secure the data access we also check which service you came through, so if you want to secure a mix of data access and service access you can do it.

Authentication is performed through the filter chains. The filters, the security filters, are classes specialized to deal with authentication: some recognize that you authenticated previously via a session, or can recognize you via a cookie, or can extract the username and password from an HTTP header, and so on. At the end of the chain, the chain has decided whether or not you really have to authenticate. Maybe you authenticated previously, and in that case you don't have to go through authentication again; but in case they decide that you have to authenticate, you will be passed to the authentication providers. If you are pre-authenticated from some previous request, then you skip that step. GeoServer is a fairly complicated application: we have the web front-end, we have the OGC services, we have the REST configuration services, so each separate part of the GeoServer services is covered by a different set of chains. So for example the user interface allows for form-based authentication, HTML forms, that will allow the creation of a session; if none is available it will use remember-me cookies and so on. The OGC services want to be as fast as possible, as light as possible, so they have a lighter set of chains and basically support Basic authentication by default. Then you can configure the URIs that each filter chain applies to, and as I said all the chains are configurable, all the chains can be attached to different URL patterns.

There are filters that gather user credentials and handle missing authentication: form authentication, Basic authentication, Digest authentication, and marking the user as anonymous as a last resort. We have pre-authentication filters that recognize that you already authenticated in a previous interaction with the service, such as a session, an HTTP header, remember-me cookies, J2EE container authentication and so on. Everything is pluggable, so if you need to integrate a different kind of authentication that we don't have, you can do it by integrating your own filter. And then we have the authentication providers.

Say the chain has decided that you have to authenticate; we don't know who you are, so we go through the authentication providers. The authentication providers can be as simple as checking your username and password, fetched from an HTTP header, against a user database which can be stored as an XML file or in a database, or something different, such as using the credentials you provided directly to authenticate against an LDAP server with that username and password, or against a database by opening a connection with that username and password. And again this is pluggable, so you can extend the ability to authenticate towards other authentication mechanisms. Something I should say about all of this: it's based on Spring Security, so it's the same library most other Java-based applications use. Then we have the role providers.

OK, let's say we have decided to authenticate you, we have authenticated you; now, what can you do? Security in GeoServer is role-based. Some plugins can also make it user-based, but normally you categorize your users by roles and then decide what to do based on the roles they have. So we have role providers as well, because while authentication is sort of a generic thing, authorization is normally quite specific to that particular application, so you normally have your own roles for it in practical applications: for example, the roles that you might have for GeoServer are not the roles that you might have for your e-mail system, right? So we have again a set of pluggable role providers. In the simplest case, like a bit of self-contained GeoServer that you run on your laptop, normally everything is based on XML files, but then you can scale up to more production-sized solutions. As an extension, for example, we have the integration with CAS, the Central Authentication Service, which is a single sign-on solution, quite popular, which allows you to basically sign on to one of the main services that you have in your network and then be authenticated on all the others automatically. Another example of a plugin that we have for the authentication sources is known as the authkey module: it basically decides who you are based on a key that you put in the URL. Now you'd say "this is crazy". OK, I sort of agree with you, but if you are using HTTPS as the transport protocol not even the URL is visible to the attacker, and something like this allows applications which are completely security-unaware to play in a secure environment. So, just to say, this is used, because some of the applications people are using don't know how to do Basic or Digest HTTP authentication.

OK, so, I mean, the authentication problem is solved; let's move to authorization. Now we know who you are, we know what your roles are: what can you do?

Authorization, as I said, uses the authentication: given your user and roles we decide whether or not you can do something on a certain resource. The action could be something as generic as a read or a write on the data, or something specific, like you called GetFeatureInfo on the WMS protocol: are you allowed or not? And the resource can be a workspace, a layer, a layer group, that kind of stuff.

The authorization, as I said, is pluggable, so we have our own interfaces that you can implement to build your own security subsystem, sorry, your own authorization subsystem. You basically have to implement those methods back there that check, against an interface, whether or not you can do something against a workspace, a layer, a layer group; and in the case of listings of layers, such as the capabilities or any request that lists layers, the provider can specify a filter that will be used to decide whether or not the layer can be accessed, just to avoid having to go layer by layer asking "can I do this? can I do this?" a hundred thousand times. The security subsystem actually allows quite fine-grained security: you can decide whether or not an attribute is visible, whether or not it can be written, you can apply read and write filters, so you can decide that for example a certain area of a data source can be read by your user, a certain other area written by the user, and they can be asymmetric: maybe the user can read everything but only write in a specific area, which is quite common in data gathering when you have multiple people going out and each one of them covers a specific area. But this can of course also be semantic, temporal, spatial, whatever, so you can easily use all the power of the filters, up to the limit of the data access.

Implementations of this interface: we have the default security subsystem that GeoServer defines out of the box. It's pretty simple, it's probably ten years old now, but it can decide whether or not you can access something like a layer; as I said, pretty basic. Then we have GeoFence, which is an external application, with a star because it's turning into a library, which makes full use of the ResourceAccessManager interfaces. And then you can add your own custom implementations: since it's an interface you can literally plug it into your enterprise system and have it use your authorization databases or procedures if you want, which is quite common in some enterprise setups.

So let's talk about GeoFence then; the default implementation is rather boring. GeoFence is an extended authentication, sorry, authorization system for GeoServer. It does optional authentication too, but we often don't use it. It's completely open source, it's part of the GeoServer project, you can go and get the code from GitHub.

So what's the structure? Well, normally GeoFence runs as a separate server, as a separate web application. GeoServer has a plugin that is used to talk with this server, and it will tell the server "OK, user X is trying to do this", and the server will apply a certain set of rules, decide whether or not those actions are allowed, and respond back to GeoServer. GeoFence has its own administration API and its own administration front-end, so you have a user interface where you can set up the rules, and a REST API if you want to automate updating or modifying the rules. All of the configuration is stored in a database, which could be PostgreSQL or whatever.

So the user interface more or less looks like this. It has its own user management, but I'm not going to get too much into it. Just one interesting factoid: we have the notion of instances, because a single GeoFence installation might be managing security for multiple clusters of GeoServer, like security for an internal cluster and security for an external, Internet-facing cluster, with a different set of users and rules.

How are the rules applied? Well, if you know about iptables (iptables is a way to control network access on a Linux machine), GeoFence rules are actually modeled loosely against the iptables approach. So we have a list of rules; a rule can match a user, a group, a GeoServer instance, a specific IP, a service, a request, a workspace, a layer, and then decide whether or not that combination is allowed or denied. The first rule matching wins, so we basically go from top to bottom and the first rule matching wins. Normally the approach is that you apply the restrictions first, then whatever you are allowed to do, and then the last rule denies everything, so that if you ever get to the last rule you don't get access.

Yeah, all of this is what I just said: the matching of the rule against the various possible bits. This is already quite a marked improvement over the GeoServer default security, in that in a single rule you can put together the data and the service accessing it, so you can say for example that you can access a certain layer via WMS but not via WFS, which is not something you can do with the default built-in security. So this is one example of GeoFence rules, saying: for user u1, instance default, workspace w1, allowed; so this user is allowed to access workspace w1. And then for user u1 everything else is denied, which means that the user can access everything in the workspace w1 and can't do anything else. So it's a way to lock down that user to that particular workspace.

And then we have the other type of rule. So far I showed you allow and deny, but we also have limit rules. Limit rules are something we go through and collect along the way. Limit rules don't say "you cannot access", but restrict your access: they say "OK, you can access this layer, but we are going to remove some of the attributes, we are going to filter the data, we are going to force a particular style", so that you are constrained. So there could be a rule saying that you can access the layer, and a limit rule that dictates how you can access it. As I said, you can restrict the available area, alphanumeric conditions, you can also restrict the attributes that are available, and say something like "the result you will see is read-only", and the like.

The beauty of it, actually, right now, in the GeoFence world, is that you have a stand-alone GeoFence server running and all these GeoServers talk to it. Since there is network traffic we have a cache of the decisions, not long of course, but enough to avoid asking the same question a hundred times in a second, and we have an API to manipulate it in case you want immediate purging of all the cached information because you made an important change. GeoFence itself has an extensive REST API that allows you to query, to page through all the rules, and to modify them, so that you can automate any change, any kind of mass change you want to do to the security rules. And also we have backup and restore services attached to the REST services, so that you can back up, restore and bring the configuration maybe from the test environment to production.

Now, everything I have said up to now is last year's, maybe the year before; it's old news. This is new: this is GeoFence direct integration.

As with GeoWebCache, people started complaining: "OK, but it's external, I have another server, why do I have to go through such complications? I want just my single GeoServer with everything in it." GeoWebCache got sucked into GeoServer, and it's still possible to run it externally, but only a few deployments do that. GeoFence is on the road to being sucked into GeoServer as the new default security subsystem. It's going to be a long road, it's not gonna happen tomorrow, but we are at the first steps. So GeoFence is Java-based; it can be run inside GeoServer just as if it was a library, and the rules are stored in a database just as before. We're doing it just like GeoWebCache got integrated, in baby steps, so the integrated version is not giving you the full power of the external GeoFence; it's gonna give you enough convenience, enough extra power compared to the default system to be interesting.

So, as usual, we have the user interface: we have a configuration section in GeoServer for GeoFence. For example, one of the things that we might want to move into the general GeoServer configuration is whether or not you allow dynamic styling, dynamic SLD, to pass through in the request. And we have control of the cache, how long the entries in the cache live, and some statistics like cache hits, cache misses and so on.

And then we have a user interface to create the rules, which is very, very similar to the existing system; as you can see it's nothing special, it's modeled on the existing user interface. After playing around a bit with it you get a list of rules that define your overall security behavior.

Let me show you an example. Here I have three rules: the first says "whatever is in the workspace tiger, access allowed", so the whole tiger workspace is wide open; the second says "on the workspace sf, layer archsites, allowed"; and everything else is denied. So if you have a bit of familiarity with the GeoServer layer preview, we are going to lose the states layer, we are going to lose the Tasmania layers and so on, and the result is this: we have the tiger layers and sf:archsites, and everything else is gone. Of course I'm not logged in as admin; admin is all-powerful.

I've got another example here. In this case we allow the workspace tiger and then deny specifically the archsites layer, but then allow anything else in the sf workspace and then deny everything. So I'm basically switching the behavior for the Spearfish workspace, and the result is that I see everything from tiger and almost everything from Spearfish, but not archsites, which was blocked. Of course you can get more sophisticated by adding more rules; we have some deployments that have a few hundred, because they've got many, many, many users.

There is quite a bit of work to do on this. As I said, we made it just interesting enough to be a step over the default security subsystem, but of course we have to add the support for the limit rules. Limit rules are not supported in the integration, and that's of course a big limitation, so we don't have a way to force the style, which would be useful for many, and the filter by area is something that is left to do. The day we do that, the integrated GeoFence will be almost as powerful as the external one; at the moment it's just a step over the default. And we still don't have the ability to control the rules at the row level, which is something that we have to work on: the rules are ordered, so we need a better way in the user interface to drag them and change their position, something like that. At the moment we are just using an embedded H2 database, so this is meant for a single-server deployment. GeoFence can connect to an external database system, but the user interface is not there yet, so we will have to adapt it. And it would also be nice to be able to migrate the old security system rules, which you find as you upgrade your GeoServer; we still don't have it, but it's possible. All of this, of course, is pending on funding, or some project that can sponsor this work.

And that's it. Any questions?

Time-of-day filters: can you restrict access for a certain time period, certain weeks, things like that?

No, at the moment we don't do that, not in the external GeoFence nor in the integrated one. We have something close in the control-flow module, which is meant to throttle traffic: there are controllers that you can attach to a specific type of user so that they don't ever go above a certain number of requests, and if they go above we slow them down. So that's the closest thing we have, but it's not what you asked. But then again, the rule subsystem in control-flow could be used to apply something like that.

OK, thanks again for this great piece of software. First, a question regarding compatibility: the GeoFence direct integration, which GeoServer version was it introduced in? It was introduced recently; it doesn't work with the old ones at all.

The program was changed from the printed version: the online version says this is the third talk, not the fourth, but the printed version says it's the fourth. Anyway, if there are enough people that want to see this presentation again I can start over, no problem. This is my fifth presentation, I have another one later.
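The first-match rule evaluation described in the talk (rules matched top to bottom on user, role, instance, service, request, workspace and layer; the first allow or deny wins; a trailing deny-all; limit rules collected along the way to constrain an allow) is shown below as an added example. This is illustrative code written for this page, not GeoFence's own implementation, and the rule sets, user names, workspace and layer names and limit values are constructed after the demo data mentioned in the talk; the `limits` dictionary and the `Decision` type are assumptions of this example, and the example goes slightly beyond the talk by showing how several matching limit rules accumulate onto one allow decision.

```python
"""GeoFence-style first-match access rules (added example, not GeoFence code).

Rules are evaluated top to bottom.  The first ALLOW or DENY rule whose fields
match the request context decides.  LIMIT rules that match on the way down do
not decide; their restrictions are collected and attached to an ALLOW decision
so the caller can apply them (attribute removal, area filter, forced style).
If no rule matches, access is denied, which mirrors a trailing deny-all rule.
All values below are constructed for illustration; "*" is a wildcard.
"""
from dataclasses import dataclass, field
from typing import Optional

MATCH_FIELDS = ("user", "role", "instance", "service", "request", "workspace", "layer")


@dataclass
class Rule:
    access: str                  # "ALLOW", "DENY" or "LIMIT"
    user: str = "*"
    role: str = "*"
    instance: str = "*"
    service: str = "*"           # e.g. "WMS", "WFS"
    request: str = "*"           # e.g. "GetMap", "GetFeature"
    workspace: str = "*"
    layer: str = "*"
    limits: dict = field(default_factory=dict)  # only used by LIMIT rules (assumed shape)

    def matches(self, ctx: dict) -> bool:
        # Every non-wildcard field must equal the request context, case-insensitively.
        for name in MATCH_FIELDS:
            want = getattr(self, name)
            if want != "*" and want.lower() != str(ctx.get(name, "")).lower():
                return False
        return True


@dataclass
class Decision:
    allowed: bool
    rule_index: Optional[int]    # index of the deciding rule; None when nothing matched
    limits: dict = field(default_factory=dict)


def evaluate(rules: list, ctx: dict) -> Decision:
    """Return the first-match decision for a request context (a dict of MATCH_FIELDS)."""
    collected: dict = {}
    for i, rule in enumerate(rules):
        if not rule.matches(ctx):
            continue
        if rule.access == "LIMIT":
            collected.update(rule.limits)   # remember the restriction, keep scanning
            continue
        if rule.access == "ALLOW":
            return Decision(True, i, collected)
        return Decision(False, i)           # DENY
    return Decision(False, None)            # fell off the end: default deny


def rules_open_tiger() -> list:
    """First demo in the talk: tiger wide open, one sf layer, everything else denied."""
    return [
        Rule("ALLOW", workspace="tiger"),
        Rule("ALLOW", workspace="sf", layer="archsites"),
        Rule("DENY"),
    ]


def rules_block_one_layer() -> list:
    """Second demo: tiger open, sf open except archsites, everything else denied."""
    return [
        Rule("ALLOW", workspace="tiger"),
        Rule("DENY", workspace="sf", layer="archsites"),
        Rule("ALLOW", workspace="sf"),
        Rule("DENY"),
    ]


def rules_service_split() -> list:
    """Same data, different services: u1 reaches w1 via WMS (constrained) but not via WFS."""
    return [
        Rule("LIMIT", user="u1", service="WMS", workspace="w1",
             limits={"style": "restricted_style"}),
        Rule("LIMIT", user="u1", workspace="w1",
             limits={"area": "POLYGON((0 0, 10 0, 10 10, 0 10, 0 0))"}),
        Rule("ALLOW", user="u1", service="WMS", workspace="w1"),
        Rule("DENY", user="u1"),
    ]


if __name__ == "__main__":
    # Constructed sample requests, printed with the rule that decided them.
    samples = [
        (rules_open_tiger(), {"service": "WMS", "request": "GetMap", "workspace": "sf", "layer": "roads"}),
        (rules_block_one_layer(), {"service": "WMS", "request": "GetMap", "workspace": "sf", "layer": "archsites"}),
        (rules_service_split(), {"user": "u1", "service": "WFS", "request": "GetFeature", "workspace": "w1", "layer": "l1"}),
        (rules_service_split(), {"user": "u1", "service": "WMS", "request": "GetMap", "workspace": "w1", "layer": "l1"}),
    ]
    for rules, ctx in samples:
        d = evaluate(rules, ctx)
        print(ctx, "->", "ALLOW" if d.allowed else "DENY", "by rule", d.rule_index, d.limits)
```

Because evaluation stops at the first allow or deny, rule order is the whole policy: swapping the deny-all to the top of `rules_block_one_layer()` would silently block everything, which is why the talk stresses that restrictions go first and the catch-all deny goes last.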

Metadata

Formal Metadata

Title Advanced Security with GeoServer and GeoFence
Title of Series FOSS4G Seoul 2015
Author Aime, Andrea
License CC Attribution - NonCommercial - ShareAlike 3.0 Germany:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
DOI 10.5446/32100
Publisher FOSS4G, Open Source Geospatial Foundation (OSGeo)
Release Date 2015
Language English
Producer FOSS4G KOREA
Production Year 2015
Production Place Seoul, South Korea

Content Metadata

Subject Area Information technology
Abstract The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, such as basic/digest authentication and CAS support, check through the various identity providers, such as local config files, database tables and LDAP servers, and how it's possible to combine the various bits in a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it in a home-grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions, and check the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore the advanced authentication provider, GeoFence, explore the levels of integration with GeoServer, from the simple and seamless direct integration to the more sophisticated external setup, and see how it can provide GeoServer with complex authorization rules over data and OGC services, taking into account the current user, OGC request and requested layers to enforce spatial filters and alphanumeric filters, attribute selection as well as cropping raster data to areas of interest.