1
Advanced Security With GeoServer
Ing. Mauro Bartolomeoli, Ing. Emanuele Tajariol, Ing. Simone Giannecchini (GeoSolutions)
2
GeoSolutions
Founded in Italy in late 2006
Expertise:
- Image Processing, GeoSpatial Data Fusion
- Java, Java Enterprise, C++, Python
- JPEG2000, JPIP, Advanced 2D visualization
- Supporting/Developing FOSS4G projects: GeoServer, MapStore, GeoNetwork, GeoNode, CKAN
Clients: Public Agencies, Private Companies
FOSS4G 2015, Seoul 14th-19th September 2015
3
Overview
GeoServer security handles:
- Authentication (filtering and credential checks)
- Authorization (resource access managers)
In this presentation we are going to explore how GeoServer applies security, with particular attention to the authentication and authorization processes, as well as introduce an advanced authorization subsystem known as GeoFence.
4
Authentication
5
The filter chains
Different chains for different URL groups. Each chain authenticates in a different way by composing different filters.
Authentication is performed by authentication filters, grouped in chains and attached to certain URL patterns. We can thus have different authentication mechanisms for the UI, the OGC services, and the REST API. The chain decides if the user requires to be authenticated in that request (it might have been authenticated previously) and if so, passes the information gathered about the user to the authentication providers.
6
Different usage, different chain
- UI chain, with form, HTTP session (creation allowed), and remember-me services
- OGC one, lighter, will use the session if available, no creation
Here are two sample chains for the UI and the OGC services. The UI can leverage the session to check if a user got already authenticated, and will create one if not; it allows for form login and logout, as well as «remember me» cookies, while the OGC service one is simpler and mostly uses HTTP basic authentication.
7
Available auth filters
Gathering user credentials (and eventually invoking the authentication providers chain):
- Basic
- Form
- Digest
- Anonymous (always the last)
Preauthentication (and eventually loading user details from the user/group and/or role service):
- Session
- HTTP Header
- X.509
- Remember Me
- J2EE
Easy to implement and plug new filters.
Missing: authenticate from environment variables (e.g. Shibboleth SSO)
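To make the chain/filter/provider split of the last three slides concrete, here is a small simulation written for this page; it is not GeoServer code. A chain is picked by URL pattern, its filters run in order (anonymous always last), credential-gathering filters hand what they found to a provider, and only the UI chain is allowed to create a session. Every user, password, path, session id and pattern below is a constructed assumption; the choice to reject presented-but-wrong credentials instead of falling through to anonymous is this toy's, shown because silently downgrading a failed login to anonymous hides attacks from logs.

```python
"""Toy model of GeoServer-style authentication filter chains (added
illustration, not GeoServer code). All names and data are constructed."""
import base64
import fnmatch
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed user/group service: username -> (password, roles)
USERS = {
    "admin": ("adminpw", ["ROLE_ADMINISTRATOR"]),
    "alice": ("s3cret", ["ROLE_EDITOR"]),
}
# Constructed HTTP session store: session id -> authenticated user
SESSIONS = {"sess-existing": "alice"}


class AuthenticationError(Exception):
    """Credentials were presented but rejected by the providers."""


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Principal:
    name: str
    roles: List[str]
    source: str  # which filter authenticated the request


@dataclass
class Chain:
    pattern: str                 # URL pattern the chain is attached to
    filters: List[Callable]      # ordered filters, anonymous last
    allow_session_creation: bool = False


def provider_check(username: str, password: str) -> Principal:
    """Authentication provider: verify credentials against the user service."""
    entry = USERS.get(username)
    if entry is None or entry[0] != password:
        raise AuthenticationError(f"bad credentials for {username!r}")
    return Principal(username, list(entry[1]), "provider")


def session_filter(req: Request, chain: Chain) -> Optional[Principal]:
    """Preauthentication: reuse an existing HTTP session, never create one."""
    user = SESSIONS.get(req.cookies.get("JSESSIONID", ""))
    return None if user is None else Principal(user, list(USERS[user][1]), "session")


def basic_filter(req: Request, chain: Chain) -> Optional[Principal]:
    """Gather credentials from an HTTP Basic header and ask the providers."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    principal = provider_check(user, password)
    principal.source = "basic"
    return principal


def form_filter(req: Request, chain: Chain) -> Optional[Principal]:
    """Gather credentials from a login form; only UI chains may open a session."""
    if "username" not in req.form:
        return None
    principal = provider_check(req.form["username"], req.form.get("password", ""))
    principal.source = "form"
    if chain.allow_session_creation:
        SESSIONS["sess-" + principal.name] = principal.name
    return principal


def anonymous_filter(req: Request, chain: Chain) -> Principal:
    """Always last: a request carrying no credentials runs as anonymous."""
    return Principal("anonymous", ["ROLE_ANONYMOUS"], "anonymous")


# Constructed chains: the UI chain may create sessions, the OGC/REST ones may not
CHAINS = [
    Chain("/web/*", [session_filter, form_filter, anonymous_filter], True),
    Chain("/rest/*", [session_filter, basic_filter, anonymous_filter]),
    Chain("/wms*", [session_filter, basic_filter, anonymous_filter]),
]


def basic_header(username: str, password: str) -> str:
    """Authorization header value a client would send for HTTP Basic."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def authenticate(req: Request) -> Principal:
    """Pick the chain for the URL and run its filters in order."""
    chain = next((c for c in CHAINS if fnmatch.fnmatchcase(req.path, c.pattern)), None)
    if chain is None:
        raise LookupError(f"no chain attached to {req.path}")
    for flt in chain.filters:
        principal = flt(req, chain)
        if principal is not None:
            return principal
    raise RuntimeError("unreachable: the anonymous filter always answers")


def outcome(req: Request) -> str:
    """Summary string for logging: 'name via filter' or 'rejected'."""
    try:
        p = authenticate(req)
    except AuthenticationError:
        return "rejected"
    return f"{p.name} via {p.source}"
```

Running the same form credentials against the WMS chain yields anonymous, because that chain simply has no form filter: which filters a chain composes is what decides which credential types a URL group accepts.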
8
Authentication providers
Given credentials pulled from the filters, who is the user?
- Search in the user/group database
- Auth as an LDAP user
- Auth as a DBMS user
Authentication providers are pluggable. User/Group service: XML, DBMS tables.
Authentication providers manage the verification of who the user is in different ways, from checking username/password against a DB, to auth against other services.
9
Role providers
Given the user, what are her roles in GeoServer?
- Fundamental: authorization is role based
- Extensible: new providers can be built (DBMS tables, LDAP, XML)
Finally role providers, which might be the same sources as users, or not.
10
Extensions
- CAS: Single Sign On integration
- Authkey: simple UUID to user mapper
  - Simple key in the URL (must use HTTPS)
  - Allows authentication-unaware clients to participate
  - Pluggable: possibility to define custom mappers (e.g. web services)
  - URLMangler to add the authkey to OGC requests transparently (via GetCapabilities)
11
Authorization
12
Authorization
Given the user and her roles, can the current «action» on the current «resource» be allowed?
Action:
- Generic read/write
- Specific OGC service/method call
Resource:
- Workspace
- Layer
- Layer Group
- Style
13
ResourceAccessManager
- Pluggable interface, multiple implementations
- Defines AccessLimits for the various Catalog resources (Workspace, Layer, Style, LayerGroup)
- Can access the current request (service/method/details)
- Allows for fine grained limits:
  - Attributes visible
  - Read filters (which features can be read)
  - Write filters (which features can be written)
  - Filters: alphanumeric, temporal, spatial
14
Implementations
- Default security subsystem: simple per workspace/layer authentication
- GeoFence: external application (*), full use of ResourceAccessManager abilities
- Other custom implementations: integrate with an existing in-house authorization mechanism; quite popular in large enterprise setups
15
GeoFence
16
GeoFence
Extended A&A for GeoServer
- Optional authentication, sophisticated authorization
- Open Source, GPL
17
Structure
GeoServer has a plugin that makes it call GeoFence for auth.
18
Stand-alone user interface
19
User management
User, group and instance management. A single GeoFence might be authorizing more than one cluster of GeoServer instances.
20
GeoFence rules
- Authorizations are expressed as a priority-based rule set
- Types of rules are ALLOW/DENY/LIMIT
- The first matching rule is the one that determines the outcome of the auth request
21
GeoFence rules matching
Rules are matched based on:
- Username
- Group the provided user belongs to
- GeoServer instance (single GeoFence, multiple GeoServer clusters)
- OGC service (e.g., WMS)
- OGC service operation (e.g., GetFeatureInfo)
- Workspace (e.g. it.geosolutions)
- Layer name (e.g. topp:states)
22
Example
Let's assume we have configured these rules:
- User: u1, Service: WMS, Workspace: W1, ALLOW
- User: u1, DENY
These rules will grant access for user u1 to all the layers in workspace W1 only for WMS requests. All other types of requests will be DENIED.
23
Restrictions (LIMIT rules)
When an ALLOW rule is matched, the user will have access to the requested resource, subject to:
- Restrictions on the available area
- Restrictions on alphanumeric conditions
24
Restrictions (LIMIT rules, continued)
- Restrictions on the available attributes
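The rule slides (priority ordering, matching fields, the u1/WMS/W1 example, and LIMIT restrictions on area, alphanumeric conditions and attributes) are easiest to check against a small evaluator, so here is one written for this page; it is not GeoFence's code and does not claim to reproduce its exact semantics. Assumptions made for the toy: a rule field left as None matches anything; the first matching ALLOW or DENY decides; LIMIT rules matched before it are merged into the resulting limits by intersecting areas and attribute sets and AND-ing filters; and nothing matching means deny. The LIMIT rule set and all requests are constructed; the first rule set is the one from the Example slide.

```python
"""Toy GeoFence-style rule evaluation (added illustration, not GeoFence code).
Rules and requests below are constructed; semantics are this toy's assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

BBox = Tuple[float, float, float, float]  # minx, miny, maxx, maxy


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: Tuple[str, ...] = ()
    instance: str = "default"
    service: Optional[str] = None
    operation: Optional[str] = None
    workspace: Optional[str] = None
    layer: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str                          # "ALLOW", "DENY" or "LIMIT"
    user: Optional[str] = None           # None means "any" for every field
    group: Optional[str] = None
    instance: Optional[str] = None
    service: Optional[str] = None
    operation: Optional[str] = None
    workspace: Optional[str] = None
    layer: Optional[str] = None
    # LIMIT payload (constructed shape for the three restriction kinds)
    area: Optional[BBox] = None
    read_filter: Optional[str] = None    # CQL-style alphanumeric condition
    attributes: Optional[FrozenSet[str]] = None

    def matches(self, req: AccessRequest) -> bool:
        exact = [(self.user, req.user), (self.instance, req.instance),
                 (self.service, req.service), (self.operation, req.operation),
                 (self.workspace, req.workspace), (self.layer, req.layer)]
        if any(want is not None and want != have for want, have in exact):
            return False
        return self.group is None or self.group in req.groups


@dataclass
class AccessLimits:
    allowed: bool
    area: Optional[BBox] = None
    read_filter: Optional[str] = None
    attributes: Optional[FrozenSet[str]] = None


def intersect(a: Optional[BBox], b: Optional[BBox]) -> Optional[BBox]:
    """Narrow an area restriction; None means unrestricted."""
    if a is None or b is None:
        return a if b is None else b
    return (max(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), min(a[3], b[3]))


def evaluate(rules, req: AccessRequest) -> AccessLimits:
    """Walk rules by priority; LIMITs accumulate, first ALLOW/DENY decides."""
    limits = AccessLimits(allowed=False)
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        if rule.action == "LIMIT":
            limits.area = intersect(limits.area, rule.area)
            if rule.read_filter:
                limits.read_filter = (rule.read_filter if limits.read_filter is None
                                      else f"({limits.read_filter}) AND ({rule.read_filter})")
            if rule.attributes is not None:
                limits.attributes = (rule.attributes if limits.attributes is None
                                     else limits.attributes & rule.attributes)
            continue
        limits.allowed = rule.action == "ALLOW"
        return limits
    return limits  # nothing matched: deny (this toy's default)


# The two rules from the Example slide: u1 may use WMS on workspace W1, nothing else
SLIDE_RULES = [
    Rule(1, "ALLOW", user="u1", service="WMS", workspace="W1"),
    Rule(2, "DENY", user="u1"),
]

# Constructed LIMIT example: members of "analysts" see W1 only inside a bbox,
# only active features, and only a subset of attributes; everyone else is denied
LIMIT_RULES = [
    Rule(0, "LIMIT", group="analysts", workspace="W1", area=(0, 0, 10, 10),
         read_filter="status = 'active'", attributes=frozenset({"id", "name", "status"})),
    Rule(1, "LIMIT", group="analysts", workspace="W1", area=(5, 5, 20, 20),
         attributes=frozenset({"id", "name"})),
    Rule(2, "ALLOW", group="analysts", workspace="W1"),
    Rule(3, "DENY"),
]
```

Because ordering decides everything, a rule inserted at the wrong priority silently changes who gets access: the catch-all DENY in the second set would, moved to priority 0, shadow the LIMIT and ALLOW rules entirely, which is why the REST API's rule-positioning features matter for automation.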
25
Stand-alone GeoFence
- The GeoFence ResourceAccessManager (GeoFence Probe) calls GeoFence REST services.
- A cache is set up to minimize network traffic.
- The cache can be configured on different aspects: number of entries, expiration time.
- The cache provides REST operations (using GeoServer's own REST dispatcher) in order to:
  - Invalidate the cache
  - Query the cache statistics
26
GeoFence REST API
REST interface for administration automation
- Complete CRUD access to the various entities managed by GeoFence: users and groups, GeoServer instances, rules
- Paging support
- Priority ordering in rules is fundamental: different ways to insert and set a position for the new rules
- Batch mode, backup and restore available
See details at:
27
GeoFence direct integration
28
GeoFence integration
Simple setups demand simple solutions:
- Have GeoFence run inside GeoServer
- Integration similar to the GWC one, runs like a plugin
(Diagram: GeoServer, GeoWebCache, GeoFence, Rules DB)
29
Baby steps
- Born as a more future-proof alternative to improving the internal security subsystem
- Community module, available via nightly builds
- Delivers a subset of the full functionality: access/deny based on a mix of user/layer/workspace/request
- Integrated UI
31
General Configuration
32
General Configuration (continued)
33
Creating rules
34
Rules list
35
Example 1
36
Example 1 – layer preview
37
Example 2
38
Example 2 – layer preview
39
TODO
- Allow editing of LIMIT rules:
  - Force default style
  - Limit attributes
  - Filter contents
  - Limit by area
- Control writes at the rule level
- Better/easier way to re-order rules
- Configuration of an external database (now using embedded H2 in the data dir, not cluster friendly)
- Migrate old security system rules to GeoFence as far as possible
40
Questions? That's all folks!
info@geo-solutions.it