Slide 1

Slide 1 text

Andrea Aime Emanuele Tajariol GeoSolutions Mastering Security with GeoServer and GeoFence

Slide 2

Slide 2 text

GeoSolutions Enterprise Support Services Deployment Subscription Professional Training Customized Solutions GeoNode • Offices in Italy & US, Global Clients/Team • 30+ collaborators, 25+ Engineers • Our products • Our Offer

Slide 3

Slide 3 text

Affiliations
We strongly support Open Source, it is in our core
We participate in OGC testbeds and get funded to advance new open standards
We support standards critical to GEOINT

Slide 4

Slide 4 text

GeoServer security overview

Slide 5

Slide 5 text

Security system overview
• The GeoServer security system is based on Spring Security: extensible and pluggable by design!
• Can be configured via:
  • WEB administration interface
  • REST API: not all options are available yet, but the coverage is growing
• Allows us to secure data, services and administration!

Slide 6

Slide 6 text

Security system overview
• GeoServer security offers both:
  • Authentication
  • Authorization
  • … and both are supported by vanilla GeoServer!
• GeoServer security terminology:
  • Users
  • Groups
  • Roles
  • Data: layers and workspaces
  • Services: operations as well

Slide 7

Slide 7 text

Security system overview
• GeoServer authentication:
  • Encryption is supported
  • Basic/Digest auth is supported
  • Extensions offer other authentication mechanisms
• GeoServer authorization is role based:
  • All security rules are defined against roles!

Slide 8

Slide 8 text

Users, groups and roles
• How do they relate to each other?
  • Users can exist on their own
  • Users can belong to one or more groups
  • Roles can exist on their own
  • Roles can be assigned to one or more users
  • Roles can be assigned to one or more groups
• By default they are all stored inside the GeoServer data directory!

Slide 9

Slide 9 text

Users, groups and roles
• Extension points allow us to integrate with other providers:
  • User and group services
  • Role services

Slide 10

Slide 10 text

Users, groups and roles

Slide 11

Slide 11 text

GeoServer authentication

Slide 12

Slide 12 text

Authentication mechanisms
• Multiple authentication mechanisms may be active at the same time!
• What we're about to see:
  • The authentication chain, which contains
  • Authentication filters, which extract credentials and hand them to
  • Authentication providers

Slide 13

Slide 13 text

Graphical overview (diagram: the list of filters that make up the auth chain)

Slide 14

Slide 14 text

Authentication filter
• A filter extracts credentials (headers, URL, query, form post, …)

Slide 15

Slide 15 text

Authentication chain

Slide 16

Slide 16 text

Authentication chain

Slide 17

Slide 17 text

Authentication provider
• Validates the credentials, checking that they are valid (or kicks you out)

Slide 18

Slide 18 text

GeoServer core authorization

Slide 19

Slide 19 text

Authorization mechanisms
• We can define authorization rules for:
  • Services and operations
  • Workspace administration
  • Data (layers and layer groups) access
• Remember: authorization rules are defined with roles!
• These are the vanilla GeoServer capabilities!
• GeoFence will extend these authorization capabilities!

Slide 20

Slide 20 text

Securing our services
• The most specific rules win

Slide 21

Slide 21 text

Securing our services

Slide 22

Slide 22 text

Securing our data
• The most specific rules win

Slide 23

Slide 23 text

Securing our data

Slide 24

Slide 24 text

Securing our data
• Catalog modes:
  • Hide:
    • Hides layers that the user does not have read access to
  • Mixed:
    • We can talk about this one over a beer!
  • Challenge:
    • Allows free access to metadata; data access will return an HTTP 401 code
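A worked example of the "most specific rule wins" resolution from the service and data slides, plus the effect of the catalog mode. This is an added illustration, not code from the presentation or from GeoServer itself: it parses rules in the documented layers.properties and services.properties syntax (`<workspace>.<layer>.<mode>=<roles>` and `<service>.<operation>=<roles>`) and resolves them the way the slides describe. The sample rule files, the "no rule means open" fallback and the MIXED behaviour (hidden in capabilities, challenged on direct access) are my assumptions for this example.

```python
"""Added example (not from the slides or GeoServer itself): a minimal evaluator
for GeoServer-style access rules that shows why "the most specific rule wins".

Assumed rule syntax (GeoServer's documented format, restated here):
  layers.properties    <workspace>.<layer>.<mode>=<roles>   mode: r (read), w (write), a (admin)
  services.properties  <service>.<operation>=<roles>
'*' as a name part is a wildcard; '*' as a role means everyone; NO_ONE is a
role nobody holds; 'mode=' in layers.properties selects the catalog mode.
"""
ADMIN_ROLE = "ROLE_ADMINISTRATOR"   # GeoServer's built-in administrator role, always allowed

# Constructed sample rule files (not taken from a real deployment).
LAYERS_PROPERTIES = """\
mode=HIDE
*.*.r=*
*.*.w=NO_ONE
topp.*.r=ROLE_TOPP
topp.*.w=ROLE_TOPP_EDITOR
topp.states.r=*
topp.states.w=ROLE_STATES_EDITOR
"""

SERVICES_PROPERTIES = """\
wfs.*=ROLE_WFS
wfs.GetFeature=ROLE_WFS,ROLE_READER
"""


def parse_properties(text):
    """Parse 'key=value[,value]' lines into {key: set(values)}; '#' starts a comment."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        rules[key.strip()] = {v.strip() for v in value.split(",") if v.strip()}
    return rules


def roles_permit(allowed_roles, user_roles):
    """True if one of the user's roles is in the rule's role list ('*' = everyone)."""
    user_roles = set(user_roles)
    if ADMIN_ROLE in user_roles or "*" in allowed_roles:
        return True
    return bool(allowed_roles & user_roles)   # NO_ONE never intersects a real role set


def layer_rule(rules, workspace, layer, mode):
    """Most specific rule wins: layer rule, then workspace rule, then the global one.
    Returns (matching key, allowed roles)."""
    for key in (f"{workspace}.{layer}.{mode}", f"{workspace}.*.{mode}", f"*.*.{mode}"):
        if key in rules:
            return key, rules[key]
    return None, {"*"}   # assumption for this example: no rule at all means open


def layer_allowed(rules, workspace, layer, mode, user_roles):
    return roles_permit(layer_rule(rules, workspace, layer, mode)[1], user_roles)


def service_rule(rules, service, operation):
    """An operation-level rule beats the service-wide wildcard rule."""
    for key in (f"{service}.{operation}", f"{service}.*"):
        if key in rules:
            return key, rules[key]
    return None, {"*"}   # an unlisted service/operation is not restricted


def service_allowed(rules, service, operation, user_roles):
    return roles_permit(service_rule(rules, service, operation)[1], user_roles)


def catalog_view(rules, workspace, layer, user_roles):
    """How the configured catalog mode treats a layer the user may not read.
    Returns (listed in capabilities?, outcome of a direct data request)."""
    if layer_allowed(rules, workspace, layer, "r", user_roles):
        return True, "data returned"
    mode = next(iter(rules.get("mode", {"HIDE"})))
    if mode == "HIDE":
        return False, "not found (layer behaves as if it did not exist)"
    if mode == "CHALLENGE":
        return True, "HTTP 401 challenge"
    return False, "HTTP 401 challenge"   # MIXED (assumption): hidden in capabilities, challenged on direct access


if __name__ == "__main__":
    L = parse_properties(LAYERS_PROPERTIES)
    S = parse_properties(SERVICES_PROPERTIES)
    anon = {"ROLE_ANONYMOUS"}
    for ws, lyr in (("topp", "states"), ("topp", "roads"), ("sf", "streams")):
        key, roles = layer_rule(L, ws, lyr, "r")
        print(f"{ws}:{lyr} read -> rule {key} {sorted(roles)}; anonymous sees {catalog_view(L, ws, lyr, anon)}")
    print("wfs GetFeature for ROLE_READER:", service_allowed(S, "wfs", "GetFeature", {"ROLE_READER"}))
    print("wfs Transaction for ROLE_READER:", service_allowed(S, "wfs", "Transaction", {"ROLE_READER"}))
```

Note how `topp.states.r=*` reopens a single layer inside a workspace that `topp.*.r=ROLE_TOPP` otherwise restricts: the layer-level key is checked first, so the workspace rule never gets a say for that layer. The same ordering is why a stray `*.*.w=*` left in a production file is dangerous only where no more specific write rule shadows it.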

Slide 25

Slide 25 text

Administration security rules
• Similar to data rules, but we select the Admin access mode (only for workspaces!):

Slide 26

Slide 26 text

Advanced authorization with GeoFence

Slide 27

Slide 27 text

GeoFence overview
• Advanced authorization engine for GeoServer:
  • Replaces the GeoServer basic authorization
  • Rules can be stored either on H2 (good for learning) or on PostGIS (good for production)
• Rules are ordered by priority

Slide 28

Slide 28 text

GeoFence data rules
• Several parameters:
  • Username or role
  • IP address
  • Service and/or operation
  • Workspace, layer or layer group
• Access to the data can be DENY, ALLOW or LIMIT

Slide 29

Slide 29 text

GeoFence data rules (ALLOW)
• ALLOW access enables the configuration of additional constraints on a layer!
• A specific layer must be selected!
• Fine grained control over the styles:

Slide 30

Slide 30 text

GeoFence data rules (ALLOW)
• CQL read and write filters
• Spatial area filter
• Control of attribute access:
  • None
  • Read
  • Write

Slide 31

Slide 31 text

GeoFence data rules (LIMIT)
• Limits apply only if a rule allowing access to the resource already exists!
• Unlike ALLOW, no need to select a layer!
• Can be defined for layer groups and for an entire workspace.
• LIMIT mode allows definition of:
  • Spatial filter (CLIP or INTERSECT)
  • Catalog mode
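A worked example of how priority-ordered GeoFence data rules combine DENY, ALLOW and LIMIT, covering the rule parameters from the "GeoFence data rules" slides and the LIMIT behaviour described above. This is an added illustration written for this page, not GeoFence's own code: the rule fields mirror the parameters the slides list (user or role, IP address, service/operation, workspace/layer), but the matching and merging logic is my simplification. In particular, the areas of several matching LIMIT rules are intersected as plain bounding boxes here (a real geometry engine would intersect polygons), and "no matching rule means DENY" is an assumption of this example.

```python
"""Added example (not from the slides or the GeoFence project): a simplified
evaluator for priority-ordered GeoFence-style data rules.

Semantics implemented here, as the slides describe them:
  - rules are walked in priority order;
  - a LIMIT rule only adds constraints, and only matters if an ALLOW follows;
  - the first ALLOW or DENY that matches decides.
Everything else (bounding boxes instead of geometries, intersection of several
LIMIT areas, DENY when nothing matches) is an assumption made for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

BBox = tuple   # (minx, miny, maxx, maxy); stands in for a real allowed-area geometry
EMPTY_AREA = (0.0, 0.0, 0.0, 0.0)


@dataclass(frozen=True)
class Rule:
    priority: int                # lower value = evaluated first
    access: str                  # "ALLOW", "DENY" or "LIMIT"
    user: str = "*"
    role: str = "*"
    ip_range: str = "*"          # CIDR such as "10.0.0.0/8", or "*"
    service: str = "*"           # e.g. "WMS", "WFS"
    request: str = "*"           # e.g. "GetMap"
    workspace: str = "*"
    layer: str = "*"             # LIMIT rules may leave this as "*" (whole workspace)
    allowed_area: Optional[BBox] = None   # LIMIT: spatial filter
    area_mode: Optional[str] = None       # LIMIT: "CLIP" or "INTERSECT"
    catalog_mode: Optional[str] = None    # LIMIT: "HIDE", "MIXED" or "CHALLENGE"


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    ip: str
    service: str
    request: str
    workspace: str
    layer: str


def _match(pattern, value):
    return pattern == "*" or pattern == value


def rule_matches(rule, req):
    """Every rule field is either the wildcard '*' or must equal the request's value."""
    return (
        _match(rule.user, req.user)
        and (rule.role == "*" or rule.role in req.roles)
        and (rule.ip_range == "*"
             or ipaddress.ip_address(req.ip) in ipaddress.ip_network(rule.ip_range))
        and _match(rule.service, req.service)
        and _match(rule.request, req.request)
        and _match(rule.workspace, req.workspace)
        and _match(rule.layer, req.layer)
    )


def bbox_intersection(a, b):
    """Intersect two allowed areas; None means 'no spatial limit yet'."""
    if a is None:
        return b
    if b is None:
        return a
    minx, miny = max(a[0], b[0]), max(a[1], b[1])
    maxx, maxy = min(a[2], b[2]), min(a[3], b[3])
    if minx >= maxx or miny >= maxy:
        return EMPTY_AREA   # disjoint limits: the user sees nothing
    return (minx, miny, maxx, maxy)


def evaluate(rules, req):
    """Walk the rules by priority and return {'access': ...} plus merged limits on ALLOW."""
    limits = {"area": None, "area_mode": None, "catalog_mode": None}
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule_matches(rule, req):
            continue
        if rule.access == "LIMIT":
            limits["area"] = bbox_intersection(limits["area"], rule.allowed_area)
            limits["area_mode"] = limits["area_mode"] or rule.area_mode
            limits["catalog_mode"] = limits["catalog_mode"] or rule.catalog_mode
            continue
        if rule.access == "DENY":
            return {"access": "DENY"}
        return {"access": "ALLOW", **limits}   # collected LIMITs take effect only here
    return {"access": "DENY"}   # assumption: nothing matched, deny by default


# Constructed sample rule set (not a real deployment).
RULES = [
    Rule(1, "DENY", role="ROLE_CONTRACTOR", workspace="topp", layer="restricted"),
    Rule(2, "LIMIT", role="ROLE_CONTRACTOR", workspace="topp",
         allowed_area=(-10.0, -10.0, 10.0, 10.0), area_mode="CLIP", catalog_mode="HIDE"),
    Rule(3, "LIMIT", ip_range="10.0.0.0/8", workspace="topp", allowed_area=(0.0, 0.0, 20.0, 20.0)),
    Rule(4, "ALLOW", role="ROLE_CONTRACTOR", service="WMS", workspace="topp"),
    Rule(5, "ALLOW", role="ROLE_ADMIN"),
]


def contractor(ip, service, request, layer):
    return Request("carol", frozenset({"ROLE_CONTRACTOR"}), ip, service, request, "topp", layer)


if __name__ == "__main__":
    print(evaluate(RULES, contractor("10.1.2.3", "WMS", "GetMap", "roads")))
    print(evaluate(RULES, contractor("192.168.1.5", "WMS", "GetMap", "roads")))
    print(evaluate(RULES, contractor("10.1.2.3", "WMS", "GetMap", "restricted")))
    print(evaluate(RULES, contractor("10.1.2.3", "WFS", "GetFeature", "roads")))
```

The WFS case is the one to remember: the contractor matches a LIMIT rule on the workspace, but no ALLOW covers WFS, so the outcome is DENY and the limit is simply dropped. A LIMIT never grants access on its own, which is the point the slide makes.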

Slide 32

Slide 32 text

GeoFence data rules (LIMIT)
• Stand-alone GeoFence allows us to draw the area:

Slide 33

Slide 33 text

GeoFence data rules (LIMIT)

Slide 34

Slide 34 text

GeoFence data rules (LIMIT) (figure: the CLIP and INTERSECTS spatial filter results side by side)

Slide 35

Slide 35 text

GeoFence administration rules
• GeoFence Admin rules give access to UI configuration components
• Admin rules can be defined by role and username

Slide 36

Slide 36 text

Roll your own auth*

Slide 37

Slide 37 text

Resource Access Manager interface
• Built-in authorization and GeoFence are examples of this interface
• You can build your own:
  • Use a custom database
  • Call onto an external service
  • Limit attributes, clip, filter, change styles and so on, just like GeoFence, with your own logic

Slide 38

Slide 38 text

Resource Access Manager interface (diagram: GeoServer with a custom A&A component in front of enterprise authentication, enterprise authorization and GIS data)

Slide 39

Slide 39 text

Other authentication plugins

Slide 40

Slide 40 text

Key authentication module
• Allows for a very simple authentication protocol for simple OGC service clients
• Various key-to-user mappers:
  • properties file
  • user property
  • web service (key refresh)
• Extension point to provide a custom mapper!

Slide 41

Slide 41 text

Integration with OAuth2 (OpenID)
• OpenID support is configurable as an authentication filter
• The endpoints can be populated automatically if the discovery URL is available
• We can retrieve the roles from the ID token claims!

Slide 42

Slide 42 text

JWT headers module
• Grab the user name and roles from either:
  • HTTP headers
  • JWT token
• Meant to work in combination with Apache mod_auth_openidc
Diagram labels: Apache, GeoServer, OIDC Provider, OIDC_CLAIM_preferred_username, OIDC_CLAIM_roles, Authorization (Bearer

Slide 43

Slide 43 text