Mika,
        I'd look to some of the reviews of different security options for
OWS, e.g. this http://2010.foss4g.org/presentations/3235.pdf from FOSS4G
2010.  Also, in the spirit of shameless self-promotion, a less complete and
somewhat derivative review:
http://smathermather.wordpress.com/2011/10/05/ogc-web-services-and-security/

Best,
Steve

Stephen Mather
Geographic Information Systems (GIS) Manager
(216) 635-3243
[email protected]
clevelandmetroparks.com
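The proxy approach discussed in the quoted thread below (isolate GeoServer,
let the web app act as a security proxy) needs one check that a plain
URL-pattern rule cannot make: WFS GetFeature and WFS-T Transaction both arrive
at the same path (/geoserver/wfs), and the operation is named either in the
KVP query string or in the XML request body. The following is an added
example, not code from this thread, from GeoServer or from Spring Security,
and it is in Python rather than Java so the logic can be run stand-alone; it
classifies an OGC request by operation and applies a fail-closed policy (read
operations forwarded for everyone, write operations only for an authenticated
user holding an editor role). The names OgcRequest, classify, authorize, the
role "ROLE_EDITOR" and the sample requests are assumptions made for the
example.

```python
"""Classify an OGC request by operation and decide whether a security proxy
may forward it to an isolated GeoServer.

Added example, not GeoServer or Spring Security code. Names, role and sample
requests are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs
import xml.etree.ElementTree as ET

# Operations that modify or lock data (WFS-T): authenticated editors only.
WRITE_OPERATIONS = {"transaction", "lockfeature", "getfeaturewithlock"}
# Read-only operations the proxy forwards for anonymous users.
READ_OPERATIONS = {"getcapabilities", "describefeaturetype", "getfeature",
                   "getmap", "getfeatureinfo", "getlegendgraphic"}
# Refuse oversized XML bodies before parsing (cheap entity-expansion defence;
# a production proxy should also use a hardened parser such as defusedxml).
MAX_BODY_BYTES = 1 << 20

# Constructed sample requests (not captured traffic).
SAMPLE_TRANSACTION = (
    b'<wfs:Transaction service="WFS" version="1.1.0"'
    b' xmlns:wfs="http://www.opengis.net/wfs" xmlns:ogc="http://www.opengis.net/ogc">'
    b'<wfs:Delete typeName="topp:states"><ogc:Filter>'
    b'<ogc:FeatureId fid="states.1"/></ogc:Filter></wfs:Delete></wfs:Transaction>'
)
SAMPLE_GETFEATURE = (
    b'<wfs:GetFeature version="1.1.0" xmlns:wfs="http://www.opengis.net/wfs">'
    b'<wfs:Query typeName="topp:states"/></wfs:GetFeature>'
)


@dataclass(frozen=True)
class OgcRequest:
    service: str    # "wfs" or "wms", lower-cased
    operation: str  # e.g. "transaction", lower-cased


def _kvp(query: str) -> dict:
    """Parse OGC key-value pairs; keys are case-insensitive, so normalise them."""
    return {k.lower(): v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def _from_xml(body: bytes) -> Optional[OgcRequest]:
    """Operation named by the root element of an XML-encoded OGC request."""
    if len(body) > MAX_BODY_BYTES:
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    # root.tag looks like "{http://www.opengis.net/wfs}Transaction".
    if root.tag.startswith("{"):
        ns, _, local = root.tag[1:].partition("}")
    else:
        ns, local = "", root.tag
    # WFS 1.x puts service="WFS" on the root; fall back to the namespace.
    service = root.attrib.get("service", "").lower()
    if not service:
        service = "wfs" if "/wfs" in ns else "wms" if "/wms" in ns else ""
    if not service:
        return None
    return OgcRequest(service, local.lower())


def classify(method: str, query: str, body: bytes = b"",
             content_type: str = "") -> Optional[OgcRequest]:
    """Return the operation a request carries, or None when it cannot be determined."""
    method = method.upper()
    ctype = content_type.lower()
    if method == "POST" and "xml" in ctype:
        return _from_xml(body)
    params = _kvp(query)
    if method == "POST" and "x-www-form-urlencoded" in ctype:
        params.update(_kvp(body.decode("utf-8", "replace")))
    service = params.get("service", "").lower()
    operation = params.get("request", "").lower()
    if not service or not operation:
        return None
    return OgcRequest(service, operation)


def authorize(req: Optional[OgcRequest], user: Optional[str], roles: frozenset) -> bool:
    """Fail closed: forward only what the policy explicitly allows."""
    if req is None:
        return False
    if req.operation in READ_OPERATIONS:
        return True
    if req.operation in WRITE_OPERATIONS:
        return user is not None and "ROLE_EDITOR" in roles
    return False


if __name__ == "__main__":
    anon = classify("GET", "service=WFS&version=1.1.0&request=GetFeature&typeName=topp:states")
    tx = classify("POST", "", SAMPLE_TRANSACTION, "text/xml")
    print("anonymous GetFeature forwarded:", authorize(anon, None, frozenset()))
    print("anonymous Transaction forwarded:", authorize(tx, None, frozenset()))
    print("editor Transaction forwarded:", authorize(tx, "mika", frozenset({"ROLE_EDITOR"})))
```

The point of the classifier is that the decision is made on the operation,
not on the path: a Tomcat security-constraint on /geoserver/wfs/* would either
block anonymous GetFeature too or let anonymous Transaction through. Whatever
sits behind the proxy must also be unreachable except via the proxy, as
Christian notes below, or the check is bypassed by calling GeoServer directly.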



-----Original Message-----
From: [email protected] [mailto:[email protected]] 
Sent: Friday, December 02, 2011 2:39 AM
To: [email protected]; [email protected]
Subject: Re: [Geoserver-users] Integrating Geoserver and application
security


 Maybe something like this, though then I wouldn't need Spring Security
 at all anymore..
 http://wiki.deegree.org/deegreeWiki/iGeoSecurity

 Maybe I could grab the proxy part out of that package.. I wouldn't want
 to build it all from scratch again.

 - mika -


 On Fri, 02 Dec 2011 06:04:48 +0100, [email protected] wrote:
> Quote from Mika Lehtonen <[email protected]>:
>
>> Hi,
>> in that case, with GeoServer services made public, anyone could delete my
>> database table rows through WFS-T?
>
> Not if you can protect WFS-T using URL patterns as described by the
> J2EE specification. But I am not sure that this works.
>
>>
>> One solution could be isolating GeoServer and allowing the client to use it
>> only through a proxy service in my app, which would be controlled by the
>> Spring Security framework, right?
>
> Yep, this will work. First, disable GeoServer security completely as
> described here:
> http://docs.geoserver.org/latest/en/user/security/sec_disable.html
>
> Second, isolate GeoServer from public access. If your webapp is taking
> the role of a security proxy, you can do anything you need. Good idea!!!
>
> Hope this helps
> Christian
>
>
>>
>> - mika -
>>
>> P.S. Passing the question into geoserver users list..
>>
>>
>> On 1.12.2011 17:39, [email protected] wrote:
>>> Hi Mika, you should stay on the GeoServer users list. You are
>>> missing the chance that another developer had the same problems and
>>> found a solution.
>>>
>>> Anyway, the situation is not easy. If I got you right, your web
>>> app uses Spring Security. Normally, web applications have different
>>> class loaders isolating classes loaded by one app from the others.
>>> This makes sense since you may need another version of Spring
>>> Security than GeoServer.
>>>
>>> A clean solution may be to NOT use Spring Security in your web app
>>> and have all GeoServer services public (this is out of the box).
>>> Instead, use the Tomcat user/role service. You can protect a web app
>>> based on URL patterns. If you find a possibility to use the Tomcat
>>> security module, you will have no problems updating GeoServer in the
>>> future.
>>>
>>> Look here for a starting point
>>> http://www.oxxus.net/tutorials/tomcat/security-realms
>>>
>>> Christian
>>>
>>> Quote from [email protected]:
>>>
>>>>
>>>>
>>>>
>>>> On Thu, 01 Dec 2011 15:11:32 +0100, [email protected] 
>>>> wrote:
>>>>> Quote from [email protected]:
>>>>>
>>>>>>
>>>>>> Hi Christian,
>>>>>> I once contacted you and asked advice on the issue mentioned in the
>>>>>> topic. I never replied to you, I am sorry.
>>>>>> Things come and go, but now I am facing the same challenge.
>>>>>>
>>>>>> I wrote an application which utilizes GeoServer services. The app is
>>>>>> mainly written in JavaScript but uses JSP pages. I implemented the
>>>>>> Spring Security 3 framework in order to create services which are only
>>>>>> available to authenticated users. For example, only authenticated
>>>>>> users should be able to use the WFS-T service. How could that be
>>>>>> done? I don't want to open WFS-T for everyone. So can I somehow forward
>>>>>> my authentication/authorization rights to GeoServer, which will be
>>>>>> running under the same Tomcat? The users database should be the same
>>>>>> for both.
>>>>>
>>>>> First, Justin and I are working on a new security architecture which
>>>>> we hope to get in for 2.2.x, but there is no planned date. This new
>>>>> architecture will make things easier, but there is a big chance that
>>>>> all the "dirty" tricks we try will not work for 2.2.x versions.
>>>>
>>>> Sounds interesting.
>>>>
>>>>>
>>>>> What do you mean by running under the same Tomcat? I need some info
>>>>> before I can give some advice. Please answer the next questions:
>>>>>
>>>>> Are there 2 Java virtual machines running, one for your application
>>>>> and one for Tomcat?
>>>>
>>>> As far as I understand, no.
>>>>
>>>>>
>>>>> Or is there only one VM running and you deployed two web
>>>>> applications, GeoServer and your application?
>>>>
>>>> Yep, that sounds right.
>>>>
>>>>>
>>>>> Or is there only one VM and one web application, and your JSP pages
>>>>> run within the GeoServer web application?
>>>>
>>>> Nope.
>>>>
>>>>>
>>>>> How do you communicate with GeoServer? For JavaScript, I assume you
>>>>> use URLs; how do you communicate within your JSP pages (URL or
>>>>> direct Java calls)?
>>>>
>>>> With URLs. I don't even know how to do that with direct calls (I don't
>>>> know anything about GeoServer under the hood).
>>>>
>>>>
>>>> thanks,
>>>> - mika -
>>>>
>>>>>
>>>>> Waiting for your answers :-)
>>>>> Christian
>>
>
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.


------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure 
contains a definitive record of customers, application performance, 
security threats, fraudulent activity, and more. Splunk takes this 
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users