Advanced SecurityWith GeoServer

Ing. Mauro BartolomeoliIng. Emanuele Tajariol

Ing. Simone GiannecchiniGeoSolutions

GeoSolutions

Founded in Italy in late 2006 Expertise

• Image Processing, GeoSpatial Data Fusion

• Java, Java Enterprise, C++, Python

• JPEG2000, JPIP, Advanced 2D visualization

Supporting/Developing FOSS4G projects GeoServer, MapStore

GeoNetwork, GeoNode, Ckan

Clients Public Agencies

Private Companies

http://www.geo-solutions.it

FOSS4G 2015, Seoul14th-19th September 2015

Overview

FOSS4G 2015, Seoul14th-19th September 2015

GeoServer security handles Authentication (filtering and credential checks) Authorization (resource access managers)

Authentication

FOSS4G 2015, Seoul14th-19th September 2015

The filter chains

FOSS4G 2015, Seoul14th-19th September 2015

Different chains for different URL groups Each chain authenticates in a different way by

composigin different filters

UI chain, with form, HTTP session (creation allowed), and remember me services

OGC one, lighter, will use session if available, no creation

Different usage, different chain

FOSS4G 2015, Seoul14th-19th September 2015

Available auth filters

FOSS4G 2015, Seoul14th-19th September 2015

Gathering user credentials (and eventually invoking authentication providers chain)

Basic Form Digest Anonymous (always the last)

Preauthentication (and eventually load user details from user/group and/or role service)

Session HTTP Header X.509 Remember Me J2EE

Easy to implement and plug new filters Missing: authenticate from environment variables (e.g. Shibboleth SSO)

Authentication providers

FOSS4G 2015, Seoul14th-19th September 2015

Given credentials pulled from the filters, who is the user?

Search in user/group database

Auth as aLDAP user

Auth as aDBMS user

XML DBMS tables

Authenticationproviders

User/Groupservice

Pluggable

Role providers

FOSS4G 2015, Seoul14th-19th September 2015

Given the user, what are her roles in GeoServer?

Fundamental, authorization is role based

Extensible, new providers can be built

LDAP DBMS XMLDBMS tables

Extensions

FOSS4G 2015, Seoul14th-19th September 2015

CAS (https://www.apereo.org/cas): Single Sign On integration

Authkey: simple UUID to user mapper Simple key in the URL (must use HTTPS) Allows authentication unware clients to participate Pluggable: possibility to define custom mappers (e.g.

webservices) URLMangler to add authkey to OGC request transparently (via

GetCapabilities)

Authorization

FOSS4G 2015, Seoul14th-19th September 2015

Authorization

FOSS4G 2015, Seoul14th-19th September 2015

Given the user and her roles Can the current «action» on the current «resource»

be allowed?

Action: Generic read/write Specific OGC service/method call

Resource Workspace Layer Layer Group Style

ResourceAccessManager

FOSS4G 2015, Seoul14th-19th September 2015

Pluggable interface, multiple implementations Define AccessLimits for the various Catalog

Resources (Workspace, Layer, Style, LayerGroup) Can access the current request

(service/method/details) Allows for fine grained limits

Attributes visible Read filters (which features can be read) Write filters (which features can be written)

Filters: Alphanumeric Temporal Spatial

Implementations

FOSS4G 2015, Seoul14th-19th September 2015

Default security subsystem Simple per workspace/layer authentication

GeoFence External application (*) Full use of ResourceAccessManager abilities

Other custom implementations Integrate with existing in-house authorization

mechanism Quite popular in large enterprise setup

GeoFence

FOSS4G 2015, Seoul14th-19th September 2015

GeoFence

FOSS4G 2015, Seoul14th-19th September 2015

Extended A&A for GeoServer Optional Authentication, Sophisticated

authorization Open Source, GPL

https://github.com/geoserver/geofence

Structure

FOSS4G 2015, Seoul14th-19th September 2015

Stand alone User interface

FOSS4G 2015, Seoul14th-19th September 2015

User management

FOSS4G 2015, Seoul14th-19th September 2015

GeoFence rules

FOSS4G 2015, Seoul14th-19th September 2015

Authorizations are expressed as a priority-based rule set

Type of Rules are ALLOW/DENY/LIMIT The first matching rule is the one that determines

the outcome of the auth request

GeoFence rules matching

FOSS4G 2015, Seoul14th-19th September 2015

Rules are matched based on:

