Hello, how are you?

I’m trying to restrict the access to the REST API by I’m unsure what is the best way.

I don’t want to have use a master password, I’d rather if each user had their own authentication. The problem is that I don’t want to use GeoServer’s users, I want to use my application’s users. I would like to use the credentials stored in my database table, and even restrict PUT/POST operations to users who do not have the Admin role . I tried creating a JDBC Authentication Provider, but it doesn’t seem to do what I intend for it to do.

What is the best way to secure the application without using a master password?

Thanks,

Cosme Benito

On Thu, Nov 6, 2014 at 12:55 PM, Cosme Benito <cosme.benito@anonymised.com>
wrote:

Hello, how are you?

I’m trying to restrict the access to the REST API by I’m unsure what is
the best way.

The REST API uses the authentication system like anything else, and
requires a user to be an administrator to allow access.
As far as I know, this is not configurable. It used to be configurable on a
path by path basis, but as far as I know the "workspace specific
service" work broke that in such a way that getting back that functionality
might be complicated (unfortunately that patch
was very large and we did not notice, we realized only months later).

Christian/Justin might now more

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

I am still able to create REST path rules, and they seem to work fine.

I want to create a web application to use the REST API to, for instance, check the entire layer list, get a layer’s GeoJSON or SLD. GeoServer may contain sensitive information that I don’t want everyone to be able to query. Having a “master password” or a single user for the application just doesn’t feel right, anyone could figure out the credentials… Is there no way for GeoServer to authenticate through an external database?

Thanks,

Cosme

From: andrea.aime@anonymised.com [mailto:andrea.aime@anonymised.com] On Behalf Of Andrea Aime
Sent: quinta-feira, 6 de Novembro de 2014 12:59
To: Cosme Benito
Cc: GeoServer Mailing List List; Christian Mueller; Justin Deoliveira
Subject: Re: [Geoserver-users] GeoServer REST API Authentication

On Thu, Nov 6, 2014 at 12:55 PM, Cosme Benito <cosme.benito@anonymised.com> wrote:

Hello, how are you?

I’m trying to restrict the access to the REST API by I’m unsure what is the best way.

The REST API uses the authentication system like anything else, and requires a user to be an administrator to allow access.

As far as I know, this is not configurable. It used to be configurable on a path by path basis, but as far as I know the "workspace specific

service" work broke that in such a way that getting back that functionality might be complicated (unfortunately that patch

was very large and we did not notice, we realized only months later).

Christian/Justin might now more

Cheers

Andrea

–

==

GeoServer Professional Services from the experts! Visit

http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf

Technical Lead

GeoSolutions S.A.S.

Via Poggio alle Viti 1187

55054 Massarosa (LU)

Italy

phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

http://www.geo-solutions.it

http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

On Thu, Nov 6, 2014 at 2:51 PM, Cosme Benito <cosme.benito@anonymised.com>
wrote:

I am still able to create REST path rules, and they seem to work fine.

Do they? This is new to me, I know we had to modify our training material
around 2.4.x because
path rules were not working anymore.
Which version are you using?

I want to create a web application to use the REST API to, for instance,
check the entire layer list, get a layer’s GeoJSON or SLD. GeoServer may
contain sensitive information that I don’t want everyone to be able to
query. Having a “master password” or a single user for the application just
doesn’t feel right, anyone could figure out the credentials… Is there no
way for GeoServer to authenticate through an external database?

Yes, recent versions of GeoServer can use different authentication sources,
including a database,
but that's for all services, not specific to REST. Not sure one can have
different users sources
for different authoentication filter chains, Christian should know the
details better.
http://docs.geoserver.org/stable/en/user/security/usergrouprole/usergroupservices.html

Cheers
Andrea
--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

Hi Benito,

I may have mislead you with the wrong terminology: I’m using filter chains to allow unauthorized access to GET operations on some GeoServer resources (Security-Authentication-Filter Chains). This seems to work perfectly on GeoServer 2.6.0.

I think I tried the User Group Services before but was causing a massive crash. Most likely because I’m using SQLite, probably it isn’t supported. I’ll try to do it on PostGIS and get back to you.

