[Geoserver-users] GeoFence would be better if you could share layer details among more than one rule

Using geofence download that matches geoserver 2.7.2 right now…

I’m running into more and more situations where it becomes necessary for me to repeat the same layer details on multiple geofence rules. I can see that certain rule-strategies lead to that unnecessarily. And yet for some problems it seems essential. This is a setup/maintenance burden because I have an extensive set of visibility or read-only settings for layer attributes.

Here’s an example:

Assume LayerA that I want to provide access to GroupA. I can create an ALLOW rule for the layer that restricts access to just that group. On that rule I can specify all the layer details.

But recognize that I really need to provide unauthenticated access to DescribeFeatureType for this layer (that’s because GeoTools, at least, will send such a request while parsing XML; otherwise you get an org.xml.sax.SAXException). That’s not much of a security hole I guess since you have to know the layer name to execute DescribeFeatureType, and you don’t get back any feature data from that.

So in addition to the ALLOW rule for LayerA that’s specific to GroupA, now I need another ALLOW rule that lets any user execute DescribeFeatureType on the layer.

Since my layer wants to expose only certain attributes, I need to repeat (at least the NONE selections on attributes) in both rules for LayerA.

Other cases that are a bit more convoluted lead to a similar problem – repeated layer details.

Of course it’s essential that you be able to have distinct layer details too. But it seems like it would be good to be able to share rules.

I’m thinking that geotools could maybe let the user set up named layer-details settings. Then on a given rule you could enter the settings explicitly as now-provided, or you could simply select from your list of named layer details.

Are there better ways to solve this problem? Would this be a good feature for geofence to have?

Thanks – Walter Stovall
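An added example, not part of the original post and not GeoFence code: when the same layer details have to be repeated on several ALLOW rules, as described above, a periodic audit can flag a rule that no longer hides an attribute another rule for the same layer hides. The rule dictionaries, field names and attribute names are a constructed model, not GeoFence's REST schema or storage format, and an attribute a rule does not list is assumed to be unrestricted by that rule.

```python
from collections import defaultdict

# Constructed sample rules mirroring the LayerA / GroupA scenario in the post.
RULES = [
    {"id": 1, "priority": 10, "role": "GroupA", "service": "*", "request": "*",
     "layer": "LayerA", "access": "ALLOW",
     "attributes": {"name": "READONLY", "owner": "NONE", "internal_notes": "NONE"}},
    # Second rule for anonymous DescribeFeatureType; "internal_notes" was forgotten.
    {"id": 2, "priority": 20, "role": "*", "service": "WFS",
     "request": "DescribeFeatureType", "layer": "LayerA", "access": "ALLOW",
     "attributes": {"name": "READONLY", "owner": "NONE"}},
    {"id": 3, "priority": 30, "role": "*", "service": "*", "request": "*",
     "layer": "*", "access": "DENY", "attributes": {}},
]


def hidden_attributes(rule):
    """Attributes this rule marks as NONE (not visible)."""
    return {name for name, mode in rule["attributes"].items() if mode == "NONE"}


def find_attribute_drift(rules):
    """Return (layer, rule_id, missing) for every ALLOW rule that fails to hide
    an attribute hidden by some other ALLOW rule on the same layer."""
    by_layer = defaultdict(list)
    for rule in rules:
        if rule["access"] == "ALLOW":
            by_layer[rule["layer"]].append(rule)

    findings = []
    for layer, group in sorted(by_layer.items()):
        # Union of everything any rule on this layer intends to hide.
        intended = set().union(*(hidden_attributes(r) for r in group))
        for rule in sorted(group, key=lambda r: r["priority"]):
            missing = sorted(intended - hidden_attributes(rule))
            if missing:
                findings.append((layer, rule["id"], missing))
    return findings


if __name__ == "__main__":
    for layer, rule_id, missing in find_attribute_drift(RULES):
        print(f"{layer}: rule {rule_id} does not hide {', '.join(missing)}")
```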

On Tue, Oct 6, 2015 at 2:10 PM, Walter Stovall <walter.stovall@anonymised.com>
wrote:

Are there better ways to solve this problem? Would this be a good feature
for geofence to have?

I don't see you mention the "LIMIT" rules, which are the way to apply constraints to the access without either accepting or denying the access yet.
Limit rule constraints get accumulated and are applied when an allow rule is matched.

They are probably what you're looking for.

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it


-------------------------------------------------------

Thank you Andrea. I totally missed that somehow. Looks like exactly what I need…


Actually I spoke too soon. In my use of geofence I don’t see how a LIMIT rule can limit feature attributes returned by WFS. The Editing Limits dialog gives me a way to define an Allowed Area. But it does not let me specify feature attributes to limit.
