I think you are on the right track. I can imagine the following architecture.

1) Create a new servlet in your app; this servlet plays the role of
the secure proxy.
2) Within your Java Server Pages, forward geoserver requests to the
above servlet.
3) Within the servlet, you have access to the authenticated object of
spring security (spring security uses a thread local variable). The
authenticated object has its roles attached. You have the roles, the
request and the request parameters and can make access allowed/denied
decisions.

Christian
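
One way to write the proxy servlet from steps 1-3, as an added example (not code from this thread or from GeoServer). It assumes Servlet 3.0+ and Spring Security 3 on the classpath; the class name, the internal GeoServer URL and the ROLE_EDITOR role are hypothetical placeholders. The upstream URL is fixed in the servlet, so the client only ever supplies the query string and body.

```java
import java.io.*;
import java.net.*;
import java.util.*;
import javax.servlet.http.*;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.*;
import org.springframework.security.core.context.SecurityContextHolder;

public class GeoServerProxyServlet extends HttpServlet {
    // Assumed values: internal-only GeoServer address and the role allowed to write.
    private static final String GEOSERVER_WFS = "http://127.0.0.1:8080/geoserver/wfs";
    private static final String EDIT_ROLE = "ROLE_EDITOR";
    private static final List<String> READ_OPS = Arrays.asList("getcapabilities", "describefeaturetype", "getfeature");
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Spring Security exposes the current user through a thread-local context.
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth instanceof AnonymousAuthenticationToken) { resp.sendError(401); return; }
        boolean isGet = "GET".equals(req.getMethod());
        if (!isGet && !"POST".equals(req.getMethod())) { resp.sendError(405); return; }
        boolean editor = false;
        for (GrantedAuthority a : auth.getAuthorities()) editor |= EDIT_ROLE.equals(a.getAuthority());
        // Default deny: a POST body may carry a WFS-T Transaction, so only allowlisted GETs count as reads.
        if (!(isGet && READ_OPS.contains(operation(req))) && !editor) { resp.sendError(403); return; }
        String qs = req.getQueryString() == null ? "" : "?" + req.getQueryString();
        HttpURLConnection up = (HttpURLConnection) new URL(GEOSERVER_WFS + qs).openConnection();
        up.setRequestMethod(req.getMethod());
        if (!isGet) {
            up.setDoOutput(true);
            if (req.getContentType() != null) up.setRequestProperty("Content-Type", req.getContentType());
            copy(req.getInputStream(), up.getOutputStream());
        }
        resp.setStatus(up.getResponseCode());
        if (up.getContentType() != null) resp.setContentType(up.getContentType());
        InputStream body = up.getResponseCode() >= 400 ? up.getErrorStream() : up.getInputStream();
        if (body != null) copy(body, resp.getOutputStream());
    }
    // OGC KVP names are case-insensitive; a repeated "request" key is ambiguous and never treated as a read.
    private static String operation(HttpServletRequest req) {
        String op = null;
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            if (!"request".equalsIgnoreCase(e.getKey())) continue;
            if (op != null || e.getValue().length != 1) return "";
            op = e.getValue()[0].toLowerCase(Locale.ROOT);
        }
        return op == null ? "" : op;
    }
    private static void copy(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
    }
}
```

The servlet only enforces anything if GeoServer itself is unreachable from outside, as the quoted reply below says; map it in web.xml under a URL that the Spring Security filter chain covers so the thread-local context is populated.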



Quoting [email protected]:

>
> Maybe something like this, though then I wouldn't need spring security
> at all anymore..
> http://wiki.deegree.org/deegreeWiki/iGeoSecurity
>
> Maybe I could grab the proxy part out of that package.. I wouldn't want
> to build it all from scratch again.
>
> - mika -
>
>
> On Fri, 02 Dec 2011 06:04:48 +0100, [email protected] wrote:
>> Quoting Mika Lehtonen <[email protected]>:
>>
>>> Hi,
>>> in that case, Geoserver services made public, anyone could delete my
>>> database table rows through wfs-t?
>>
>> Not if you can protect wfs-t using url patterns as described by the
>> J2EE specification. But I am not sure that this works.
>>
>>>
>>> One solution could be isolating geoserver and allowing client to use it
>>> only through proxy service in my app, that would be controlled by the
>>> spring security framework, right?
>>
>> Yep, this will work. First disable geoserver security completely as
>> described here
>> http://docs.geoserver.org/latest/en/user/security/sec_disable.html
>>
>> Second isolate geoserver from public access. If your webapp is taking
>> the role of a security proxy, you can do anything you need. Good idea
>> !!!
>>
>> Hope this helps
>> Christian
>>
>>
>>>
>>> - mika -
>>>
>>> P.S. Passing the question into geoserver users list..
>>>
>>>
>>> 1.12.2011 17:39, [email protected] wrote:
>>>> Hi Mika, you should stay on the geoserver users list. You are
>>>> missing the chance that another developer had the same problems
>>>> and found a solution.
>>>>
>>>> Anyways, the situation is not easy. If I got you right, your web
>>>> app uses spring security. Normally, web applications have
>>>> different class loaders isolating classes loaded by one app from
>>>> the others. This makes sense since you may need another version
>>>> of spring security than geoserver.
>>>>
>>>> A clean solution may be to NOT use spring security in your web
>>>> app and have all geoserver services public. (This is out of the
>>>> box). Instead use the tomcat user/role service. You can protect
>>>> a web app based on URL patterns. If you find a possibility to
>>>> use the tomcat security module you will have no problems
>>>> updating geoserver in the future.
>>>>
>>>> Look here for a starting point
>>>> http://www.oxxus.net/tutorials/tomcat/security-realms
>>>>
>>>> Christian
>>>>
>>>> Quoting [email protected]:
>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, 01 Dec 2011 15:11:32 +0100, [email protected] wrote:
>>>>>> Quoting [email protected]:
>>>>>>
>>>>>>>
>>>>>>> Hi Christian,
>>>>>>> I once contacted you and asked advice on the issue mentioned on the
>>>>>>> topic. I never replied to you, I am sorry.
>>>>>>> Things come and go, but now I am facing the same challenge.
>>>>>>>
>>>>>>> I wrote an application which utilizes Geoserver services. The app is
>>>>>>> mainly written in javascript but uses jsp-pages. I implemented Spring
>>>>>>> Security 3 framework in order to create services, which are only
>>>>>>> available for the authenticated users. For example only authenticated
>>>>>>> users should be able to use WFS-T service. How that could be done? I
>>>>>>> don't want to open WFS-T for everyone. So can I somehow forward my
>>>>>>> authentication/authorization rights to Geoserver which will be running
>>>>>>> under the same Tomcat? Users database should be same for both.
>>>>>>
>>>>>> First, Justin and me are working on a new security architecture which
>>>>>> we hope to get in for 2.2.x, but there is no planned date. This new
>>>>>> architecture will make things easier, but there is a big chance that
>>>>>> all the "dirty" tricks we try will not work for 2.2.x versions.
>>>>>
>>>>> Sounds interesting.
>>>>>
>>>>>>
>>>>>> What do you mean with running under the same tomcat? I need some info
>>>>>> before I can give some advice. Please answer the next questions.
>>>>>>
>>>>>> Are there 2 java virtual machines running, one for your application
>>>>>> and one for tomcat?
>>>>>
>>>>> As far as I understand, no.
>>>>>
>>>>>>
>>>>>> Or is there only one VM running and you deployed two web
>>>>>> applications, geoserver and your application?
>>>>>
>>>>> Yep, that sounds right.
>>>>>
>>>>>>
>>>>>> Or is there only one VM and one web application and your jsp pages
>>>>>> run within the geoserver web application?
>>>>>
>>>>> Nope.
>>>>>
>>>>>>
>>>>>> How do you communicate with geoserver? For java script, I assume you
>>>>>> use urls; how do you communicate within your jsp pages? (URL or
>>>>>> direct java calls)
>>>>>
>>>>> With URLs, I don't even know how to do that with direct calls (don't
>>>>> know nothing about Geoserver (under hood))
>>>>>
>>>>>
>>>>> thanks,
>>>>> - mika -
>>>>>
>>>>>>
>>>>>> Waiting for your answers :-)
>>>>>> Christian
>>>
>>
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>
>



_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
