[Geoserver-users] GeoServer 2.2.4 layer security

Hello,

I am trying to set up layer security in GeoServer 2.2.4, but am encountering some problems.

I want to set access for 15 external (Internet) users on 30 different layers, where user A is to have access to layer A1 and A2, user B to have access to layer B1 and B2 etc. They should not be able to see each other’s layers, nor should the general public see any of them. In addition there are a number of layers that are to be freely accessible to everybody, and a couple that are hidden to all except Admin. All the layers are in the same workspace and the same store.

For the time being I am using default role service, basic authentication, and have set up a separate role for each user.

My layers.properties looks like this:

#Fri Apr 05 14:45:16 CEST 2013
*.*.r=*
*.*.w=ADMIN,GROUP_ADMIN
mode=MIXED
FMVA_Natur.sensartA_fl.r=ARolle,GROUP_ADMIN
FMVA_Natur.sensartB_flt.r=BRolle,GROUP_ADMIN
FMVA_Natur.sikretlag.r=ADMIN,GROUP_ADMIN

What happens is that everything looks perfect when I test using QGIS, both from my Intranet and the Internet - user A sees layer A and not B, and vice versa. But testing in Gaia 3, ArcGIS or requesting Capabilities in my Firefox browser, the layers are either open to all these users, or invisible to everybody. The same thing happens when one of my external users tests for me (with a proprietary, Norwegian map program). Both A and B can see either both layers, or none.

But logging in these users in the GeoServer Admin interface, they cannot even access Layer Preview for their own layers, because access is denied for a couple of others (if I understand the log file right).

Have I done something basically wrong in GeoServer? I have experimented a bit, but finally followed the procedure described in Iacovella/Youngblood’s “GeoServer Beginner’s Guide” (set up users, groups, roles, and data rules). But I wonder whether I should use different stores or workspaces for the different users?

Or is it possible that these user programs formulate requests (or authentication strings) in different ways, and that GeoServer cannot interpret them, so that requests from Gaia 3 or ArcGIS come across as anonymous? If so, is there anything I can do about it in GeoServer? I don’t know how to find out what the requests really look like.

It is difficult to see what is wrong when different tools give different results, so I would really appreciate it if somebody has any suggestions.

Best regards,

Lene Halling

You are using catalog mode MIXED. AFAIK in this mode all layers are included in the GetCapabilities answer.

Did you try catalog mode HIDE?

Cheers
Christian
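
Added example (not part of the thread and not GeoServer code): a small check that reads the read rules from the layers.properties in the question and lists which layers advertised in a capabilities document a given set of roles should not be able to read. It assumes the global rules use the "*.*" wildcard form, that capabilities names are "workspace:layer", and that the most specific rule wins; the capabilities document and the layer "aapent_lag" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Rules from the post; the global wildcard is written as "*.*".
LAYERS_PROPERTIES = """\
*.*.r=*
*.*.w=ADMIN,GROUP_ADMIN
mode=MIXED
FMVA_Natur.sensartA_fl.r=ARolle,GROUP_ADMIN
FMVA_Natur.sensartB_flt.r=BRolle,GROUP_ADMIN
FMVA_Natur.sikretlag.r=ADMIN,GROUP_ADMIN
"""
# Constructed response; "aapent_lag" is a made-up public layer.
SAMPLE_CAPS = """<WMS_Capabilities xmlns="http://www.opengis.net/wms">
<Capability><Layer>
<Layer><Name>FMVA_Natur:sensartA_fl</Name></Layer>
<Layer><Name>FMVA_Natur:sensartB_flt</Name></Layer>
<Layer><Name>FMVA_Natur:aapent_lag</Name></Layer>
</Layer></Capability></WMS_Capabilities>"""

def parse_read_rules(text):
    """Return {(workspace, layer): roles} for the read ('r') rules."""
    rules = {}
    for line in text.splitlines():
        key, sep, roles = line.strip().partition("=")
        parts = key.split(".")
        if sep and not key.startswith("#") and len(parts) == 3 and parts[2] == "r":
            rules[(parts[0], parts[1])] = {r.strip() for r in roles.split(",")}
    return rules

def may_read(rules, name, user_roles):
    """The most specific rule decides: layer, then workspace, then global."""
    ws, _, layer = name.partition(":")
    for key in ((ws, layer), (ws, "*"), ("*", "*")):
        if key in rules:
            return "*" in rules[key] or bool(rules[key] & set(user_roles))
    return False  # assumption: with no matching rule, treat as denied

def advertised_layers(capabilities_xml):
    """Names of all named <Layer> elements, ignoring XML namespaces."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    return [c.text.strip() for el in ET.fromstring(capabilities_xml).iter()
            if local(el) == "Layer"
            for c in el if local(c) == "Name" and c.text]

def leaked_layers(rules, capabilities_xml, user_roles):
    """Advertised layers that the rules do not let these roles read."""
    return [n for n in advertised_layers(capabilities_xml)
            if not may_read(rules, n, user_roles)]

if __name__ == "__main__":
    rules = parse_read_rules(LAYERS_PROPERTIES)
    for roles in ([], ["ARolle"], ["BRolle"]):
        print(roles or "anonymous", "->", leaked_layers(rules, SAMPLE_CAPS, roles))
```

Running it over capabilities responses saved from each client and each login gives a like-for-like comparison of what every tool was actually served.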

2013/4/9 Halling, Lene <fmvalha@anonymised.com>




DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH