[Geoserver-users] Geosever security - WFS / WMS services and Openlayers

GeoServer GeoServer User
1

Hi

I am running Geoserver version 2.5 and have an Openlayers 3 web map application which accesses some WMS and WFS services from the Geoserver instance.

At the moment I haven’t configured any authentication so it is running the default settings.

What I would like is to allow this to continue so my Openlayers application has full access to all of the layers on Geoserver, but for anyone accessing my WMS / WFS (i.e through QGIS), I would like to include a username / password or restrict the layers visible through these services.

I have had a quick look the manual trying to understand how this works but cannot seem to grasp it – I know there are authentication settings within the web interface, but would these not be for the whole of Geoserver? How am I able to allow access to my Openlayers application, but also restrict access to the WFS / WMS services for desktop users wanting to view my services?

Thanks, Chris

2

Hi Chris,
openlayers and the desktop clients are making pretty much the same OGC requests, so I don’t believe
you can tell them apart using the built-in authorization mechanism.

But the mechanism is pluggable, so you could write your own that checks the incoming requests for
hints… hard to find a solid solution, but some ideas off the top of my head (warning, only thought about it a split minute):

  • Desktop clients may setup the “user agent” HTTP header in a way that can be recognized, or you
    could just whitelist the user agents of most browsers (mind, you might end up blocking uncommon browsers in the process, and possibly the ones in incognito mode too)
  • If the openlayers based client is written by you, you could add an extra vendor parameter to the GetMap requests, it’s normally
    hard/impossible to make common desktop clients to do the same.

Both approaches are weak against someone resourceful writing his own client and spoofing the right
params/user agent values by examining your web client of course.

Cheers
Andrea

···

On Fri, Jul 29, 2016 at 5:06 PM, Chris Buckmaster <chris.buckmaster@…7473…> wrote:

Hi

I am running Geoserver version 2.5 and have an Openlayers 3 web map application which accesses some WMS and WFS services from the Geoserver instance.

At the moment I haven’t configured any authentication so it is running the default settings.

What I would like is to allow this to continue so my Openlayers application has full access to all of the layers on Geoserver, but for anyone accessing my WMS / WFS (i.e through QGIS), I would like to include a username / password or restrict the layers visible through these services.

I have had a quick look the manual trying to understand how this works but cannot seem to grasp it – I know there are authentication settings within the web interface, but would these not be for the whole of Geoserver? How am I able to allow access to my Openlayers application, but also restrict access to the WFS / WMS services for desktop users wanting to view my services?

Thanks, Chris

Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313

fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.

3

Thank you Andrea, I will investigate this.

···

Hi Chris,

openlayers and the desktop clients are making pretty much the same OGC requests, so I don’t believe

you can tell them apart using the built-in authorization mechanism.

But the mechanism is pluggable, so you could write your own that checks the incoming requests for

hints… hard to find a solid solution, but some ideas off the top of my head (warning, only thought about it a split minute):

  • Desktop clients may setup the “user agent” HTTP header in a way that can be recognized, or you

could just whitelist the user agents of most browsers (mind, you might end up blocking uncommon browsers in the process, and possibly the ones in incognito mode too)

  • If the openlayers based client is written by you, you could add an extra vendor parameter to the GetMap requests, it’s normally

hard/impossible to make common desktop clients to do the same.

Both approaches are weak against someone resourceful writing his own client and spoofing the right

params/user agent values by examining your web client of course.

Cheers

Andrea

On Fri, Jul 29, 2016 at 5:06 PM, Chris Buckmaster <chris.buckmaster@…7473…> wrote:

Hi

I am running Geoserver version 2.5 and have an Openlayers 3 web map application which accesses some WMS and WFS services from the Geoserver instance.

At the moment I haven’t configured any authentication so it is running the default settings.

What I would like is to allow this to continue so my Openlayers application has full access to all of the layers on Geoserver, but for anyone accessing my WMS / WFS (i.e through QGIS), I would like to include a username / password or restrict the layers visible through these services.

I have had a quick look the manual trying to understand how this works but cannot seem to grasp it – I know there are authentication settings within the web interface, but would these not be for the whole of Geoserver? How am I able to allow access to my Openlayers application, but also restrict access to the WFS / WMS services for desktop users wanting to view my services?

Thanks, Chris

Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

==

GeoServer Professional Services from the experts! Visit

http://goo.gl/it488V for more information.

==

Ing. Andrea Aime

@geowolf

Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)

phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

http://www.geo-solutions.it

http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.