[Geoserver-devel] About cloud native geoserver and security integrations

Gabe,

Question for you as I look at the spring-framework-6 update and rewriting OIDC support.

How does the cloud native geoserver spring boot setup handle security? Does it use the geoserver security system as is - or does it have to do something earlier at the “gateway” level that dispatches to micro services?

Jody Garnett

Okay in a case of RTFM:

Advanced ACL system is available through the project GeoServer ACL which offers the same capacities as GeoFence.

OAuth is available by using the geOrchestra Gateway in replacement of the GeoServer Cloud one.

So it uses an external security service for authorization (so each micro service can have a party), and trusts authentication from gateway responsible for dispatch.

Jody Garnett

Hi Jody,

For the most part, it uses GeoServer security as-is.

But it’s true the GeoServer OAuth2 plugins haven’t been integrated, and I didn’t want to, since Spring/Boot provide out of the box OAuth2/OIDC support.
For that reason, and in order to avoid duplication and keep the gscloud gateway as simple as possible, all our deployments that require OAuth2/OIDC have the georchestra gateway in front of the gscloud gateway.
That is not a full solution though, because for historical reasons, the georchestra gateway does perform the authentication, but then translates the username and roles to request headers. Hence I’m looking forward to the Spring 6 security upgrade, which means a Spring-Boot 3 upgrade for gscloud.

camptocamp

Gabriel Roldán
Geospatial Developer
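
The header hand-off described in this thread (the gateway authenticates, then passes username and roles to the services as request headers), as an added example that is not GeoServer Cloud or geOrchestra code. The header names, the `;` role separator and the shared-secret proof header are assumptions made for illustration; the point is that the gateway must strip client-supplied copies of these headers and the backend must accept them only from the gateway.

```python
import hmac

# Hypothetical header names, not taken from either gateway's configuration.
USER_HDR = "x-auth-username"
ROLES_HDR = "x-auth-roles"
PROOF_HDR = "x-gateway-proof"   # assumption: secret shared by gateway and services
IDENTITY_HDRS = {USER_HDR, ROLES_HDR, PROOF_HDR}


def gateway_forward(client_headers, principal, gateway_secret):
    """Gateway side: drop identity headers sent by the client, then set them
    from the principal the gateway itself authenticated (None = anonymous)."""
    out = {k.lower(): v for k, v in client_headers.items()
           if k.lower() not in IDENTITY_HDRS}
    if principal is not None:
        out[USER_HDR] = principal["username"]
        out[ROLES_HDR] = ";".join(principal["roles"])
        out[PROOF_HDR] = gateway_secret
    return out


def backend_identity(headers, gateway_secret):
    """Service side: trust the identity headers only when the request carries
    the gateway's proof; anything else is treated as anonymous."""
    h = {k.lower(): v for k, v in headers.items()}
    proof = h.get(PROOF_HDR, "")
    if not hmac.compare_digest(proof.encode(), gateway_secret.encode()):
        return ("anonymous", [])
    user = h.get(USER_HDR)
    if not user:
        return ("anonymous", [])
    roles = [r for r in h.get(ROLES_HDR, "").split(";") if r]
    return (user, roles)


# Constructed sample request: a client trying to pre-set the identity headers.
SPOOFED = {"X-Auth-Username": "admin", "X-Auth-Roles": "ADMINISTRATOR",
           "Accept": "image/png"}
SECRET = "constructed-sample-secret"

if __name__ == "__main__":
    # Unauthenticated client through the gateway: spoofed headers are stripped.
    print(backend_identity(gateway_forward(SPOOFED, None, SECRET), SECRET))
    # Authenticated user: the gateway's values replace whatever the client sent.
    alice = {"username": "alice", "roles": ["USER", "EDITOR"]}
    print(backend_identity(gateway_forward(SPOOFED, alice, SECRET), SECRET))
    # Request that bypassed the gateway entirely: no proof, so no identity.
    print(backend_identity(SPOOFED, SECRET))
```

In a real deployment the proof header would normally be replaced or backed by network isolation or mutual TLS between gateway and services.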
