Using geofence download that matches geoserver 2.7.2 right now...

I'm running into more and more situations where it becomes necessary for me to 
repeat the same layer details on multiple geofence rules.  I can see that 
certain rule-strategies lead to that unnecessarily.  And yet for some problems 
it seems essential.  This is a setup/maintenance burden because I have an 
extensive set of visibility or read-only settings for layer attributes.

Here's an example:
Assume LayerA that I want to provide access to GroupA.  I can create an ALLOW 
rule for the layer that restricts access to just that group.  On that rule I 
can specify all the layer details.

But recognize that I really need to provide unauthenticated access to 
DescribeFeatureType for this layer (that's because GeoTools, at least, will 
send such a request while parsing XML; otherwise you get an 
org.xml.sax.SAXException).  That's not much of a security hole I guess since 
you have to know the layer name to execute DescribeFeatureType, and you don't 
get back any feature data from that.

So in addition to the ALLOW rule for LayerA that's specific to GroupA, now I 
need another ALLOW rule that lets any user execute DescribeFeatureType on the 
layer.

Since my layer wants to expose only certain attributes, I need to repeat (at 
least the NONE selections on attributes) in both rules for LayerA.

Other cases that are a bit more convoluted lead to a similar problem - repeated 
layer details.

Of course it's essential that you be able to have distinct layer details too.  
But it seems like it would be good to be able to share rules.

I'm thinking that geotools could maybe let the user set up named layer-details 
settings.  Then on a given rule you could enter the settings explicitly as 
now-provided, or you could simply select from your list of named layer details.

Are there better ways to solve this problem?  Would this be a good feature for 
geofence to have?

Thanks - Walter Stovall
------------------------------------------------------------------------------
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
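
Added example, not part of the original post and not GeoFence code: a consistency check for the duplication the message describes, flagging attributes whose access setting differs between ALLOW rules on the same layer. The rule dictionaries, field names and the `internal_notes` attribute are a simplified, hypothetical model with constructed sample data, not GeoFence's own format.

```python
from collections import defaultdict

# Constructed sample rules in a simplified, hypothetical model (not GeoFence's
# own export format). A group or request of None means "any".
RULES = [
    {"id": 1, "layer": "LayerA", "group": "GroupA", "request": None,
     "access": "ALLOW",
     "attributes": {"geom": "READWRITE", "name": "READONLY",
                    "internal_notes": "NONE"}},
    {"id": 2, "layer": "LayerA", "group": None,
     "request": "DescribeFeatureType", "access": "ALLOW",
     # internal_notes was missed when the details were copied by hand
     "attributes": {"geom": "READWRITE", "name": "READONLY"}},
    {"id": 3, "layer": "LayerB", "group": "GroupB", "request": None,
     "access": "ALLOW", "attributes": {"geom": "READONLY"}},
]

def find_detail_drift(rules):
    """Return [(layer, attribute, {rule_id: access})] for every attribute whose
    access setting differs between ALLOW rules on the same layer."""
    by_layer = defaultdict(list)
    for rule in rules:
        if rule["access"] == "ALLOW":
            by_layer[rule["layer"]].append(rule)

    findings = []
    for layer, layer_rules in sorted(by_layer.items()):
        if len(layer_rules) < 2:
            continue  # details were not duplicated, so they cannot drift
        names = sorted({a for r in layer_rules for a in r["attributes"]})
        for attr in names:
            # "UNSET" marks an attribute that a rule does not mention at all
            seen = {r["id"]: r["attributes"].get(attr, "UNSET")
                    for r in layer_rules}
            if len(set(seen.values())) > 1:
                findings.append((layer, attr, seen))
    return findings

def hidden_but_exposed(findings):
    """Drift where one rule hides the attribute (NONE) and another does not."""
    return [f for f in findings if "NONE" in f[2].values()]

if __name__ == "__main__":
    for layer, attr, seen in hidden_but_exposed(find_detail_drift(RULES)):
        print(f"{layer}.{attr}: settings differ across rules {seen}")
```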