From: andrea.aime@anonymised.com [mailto:andrea.aime@anonymised.com] On Behalf Of Andrea Aime
Sent: quinta-feira, 6 de Novembro de 2014 13:56
To: Cosme Benito
Cc: GeoServer Mailing List List; Christian Mueller; Justin Deoliveira
Subject: Re: [Geoserver-users] GeoServer REST API Authentication

On Thu, Nov 6, 2014 at 2:51 PM, Cosme Benito <cosme.benito@anonymised.com> wrote:

I am still able to create REST path rules, and they seem to work fine.

Do they? This is new to me, I know we had to modify our training material around 2.4.x because

path rules were not working anymore.

Which version are you using?

I want to create a web application to use the REST API to, for instance, check the entire layer list, get a layer’s GeoJSON or SLD. GeoServer may contain sensitive information that I don’t want everyone to be able to query. Having a “master password” or a single user for the application just doesn’t feel right, anyone could figure out the credentials… Is there no way for GeoServer to authenticate through an external database?

Yes, recent versions of GeoServer can use different authentication sources, including a database,

but that’s for all services, not specific to REST. Not sure one can have different users sources

for different authoentication filter chains, Christian should know the details better.

http://docs.geoserver.org/stable/en/user/security/usergrouprole/usergroupservices.html

Cheers

Andrea

–

==

GeoServer Professional Services from the experts! Visit

http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf

Technical Lead

GeoSolutions S.A.S.

Via Poggio alle Viti 1187

55054 Massarosa (LU)

Italy

phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

http://www.geo-solutions.it

http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi Mauro,

Yes you are correct, I made that exact mistake and realized soon after that the Authentication did not work as I thought it would J

I just tried the UserGroupService with a PostGIS database and it seems to work great. I didn’t actually try using the REST API but the users I create in the database seem to be immediately available on GeoServer. However when trying with a SQLite database it simply crashes L

java.lang.RuntimeException: java.io.IOException: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (SQLite supports only TRANSACTION_SERIALIZABLE and TRANSACTION_READ_UNCOMMITTED.)

I don’t mind this being the only Authentication Provider in GeoServer, this is acceptable and perfectly fine. I already have User/Role tables and being able to configure them on XML files would be a pretty good solution for me, can you point me into the correct file(s)? I can’t seem to be able to find them.

Thanks a lot, you have already helped a ton!

Cosme Benito

From: maurobartolomeoli@anonymised.com [mailto:maurobartolomeoli@anonymised.com] On Behalf Of Mauro Bartolomeoli
Sent: quinta-feira, 6 de Novembro de 2014 14:20
To: Cosme Benito
Cc: GeoServer Mailing List List
Subject: Re: [Geoserver-users] GeoServer REST API Authentication

Hi Benito,

2014-11-06 12:55 GMT+01:00 Cosme Benito <cosme.benito@anonymised.com>:

I don’t want to have use a master password, I’d rather if each user had their own authentication. The problem is that I don’t want to use GeoServer’s users, I want to use my application’s users. I would like to use the credentials stored in my database table, and even restrict PUT/POST operations to users who do not have the Admin role . I tried creating a JDBC Authentication Provider, but it doesn’t seem to do what I intend for it to do.

A little bit of confusion here (but it’s not your fault). the JDBC Authentication Provider can be used to authenticate users against the database users, not against a set of users stored on database tables.

To use database tables for storing users and groups information you have to use a JDBC UserGroup Service.

You can configure it to use your own tables changing a couple of xml files with the SQL queries needed by GeoServer.

Then you can configure an Authentication Provider (the Username Password, the same used by the default auth provide is good) to use your new service as a storage.

The problem is: I don’t think you can actually choose which authentication providers are used by which chain, you can only do that for filters (so for example you can say that REST can only authenticate using Basic, but not which authentication provider to use, they will be all be used in sequence). Christian can correct me if I am wrong.

Mauro

–

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli

@mauro_bart

Senior Software Engineer

GeoSolutions S.A.S.

Via Poggio alle Viti 1187

55054 Massarosa (LU)

Italy

phone: +39 0584 962313

fax: +39 0584 1660272

http://www.geo-solutions.it

http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

Hi Benito,

usersddl.xml (1.53 KB)

usersdml.xml (4.56 KB)

Hi Mauro

Thanks for your answers to this thread, all your information is correct

Cheers
Christian