Advanced Security With GeoServer

The presentation provides an introduction to GeoServer's own authentication and authorization subsystems. We cover the supported authentication protocols, from basic/digest authentication to CAS support, walk through the various identity providers (local configuration files, database tables and LDAP servers) and show how the various pieces can be combined into a single, comprehensive authentication setup, with examples of custom authentication plugins that integrate GeoServer into a home-grown security architecture.
We then move on to authorization, describing GeoServer's pluggable authorization mechanism and comparing it with proxy-based solutions, and review the built-in service and data security system, its benefits and its limitations.
Finally we explore an advanced authentication tool called GeoFence and see how it plugs into GeoServer to provide graphical configuration of complex authorization rules over data and OGC services, taking into account spatial filters, attribute filters, attribute hiding and cropping of raster data to areas of interest. We also show how, using LDAP, both GeoFence and GeoServer can share a common user database, simplifying the administrator's job, and provide some real-world examples.


1. Advanced Security With GeoServer
Ing. Mauro Bartolomeoli, GeoSolutions
Ing. Emanuele Tajariol, GeoSolutions
Ing. Simone Giannecchini, GeoSolutions
Ing. Alessio Fabiani, GeoSolutions
FOSS4G 2014, Portland, 10th September 2014

2. GeoSolutions
• Founded in Italy in late 2006
• Expertise
  • Image Processing, GeoSpatial Data Fusion
  • Java, Java Enterprise, C++, Python
  • JPEG2000, JPIP, Advanced 2D visualization
• Supporting/Developing FOSS4G projects
  • GeoServer, MapStore
  • GeoBatch, GeoNetwork
• Clients
  • Public Agencies
  • Private Companies
• http://www.geo-solutions.it

3. GeoServer Security Subsystem Overview

4. GeoServer Security Subsystem Overview
• GeoServer security handles
  • Authentication (filtering and credential checks)
  • Authorization (resource access managers)

5. GeoServer Security Subsystem Overview
• Based on Spring Security
• Users / Groups / Roles
  • User/group services
  • Role services
• Authentication
  • Chains
  • Filters
  • Providers
• Authorization
  • Auth on data: e.g. layers, workspaces
  • Auth on services: e.g. WMS, WFS
  • By role

6. Users / Groups / Roles Storage

7. Users / Groups / Roles Storage
• User/Group service
  • Storage for users and groups details
  • Storage for user credentials (e.g. passwords)
  • Password encryption handling
  • Read/Write or Read-only
• Default implementations
  • XML files
  • Database through JDBC
• Easy to implement and plug new services
• Used by many filters/providers as a source for authenticated users' details
• Missing: Read/Write LDAP User/Group service

8. Users / Groups / Roles Storage
• Role service
  • Storage for roles
  • Read/Write or Read-only
  • Assign roles to users and/or groups
• Default implementations
  • XML files
  • Database through JDBC
  • J2EE (from the Java Web Container)
  • LDAP
• Easy to implement and plug new services
• Active (Default) Role service
  • Used by many filters/providers as a source for authenticated users' roles

9. Authentication
10. Authentication
• Filter Chains
  • By «request url» pattern matching
    • Web UI
    • OGC Services
    • REST API
    • …
  • By Method: GET, POST, …
  • HTTP Session handling
  • Each chain applies a sequence of configured Filters to matching requests
  • Only SSL flag

11. Authentication
• Filters
  • Gathering user credentials (and eventually invoking the authentication providers chain)
  • Basic
  • Form
  • Anonymous (always the last)
  • Preauthentication (and eventually loading user details from the user/group and/or role service)
  • HTTP Header
  • Digest
  • X.509
  • Remember Me
  • J2EE
  • Easy to implement and plug new filters
  • Missing: authenticate from environment variables (e.g. Shibboleth SSO)

12. Authentication
• Authentication Providers
  • Used if filters require further authentication of gathered credentials (no preauthentication can be applied)
  • Username Password (using the user/group service)
  • Database through JDBC (uses the credentials to connect to a database; very different from the JDBC user/group service)
  • LDAP
    • with ActiveDirectory support
  • Easy to implement and plug new providers
  • Providers chain, to allow for different authentication mechanisms (e.g. intranet users from LDAP, internet users from a database)

13. Authentication
• Extensions
  • CAS (https://www.apereo.org/cas): example of SSO integration
• Community modules
  • Authkey: simple UUID to user mapper
    • Pluggable: possibility to define custom mappers (e.g. webservices)
    • URLMangler to add the authkey to OGC requests transparently (via GetCapabilities)
• Real World Use Cases
  • Shibboleth SSO (using Headers or CGI environment variables)
  • Mixing filters/providers: LDAP/AD for internal users, JDBC for external users

14. Authentication
• Future improvements
  • Clean up and filling holes
    • Increase LDAP support (e.g. LDAP User/Group Service for LDAP read-write support)
  • Greater flexibility
    • Improve the authkey community module (new webservice-based mappers) and promote it to extension
    • New authentication filters (e.g. reading credentials from CGI environment variables)

15. Authorization

16. Authorization
• Simple default implementation
  • Permissions assigned only by user role(s)
  • Data Access Authorization Rules
    • Workspace
    • Single Layer
    • Access Mode: Read, Write, Admin
  • Services Authorization Rules
    • Service (WMS, WFS, …)
    • Method (GetMap, GetLegendGraphic, …)
• Pluggable ResourceAccessManager
• SecureCatalog
  • Security Wrapped Catalog Objects (e.g. ReadOnlyDataStore)

17. Authorization
• ResourceAccessManager
  • Defines AccessLimits for the various Catalog Resources (Workspace, Layer, Style, LayerGroup)
  • Allows for fine-grained limits
    • Read filters
    • Write filters
    • Spatial filters
• SecureCatalog
  • Wraps the original Catalog objects with secured implementations, aware of the limits defined by the ResourceAccessManager
  • Secured wrappers take care of enforcing authorization rules, transparently
18. Meet GeoFence

19. GeoFence
• Extended A&A for GeoServer
  • Authentication
    • Optional
    • Integrated with the GeoServer authorization architecture
• Open Source
  • GPL
  • Code on GitHub
• Authorization
  • Auth on data: e.g. layers, workspaces
  • Auth on services: e.g. WMS, WFS

20. GeoFence
• Based on GSIP 57
• Mixed Interceptor + Probe approach
  • Extended authorization management for GeoServer
  • External Rule-Based System
  • GeoServer Internal Probe
  • On-the-fly manipulation of incoming requests
• Role Based Access Control
  • Users
  • Groups
• Rule-based database
  • IPTables-like

21. GeoFence
• Fine Grain Authorization Control
  • Services
  • Operations
  • Workspaces
  • Layers
  • Attributes (alphanumeric and geospatial)
• External Web Application
  • REST Interface
  • GUI
• Scalable
  • 1 GeoFence controls N GeoServer clusters

22. GeoFence
• Java Enterprise infrastructure
  • Spring/Spring-Remoting
  • Hibernate
  • Apache CXF
• Supports DBMS
  • PostgreSQL/PostGIS
  • Oracle Spatial
  • H2
• Performance ensured thanks to a fine-tunable cache

23. GeoServer Security Model

24. GeoServer Security Model
• The GeoFence Authentication provider delegates credential checks to GeoFence
• The GeoFence Resource Access Manager asks the GeoFence authorization engine for permissions

25. GeoServer Security Model

26. Digging GeoFence

27. GeoFence Architecture
• Geofence Stack (again…)

28. GeoFence Architecture: Modules and packages
• GUI
  • core: GUI logic, implemented using GWT
  • webapp: produces the final web application .war file
• Geoserver (GeoFence Probe)
  • security: the GeoServer/GeoFence bridge; implements the ResourceAccessManager, forwarding the authorization requests to a remote GeoFence instance

29. GeoFence Architecture
• The GeoFence ResourceAccessManager (Geofence Probe) is deployed in each GeoServer
  • GeoServer instances in a cluster must share the same ClusterID (instance name)
  • GeoFence uses the instance name to select rules
• The Probe queries GeoFence on each request* with the proper info
  • Instance name
  • User
  • Request Details
• GeoFence provides Access Policy rules to manipulate the request on the fly within the Probe

30. GeoFence Architecture
• The GeoFence ResourceAccessManager (Geofence Probe) uses a cache which minimizes the requests toward GeoFence.
• The cache can be configured on different aspects:
  • number of entries,
  • expiration time
• The cache provides REST operations (using GeoServer's own REST dispatcher) in order to
  • Invalidate the cache
  • Query the cache statistics
31. GeoFence Rule System
• Authorizations are expressed as a priority-based rule set
• Types of Rules are ALLOW/DENY/LIMIT
• The first matching rule is the one that determines the outcome of the auth request
• Incoming authorization requests are transformed into a rule filter
• Filtering can be performed on one or more of these fields:
  • Username
  • Group the provided user belongs to

32. GeoFence Rule System
  • Source GeoServer instance
    • We can control multiple GeoServer clusters
  • OGC Service
    • E.g. WMS
  • OGC Service Operation
    • E.g. GetCapabilities
  • Workspace
    • E.g. it.geosolutions
  • Layer name
    • E.g. topp:states

33. GeoFence Rule System: Example
• Let's assume we have configured these rules:
  • User: u1, Service: WMS, Workspace: W1, ALLOW
  • User: u1, DENY
• These rules will grant access for user u1 to
  • all the layers in workspace W1
  • only for WMS requests
• All other types of request will be DENIED.

34. GeoFence Rule System
• When an ALLOW rule is matched, the user will have access to the requested resource.
• Finer Grain Control on single layer rules
  • further restrictions may be defined
  • i.e. only a subset of the data contained in the layer could be made queryable/visible to the requesting user
    • Restrictions on visible Area
    • Restrictions on Queryable Attributes
    • Restrictions on Available Styles

35. GeoFence Rule System
• Examples
  • Limiting users' access to
    • a subset of the attributes (R/W)
    • a specific geographic area
    • a subset of the available styles (or the default style can be forced on all requests)
    • a specific view of the data via a CQL filter
      • For reading
      • For writing (delete, create, update)
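A small first-match evaluator for the rule semantics described on slides 31 to 35, written as an added example (not GeoFence's own code): rules are evaluated in priority order, an unset field is a wildcard, the first ALLOW/DENY rule decides, and an ALLOW on a single layer can carry area, attribute and CQL restrictions. The `Rule`/`Request` types, the default DENY when nothing matches and the `analysts` rule are assumptions for illustration; the two `u1` rules are the ones on slide 33.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of a GeoFence-style rule: every match field is optional
# and None acts as a wildcard, as the slide's "User: u1, DENY" rule does.
MATCH_FIELDS = ("user", "group", "instance", "service", "request", "workspace", "layer")

@dataclass
class Rule:
    priority: int                 # lower value = evaluated first
    access: str                   # "ALLOW" or "DENY"
    user: Optional[str] = None
    group: Optional[str] = None
    instance: Optional[str] = None
    service: Optional[str] = None
    request: Optional[str] = None
    workspace: Optional[str] = None
    layer: Optional[str] = None
    # Finer-grained limits an ALLOW rule on a single layer may carry (slides 34/35)
    allowed_area: Optional[str] = None            # WKT of the visible area
    allowed_attributes: Optional[List[str]] = None
    read_filter: Optional[str] = None             # CQL filter applied to reads

@dataclass
class Request:
    user: str
    groups: Set[str]
    instance: str
    service: str
    request: str
    workspace: Optional[str] = None
    layer: Optional[str] = None

@dataclass
class Decision:
    access: str
    rule: Optional[Rule]          # None when no rule matched

def matches(rule: Rule, req: Request) -> bool:
    """A rule matches when every non-wildcard field equals the request's value."""
    for name in MATCH_FIELDS:
        want = getattr(rule, name)
        if want is None:
            continue
        if name == "group":
            if want not in req.groups:   # any of the user's groups may satisfy the rule
                return False
        elif want != getattr(req, name):
            return False
    return True

def authorize(rules: List[Rule], req: Request) -> Decision:
    """First matching rule in priority order decides; no match means DENY (assumed default)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return Decision(rule.access, rule)
    return Decision("DENY", None)

# The two rules from slide 33, plus a constructed layer-level ALLOW with restrictions.
RULES = [
    Rule(1, "ALLOW", user="u1", service="WMS", workspace="W1"),
    Rule(2, "DENY", user="u1"),
    Rule(3, "ALLOW", group="analysts", service="WFS", workspace="W1", layer="parcels",
         allowed_area="POLYGON((0 0, 10 0, 10 10, 0 10, 0 0))",
         allowed_attributes=["id", "owner"], read_filter="region = 'north'"),
]
```

Because u1's DENY rule has a lower priority than the WMS/W1 ALLOW, a WMS GetMap on W1 is allowed while a WFS request on the same workspace, or a WMS request on W2, falls through to the DENY.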
36. GeoFence Rule System
37. GeoFence REST Interface
• GeoFence provides a REST interface for administration
  • Allows automation!
• It allows complete CRUD access to the various entities managed by GeoFence:
  • Users and groups
  • GeoServer instances
  • Rules
• The Find operation can be optionally paged
  • a Count operation is provided as well to take advantage of the pagination capability.
• Priority ordering in rules is fundamental
  • there are different ways to insert and set a position for the new rules.
• https://github.com/geosolutions-it/geofence/wiki/REST-API

38. GeoFence REST Interface
• The REST interface also provides a batch mode
  • multiple CRUD commands can be issued at once
  • The commands in the batch are processed in the same transaction
  • Extremely important for automation!
• Backup and restore operations are provided as part of the REST interface as well
• REST API documentation available at https://github.com/geosolutions-it/geofence/wiki/REST-API

39. GeoFence User Interface
• Top Categories
  • Users
  • Groups
  • Instances
  • Rules

40. GeoFence User Interface: Users, Groups, Instances

41. GeoFence User Interface: Rules, Details

42. GeoFence and LDAP
• An LDAP server can be used as a repository for users and groups, by including the optional ldap module in the deploy
• LDAP can be configured through the datasource properties file
• When using LDAP, users and groups are not editable from the GeoFence interface (they are READ-ONLY)
• LDAP module documentation at https://github.com/geosolutions-it/geofence/wiki/LDAP-module

43. GeoFence and Existing Auth Proxies
[Diagram: External Auth Source (LDAP) served by an LDAP UserDAO and an LDAP GroupDAO in place of the default UserDAO and GroupDAO; RuleDAO on the GeoFence DB persistence layer; Users and Groups in GeoFence]
• When LDAP is enabled, specific DAOs are used for users and groups instead of the default ones
44. GeoFence Use Cases: SIAN

45. GeoFence Use Cases: GeoGraphic Building Block
[Diagram: MapManager, MapStore, GeoFence, GeoStore, GeoServer, JMX Agents]

46. GeoFence Use Cases: Astrium GetGeo

47. GeoFence Use Cases: Destination
• Layers filtered (CQL filters) by user profile to constrain access to advanced functionality
• Possibility of spatial filters to allow regional access only

48. GeoFence Status
• Project Released as Open Source
• Continuous Build is in place
• Dev and Users Mailing Lists are in place
• Latest Improvements
  • IP based filter rules
  • Catalog Mode support
  • GeoServer community module for the probe
  • Probe Wicket Configuration Page
• Further Improvements
  • Documentation
  • Official Releases
  • UI Refactor (based on REST APIs)

49. The End
Thanks for not sleeping (loudly)
alessio.fabiani@geo-solutions.it
mauro.bartolomeoli@geo-solutions.it
