[Geoserver-devel] Fine-grained entitlements

I’m trying to set up fine-grained security with Geoserver, but I can’t find a hook to intercept the request and modify it based on the user’s permission. For example, we sell access at the state or county level. I want to request a WMS layer, and have Geoserver only return features in the state or county I’ve purchased. I’ve got an entitlements server that gives the state or county names that the user can access. I just need to modify the query or results to narrow to that region.

Is this possible with Geoserver’s security? Has anyone tried doing this?

Thanks,
Ron

Ron Romero
Sr. Software Architect

On Wed, Jul 2, 2014 at 6:55 PM, Ron Romero <ron.romero@anonymised.com> wrote:

> I'm trying to set up fine-grained security with Geoserver, but I can't
> find a hook to intercept the request and modify it based on the user's
> permission. For example, we sell access at the state or county level. I
> want to request a WMS layer, and have Geoserver only return features in the
> state or county I've purchased. I've got an entitlements server that gives
> the state or county names that the user can access. I just need to modify
> the query or results to narrow to that region.
>
> Is this possible with Geoserver's security? Has anyone tried doing this?

We do this a lot with GeoFence (https://github.com/geosolutions-it/geofence).
You can do the same with your security backend by implementing a custom
ResourceAccessManager and plugging it in (e.g. declare it as a spring bean).

I guess you can use GeoFence's own resource access manager implementation
as a template to implement yours:
https://github.com/geosolutions-it/geofence/blob/master/src/geoserver/security/src/main/java/it/geosolutions/geofence/GeofenceAccessManager.java

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Thank you, that makes sense.

I’ve been looking deeper into our use case, and it turns out everything wanted can be done by filtering based on attributes on the feature.

So I would write a class that implements ResourceAccessManager and override getAccessLimits (I think the DataAccessLimits version). It would call the web service to get the attribute names and values to filter with. It would then filter out any entries that don’t match.

Does that sound right? Is there some easier way to do that?

Thanks again for your help,
Ron

On Tue, Jul 8, 2014 at 9:20 PM, Ron Romero <ron.romero@anonymised.com> wrote:

> Thank you, that makes sense.
>
> I've been looking deeper into our use case, and it turns out everything
> wanted can be done by filtering based on attributes on the feature.
>
> So I would write a class that implements ResourceAccessManager and
> override getAccessLimits (I think the DataAccessLimits version). It
> would call the web service to get the attribute names and values to
> filter with. It would then filter out any entries that don't match.
>
> Does that sound right? Is there some easier way to do that?

Nope, that's about right.
There have been some thoughts of exposing the ResourceAccessManager in the
script community modules, so that one can write a custom access manager in
jython, javascript, groovy and the like, but it has not materialized yet.

Cheers
Andrea

-------------------------------------------------------
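
One way to build the per-user read limits discussed in this thread, as an added example (not code from GeoServer, GeoFence or the posters). `EntitlementClient`, the attribute-to-values map and the OR semantics are assumptions; package names are those of the GeoServer 2.x / GeoTools releases of the thread's era, and the object returned by `limitsFor` is what the `DataAccessLimits` overload of `getAccessLimits` would hand back for a vector layer.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.geoserver.security.CatalogMode;
import org.geoserver.security.DataAccessLimits;
import org.geoserver.security.VectorAccessLimits;
import org.geotools.factory.CommonFactoryFinder;
import org.opengis.filter.Filter;
import org.opengis.filter.FilterFactory2;

/** Turns a user's entitlements into read limits for a vector layer. */
public class EntitlementLimits {

    /** Hypothetical client for the entitlements web service (not a GeoServer type). */
    public interface EntitlementClient {
        /** Attribute name -> permitted values, e.g. STATE_NAME -> {Texas} (assumed shape). */
        Map<String, Set<String>> allowedValues(String username) throws Exception;
    }

    private static final FilterFactory2 FF = CommonFactoryFinder.getFilterFactory2();
    private final EntitlementClient client;

    public EntitlementLimits(EntitlementClient client) {
        this.client = client;
    }

    public DataAccessLimits limitsFor(String username) {
        Filter read;
        try {
            read = toFilter(client.allowedValues(username));
        } catch (Exception e) {
            read = Filter.EXCLUDE; // fail closed: service error means no features
        }
        // null attribute lists leave attributes unrestricted; EXCLUDE denies all writes
        return new VectorAccessLimits(CatalogMode.HIDE, null, read, null, Filter.EXCLUDE);
    }

    /** Feature is readable if any entitled attribute/value pair matches (assumed OR semantics). */
    static Filter toFilter(Map<String, Set<String>> allowed) {
        List<Filter> any = new ArrayList<>();
        if (allowed != null) {
            for (Map.Entry<String, Set<String>> e : allowed.entrySet()) {
                for (String value : e.getValue()) {
                    // values go in as literals, never concatenated into a CQL string
                    any.add(FF.equals(FF.property(e.getKey()), FF.literal(value)));
                }
            }
        }
        return any.isEmpty() ? Filter.EXCLUDE : FF.or(any); // no entitlements: nothing
    }
}
```

Because the access manager is consulted on every request, caching the entitlement lookup per user with a short expiry keeps the web service off the rendering path.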