[Geoserver-users] [Geoserver-devel] security features of geoserver?

Matt,

Adding simple security to Geoserver would not be too difficult. The
read/insert/update/delete functionality is all in one spot, so you
could just add a check there.

Basically, the simplest solution would be something like this:

1. Have a set of security groups. Each user can be in multiple groups.
For example you could have "Group A" (read-only), "Group B"
(read-and-insert), "Group C" (read-and-delete group), etc... Don't
forget to have an "anonymous" (not-logged-in) user.

2. A configuration system for the above so the administrator can make
new users and passwords (ideally user-maintainable so users can change
their own passwords).

3. A security-access-to-group mapping. For each datastore you would map the
access (read, insert, update, delete, lock) to a user group. (Plus a
simple configuration system for the above)

4. Add a security check to the datastore access; when a user tries to
update a feature, check to see if they are a part of the
allowed-to-update-for-this-datastore group. Throw a security exception
if they're not allowed to.

I haven't looked at the JBOSS/JAAS stuff the Italians did; it's probably
much more detailed than above. I'd love to hear a bit more details
about what they did.

This functionality is very very important; I have an idea about how to do a
simple configuration system to make this very easy. If you wanted this
functionality, I'd be more than happy to help anyone put it in.

dave
ps. The only major problem with the above is that many GIS systems do
not properly set user/password in requests, so they always appear as
the "not-logged-in-user". This is more difficult to deal with, but you
could add IP-address as well as user/password; but that's not very
secure.

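The four steps in the message above, sketched as an added example that is not part of the original post and is not GeoServer code. The class, method, user, group and datastore names are all hypothetical, and it assumes the password check has already happened before `check` is called.

```java
import java.util.*;

public class DatastoreAccessCheck {
    enum Access { READ, INSERT, UPDATE, DELETE, LOCK }

    static final String ANONYMOUS = "anonymous"; // the not-logged-in user

    // Step 1: user -> groups (a user can be in several groups).
    private final Map<String, Set<String>> userGroups = new HashMap<>();
    // Step 3: datastore -> access type -> group allowed to perform it.
    private final Map<String, Map<Access, String>> datastoreAcl = new HashMap<>();

    void addUser(String user, String... groups) {
        userGroups.put(user, new HashSet<>(Arrays.asList(groups)));
    }

    void allow(String datastore, Access access, String group) {
        datastoreAcl.computeIfAbsent(datastore,
                k -> new EnumMap<Access, String>(Access.class)).put(access, group);
    }

    // Step 4: the check in front of datastore access. No mapping means deny.
    void check(String user, String datastore, Access access) {
        // Requests without credentials (or with an unknown name) are anonymous.
        String who = (user == null || !userGroups.containsKey(user)) ? ANONYMOUS : user;
        Map<Access, String> acl = datastoreAcl.get(datastore);
        String required = (acl == null) ? null : acl.get(access);
        Set<String> groups = userGroups.getOrDefault(who, Collections.<String>emptySet());
        if (required == null || !groups.contains(required)) {
            throw new SecurityException(who + " may not " + access + " on " + datastore);
        }
    }

    public static void main(String[] args) {
        DatastoreAccessCheck sec = new DatastoreAccessCheck();
        sec.addUser(ANONYMOUS, "readers");            // constructed sample data
        sec.addUser("alice", "readers", "editors");
        sec.allow("roads", Access.READ, "readers");
        sec.allow("roads", Access.UPDATE, "editors");

        sec.check("alice", "roads", Access.UPDATE);   // passes: alice is an editor
        sec.check(null, "roads", Access.READ);        // passes: anonymous may read
        try {
            sec.check(null, "roads", Access.UPDATE);  // client sent no user/password
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

A client that never sends credentials is evaluated as `anonymous`, so its writes are rejected unless the anonymous user's group is explicitly mapped to that access type.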