[Geoserver-users] GeoServer w/ CAS & GeoFence

GeoServer GeoServer User
1

From the Advanced Security With GeoServer presentation at FOSS4G last month, it mentioned that Geofence’s authentication is optional. How is that achieved? I can’t find any documentations regarding that. It would be great if I can just use Geofence for authorization instead of both authentication and authorization.

Thanks!

Danny

···

From: Danny Cheng
Sent: Thursday, October 23, 2014 5:08 PM
To: geoserver-users@lists.sourceforge.net
Subject: GeoServer w/ CAS & GeoFence

Hi Everyone:

I am attempting to integrate GeoServer with CAS and GeoFence. I noticed that while on the surface I am logged in as the user I provided to CAS, but on GeoFence’s side, it thinks I am logged in as “admin” user. In addition, how does GeoServer determine if an authenticated CAS user is of ADMIN_ROLE or USER_ROLE? My CAS is setup with LDAP and configured to use authenticated search method. When I log into GeoServer with any user I defined in CAS, I’m always given the ADMIN_ROLE privilege.

To reproduce this, just install CAS and GeoFence plug-ins to GeoServer. Add an user to CAS and when you log into GeoServer’s WEB UI using CAS, you will notice that in GeoFence’s log it will always say “User not found admin”.

Thanks,
Danny

2

Hi Danny,
currently the authentication is not completely independent and pluggable as the GeoServer one, but you have a couple of options to customize it to specific needs:

  • if you store authentication credentials in an LDAP repository, you can enable Geofence to use the same repository for user/groups configuration instead of the internal database (currently LDAP is supported in read-only mode, so you cannot manage your users/groups directly from the Geofence UI if you use LDAP). Some documentation on enabling LDAP support can be found here: https://github.com/geosolutions-it/geofence/wiki/LDAP-module
  • you have the option to only use groups in GeoFence and match them with the GeoServer roles, so that you don’t need to specifically configure each user twice in GeoServer and GeoFence, but you only need to do that for groups; you can find some info on this functionality here: https://github.com/geosolutions-it/geofence/pull/78

In the future we would like to make GeoFence more pluggable for authentication purposes and possibly, let it use GeoServer authentication as an option, instead of implementing its own.

Do you need to support a particular authentication mechanism, or are you using the basic XML user/group service in GeoServer?

Thanks
Mauro Bartolomeoli

···

2014-10-28 1:42 GMT+01:00 Danny Cheng <dcheng@anonymised.com>:

From the Advanced Security With GeoServer presentation at FOSS4G last month, it mentioned that Geofence’s authentication is optional. How is that achieved? I can’t find any documentations regarding that. It would be great if I can just use Geofence for authorization instead of both authentication and authorization.

Thanks!

Danny

From: Danny Cheng
Sent: Thursday, October 23, 2014 5:08 PM
To: geoserver-users@lists.sourceforge.net
Subject: GeoServer w/ CAS & GeoFence

Hi Everyone:

I am attempting to integrate GeoServer with CAS and GeoFence. I noticed that while on the surface I am logged in as the user I provided to CAS, but on GeoFence’s side, it thinks I am logged in as “admin” user. In addition, how does GeoServer determine if an authenticated CAS user is of ADMIN_ROLE or USER_ROLE? My CAS is setup with LDAP and configured to use authenticated search method. When I log into GeoServer with any user I defined in CAS, I’m always given the ADMIN_ROLE privilege.

To reproduce this, just install CAS and GeoFence plug-ins to GeoServer. Add an user to CAS and when you log into GeoServer’s WEB UI using CAS, you will notice that in GeoFence’s log it will always say “User not found admin”.

Thanks,
Danny

Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

3

Hi Mauro,

I am currently using the basic XML user/group for prototyping purposes, but in the future I’ll be switching to either JDBC or LDAP. I’ll try the second option to only specify the user groups in Geofence, it sounds like it will suit my needs.

Does Geofence currently only accept basic HTTP authentication?

Thanks,
Danny

···

Hi Danny,

currently the authentication is not completely independent and pluggable as the GeoServer one, but you have a couple of options to customize it to specific needs:

  • if you store authentication credentials in an LDAP repository, you can enable Geofence to use the same repository for user/groups configuration instead of the internal database (currently LDAP is supported in read-only mode, so you cannot manage your users/groups directly from the Geofence UI if you use LDAP). Some documentation on enabling LDAP support can be found here: https://github.com/geosolutions-it/geofence/wiki/LDAP-module

  • you have the option to only use groups in GeoFence and match them with the GeoServer roles, so that you don’t need to specifically configure each user twice in GeoServer and GeoFence, but you only need to do that for groups; you can find some info on this functionality here: https://github.com/geosolutions-it/geofence/pull/78

In the future we would like to make GeoFence more pluggable for authentication purposes and possibly, let it use GeoServer authentication as an option, instead of implementing its own.

Do you need to support a particular authentication mechanism, or are you using the basic XML user/group service in GeoServer?

Thanks

Mauro Bartolomeoli

2014-10-28 1:42 GMT+01:00 Danny Cheng <dcheng@…3836…>:

From the Advanced Security With GeoServer presentation at FOSS4G last month, it mentioned that Geofence’s authentication is optional. How is that achieved? I can’t find any documentations regarding that. It would be great if I can just use Geofence for authorization instead of both authentication and authorization.

Thanks!

Danny

From: Danny Cheng
Sent: Thursday, October 23, 2014 5:08 PM
To: geoserver-users@lists.sourceforge.net
Subject: GeoServer w/ CAS & GeoFence

Hi Everyone:

I am attempting to integrate GeoServer with CAS and GeoFence. I noticed that while on the surface I am logged in as the user I provided to CAS, but on GeoFence’s side, it thinks I am logged in as “admin” user. In addition, how does GeoServer determine if an authenticated CAS user is of ADMIN_ROLE or USER_ROLE? My CAS is setup with LDAP and configured to use authenticated search method. When I log into GeoServer with any user I defined in CAS, I’m always given the ADMIN_ROLE privilege.

To reproduce this, just install CAS and GeoFence plug-ins to GeoServer. Add an user to CAS and when you log into GeoServer’s WEB UI using CAS, you will notice that in GeoFence’s log it will always say “User not found admin”.

Thanks,
Danny

Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

4

Hi Danny,

···

2014-10-28 17:43 GMT+01:00 Danny Cheng <dcheng@anonymised.com>:

Hi Mauro,

I am currently using the basic XML user/group for prototyping purposes, but in the future I’ll be switching to either JDBC or LDAP. I’ll try the second option to only specify the user groups in Geofence, it sounds like it will suit my needs.

Does Geofence currently only accept basic HTTP authentication?

If you don’t enable the Geofence Authentication provider, the authentication phase is entirely delegated to the standard Geoserver chains - filters - providers mechanism, so you can use basic or any other of the available filters/providers for that (form, header, etc.). The only aspect Geofence is involved in “authentication” is matching the Geoserver user/group with its internal list (that currently can be stored in its internal database or fetched from an LDAP repository). So the real issue is that if you don’t use the Geofence Authentication Provider or LDAP, you have to synchronize Geoserver users/groups with Geofence ones “manually”.

Mauro

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Dott. Mauro Bartolomeoli
@mauro_bart
Senior Software Engineer

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.