

Mastering Security with GeoServer and GeoFence - FOSS4G EU 2025

The presentation will provide a comprehensive introduction to GeoServer's own authentication and authorization subsystems. The authentication part will cover the various supported authentication protocols (e.g. basic/digest authentication) and identity providers (such as local config files, databases, LDAP servers, OAuth2/OpenID), also covering cases in which the same source may play both roles (OAuth2, OpenID Connect).
It will explain how to combine various authentication mechanisms into a single comprehensive authentication tool, as well as provide examples of custom authentication plugins for GeoServer, integrating it into a home-grown security architecture. We’ll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with an external proxy-based solution. We will explain the default service and data security system, reviewing its benefits and limitations.

Finally, we’ll explore the advanced authorization provider, GeoFence. The different levels of integration with GeoServer will be presented, from the simple and seamless direct integration to the more sophisticated external setup. We’ll then explore GeoFence’s powerful authorization rules using:
- The current user and its roles.
- The OGC services, workspace, layer, and layer group.
- CQL read and write filters.
- Attribute selection.
- Cropping raster and vector data to areas of interest.


Simone Giannecchini

July 22, 2025

Transcript

  1. GeoSolutions
     - Enterprise Support Services, Deployment Subscription, Professional Training, Customized Solutions, GeoNode
     - Offices in Italy & US, global clients/team
     - 30+ collaborators, 25+ engineers
     - Our products
     - Our offer
  2. Affiliations
     - We strongly support Open Source, it is in our core
     - We participate in OGC testbeds and get funded to advance new open standards
     - We support standards critical to GEOINT
  3. Security system overview
     - GeoServer security system is based on Spring Security: extensible and pluggable by design!
     - Can be configured via:
       - Web administration interface
       - REST API (not all options are available, but growing)
     - Allows us to secure data, services and administration!
  4. Security system overview
     - GeoServer security offers both:
       - Authentication
       - Authorization
       - … and both are supported by vanilla GeoServer!
     - GeoServer security terminology:
       - Users
       - Groups
       - Roles
       - Data (layers and workspaces)
       - Services (operations as well)
  5. Security system overview
     - GeoServer authentication:
       - Encryption is supported
       - Basic/Digest auth is supported
       - Extensions offer other authentication mechanisms
     - GeoServer authorization is role based:
       - All security rules are defined against roles!
  6. Users, groups and roles
     - How do they relate to each other?
       - Users can exist on their own
       - Users can belong to one or more groups
       - Roles can exist on their own
       - Roles can be assigned to one or more users
       - Roles can be assigned to one or more groups
     - By default they are all stored inside the GeoServer data directory!
  7. Users, groups and roles
     - Extension points allow us to integrate with other providers:
       - User and group service
       - Role service
  8. Authentication mechanisms
     - Multiple authentication mechanisms may be active at the same time!
     - What we’re about to see:
       - Authentication chain, which contains
       - Authentication filters, which provide info to
       - Authentication provider
  9. Authorization mechanisms
     - We can define authorization rules for:
       - Services and operations
       - Workspace administration
       - Data (layers and layer groups) access
     - Remember, authorization rules are defined with roles!
     - These are the vanilla GeoServer capabilities!
     - GeoFence will extend these authorization capabilities!
  10. Securing our data
     - Catalog modes:
       - Hide:
         - Hides layers that the user does not have read access to
       - Challenge:
         - Allows free access to metadata
         - Data access will return an HTTP 401 code
       - Mixed:
         - We can talk about this one over a beer!
  11. Administration security rules
     - Similar to data rules, but we select the Admin access mode (only for workspaces!):
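The data and administration rules of slides 9 to 11 live in GeoServer's layers.properties. The following is an added example, not GeoServer's own code: a simplified model of how those rules resolve (most specific rule wins) and how the catalog mode changes what a user without read access sees; the sample file, role names and workspace are constructed.

```python
# Added example, not GeoServer's own code: a simplified model of how vanilla
# GeoServer resolves layers.properties rules. Keys are workspace.layer.mode,
# where mode is r (read), w (write) or a (workspace admin); values are roles.
# Constructed sample file (not from a real server):
LAYERS_PROPERTIES = """\
mode=HIDE
*.*.r=*
*.*.w=NO_ONE
topp.*.r=ROLE_STAFF,ROLE_ADMIN
topp.*.w=ROLE_ADMIN
topp.*.a=ROLE_STAFF
topp.secret.r=ROLE_ADMIN
"""

def parse_rules(text):
    """Return (catalog_mode, {(workspace, layer, access): set_of_roles})."""
    mode, rules = "HIDE", {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key == "mode":
            mode = value.strip().upper()
            continue
        workspace, layer, access = key.split(".")
        rules[(workspace, layer, access)] = {r.strip() for r in value.split(",")}
    return mode, rules

def granted_roles(rules, workspace, layer, access):
    """Most specific rule wins: exact layer, then workspace wildcard, then global."""
    for key in ((workspace, layer, access), (workspace, "*", access), ("*", "*", access)):
        if key in rules:
            return rules[key]
    return set()

def can_access(rules, roles, workspace, layer, access):
    """'*' grants everyone; NO_ONE matches nobody; otherwise match the user's roles."""
    granted = granted_roles(rules, workspace, layer, access)
    return "*" in granted or bool(granted & set(roles))

def catalog_view(mode, rules, roles, workspace, layer):
    """How a layer the user cannot read shows up, per catalog mode."""
    if can_access(rules, roles, workspace, layer, "r"):
        return "visible"
    if mode == "HIDE":
        return "hidden from capabilities"
    if mode == "CHALLENGE":
        return "listed; data requests get HTTP 401"
    return "mixed"  # MIXED: hidden in capabilities, direct data requests are challenged
```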
  12. GeoFence overview
     - Advanced authorization engine for GeoServer:
       - Replaces the GeoServer basic authorization
       - Rules can be stored either on H2 (good for learning) or on PostGIS (good for production)
       - Rules ordered by priority
  13. GeoFence data rules
     - Several parameters:
       - Username or role
       - IP address
       - Service and/or operation
       - Workspace, layer or layer group
     - Access to the data can be DENY, ALLOW or LIMIT
  14. GeoFence data rules (ALLOW)
     - ALLOW access enables the configuration of additional constraints on a layer!
     - A specific layer must be selected!
     - Fine grained control over the styles:
  15. GeoFence data rules (ALLOW)
     - CQL read and write filters
     - Spatial area filter
     - Control of attribute access:
       - None
       - Read
       - Write
  16. GeoFence data rules (LIMIT)
     - Limits apply if a rule allowing access to the resource already exists!
     - Unlike ALLOW, no need to select a layer!
     - Can be defined for layer groups and for an entire workspace.
     - LIMIT mode allows definition of:
       - Spatial filter (CLIP or INTERSECT)
       - Catalog mode
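Slides 12 to 16 describe how GeoFence resolves its priority-ordered DENY/ALLOW/LIMIT rules. The following added example is not GeoFence's own code but a simplified model of that resolution: the first matching ALLOW or DENY decides, and LIMIT rules (workspace-wide, no layer needed) are merged in only when an ALLOW exists. Field names, the sample rules, roles and layers are constructed assumptions.

```python
from dataclasses import dataclass
# Added example, not GeoFence's own code: a simplified model of how GeoFence
# resolves priority-ordered DENY/ALLOW/LIMIT rules. Field names are assumptions.
@dataclass
class Rule:
    priority: int
    access: str                 # "ALLOW", "DENY" or "LIMIT"
    role: str = None            # matching fields; None means "any"
    service: str = None
    workspace: str = None
    layer: str = None           # ALLOW details require a specific layer
    cql_read: str = None        # ALLOW only: CQL read filter
    attributes: tuple = None    # ALLOW only: readable attributes
    area: str = None            # LIMIT: WKT area, applied as CLIP or INTERSECT
    spatial_mode: str = "INTERSECT"
    catalog_mode: str = None    # LIMIT: HIDE / CHALLENGE / MIXED

    def matches(self, roles, service, workspace, layer):
        return ((self.role is None or self.role in roles)
                and self.service in (None, service)
                and self.workspace in (None, workspace)
                and self.layer in (None, layer))

def resolve(rules, roles, service, workspace, layer):
    """First matching ALLOW/DENY (by priority) decides; LIMIT rules met
    before it are merged into the answer only when that decision is ALLOW."""
    limits = []
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(roles, service, workspace, layer):
            continue
        if rule.access == "LIMIT":
            limits.append(rule)
        elif rule.access == "DENY":
            return {"access": "DENY"}
        else:  # ALLOW: layer constraints plus the limits collected so far
            areas = [(lim.spatial_mode, lim.area) for lim in limits if lim.area]
            modes = [lim.catalog_mode for lim in limits if lim.catalog_mode]
            return {"access": "ALLOW", "cql_read": rule.cql_read,
                    "attributes": rule.attributes, "areas": areas,
                    "catalog_mode": modes[-1] if modes else None}
    return {"access": "DENY"}  # nothing matched: GeoFence denies by default

# Constructed sample rules (not from a real deployment).
SAMPLE_RULES = [
    Rule(1, "LIMIT", role="ROLE_FIELD", workspace="topp", spatial_mode="CLIP",
         area="POLYGON((-10 40,-10 50,0 50,0 40,-10 40))", catalog_mode="HIDE"),
    Rule(2, "ALLOW", role="ROLE_FIELD", service="WMS", workspace="topp", layer="states",
         cql_read="PERSONS > 1000000", attributes=("STATE_NAME", "PERSONS")),
    Rule(3, "DENY", workspace="topp"),
]
```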
  17. GeoFence administration rules
     - GeoFence admin rules give access to UI configuration components
     - Admin rules can be defined by role and username
  18. Resource Access Manager interface
     - Built-in authorization and GeoFence are examples of this interface
     - You can build your own:
       - Use a custom database
       - Call out to an external service
       - Limit attributes, clip, filter, change styles and so on, just like GeoFence, with your own logic
  19. Key authentication module
     - Allows for a very simple authentication protocol for simple OGC services clients
     - Various key-to-user mappers:
       - Properties file
       - User property
       - Web service (key refresh)
     - Extension point to provide a custom mapper!
  20. Integration with OAuth2 (OpenID)
     - OpenID support is configurable as an authentication filter
     - The end points can be populated automatically if the discovery URL is available
     - We can retrieve the roles from the ID token claims!
  21. JWT headers module
     - Grab the user name and roles from either:
       - HTTP headers
       - JWT token
     - Meant to work in combo with Apache mod_auth_openidc
     - Diagram: Apache (mod_auth_openidc) in front of GeoServer, authenticating against an OIDC Provider and forwarding the OIDC_CLAIM_preferred_username and OIDC_CLAIM_roles headers and an Authorization: Bearer <JWT> header
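The last slide's setup has Apache (mod_auth_openidc) authenticate the user and pass identity to GeoServer as OIDC_CLAIM_* headers or as a bearer JWT. The following added example is not the GeoServer JWT headers module; it models that header-or-token lookup and adds the check a defender wants in such a deployment: the headers are only trusted when the request actually comes from the proxy. The trusted proxy address, the "roles" claim name and the unsigned sample token are constructed assumptions.

```python
import base64
import json

# Added example, not GeoServer's JWT headers module: derive (user, roles) from
# the OIDC_CLAIM_* headers set by mod_auth_openidc, or from the bearer JWT's
# claims. Header names follow the slide; the proxy address and the roles claim
# name are assumptions.
TRUSTED_PROXIES = {"10.0.0.5"}   # constructed: the Apache front-end only

def b64url_decode(segment):
    """JWTs use unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token):
    """Return the payload claims of a compact JWT (header.payload.signature).
    This only reads claims; signature validation is the proxy's job here, so
    the result must never be trusted unless the request came via that proxy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))

def principal_from_request(headers, remote_addr, roles_claim="roles"):
    """Pick (username, roles) from headers first, then from the bearer JWT.
    Returns None if the request did not arrive through the trusted proxy."""
    if remote_addr not in TRUSTED_PROXIES:
        return None   # otherwise any client could forge OIDC_CLAIM_* headers
    user = headers.get("OIDC_CLAIM_preferred_username")
    roles = headers.get("OIDC_CLAIM_roles")
    if user and roles:
        return user, [r.strip() for r in roles.split(",") if r.strip()]
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    claims = jwt_claims(auth[len("Bearer "):])
    return claims.get("preferred_username"), list(claims.get(roles_claim, []))

def make_sample_jwt(claims):
    """Build a constructed, unsigned test token (alg 'none') for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."
```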