Cameron Shorter wrote:
> What level of authorization has been implemented?
What do you mean by level? At the moment in the acegi branch we
do have basic authentication and form-based authentication.
Other means can be added, like certificates, digest
authentication and the like.
> I assume I can set user roles against a WFS installation.
Yeah, authentication is role based
> Can I set read/write restrictions on a layer?
Not at the moment. The security in the acegi
prototype branch is based on two files, user.properties
and service.properties:
user.properties: (user=password,role1,...,roleN)
admin=geoserver,ROLE_ADMINISTRATOR
wfst=wfst,ROLE_WFS_READ,ROLE_WFS_WRITE
wfs=wfs,ROLE_WFS_READ
service.properties: (service[.method]=role1,...,roleN)
wfs.GetFeature=ROLE_WFS_READ
wfs.Transaction=ROLE_WFS_WRITE
You get to do something if you have one of the roles
listed in the service.properties, so for the moment
we can distinguish read and write (method is optional,
so you can lock a service without listing all its
methods).
Yet, it would not be difficult to add a third file,
data.properties, and have a list of
namespace[.featuretype][.read/write]=role1,...,roleN
that lists the roles that can do a certain action
on the data.
I think I would like to add some query based file
too, so that you can specify that certain roles
can access only a certain subset of the data.
Something like:
namespace[.featuretype].role1.roleN=p1,...,pN,cql_filter
where p1,...,pN are properties, and cql_filter is
a filter expressed in CQL syntax (just because it's
more compact and expressive than the OGC Filter one).
> How do I manage the roles? Is there a web page or similar I can use to manage users and their roles?
No, and I won't make one until we switch to Wicket. I had my big
enough share of curses with Struts. At the moment you can configure
the prototype with a set of plain text property files (with
passwords in clear text, encrypting them will require a UI
that can deal with the files first).
Hope this helps
Cheers
Andrea
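To make the two-file scheme above concrete, here is an added example (written for this note, not code from the acegi branch) that parses user.properties and service.properties in the layout Andrea describes and evaluates a request against them. The bare `wms` entry is constructed, and the "most specific key wins, anything unlisted is denied" rule is an assumption the mail does not state.

```python
import hmac
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample files, laid out as the mail describes them.
# Note that user.properties holds each password in clear text.
USER_PROPERTIES = """
admin=geoserver,ROLE_ADMINISTRATOR
wfst=wfst,ROLE_WFS_READ,ROLE_WFS_WRITE
wfs=wfs,ROLE_WFS_READ
"""
# The bare "wms" entry (constructed here, not on the page) locks the
# whole service without listing its methods, as the mail says is possible.
SERVICE_PROPERTIES = """
wfs.GetFeature=ROLE_WFS_READ
wfs.Transaction=ROLE_WFS_WRITE
wms=ROLE_WMS_READ
"""


def _entries(text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (key, [values]) for each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, rest = line.partition("=")
            yield key.strip(), [v.strip() for v in rest.split(",") if v.strip()]


def parse_users(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """user=password,role1,...,roleN  ->  {user: (password, [roles])}"""
    return {key: (vals[0], vals[1:]) for key, vals in _entries(text)}


def parse_services(text: str) -> Dict[str, List[str]]:
    """service[.method]=role1,...,roleN  ->  {key: [roles]}"""
    return dict(_entries(text))


def authenticate(users: Dict[str, Tuple[str, List[str]]],
                 name: str, password: str) -> Optional[List[str]]:
    """Return the user's roles when the password matches, else None."""
    entry = users.get(name)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return entry[1]


def is_authorized(roles: List[str], services: Dict[str, List[str]],
                  service: str, method: str) -> bool:
    """Grant if the caller holds any role listed for service.method or,
    failing that, for the bare service key. Assumption: the more specific
    key wins, and a request with no matching key at all is denied."""
    for key in (f"{service}.{method}", service):
        if key in services:
            return any(role in services[key] for role in roles)
    return False
```

Run against the sample files, the admin account holds only ROLE_ADMINISTRATOR, which no service line lists, so under the rule as stated it gets no WFS access.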