Advanced Security With GeoServer
Ing. Mauro Bartolomeoli, Ing. Emanuele Tajariol, Ing. Simone Giannecchini
GeoSolutions

GeoSolutions
- Founded in Italy in late 2006
- Expertise: Image Processing, GeoSpatial Data Fusion; Java, Java Enterprise, C++, Python; JPEG2000, JPIP, Advanced 2D visualization
- Supporting/Developing FOSS4G projects: GeoServer, MapStore, GeoNetwork, GeoNode, Ckan
- Clients: Public Agencies, Private Companies
- http://www.geo-solutions.it
FOSS4G 2015, Seoul 14th-19th September 2015

Overview
GeoServer security handles:
- Authentication (filtering and credential checks)
- Authorization (resource access managers)
In this presentation we are going to explore how GeoServer applies security, with particular attention to the authentication and authorization processes, as well as introduce an advanced authorization subsystem known as GeoFence.

Authentication

The filter chains
- Different chains for different URL groups
- Each chain authenticates in a different way by composing different filters
Authentication is performed by authentication filters, grouped in chains and attached to certain URL patterns. We can thus have different authentication mechanisms for the UI, the OGC services, and the REST API. The chain decides whether the user needs to be authenticated for that request (it might have been authenticated previously) and, if so, passes the information gathered about the user to the authentication providers.

Different usage, different chain
- UI chain, with form login, HTTP session (creation allowed), and remember-me services
- OGC chain, lighter, will use a session if available, no creation
Here are two sample chains, one for the UI and one for the OGC services. The UI can leverage the session to check if a user is already authenticated, and will create one if not; it allows for form login and logout, as well as «remember me» cookies. The OGC service chain is simpler and mostly uses HTTP Basic authentication.

Available auth filters
Gathering user credentials (and eventually invoking the authentication providers chain):
- Basic
- Form
- Digest
- Anonymous (always the last)
Preauthentication (and eventually loading user details from the user/group and/or role service):
- Session
- HTTP Header
- X.509
- Remember Me
- J2EE
Easy to implement and plug in new filters.
Missing: authentication from environment variables (e.g. Shibboleth SSO).
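As an added illustration of the three slides above (not code from the presentation or from GeoServer itself), the following Python model shows how a chain selected by URL pattern composes filters: each filter either yields a ready principal (session, anonymous) or credentials that an authentication provider verifies, the anonymous filter sits last, and only the UI chain is allowed to create a session. The URL patterns, the in-memory session store, the user table and the chain layout are constructed assumptions; the real GeoServer chains and filters are Java classes configured through the security subsystem.

```python
import base64
import secrets
from fnmatch import fnmatch

# Constructed state: session id -> user, plus a tiny user/group "service".
# Plaintext passwords are used only for the demonstration; the real
# user/group service stores password hashes.
SESSIONS = {"sess-42": "alice"}
USERS = {"alice": "s3cret", "bob": "hunter2"}


def user_group_provider(user, password):
    """Authentication provider: verifies credentials gathered by a filter."""
    return user in USERS and USERS[user] == password


def session_filter(allow_create):
    """Builds a filter that trusts an existing HTTP session. allow_create
    records whether a later successful login may create a new session."""
    def _filter(req, ctx):
        ctx["allow_create"] = allow_create
        user = SESSIONS.get(req.get("cookies", {}).get("JSESSIONID", ""))
        return ("principal", user) if user else None
    return _filter


def basic_filter(req, ctx):
    """HTTP Basic: pull user:password out of the Authorization header."""
    auth = req.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return None
    return ("credentials", user, pw)


def form_filter(req, ctx):
    """Form login: credentials posted by the login form."""
    form = req.get("form") or {}
    if "username" in form and "password" in form:
        return ("credentials", form["username"], form["password"])
    return None


def anonymous_filter(req, ctx):
    """Always last: nobody identified the caller, so the request is anonymous."""
    return ("principal", "anonymous")


# Chains attached to URL patterns (assumed layout); the first pattern that
# matches the request path wins, so the catch-all "*" must stay last.
CHAINS = [
    ("/web/*", [session_filter(True), form_filter, anonymous_filter]),   # UI
    ("/rest/*", [basic_filter, anonymous_filter]),                       # REST API
    ("*", [session_filter(False), basic_filter, anonymous_filter]),      # OGC services
]


def select_chain(path):
    for pattern, chain in CHAINS:
        if fnmatch(path, pattern):
            return chain
    raise LookupError(path)  # unreachable while the "*" chain exists


def authenticate(req):
    """Run the chain for req["path"]. Returns (user, new_session_id_or_None)."""
    ctx = {"allow_create": False}
    for flt in select_chain(req["path"]):
        result = flt(req, ctx)
        if result is None:
            continue  # this filter found nothing, try the next one
        if result[0] == "principal":
            return result[1], None
        _, user, pw = result
        if user_group_provider(user, pw):
            sid = None
            if ctx["allow_create"]:  # only the UI chain creates sessions
                sid = "sess-" + secrets.token_hex(4)
                SESSIONS[sid] = user
            return user, sid
        # Bad credentials fall through to the remaining filters here
        # (simplification: a real chain would answer with a 401).
    return "anonymous", None


if __name__ == "__main__":
    print(authenticate({"path": "/wms", "cookies": {"JSESSIONID": "sess-42"}}))
    print(authenticate({"path": "/rest/workspaces", "cookies": {"JSESSIONID": "sess-42"}}))
```

Note that the same session cookie authenticates a WMS request but not a REST request, because the REST chain simply has no session filter: which filters a chain contains decides which credentials are even looked at.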

Authentication providers
Given credentials pulled from the filters, who is the user?
- Search in the user/group database
- Auth as an LDAP user
- Auth as a DBMS user
Pluggable user/group service: XML, DBMS tables
Authentication providers manage the verification of who the user is in different ways, from checking username/password against a DB to authenticating against other services.

Role providers
Given the user, what are her roles in GeoServer?
- Fundamental: authorization is role based
- Extensible: new providers can be built
- Sources: DBMS tables, LDAP, XML
Finally, role providers might use the same sources as users, or not.

Extensions
- CAS (https://www.apereo.org/cas): Single Sign-On integration
- Authkey: simple UUID to user mapper
  - Simple key in the URL (must use HTTPS)
  - Allows authentication-unaware clients to participate
  - Pluggable: possibility to define custom mappers (e.g. web services)
  - URLMangler to add the authkey to OGC requests transparently (via GetCapabilities)

Authorization

Authorization
Given the user and her roles: can the current «action» on the current «resource» be allowed?
- Action: generic read/write; specific OGC service/method call
- Resource: Workspace, Layer, Layer Group, Style

ResourceAccessManager
- Pluggable interface, multiple implementations
- Defines AccessLimits for the various Catalog resources (Workspace, Layer, Style, LayerGroup)
- Can access the current request (service/method/details)
- Allows for fine-grained limits: attributes visible, read filters (which features can be read), write filters (which features can be written)
- Filters: alphanumeric, temporal, spatial

Implementations
- Default security subsystem: simple per workspace/layer authentication
- GeoFence: external application (*), full use of ResourceAccessManager abilities
- Other custom implementations: integrate with an existing in-house authorization mechanism; quite popular in large enterprise setups

GeoFence

GeoFence
- Extended A&A for GeoServer
- Optional authentication, sophisticated authorization
- Open Source, GPL: https://github.com/geoserver/geofence

Structure
GeoServer has a plugin that makes it call GeoFence for auth.

Stand-alone user interface

User management
User, group and instance management. A single GeoFence might be authorizing more than one cluster of GeoServer instances.

GeoFence rules
- Authorizations are expressed as a priority-based rule set
- Rule types are ALLOW/DENY/LIMIT
- The first matching rule is the one that determines the outcome of the auth request

GeoFence rules matching
Rules are matched based on:
- Username
- Group the provided user belongs to
- GeoServer instance (single GeoFence -> multiple GS clusters)
- OGC Service (e.g., WMS)
- OGC Service Operation (e.g., GetFeatureInfo)
- Workspace (e.g. it.geosolutions)
- Layer name (e.g. topp:states)

Example
Let's assume we have configured these rules:
- User: u1, Service: WMS, Workspace: W1, ALLOW
- User: u1, DENY
These rules will grant user u1 access to all the layers in workspace W1, only for WMS requests. All other types of request will be DENIED.

Restrictions (LIMIT rules)
When an ALLOW rule is matched, the user will have access to the requested resource, with:
- Restrictions on available area
- Restrictions on alphanumeric conditions

Restrictions (LIMIT rules)
- Restrictions on available attributes
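The rule evaluation described on the GeoFence rules, matching, example and LIMIT slides above, as an added Python model that is not GeoFence's own code: rules are walked in priority order, a matching LIMIT rule contributes its restrictions (allowed area, alphanumeric filter, visible attributes), and the first matching ALLOW or DENY decides. The u1 rules are the ones from the example slide; the deny-when-nothing-matches default, the way several LIMIT restrictions are combined (intersection of areas and attribute sets, AND of filters) and the guests/carol rules are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

BBox = Tuple[float, float, float, float]  # (minx, miny, maxx, maxy)


@dataclass(frozen=True)
class Request:
    """The facts a rule is matched against (see the matching slide)."""
    user: str
    groups: FrozenSet[str]
    instance: str
    service: str        # e.g. "WMS"
    operation: str      # e.g. "GetMap"
    workspace: str      # e.g. "W1"
    layer: str          # e.g. "states"


@dataclass(frozen=True)
class Rule:
    priority: int                 # lower value = evaluated first
    access: str                   # "ALLOW", "DENY" or "LIMIT"
    user: Optional[str] = None    # None means "any"
    group: Optional[str] = None
    instance: Optional[str] = None
    service: Optional[str] = None
    operation: Optional[str] = None
    workspace: Optional[str] = None
    layer: Optional[str] = None
    # Restrictions, only meaningful on LIMIT rules
    area: Optional[BBox] = None                   # allowed area
    read_filter: Optional[str] = None             # alphanumeric condition
    attributes: Optional[FrozenSet[str]] = None   # visible attributes

    def matches(self, req: Request) -> bool:
        if self.user is not None and self.user != req.user:
            return False
        if self.group is not None and self.group not in req.groups:
            return False
        for name in ("instance", "service", "operation", "workspace", "layer"):
            wanted = getattr(self, name)
            if wanted is not None and wanted != getattr(req, name):
                return False
        return True


@dataclass
class Decision:
    access: str                                   # "ALLOW" or "DENY"
    area: Optional[BBox] = None
    read_filter: Optional[str] = None
    attributes: Optional[FrozenSet[str]] = None


def _intersect(a: Optional[BBox], b: BBox) -> BBox:
    if a is None:
        return b
    return (max(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), min(a[3], b[3]))


def authorize(rules: List[Rule], req: Request) -> Decision:
    """Walk the rules by priority: matching LIMIT rules accumulate restrictions,
    the first matching ALLOW/DENY decides. No match at all -> DENY (assumed
    default for this model)."""
    decision = Decision("DENY")
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        if rule.access == "LIMIT":
            if rule.area is not None:
                decision.area = _intersect(decision.area, rule.area)
            if rule.read_filter is not None:
                decision.read_filter = (rule.read_filter if decision.read_filter is None
                                        else f"({decision.read_filter}) AND ({rule.read_filter})")
            if rule.attributes is not None:
                decision.attributes = (rule.attributes if decision.attributes is None
                                       else decision.attributes & rule.attributes)
            continue
        if rule.access == "ALLOW":
            decision.access = "ALLOW"
            return decision           # access granted, restrictions attached
        return Decision("DENY")       # DENY wins, collected restrictions are moot
    return Decision("DENY")


# Rules from the example slide: u1 may use WMS on workspace W1, nothing else.
SLIDE_RULES = [
    Rule(priority=1, access="ALLOW", user="u1", service="WMS", workspace="W1"),
    Rule(priority=2, access="DENY", user="u1"),
]

# Constructed rule set showing LIMIT rules: the "guests" group sees the states
# layer clipped to a box and with two attributes only; carol gets an extra
# alphanumeric filter on top; guests may only use WMS; everything else is denied.
LIMIT_RULES = [
    Rule(priority=0, access="LIMIT", group="guests", workspace="W1", layer="states",
         area=(-100.0, 30.0, -80.0, 45.0), attributes=frozenset({"STATE_NAME", "the_geom"})),
    Rule(priority=1, access="LIMIT", user="carol", workspace="W1", layer="states",
         read_filter="PERSONS > 1000000"),
    Rule(priority=2, access="ALLOW", group="guests", service="WMS"),
    Rule(priority=3, access="DENY"),
]


def make_request(user, groups, workspace, layer="states", service="WMS", operation="GetMap"):
    return Request(user=user, groups=frozenset(groups), instance="gs1", service=service,
                   operation=operation, workspace=workspace, layer=layer)
```

Because LIMIT rules only ever narrow an ALLOW, their relative priority against the ALLOW rule matters: a LIMIT rule placed after the ALLOW that decides the request is never reached, which is why the REST API slide stresses the tooling for inserting rules at a given position.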

Stand-alone GeoFence
- The GeoFence ResourceAccessManager (GeoFence Probe) calls the GeoFence REST services
- A cache is set up to minimize network traffic
- The cache can be configured on different aspects: number of entries, expiration time
- The cache provides REST operations (using GeoServer's own REST dispatcher) in order to: invalidate the cache; query the cache statistics

GeoFence REST API
- REST interface for administration and automation
- Complete CRUD access to the various entities managed by GeoFence: users and groups, GeoServer instances, rules
- Paging support
- Priority ordering in rules is fundamental: different ways to insert and set a position for the new rules
- Batch mode, backup and restore available
See details at: https://github.com/geosolutions-it/geofence/wiki/REST-API

GeoFence direct integration

GeoFence integration
- Simple setups demand simple solutions
- Have GeoFence run inside GeoServer
- Integration similar to the GWC one, runs like a plugin
(Diagram: GeoServer, GeoWebCache, GeoFence, Rules DB)

Baby steps
- Born as a more future-proof alternative to improving the internal security subsystem
- Community module, available via nightly builds
- Delivers a subset of the full functionality: access/deny based on a mix of user/layer/workspace/request
- Integrated UI

General Configuration

General Configuration (continued)

Creating rules

Rules list

Example 1

Example 1 – layer preview

Example 2

Example 2 – layer preview

TODO
- Allow editing LIMIT rules: force default style, limit attributes, filter contents, limit by area
- Control writes at the rule level
- Better/easier way to re-order rules
- Configuration of an external database (now using embedded H2 in the data dir, not cluster friendly)
- Migrate old security system rules to GeoFence where possible

Questions?
That's all folks!
info@geo-solutions.it