$30 off During Our Annual Pro Sale. View Details »

Mastering Security with GeoServer and GeoFence (FOSS4G 2022 Edition)

Mastering Security with GeoServer and GeoFence (FOSS4G 2022 Edition)

The presentation will provide a comprehensive introduction to GeoServer's own authentication and authorization subsystems. 
The authentication part will cover the various supported authentication protocols (e.g. basic/digest authentication, CAS, OAuth2) and identity providers (such as local config files, database tables and LDAP servers). 
It will explain how to combine various authentication mechanisms in a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it in a home-grown security architecture.
We’ll then move on to authorization, describing the GeoServer pluggable authorization mechanism, and comparing it with proxy based solution. We will explain the default service and data security system, reviewing its benefits and limitations.
Finally we’ll explore the advanced authorization provider, GeoFence. The different levels of integration with GeoServer will be presented, from the simple and seamless direct integration to the more sophisticated external setup. Finally we’ll explore GeoFence’s complex authorization rules using:

The current user and its roles.
The OGC services, workspace, layer, layer group.
CQL read and write filters.
Attribute selection.
Cropping raster and vector data to areas of interest.

Simone Giannecchini

August 31, 2022

More Decks by Simone Giannecchini

Other Decks in Technology


  1. Nuno Oliveira Marco Volpini GeoSolutions Mastering Security with GeoServer and

  2. GeoSolutions Enterprise Support Services Deployment Subscription Professional Training Customized Solutions

    GeoNode • Offices in Italy & US, Global Clients/Team • 40+ collaborators, 30+ Engineers • Our products • Our Offer
  3. Affiliations We strongly support Open Source, it Is in our

    core We actively participate in OGC working groups and get funded to advance new open standards We support standards critical to GEOINT
  4. GeoServer security overview

  5. Security system overview • GeoServer security system is based on

    Spring Security: Extensible and pluggable by design! • Can be configured via: • WEB administration interface • REST API, not all options are available • Allows us to secure data, services and administration!
  6. Security system overview • GeoServer security offers both: • Authentication

    • Authorization • … and are supported by vanilla GeoServer! • GeoServer security terminology: • Users • Groups • Roles • Data Layers and Workspaces • Services Operations as well
  7. Security system overview • GeoServer authentication: • Encryption is supported

    • Extensions offer others authentication mechanisms • GeoServer authorization is role based: • All security rules are defined against roles!
  8. Users, groups and roles • How do they related to

    each other? • Users can exist on their own • Users can belong to one or more groups • Roles can exist on their own • Roles can be assigned to one or more users • Roles can be assigned to one or more groups • By default they are all stored inside GeoServer data directory!
  9. Users, groups and roles • Extension points allow us to

    integrate with other providers: • User and group service • Roles services
  10. Users, groups and roles

  11. Users, groups and roles • Is not only about where

    users, groups and roles are stored • Integration between systems!: • Three levels of integrations
  12. GeoServer authentication

  13. Authentication mechanisms • Multiple authentication mechanisms may be active at

    the same time! What’s an authentication mechanism? • Let’s review the terminology: • Authentication provider • Authenticates using the provided data • Authentication filter • Retrieves the authentication information • Authentication chain • Defines what authentication filter is used for each endpoint
  14. Authentication filters and providers

  15. Authentication provider

  16. Authentication filter

  17. Authentication chain • Binds incoming request URL and authentication filters:

  18. Authentication chain

  19. Authentication chain

  20. Authentication chain

  21. GeoServer authorization

  22. Authorization mechanisms • We can define authorization rules for: •

    Services and operations • Workspaces administration • Data (layers and layers groups) access • Remember authorization rules are defined with roles! • These are the Vanilla GeoServer capabilities! • GeoFence will extend these authorization capabilities!
  23. Securing our services • The less generic rules is always

    applied first!
  24. Securing our services

  25. Securing our data • The less generic rules is always

    applied first!
  26. Securing our data

  27. Securing our data • Challenge: • Allows free access to

    metadata Data access will return HTTP 401 code • Mixed: • Hides the layers the user cannot read from the capabilities documents triggers authentication for any other attempt • Catalog modes: • Hide: • Hides layers that the user does not have read access to
  28. Administration security rules • Similar to data rules, but we

    select the Admin access mode (only for workspaces!):
  29. Advanced authorization with GeoFence

  30. GeoFence overview • Advanced authorization engine for GeoServer: • Acts

    at the access manager level • Only one access manager per time! • Available either as: • A a independent service with its own powerful UI Can applies rules per GeoServer instance • Embedded in GeoServer • Rules can be stored either on h2 (default) or on PostGIS (additional configuration is needed)
  31. GeoFence data rules • Rules prioritization definition is supported •

    Several parameters: • Username or role • IP address • Service and | or operation • Workspace, layer or layer group • Access to the data can be DENY, ALLOW or LIMIT
  32. GeoFence data rules • Rules are shown ordered by priority:

    ◦ The lower the value, the higher the priority
  33. GeoFence data rules • Efficient caching of rules and users!

    • Cache control from Admin UI
  34. GeoFence data rules (ALLOW) • ALLOW access enables the configuration

    of additional constraints on a layer! • A specific layer must be selected! • Fine grained control over the styles:
  35. GeoFence data rules (ALLOW) • CQL read and write filters

    • Spatial area filter • Control of attributes access: • None • Read • Write
  36. GeoFence data rules (LIMIT) • Limits applies if a rule

    allowing access to the resource already exists! • Unlike ALLOW No need to select a layer! • Can be defined for Layer Groups and for an entire Workspaces. • LIMIT mode allow definition of: • Spatial Filter (CLIP or INTERSECT) • Catalog mode
  37. GeoFence data rules (LIMIT) • Stand alone GeoFence allow us

    to draw the area:
  38. GeoFence data rules (LIMIT)

  39. GeoFence data rules (LIMIT) CLIP INTERSECTS

  40. GeoFence administration rules • GeoFence Admin rule give access to

    UI configuration components • Admin Rules can be defined by Role and Username
  41. Access manager extension point • For advanced use cases it’s

    relatively common to define a custom access manager: • Authorized based on a specific value of a feature • We need to retrieve the authorization rules from a third party service • This makes GeoServer authorization system integrable in complex enterprise architectures!
  42. Advanced integrations highlights

  43. Key authentication module • Allows for a very simple authentication

    protocol for simple OGC services clients • Various Key to User mappers: • properties file • user property • web service (key refresh) • Extension point to provide custom mapper!
  44. Integration with OAuth2 (OpenID) • OpenId support is configurable as

    an authentication filter • The end points can be populated automatically if the discovery URL is available • We can retrieve the roles from the ID token claims!
  45. Integration with Keycloak • Copy paste the JSON Keycloak config

    on the GeoServer filter configuration • GeoServer Keycloak integration provides: • Keycloak Authentication Filter • Keycloak Role Service
  46. The End Questions? nuno.oliveira@geosolutionsgroup.com marco.volpini@geosolutionsgroup.com info@geosolutionsgroup.com