The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, from basic/digest authentication to CAS support, go through the various identity providers (local configuration files, database tables and LDAP servers) and show how the various pieces can be combined into a single comprehensive authentication setup, with examples of custom authentication plugins that integrate GeoServer into a home-grown security architecture.
We'll then move on to authorization, describing GeoServer's pluggable authorization mechanism and comparing it with proxy-based solutions, and review the built-in service and data security system, its benefits and its limitations.
Finally we'll explore an advanced authentication tool called GeoFence, and see how it can plug into GeoServer to provide a graphical configuration interface for complex authorization rules over data and OGC services, taking into account spatial filters, attribute filters and attribute hiding, as well as cropping raster data to areas of interest. We'll also show how, using LDAP, GeoFence and GeoServer can share a common user database, simplifying the administrators' job, and provide some real-world examples.
1. Advanced Security With GeoServer
Ing. Mauro Bartolomeoli, GeoSolutions
Ing. Emanuele Tajariol, GeoSolutions
Ing. Simone Giannecchini, GeoSolutions
Ing. Alessio Fabiani, GeoSolutions
FOSS4G 2014, Portland
10th September 2014
2. GeoSolutions
Founded in Italy in late 2006
Expertise
• Image Processing, GeoSpatial Data Fusion
• Java, Java Enterprise, C++, Python
• JPEG2000, JPIP, Advanced 2D visualization
Supporting/Developing FOSS4G projects
GeoServer, MapStore
GeoBatch, GeoNetwork
Clients
Public Agencies
Private Companies
http://www.geo-solutions.it
5. GeoServer Security Subsystem Overview
Based on Spring Security
Users / Groups / Roles
User/group services
Role services
Authentication
Chains
Filters
Providers
Authorization
Auth on data: e.g. layers, workspaces
Auth on services: e.g. WMS, WFS
By role
6. Users / Groups / Roles Storage
7. Users / Groups / Roles Storage
User/Group service
Storage for users and groups details
Storage for user credentials (e.g. passwords)
Password encryption handling
Read/Write or Read-only
Default implementations
XML files
Database through JDBC
Easy to implement and plug new services
Used by many filters/providers as the source of
authenticated users' details
Missing: Read/Write LDAP User/Group service
8. Users / Groups / Roles Storage
Role service
Storage for roles
Read/Write or Read-only
Assign roles to users and or groups
Default implementations
XML files
Database through JDBC
J2EE (from the Java Web Container)
LDAP
Easy to implement and plug new services
Active (Default) Role service
Used by many filters/providers as the source of
authenticated users' roles
10. Authentication
Filter Chains
By «request url» pattern matching
Web UI
OGC Services
REST API
…
By Method: GET, POST, …
HTTP Session handling
Each chain applies a sequence of configured Filters to
matching requests
SSL-only flag (the chain matches HTTPS requests only)
11. Authentication
Filters
Gathering user credentials (and, where needed, invoking
the authentication providers chain)
Basic
Form
Anonymous (always the last)
Preauthentication (and, where needed, loading user details from
the user/group and/or role service)
HTTP Header
Digest
X.509
Remember Me
J2EE
Easy to implement and plug new filters
Missing: authenticate from environment variables (e.g. Shibboleth SSO)
12. Authentication
Authentication Providers
Used if filters require further authentication of
gathered credentials (no preauthentication can be
applied)
Username Password (using user/group service)
Database through JDBC (uses credentials to connect to a database,
very different from the JDBC user/group service)
LDAP
with ActiveDirectory support
Easy to implement and plug new providers
Providers chain, to allow for different authentication
mechanisms (e.g. intranet users from LDAP, internet
users from a database)
13. Authentication
Extensions
CAS (https://www.apereo.org/cas): example of SSO
integration
Community modules
Authkey: simple UUID to user mapper
Pluggable: possibility to define custom mappers (e.g. webservices)
URLMangler to add authkey to OGC request transparently (via
GetCapabilities)
Real World Use Cases
Shibboleth SSO (using Headers or CGI environment
variables)
Mixing filters/providers: LDAP/AD for internal users,
jdbc for external users
14. Authentication
Future improvements
Clean up and fill holes
Increase LDAP support (e.g. LDAP User/Group
Service for LDAP read-write support)
Greater flexibility
Improve authkey community module (new webservice
based mappers) and promote to extension
New authentication filters (e.g. reading credentials
from CGI environment variables)
16. Authorization
Simple default implementation
Permissions assigned only by user role(s)
Data Access Authorization Rules
Workspace
Single Layer
Access Mode: Read, Write, Admin
Services Authorization Rules
Service (WMS, WFS, …)
Method (GetMap, GetLegendGraphic, …)
Pluggable ResourceAccessManager
SecureCatalog
Security Wrapped Catalog Objects (e.g. ReadOnlyDataStore)
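As an added example (not code from the slides or from GeoServer itself), the following Python models the role-based data and service rules just listed. The key syntax follows GeoServer's layers.properties (workspace.layer.mode=ROLES, workspace.a=ROLES for workspace admin) and services.properties (service.method=ROLES) files; the lookup order (layer rule, then workspace rule, then global rule) and the defaults when no rule matches (deny for data, open for services) are this model's simplifications, and the rule text, role names and workspaces are constructed.

```python
# Added example (not GeoServer's own code): toy evaluator for role-based
# data and service access rules in the style of GeoServer's
# layers.properties (workspace.layer.mode=ROLES, workspace.a=ROLES for
# workspace admin) and services.properties (service.method=ROLES).
# Lookup order and "no rule" defaults are this model's simplification.

LAYER_MODES = {"r", "w"}  # read / write; "a" (admin) is workspace level


def _parse(text):
    """Parse 'dotted.key=ROLE1,ROLE2' lines into {key_tuple: set_of_roles}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        roles = {r.strip() for r in value.split(",") if r.strip()}
        if not sep or not roles:
            raise ValueError(f"malformed rule: {line!r}")
        rules[tuple(p.strip() for p in key.split("."))] = roles
    return rules


def parse_layer_rules(text):
    """Accept ws.layer.r, ws.layer.w and ws.a; store everything as 3-tuples."""
    rules = {}
    for key, roles in _parse(text).items():
        if len(key) == 3 and key[2] in LAYER_MODES:
            rules[key] = roles
        elif len(key) == 2 and key[1] == "a":
            rules[(key[0], "*", "a")] = roles
        else:
            raise ValueError(f"malformed layer rule key: {'.'.join(key)}")
    return rules


def parse_service_rules(text):
    """Accept service.method (method may be '*'); service names are case-insensitive."""
    rules = {}
    for key, roles in _parse(text).items():
        if len(key) != 2:
            raise ValueError(f"malformed service rule key: {'.'.join(key)}")
        rules[(key[0].lower(), key[1])] = roles
    return rules


def _granted(required, user_roles):
    """'*' opens the rule to everybody; otherwise any shared role is enough."""
    return "*" in required or not required.isdisjoint(user_roles)


def layer_allowed(rules, user_roles, workspace, layer, mode):
    """Most specific rule wins (layer, workspace, global); no rule at all denies."""
    for key in ((workspace, layer, mode), (workspace, "*", mode), ("*", "*", mode)):
        if key in rules:
            return _granted(rules[key], set(user_roles))
    return False


def service_allowed(rules, user_roles, service, method):
    """A service with no rule is open; a rule restricts it to the listed roles."""
    for key in ((service.lower(), method), (service.lower(), "*")):
        if key in rules:
            return _granted(rules[key], set(user_roles))
    return True


def request_allowed(layer_rules, service_rules, user_roles,
                    service, method, workspace, layer, mode):
    """Both the service/method rule and the data rule must grant the request."""
    return (service_allowed(service_rules, user_roles, service, method)
            and layer_allowed(layer_rules, user_roles, workspace, layer, mode))


# Constructed sample rules; the role names and workspaces are invented.
LAYER_RULES = parse_layer_rules("""
*.*.r=*
*.*.w=ROLE_EDITOR
topp.*.w=ROLE_TOPP_EDITOR
topp.states.r=ROLE_STATES_READER
topp.a=ROLE_TOPP_ADMIN
""")

SERVICE_RULES = parse_service_rules("""
wfs.Transaction=ROLE_EDITOR
wps.*=ROLE_WPS
""")

if __name__ == "__main__":
    for roles, ws, layer, mode in [(["ROLE_ANONYMOUS"], "topp", "states", "r"),
                                   (["ROLE_EDITOR"], "topp", "roads", "w"),
                                   (["ROLE_EDITOR"], "sf", "roads", "w")]:
        print(roles, f"{ws}:{layer}", mode, "->",
              layer_allowed(LAYER_RULES, roles, ws, layer, mode))
```

Note how the more specific `topp.*.w` rule overrides the global `*.*.w` one: a user holding only ROLE_EDITOR can write in other workspaces but not in `topp`, and a write through WFS Transaction additionally has to pass the service rule.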
17. Authorization
ResourceAccessManager
Define AccessLimits for the various Catalog Resources
(Workspace, Layer, Style, LayerGroup)
Allows for fine grained limits
Read filters
Write filters
Spatial filters
SecureCatalog
Wraps original Catalog objects with secured implementations,
aware of ResourceAccessManager defined limits
Secured wrappers take care of enforcing authorization rules,
transparently
24. GeoServer Security Model
The GeoFence Authentication provider delegates
credential checks to GeoFence
The GeoFence Resource Access Manager asks the
GeoFence authorization engine for permissions
28. GeoFence Architecture
Modules and
packages
GUI
core: GUI logic, implemented using GWT
webapp: produces the final web application .war file
Geoserver (GeoFence Probe)
security: the GeoServer/GeoFence bridge: implements
the ResourceAccessManager, forwarding the
authorization requests to a remote GeoFence
instance
29. GeoFence Architecture
The GeoFence ResourceAccessManager
(Geofence Probe) is deployed in each GeoServer
GeoServer instances in a cluster must share the same
ClusterID (instance name)
GeoFence uses the instance name to select rules
The Probe queries GeoFence on each
request* with proper info
Instance name
User
Request Details
GeoFence provides Access Policy rules that the
Probe uses to manipulate the request on the fly
30. GeoFence Architecture
The GeoFence ResourceAccessManager
(Geofence Probe) uses a cache which
minimizes the requests toward
GeoFence.
The cache can be configured on
different aspects:
number of entries,
expiration time
The cache provides REST operations
(using GeoServer’s own REST
dispatcher) in order to
Invalidate the cache
Query the cache statistics
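The probe cache described above, as an added illustration that is not the GeoFence probe's code: a bounded cache with expiry in front of an authorization lookup, with invalidation and statistics. The AuthCache class, the lookup function, the fake clock and the scenario in demo() are constructed for this example; the point to take away is that expiry and invalidation are what stop a stale ALLOW from outliving a rule change on the server.

```python
# Added example (not the GeoFence probe's code): a bounded, expiring cache in
# front of an authorization lookup, with invalidation and statistics.
import time
from collections import OrderedDict


class AuthCache:
    def __init__(self, lookup, max_entries=1000, ttl_seconds=300.0, clock=time.monotonic):
        self._lookup = lookup          # key -> decision, e.g. a remote authorization call
        self._max = max_entries
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = OrderedDict()  # key -> (expires_at, decision), oldest first
        self.hits = self.misses = self.evictions = 0

    def get(self, key):
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None:
            expires_at, decision = entry
            if now < expires_at:
                self.hits += 1
                self._entries.move_to_end(key)      # keep recently used keys longest
                return decision
            del self._entries[key]                  # expired: re-ask, so rule changes propagate
        self.misses += 1
        decision = self._lookup(key)
        self._entries[key] = (now + self._ttl, decision)
        while len(self._entries) > self._max:
            self._entries.popitem(last=False)       # evict least recently used
            self.evictions += 1
        return decision

    def invalidate(self):
        """Drop everything, e.g. right after rules were edited on the server."""
        self._entries.clear()

    def stats(self):
        return {"size": len(self._entries), "hits": self.hits,
                "misses": self.misses, "evictions": self.evictions}


class FakeClock:
    """Settable clock so expiry can be exercised without sleeping."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Constructed scenario: u1 is allowed, everybody else denied; returns what happened."""
    remote_calls = []

    def lookup(key):
        remote_calls.append(key)
        user, _service, _workspace = key
        return "ALLOW" if user == "u1" else "DENY"

    clock = FakeClock()
    cache = AuthCache(lookup, max_entries=2, ttl_seconds=10.0, clock=clock)
    k1 = ("u1", "WMS", "W1")
    first, second = cache.get(k1), cache.get(k1)     # one remote call, then a hit
    clock.now = 11.0                                  # past the TTL
    third = cache.get(k1)                             # expired: remote call again
    cache.get(("u2", "WMS", "W1"))
    cache.get(("u3", "WMS", "W1"))                    # third key in a 2-entry cache: eviction
    before_invalidate = cache.stats()
    cache.invalidate()
    return {"decisions": (first, second, third), "remote_calls": len(remote_calls),
            "before_invalidate": before_invalidate, "after_invalidate": cache.stats()}


if __name__ == "__main__":
    print(demo())
```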
31. GeoFence Rule System
Authorizations are expressed as a
priority-based rule set
Type of Rules are ALLOW/DENY/LIMIT
The first matching rule is the one that determines the
outcome of the auth request
Incoming authorization requests are transformed
into a rule filter
Filtering can be performed on one or more of
these fields:
Username
Group the provided user belongs to
32. GeoFence Rule System
Source geoserver instance
We can control multiple GeoServer clusters
OGC Service
E.g. WMS
OGC Service Operation
E.g. GetCapabilities
Workspace
E.g. it.geosolutions
Layer name
E.g. topp:states
33. GeoFence Rule System
Example
Let's assume we have configured these rules:
User: u1, Service: WMS, Workspace: W1, ALLOW
User: u1, DENY
These rules will grant user u1 access to
all the layers in workspace W1
only for WMS requests
All other types of request will be DENIED.
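An added example, not GeoFence's own code, that replays the two rules above through a minimal model of the priority-ordered, first-match evaluation described on the previous slides. The Rule and AuthRequest field names, the treatment of LIMIT rules (collected until an ALLOW or DENY decides), the fail-closed default for requests that match no rule, and the instance name "gs-default" are assumptions of this model.

```python
# Added example (not GeoFence's own code): a minimal model of priority-ordered,
# first-match rule evaluation. Field names, the accumulation of LIMIT rules
# and the fail-closed default for unmatched requests are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    priority: int                       # lower value is evaluated first
    access: str                         # "ALLOW", "DENY" or "LIMIT"
    user: Optional[str] = None          # None in any field means "matches anything"
    group: Optional[str] = None
    instance: Optional[str] = None      # source GeoServer instance (cluster) name
    service: Optional[str] = None       # e.g. "WMS"
    request: Optional[str] = None       # e.g. "GetCapabilities"
    workspace: Optional[str] = None
    layer: Optional[str] = None


@dataclass
class AuthRequest:
    instance: str
    service: str
    request: str
    user: Optional[str] = None          # None for anonymous callers
    groups: List[str] = field(default_factory=list)
    workspace: Optional[str] = None
    layer: Optional[str] = None


def matches(rule: Rule, req: AuthRequest) -> bool:
    """Every constrained field of the rule must agree with the request."""
    if rule.user is not None and rule.user != req.user:
        return False
    if rule.group is not None and rule.group not in req.groups:
        return False
    for name in ("instance", "service", "request", "workspace", "layer"):
        wanted = getattr(rule, name)
        if wanted is not None and wanted != getattr(req, name):
            return False
    return True


def authorize(rules: List[Rule], req: AuthRequest) -> Tuple[str, List[Rule]]:
    """Walk rules in priority order; the first matching ALLOW/DENY decides.

    Matching LIMIT rules seen before that decision are returned alongside it so
    the caller can apply their restrictions (this model's reading of LIMIT).
    A request matching no rule is denied: fail closed.
    """
    limits: List[Rule] = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not matches(rule, req):
            continue
        if rule.access == "LIMIT":
            limits.append(rule)
            continue
        if rule.access not in ("ALLOW", "DENY"):
            raise ValueError(f"unknown access type {rule.access!r}")
        return rule.access, limits
    return "DENY", limits


# The two rules from the slide above; the DENY rule has the higher priority
# number, so it is evaluated second and only catches what the ALLOW missed.
SLIDE_RULES = [
    Rule(priority=0, access="ALLOW", user="u1", service="WMS", workspace="W1"),
    Rule(priority=1, access="DENY", user="u1"),
]


def decide(rules, user, service, request, workspace=None, layer=None,
           instance="gs-default", groups=()):
    """Convenience wrapper returning only the decision string."""
    req = AuthRequest(instance=instance, service=service, request=request,
                      user=user, groups=list(groups), workspace=workspace, layer=layer)
    return authorize(rules, req)[0]


if __name__ == "__main__":
    print(decide(SLIDE_RULES, "u1", "WMS", "GetMap", "W1", "roads"))      # ALLOW
    print(decide(SLIDE_RULES, "u1", "WFS", "GetFeature", "W1", "roads"))  # DENY
```

Swapping the two priorities makes the catch-all DENY win for every request, which is why the slides stress that priority ordering is fundamental when rules are inserted through the REST interface.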
34. GeoFence Rule System
When an ALLOW rule is matched, the user will
have access to the requested resource.
Finer Grain Control on single layer rules
further restrictions may be defined
i.e. only a subset of the data contained in the
layer could be made queryable/visible to the
requesting user
Restrictions on visible Area
Restrictions on Queryable Attributes
Restrictions on Available Styles
35. GeoFence Rule System
Examples
Limiting users' access to
a subset of the attributes (R/W)
a specific geographic area.
a subset of the available styles (or the default style
can be forced on all requests)
A specific view of the data via a CQL filter
For reading
For writing (delete, create, update)
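Added example, not GeoFence's or GeoServer's code: how a probe-like component could apply the per-layer restrictions listed on this slide and the previous one (attribute subset for reads and writes, visible area, CQL read/write filters, allowed or forced styles) to an incoming request. The LayerLimits and LayerRequest structures, the bounding box standing in for the visible-area polygon, the choice to drop hidden attributes on reads but refuse writes that touch them, and all sample values are constructed.

```python
# Added example (not GeoFence's or GeoServer's code): applying the per-layer
# restrictions an ALLOW rule may carry to an incoming request. A bounding box
# stands in for the visible-area polygon; structures and sample values are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

BBox = Tuple[float, float, float, float]   # minx, miny, maxx, maxy


@dataclass
class LayerLimits:
    allowed_attributes: Optional[List[str]] = None   # None: every attribute is visible
    area: Optional[BBox] = None                       # None: no spatial restriction
    read_filter: Optional[str] = None                 # CQL added to every read
    write_filter: Optional[str] = None                # CQL added to every write
    allowed_styles: Optional[List[str]] = None        # None: any style
    default_style: Optional[str] = None
    force_default_style: bool = False                 # ignore the requested style


@dataclass
class LayerRequest:
    mode: str                                  # "read" or "write"
    attributes: Optional[List[str]] = None     # None: all attributes requested
    cql_filter: Optional[str] = None
    bbox: Optional[BBox] = None
    style: Optional[str] = None


def and_cql(*filters: Optional[str]) -> Optional[str]:
    """Conjoin CQL fragments, parenthesising each so precedence cannot leak."""
    parts = [f"({f})" for f in filters if f]
    return " AND ".join(parts) if parts else None


def clip_bbox(requested: Optional[BBox], area: Optional[BBox]) -> Optional[BBox]:
    """Intersect the requested box with the visible area (None means unrestricted)."""
    if requested is None or area is None:
        return requested if area is None else area
    return (max(requested[0], area[0]), max(requested[1], area[1]),
            min(requested[2], area[2]), min(requested[3], area[3]))


def is_empty(bbox: Optional[BBox]) -> bool:
    """True when the clipped box has no extent, i.e. the request falls outside the area."""
    return bbox is not None and (bbox[0] >= bbox[2] or bbox[1] >= bbox[3])


def constrain(limits: LayerLimits, req: LayerRequest) -> LayerRequest:
    """Rewrite the request so it can only touch what the rule permits.

    Reads silently drop hidden attributes; writes that name a hidden attribute
    are refused outright, as are styles outside the allowed set.
    """
    if req.mode not in ("read", "write"):
        raise ValueError(f"unknown mode {req.mode!r}")
    if limits.allowed_attributes is None:
        attrs = req.attributes
    elif req.attributes is None:
        attrs = list(limits.allowed_attributes)
    else:
        allowed = set(limits.allowed_attributes)
        hidden = [a for a in req.attributes if a not in allowed]
        if hidden and req.mode == "write":
            raise PermissionError(f"write touches hidden attribute(s): {hidden}")
        attrs = [a for a in req.attributes if a in allowed]

    rule_filter = limits.read_filter if req.mode == "read" else limits.write_filter
    style = req.style
    if limits.force_default_style:
        style = limits.default_style
    elif (limits.allowed_styles is not None and style is not None
          and style not in limits.allowed_styles):
        raise PermissionError(f"style {style!r} is not allowed on this layer")

    return LayerRequest(mode=req.mode, attributes=attrs,
                        cql_filter=and_cql(req.cql_filter, rule_filter),
                        bbox=clip_bbox(req.bbox, limits.area), style=style)


# Constructed limits: three visible attributes, a northern region, per-user writes.
SAMPLE_LIMITS = LayerLimits(
    allowed_attributes=["id", "name", "geom"],
    area=(10.0, 40.0, 14.0, 44.0),
    read_filter="region = 'north'",
    write_filter="owner = 'u1'",
    allowed_styles=["simple", "polygon"],
    default_style="simple",
)

if __name__ == "__main__":
    out = constrain(SAMPLE_LIMITS, LayerRequest(mode="read", attributes=["name", "salary"],
                                                cql_filter="name LIKE 'A%'",
                                                bbox=(12.0, 42.0, 20.0, 50.0), style="polygon"))
    print(out)
```

The rule filter is always ANDed onto the caller's own CQL rather than replacing it, so a caller cannot widen the view by supplying a filter of their own; the same holds for the bounding box, which is only ever narrowed.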
37. GeoFence REST Interface
GeoFence provides a REST interface for administration
Allows automation!
It allows a complete CRUD access to the various entities
managed by GeoFence:
Users and groups
GeoServer instances
Rules
The Find operation can be optionally paged
A Count operation is provided as well, to take
advantage of the pagination capability.
Priority ordering in rules is fundamental
there are different ways to insert and set a position
for the new rules.
https://github.com/geosolutions-it/geofence/wiki/REST-API
38. GeoFence REST Interface
The REST interface also provides a batch mode
multiple CRUD commands can be issued at once
The commands in the batch are processed in the
same transaction
Extremely important for automation!
Backup and restore operations are provided as part of the
REST interface as well
REST API documentation available at
https://github.com/geosolutions-it/geofence/wiki/REST-API
39. GeoFence User Interface
Top Categories
Users
Groups
Instances
Rules
42. GeoFence and LDAP
An LDAP server can be used as a repository for users and
groups, by including the optional ldap module in the deployment
LDAP can be configured through the datasource
properties file
When using LDAP, users and groups are not editable from
the GeoFence interface (they are READ-ONLY)
LDAP module documentation at
https://github.com/geosolutions-it/geofence/wiki/LDAP-module
43. GeoFence and Existing Auth Proxies
[Diagram: an External Auth Source (LDAP, holding Users and Groups) feeds the LDAP UserDAO and LDAP GroupDAO; the GeoFence DB feeds the default UserDAO, GroupDAO and RuleDAO; all sit behind the GeoFence Persistence layer]
When LDAP is enabled, specific DAOs are used for users
and groups instead of the default ones
45. GeoFence Use Cases
GeoGraphic Building Block
[Diagram: MapManager and MapStore clients on top of the GeoFence, GeoStore and GeoServer services, monitored through JMX Agents]
46. GeoFence Use Cases
Astrium GetGeo
47. GeoFence Use Cases
Destination
Layers filtered (CQL filters) by user profile to constrain
access to advanced functionality
Possibility of spatial filters to allow regional access only
48. GeoFence Status
Project Released as Open Source
Continuous Build is in place
Dev and Users Mailing Lists are in place
Latest Improvements
IP based filter rules
Catalog Mode support
GeoServer community module for the probe
Probe Wicket Configuration Page
Further Improvements
Documentation
Official Releases
UI Refactor (based on REST APIs)
49. The End
Thanks for not sleeping
(loudly)
alessio.fabiani@geo-solutions.it
mauro.bartolomeoli@geo-solutions.it