Hi, in that case, with the Geoserver services made public, anyone could delete my database table rows through WFS-T?

One solution could be isolating Geoserver and allowing the client to use it only through a proxy service in my app, which would be controlled by the Spring Security framework, right?

- mika -

P.S. Passing the question on to the geoserver users list.

On 1.12.2011 17:39, [email protected] wrote:
> Hi Mika, you should stay on the geoserver users list. You are missing
> the chance that another developer had the same problems and found a
> solution.
>
> Anyways, the situation is not easy. If I got you right, your web app
> uses spring security. Normally, web applications have different class
> loaders isolating classes loaded by one app from the others. This
> makes sense since you may need another version of spring security than
> geoserver.
>
> A clean solution may be to NOT use spring security in your web app and
> have all geoserver services public. (This is out of the box). Instead
> use the tomcat user/role service. You can protect a web app based on
> URL patterns. If you find a possibility to use the tomcat security
> module you will have no problems updating geoserver in the future.
>
> Look here for a starting point
> http://www.oxxus.net/tutorials/tomcat/security-realms
>
> Christian
>
> Quoting [email protected]:
>
>>
>> On Thu, 01 Dec 2011 15:11:32 +0100, [email protected] wrote:
>>> Quoting [email protected]:
>>>
>>>>
>>>> Hi Christian,
>>>> I once contacted you and asked advice on the issue mentioned on the
>>>> topic. I never replied to you, I am sorry.
>>>> Things come and go, but now I am facing the same challenge.
>>>>
>>>> I wrote an application which utilizes Geoserver services. The app is
>>>> mainly written in javascript but uses jsp-pages. I implemented Spring
>>>> Security 3 framework in order to create services, which are only
>>>> available for the authenticated users. For example only authenticated
>>>> users should be able to use WFS-T service. How that could be done? I
>>>> don't want to open WFS-T for everyone.
>>>> So can I somehow forward my
>>>> authentication/authorization rights to Geoserver which will be running
>>>> under the same Tomcat? Users database should be same for both.
>>>
>>> First, Justin and me are working on a new security architecture which
>>> we hope to get in for 2.2.x, but there is no planned date. This new
>>> architecture will make things easier, but there is a big chance that
>>> all the "dirty" tricks we try will not work for 2.2.x versions.
>>
>> Sounds interesting.
>>
>>>
>>> What do you mean with running under the same tomcat. I need some info
>>> before I can give some advice. Please answer the next questions
>>>
>>> Are there 2 java virtual machines running, one for your application
>>> and one for tomcat?
>>
>> As far as I understand, no.
>>
>>>
>>> Or is there only one VM running and you deployed two web
>>> applications, geoserver and your application ?
>>
>> Yep, that sounds right.
>>
>>>
>>> Or is there only one VM and one web application and your jsp pages
>>> run within the geoserver web application.
>>
>> Nope.
>>
>>>
>>> How do you communicate with geoserver. For java script, I assume you
>>> use urls, how do you communicate within your jsp pages. (URL or
>>> direct java calls)
>>
>> With URLs, I don't even know how to do that with direct calls (don't
>> know nothing about Geoserver (under hood))
>>
>>
>> thanks,
>> - mika -
>>
>>>
>>> Waiting for your answers :-)
>>> Christian
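
The proxy idea from the first message, sketched as an added example (not code from this thread or from GeoServer): WFS reads and writes arrive at the same service URL, so the gate inspects the `request` parameter and the XML root element and fails closed on anything it cannot classify. The role name `ROLE_EDITOR`, the function names and the sample request are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Operations treated as read-only; everything else (Transaction, LockFeature,
# GetFeatureWithLock, anything unrecognised) needs the writer role.
READ_OPS = {"getcapabilities", "describefeaturetype", "getfeature"}
WRITER_ROLE = "ROLE_EDITOR"  # hypothetical role name, an assumption


def wfs_operations(query_string, body=b""):
    """Collect every operation name the request carries; '?' marks an unreadable body."""
    ops = set()
    # KVP encoding: parameter names are case-insensitive, so normalise them.
    for key, values in parse_qs(query_string).items():
        if key.lower() == "request":
            ops.update(v.lower() for v in values)
    if body.strip():
        if b"<!DOCTYPE" in body.upper():
            ops.add("?")  # refuse DTDs rather than expand entities
        else:
            try:
                root = ET.fromstring(body)
                ops.add(root.tag.rsplit("}", 1)[-1].lower())  # drop the namespace
            except ET.ParseError:
                ops.add("?")
    return ops


def is_allowed(roles, query_string, body=b""):
    """Decide whether the proxy should forward this request to GeoServer."""
    ops = wfs_operations(query_string, body)
    if not ops:
        return False  # no operation found: fail closed
    if ops <= READ_OPS:
        return True  # every operation named is read-only
    return WRITER_ROLE in roles


# Constructed sample: a WFS-T delete posted as XML.
SAMPLE_TRANSACTION = b"""<wfs:Transaction service="WFS" version="1.1.0"
  xmlns:wfs="http://www.opengis.net/wfs"><wfs:Delete typeName="topp:roads"/></wfs:Transaction>"""
```

The gate only helps if GeoServer is reachable solely through the proxy; a request that names a read operation in the URL but carries a Transaction body is treated as a write.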
