[Geoserver-users] Geoserver wms security

Hi everybody. First, I'm sorry for my English. I have a WMS service on GeoServer (like www.mydomain.com/myworkspace/wms). I'm accessing the WMS service from my OpenLayers application. But users can view the application's source code and the WMS address in the browser. They are accessing the WMS service with any client (QGIS, Esri and OpenLayers). How can I block this? Thank you.


View this message in context: Geoserver wms security
Sent from the GeoServer - User mailing list archive at Nabble.com.

Hi,
I don’t think you can (but may be wrong!). You can put a password onto it, but that’ll be in plaintext in OpenLayers and all requests; anyone with Firebug will always be able to read the requests.
If you’re really paranoid you can probably require a specific HTTP referrer (that’d be done on the web server side), but a determined user can easily spoof that. Beyond that I suspect it is impossible.

Although why would you want to? Surely use of the data is a good thing!

Jonathan

On 22 August 2013 22:11, iyilmam <ilkeryilmam@anonymised.com> wrote:

Hi everybody. First, I'm sorry for my English. I have a WMS service on GeoServer (like www.mydomain.com/myworkspace/wms). I'm accessing the WMS service from my OpenLayers application. But users can view the application's source code and the WMS address in the browser. They are accessing the WMS service with any client (QGIS, Esri and OpenLayers). How can I block this? Thank you.




Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

This transmission is intended for the named addressee(s) only and may contain sensitive or protectively marked material up to RESTRICTED and should be handled accordingly. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this transmission in error please notify the sender immediately. All email traffic sent to or from us, including without limitation all GCSX traffic, may be subject to recording and/or monitoring in accordance with relevant legislation.

I've thought about this (to protect WFS services which would allow a user far greater access to your data). You have the GeoServer in protected space. In your public space, you have your password-protected web application. Your "WMS" service points to this application with a dummy name. The application (a proxy) decodes the request and passes it to GeoServer, then echoes the response back to the caller. There isn't any way for the client to determine the machine address of the GeoServer without hacking your web server. Come to think of it, I have a SOLR server set up this way - it filters SOLR search requests before handing them to SOLR while the server itself is not externally accessible. Unfortunately, I am not clear on how IT set this up as far as firewall settings etc., but the proxy was pretty simple.

Notice: This email and any attachments are confidential.
If received in error please destroy and immediately notify us.
Do not copy or disclose the contents.

But surely in that scenario, anyone can still spoof the traffic to the WMS using a web-browser or whatever they wanted to? We have a reverse proxy on our system - anyone can make requests to it to get our data and it diligently forwards them onto the GeoServer.

I think it’s impossible to stop accessing of the WMS unless some sort of wrapper is created around the OpenLayers application that encodes everything, and there’s a decoding script on the server. To stop a stand-alone WMS it wouldn’t even need to be good encoding. But even that wouldn’t stop someone dedicated - they could just look at the OpenLayers wrapper and reverse engineer it.

Jonathan

On 25 August 2013 22:52, Phil Scadden <p.scadden@anonymised.com> wrote:

I’ve thought about this (to protect WFS services which would allow a
user far greater access to your data). You have the GeoServer in
protected space. In your public space, you have your
password-protected web application. Your “WMS” service points to this
application with a dummy name. The application (a proxy) decodes the
request and passes it to GeoServer, then echoes the response back to the
caller. There isn't any way for the client to determine the machine
address of the GeoServer without hacking your web server. Come to think
of it, I have a SOLR server set up this way - it filters SOLR search
requests before handing them to SOLR while the server itself is not
externally accessible. Unfortunately, I am not clear on how IT set this
up as far as firewall settings etc., but the proxy was pretty simple.


But surely in that scenario, anyone can still spoof the traffic to the WMS using a web-browser or whatever they wanted to? We have a reverse proxy on our system - anyone can make requests to it to get our data and it diligently forwards them onto the GeoServer.

The application requires a login (the proxy is a protected resource), so you would also need to spoof the session IDs of a logged-in session. Doable I guess, but a lot more work.

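The session-gated, filtering proxy discussed in this thread, written out as an added example (not code from any poster or from the GeoServer project): the proxy forwards a request to the internal GeoServer only when it carries a valid login session and asks for an allowed WMS operation and layer. The internal address, secret key, layer names and function names are assumptions made for illustration, and the GeoServer host is assumed to be unreachable from outside.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Assumed values, constructed for this example (not from the thread).
GEOSERVER_INTERNAL = "http://10.0.0.5:8080/geoserver/myworkspace/wms"
SESSION_KEY = b"load-a-random-secret-from-server-config"
ALLOWED_REQUESTS = {"getmap", "getfeatureinfo"}
ALLOWED_LAYERS = {"myworkspace:roads", "myworkspace:parcels"}
FORWARDED = {"version", "request", "layers", "query_layers", "styles", "bbox", "width",
             "height", "srs", "crs", "format", "x", "y", "i", "j", "info_format"}


def _mac(payload):
    return hmac.new(SESSION_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session(user, ttl=3600, now=None):
    """Token the web application sets as a cookie after a successful login."""
    payload = f"{user}|{int((now or time.time()) + ttl)}"
    return f"{payload}|{_mac(payload)}"


def session_user(token, now=None):
    """Return the user name, or None if the token is missing, forged or expired."""
    payload, _, mac = (token or "").rpartition("|")
    user, _, expires = payload.rpartition("|")
    if not user or not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    if not expires.isdigit() or int(expires) < (now or time.time()):
        return None
    return user


def route(token, query_string, now=None):
    """Proxy decision: (HTTP status, internal URL to fetch or None)."""
    if session_user(token, now) is None:
        return 401, None  # no login session: nothing reaches GeoServer
    # Rebuild the query from a dict so duplicate or unknown keys never pass through.
    params = {k.lower(): v for k, v in parse_qsl(query_string)}
    if params.get("request", "").lower() not in ALLOWED_REQUESTS:
        return 403, None
    asked = set((params.get("layers", "") + "," + params.get("query_layers", "")).split(","))
    if not params.get("layers") or not (asked - {""}) <= ALLOWED_LAYERS:
        return 403, None
    safe = {k: v for k, v in params.items() if k in FORWARDED}
    safe["service"] = "WMS"  # pin the service so WFS cannot be requested
    return 200, GEOSERVER_INTERNAL + "?" + urlencode(safe)
```

A request copied into QGIS or another client without the session cookie gets a 401 from `route`, and a logged-in user is still limited to the listed operations and layers.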