Username Group the provided user belongs to GeoServer Instance (single GeoFence multiple

GS clusters) OGC Service (e.g., WMS) OGC Service Operation (e.g., GetFeatureInfo) Workspace (E.g. it.geosolutions) Layer name (E.g. topp:states)

Example

FOSS4G 2015, Seoul14th-19th September 2015

Example Let’s assume we have configured these rules :

User: u1, Service:WMS, Workspace=W1,ALLOW User: u1, DENY

These rules will grant access for user u1 to all the layers in worspace W1 only for WMS request

All other types of request will be DENIED.

Restrictions (LIMIT rules)

FOSS4G 2015, Seoul14th-19th September 2015

When an ALLOW rule is matched, the user will have access to the requested resource:

Restrictions on available area Restrictions on alphanumeric conditions

Restrictions (LIMIT rules)

FOSS4G 2015, Seoul14th-19th September 2015

Restrictions on available attributes

Stand-alone GeoFence

FOSS4G 2015, Seoul14th-19th September 2015

The GeoFence ResourceAccessManager (Geofence Probe) calls GeoFence REST services.

A cache is setup to minimize network traffic

A cache can be configured on different aspects: number of entries, expiration time

The cache provides REST operations (using GeoServer’s own REST dispatcher) in order to

Invalidate the cache Query the cache statistics

GeoFence REST API

FOSS4G 2015, Seoul14th-19th September 2015

REST interface for administration automation Complete CRUD access to the various entities

managed by GeoFence: Users and groups GeoServer instances Rules

Paging support Priority ordering in rules is fundamental: different ways

to insert and set a position for the new rules. Batch mode, backup and restore available See details at:

https://github.com/geosolutions-it/geofence/wiki/REST-API

GeoFence direct integration

FOSS4G 2015, Seoul14th-19th September 2015

GeoFence integration

FOSS4G 2015, Seoul14th-19th September 2015

Simple setups demand simple solution Have GeoFence run inside GeoServer Integration similar to GWC one, runs like a plugin

GeoServer GeoWebCache

GeoFence

Rules DB

Baby steps

FOSS4G 2015, Seoul14th-19th September 2015

Born as a more future-proof alternative to improving the internal security subsystem

Community module, available via nightly builds

Delivers a subset of the full functionality: access/deny based on mix of user/layer/workspace/request

Integrated UI

Baby steps

FOSS4G 2015, Seoul14th-19th September 2015

Born as a more future-proof alternative to improving the internal security subsystem

Community module, available via nightly builds

Delivers a subset of the full functionality: access/deny based on mix of user/layer/workspace/request

Integrated UI

General Configuration

FOSS4G 2015, Seoul14th-19th September 2015

General Configuration (continued)

FOSS4G 2015, Seoul14th-19th September 2015

Creating rules

FOSS4G 2015, Seoul14th-19th September 2015

Rules list

FOSS4G 2015, Seoul14th-19th September 2015

Example 1

FOSS4G 2015, Seoul14th-19th September 2015

Example 1 – layer preview

FOSS4G 2015, Seoul14th-19th September 2015

Example 2

FOSS4G 2015, Seoul14th-19th September 2015

Example 2 – layer preview

FOSS4G 2015, Seoul14th-19th September 2015

TODO

FOSS4G 2015, Seoul14th-19th September 2015

Allow to edit LIMIT rules Force default style Limit attributes Filter contents Limit by area

Control writes at the rule level

Better/Easier way to re-order rules

Configuration of external database (now using embedded H2 in data dir, not cluster friendly)

Migrate old security system rules to GeoFence as possible

That’s all folks!

Questions?info@geo-solutions.it

FOSS4G 2015, Seoul14th-19th September 2015