Mastering Security with GeoServer and GeoFence (FOSS4G 2022 Edition)

The presentation will provide a comprehensive introduction to GeoServer's own authentication and authorization subsystems. 
The authentication part will cover the various supported authentication protocols (e.g. basic/digest authentication, CAS, OAuth2) and identity providers (such as local config files, database tables and LDAP servers). 
It will explain how to combine various authentication mechanisms in a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it in a home-grown security architecture.
We’ll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions. We will explain the default service and data security system, reviewing its benefits and limitations.
Finally we’ll explore the advanced authorization provider, GeoFence. The different levels of integration with GeoServer will be presented, from the simple and seamless direct integration to the more sophisticated external setup. We’ll close with GeoFence’s complex authorization rules using:

The current user and its roles.
The OGC services, workspace, layer, layer group.
CQL read and write filters.
Attribute selection.
Cropping raster and vector data to areas of interest.

Simone Giannecchini

August 31, 2022

  1. GeoSolutions
    • Offices in Italy & US, Global Clients/Team
    • 40+ collaborators, 30+ Engineers
    • Our products
      ◦ GeoNode
    • Our Offer
      ◦ Enterprise Support Services
      ◦ Deployment Subscription
      ◦ Professional Training
      ◦ Customized Solutions
  2. Affiliations
    • We strongly support Open Source, it is in our core
    • We actively participate in OGC working groups and get funded to advance new open standards
    • We support standards critical to GEOINT
  3. Security system overview
    • GeoServer security system is based on Spring Security: extensible and pluggable by design!
    • Can be configured via:
      ◦ Web administration interface
      ◦ REST API, not all options are available
    • Allows us to secure data, services and administration!
  4. Security system overview
    • GeoServer security offers both:
      ◦ Authentication
      ◦ Authorization
    • … and both are supported by vanilla GeoServer!
    • GeoServer security terminology:
      ◦ Users
      ◦ Groups
      ◦ Roles
      ◦ Data: layers and workspaces
      ◦ Services: operations as well
  5. Security system overview
    • GeoServer authentication:
      ◦ Encryption is supported
      ◦ Extensions offer other authentication mechanisms
    • GeoServer authorization is role based:
      ◦ All security rules are defined against roles!
  6. Users, groups and roles
    • How do they relate to each other?
      ◦ Users can exist on their own
      ◦ Users can belong to one or more groups
      ◦ Roles can exist on their own
      ◦ Roles can be assigned to one or more users
      ◦ Roles can be assigned to one or more groups
    • By default they are all stored inside the GeoServer data directory!
  7. Users, groups and roles
    • Extension points allow us to integrate with other providers:
      ◦ User and group service
      ◦ Role services
  8. Users, groups and roles
    • It is not only about where users, groups and roles are stored
    • Integration between systems!
      ◦ Three levels of integration
  9. Authentication mechanisms
    • Multiple authentication mechanisms may be active at the same time!
    • What’s an authentication mechanism? Let’s review the terminology:
      ◦ Authentication provider: authenticates using the provided data
      ◦ Authentication filter: retrieves the authentication information
      ◦ Authentication chain: defines what authentication filter is used for each endpoint
  10. Authorization mechanisms
    • We can define authorization rules for:
      ◦ Services and operations
      ◦ Workspaces administration
      ◦ Data (layers and layer groups) access
    • Remember: authorization rules are defined with roles!
    • These are the vanilla GeoServer capabilities!
    • GeoFence will extend these authorization capabilities!
  11. Securing our data
    • Catalog modes:
      ◦ Hide: hides layers that the user does not have read access to
      ◦ Mixed: hides the layers the user cannot read from the capabilities documents; triggers authentication for any other attempt
      ◦ Challenge: allows free access to metadata; data access will return an HTTP 401 code
  12. Administration security rules
    • Similar to data rules, but we select the Admin access mode (only for workspaces!):
  13. GeoFence overview
    • Advanced authorization engine for GeoServer:
      ◦ Acts at the access manager level
      ◦ Only one access manager at a time!
    • Available either as:
      ◦ An independent service with its own powerful UI; can apply rules per GeoServer instance
      ◦ Embedded in GeoServer
    • Rules can be stored either on H2 (default) or on PostGIS (additional configuration is needed)
  14. GeoFence data rules
    • Rules prioritization definition is supported
    • Several parameters:
      ◦ Username or role
      ◦ IP address
      ◦ Service and/or operation
      ◦ Workspace, layer or layer group
    • Access to the data can be DENY, ALLOW or LIMIT
  15. GeoFence data rules
    • Rules are shown ordered by priority:
      ◦ The lower the value, the higher the priority
  16. GeoFence data rules (ALLOW)
    • ALLOW access enables the configuration of additional constraints on a layer!
    • A specific layer must be selected!
    • Fine-grained control over the styles:
  17. GeoFence data rules (ALLOW)
    • CQL read and write filters
    • Spatial area filter
    • Control of attributes access:
      ◦ None
      ◦ Read
      ◦ Write
  18. GeoFence data rules (LIMIT)
    • Limits apply if a rule allowing access to the resource already exists!
    • Unlike ALLOW, no need to select a layer!
    • Can be defined for layer groups and for entire workspaces.
    • LIMIT mode allows definition of:
      ◦ Spatial filter (CLIP or INTERSECT)
      ◦ Catalog mode
  19. GeoFence administration rules
    • GeoFence Admin rules give access to UI configuration components
    • Admin rules can be defined by role and username
  20. Access manager extension point
    • For advanced use cases it’s relatively common to define a custom access manager:
      ◦ Authorize based on a specific value of a feature
      ◦ We need to retrieve the authorization rules from a third-party service
    • This makes the GeoServer authorization system integrable in complex enterprise architectures!
  21. Key authentication module
    • Allows for a very simple authentication protocol for simple OGC services clients
    • Various key-to-user mappers:
      ◦ Properties file
      ◦ User property
      ◦ Web service (key refresh)
    • Extension point to provide a custom mapper!
  22. Integration with OAuth2 (OpenID)
    • OpenID support is configurable as an authentication filter
    • The endpoints can be populated automatically if the discovery URL is available
    • We can retrieve the roles from the ID token claims!
  23. Integration with Keycloak
    • Copy and paste the JSON Keycloak config into the GeoServer filter configuration
    • GeoServer Keycloak integration provides:
      ◦ Keycloak Authentication Filter
      ◦ Keycloak Role Service
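
A simplified model of the GeoFence data rule evaluation described in slides 14 to 18, added here as an example; it is not GeoFence's own code. It assumes that matching LIMIT rules are collected until the first matching ALLOW or DENY decides, and that a request matching no rule is denied; the user, role, workspace, layer and address values are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    priority: int                    # lower value = higher priority
    access: str                      # "ALLOW", "DENY" or "LIMIT"
    user: Optional[str] = None       # None on any field means "any"
    role: Optional[str] = None
    ip_range: Optional[str] = None   # CIDR notation
    service: Optional[str] = None
    workspace: Optional[str] = None
    layer: Optional[str] = None
    area: Optional[str] = None       # LIMIT: name standing in for a geometry
    cql_read: Optional[str] = None   # ALLOW: CQL read filter

def matches(rule, req):
    role_ok = rule.role is None or rule.role in req["roles"]
    ip_ok = not rule.ip_range or ip_address(req["ip"]) in ip_network(rule.ip_range)
    return role_ok and ip_ok and all(getattr(rule, f) in (None, req[f])
                                     for f in ("user", "service", "workspace", "layer"))

def evaluate(rules, req):
    """Walk rules by priority; the first matching ALLOW or DENY decides."""
    areas = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not matches(rule, req):
            continue
        if rule.access == "LIMIT":   # restricts a later ALLOW, grants nothing itself
            areas.append(rule.area)
        elif rule.access == "ALLOW":
            return {"access": "ALLOW", "areas": areas, "cql_read": rule.cql_read}
        else:
            break
    return {"access": "DENY", "areas": [], "cql_read": None}  # assumed default: deny

# Constructed rule set; roles, workspace, layer and addresses are made up.
RULES = [
    Rule(10, "DENY", service="WFS", ip_range="203.0.113.0/24"),
    Rule(20, "LIMIT", role="ROLE_NORTH", workspace="topo", area="north_region"),
    Rule(30, "ALLOW", role="ROLE_EDITOR", layer="roads", cql_read="status = 'public'"),
    Rule(40, "ALLOW", role="ROLE_EDITOR", layer="roads"),  # shadowed by rule 30
    Rule(99, "DENY"),
]

def request(roles, ip="198.51.100.7", service="WMS"):
    return {"user": "alice", "roles": roles, "ip": ip, "service": service,
            "workspace": "topo", "layer": "roads"}
```

Rule 40 never takes effect because rule 30 matches the same requests at a higher priority, which is the kind of shadowing worth checking for when reviewing a rule list.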