[Geoserver-devel] Some amendments to the per layer security proposal

Hi,
so we gathered some feedback on how the per layer
security was implemented and some changes are needed.
They do not change the contents of the proposal, but
the way it is implemented, in particular, the proposal
was not complete on

The current approach (let's call it HIDE) assumes the
user authenticated himself before doing any
business with the server, and the server in turn
lets her see only the layers that
she's authorized to see, and pretends layers that
she can only access read only to really be read only.
That is, capabilities don't list the layers that you
can't access to, direct access returns a service exception
stating the layer is not there, direct write on a layer
where you have no write access states the layer is not
writable. No where the server says you should authenticate
of change your authentication to perform the operation
that failed.
This works fine from a security point of view, you cannot
even infer the layers are there, but has quite some issues
with standard clients such as uDig, or Google Earth,
since they do not allow you to authenticate preventively
and assess your authentication went fine. They are made
to react to a 401, only then they will present an
authentication dialog.

So for those clients a different approach is needed,
one where the capabilities do contain all the layers,
and where you get a 401 when you try to use a layer
you don't have clearance for. Let's call this approach
CHALLENGE.

Unfortunately none of the above suits the needs of
the organisation sponsoring the "per layer security"
work. They need a half in between, which I'll call
MIXED, in which the capabilities do contain only
what you're supposed to see with the current authentication
(if any), but direct access to a layer (one that was
not in the capabilities) triggers a 401 and makes the
client (in their case, OL or Google Eearth) ask for
an authentication.
In this case they don't want the world to see the
list of layers actually available, but they do want
people with direct link be able to use them from
GE in a way that makes GE trigger an authentication
request.

So it seems that for various reasons I'll have to
implement all three behaviour. HIDE is already there,
CHALLENGE is needed for capabilities driven clients
to work, MIXED is what the sponsoring organisation needs.
Of course the code to handle the three options is
becoming quite a bit hairy but... I'm not seeing
any escape route.

I'm going to commit the changes as soon as I'm done
for you to look at, and I'm open to suggestions
and of course reviews.

Cheers
Andrea

Andrea Aime ha scritto:

Hi,
so we gathered some feedback on how the per layer
security was implemented and some changes are needed.
They do not change the contents of the proposal, but
the way it is implemented, in particular, the proposal
was not complete on

was not complete on the way the server is supposed
to react to a user attemping to access a layer that
is not among the ones she can access.

(sorry for missing this part)

Cheers
Andrea

Andrea, thought I'd chime in from MassGIS on what we're looking for in
security.

We are currently serving 602 layers. 99% of them are public, meaning full
access.
We would not want any need for authentication to see or use these layers.
We want users to be able to use these layers in as many clients as possible
(ArcMap, uDig, OpenLayers, Google maps, etc).

There are a few layers for which we hide certain fields, this already can be
done.

There are a few layers for which we limit WFS features, this already can be
done. (make the user work with one feature at a time).

There are a few layers which I haven't loaded into GeoServer yet because I
would like only certain users to access them. I don't think we care if
people know that they exist (see them in a GetCapabilities) (although if
they didn't, that would be a plus), but the key is that only authorized
users can do WMS/WFS with these layers. Maybe we fall in the MIXED category
then.

There are few layers that are editable and we'd like to set up authorization
so that only certain users can edit these layers.

--
View this message in context: http://www.nabble.com/Some-amendments-to-the-per-layer-security-proposal-tp18321497p18363936.html
Sent from the GeoServer - Dev mailing list archive at Nabble.com.

aleda_freeman ha scritto:

Andrea, thought I'd chime in from MassGIS on what we're looking for in
security.

Nice, thank you for tyour feedback :slight_smile:

We are currently serving 602 layers. 99% of them are public, meaning full
access.
We would not want any need for authentication to see or use these layers.

Ok, this is covered.

We want users to be able to use these layers in as many clients as possible
(ArcMap, uDig, OpenLayers, Google maps, etc).

Besides ArcMap that we cannot test because we don't own any license, the
others should be working.

There are a few layers for which we hide certain fields, this already can be
done.

How did you do that, creating views in the database?

There are a few layers for which we limit WFS features, this already can be
done. (make the user work with one feature at a time).

And this one, how did you do it? Is it just setting a maxFeatures limit or is that a filter?

There are a few layers which I haven't loaded into GeoServer yet because I
would like only certain users to access them. I don't think we care if
people know that they exist (see them in a GetCapabilities) (although if
they didn't, that would be a plus), but the key is that only authorized
users can do WMS/WFS with these layers. Maybe we fall in the MIXED category
then.

Since you don't care strongly if people see they are there, CHALLENGE or
MIXED should both work for you.

There are few layers that are editable and we'd like to set up authorization
so that only certain users can edit these layers.

Per layer security will suit that need as well. The only significant limitation as of now is that we're not switching to HTTPS when authentication is needed, so the username/password travel over then
net in hashed format and can be sniffed and decrypted easily.

However, I'm not sure how many web containers do support HTTPS
out of the box (without config) and how many existing users with
proxies I'm going to bust if I enable that, so I'll need some time
to think about to best handle this.

Cheers
Andrea

Sorry for the delay in replying..

We hide certain fields by just unchecking them in the GeoServer layer
interface... this takes them out of schema.xml and it's as if they don't
exist. The fields are not returned in GetFeatureInfo, WFS, or shapefile
download.

To limit the number of features returned in WFS, we use maxFeatures in
info.xml - this limits all WFS queries and the number of features in
shapefile downloads too.

--
View this message in context: http://www.nabble.com/Some-amendments-to-the-per-layer-security-proposal-tp18321497p18699271.html
Sent from the GeoServer - Dev mailing list archive at Nabble.com.