Hi Chris,
I work for Dorset county council and we are currently using the AUTHKEY plugin which is available under the community plugins. This is great from an OpenLayers point of view. With regard to the QGIS users, I setup a separate role specifically assigned to the username and password which we are using in QGIS.
Remember, as far as I'm aware, QGIS still stores the password in plain text in the project files so at present I felt it best to just have one account for all our QGIS users but I'm aware the role idea is perhaps not so great if you have hundreds of users.
Andrea, in terms of the monitoring plugin, can it log the user being used for each request?
I only wondered as the user session is maintained in the background and I'm not sure it is currently included in the outputs.
I still have not had time to fully review the monitoring plugin but I have been using the audit log functionality and I have decided that the files it creates are what I'm after. These can be customised using the FreeMarker templates and I can then write something my end to summarise the data.
This raises three questions:
1) Can you add the logged in user to the audit role?
2) Could you just have the audit role? (i.e. no other monitoring plugin options just audit role files)
3) If you can do point 1, would this help Chris solve his issues if he was using a specific user account for QGIS?
Cheers,
Paul
------------------------------
Message: 2
Date: Mon, 1 Aug 2016 08:02:01 +0000
From: Chris Buckmaster <chris.buckmaster@anonymised.com>
Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services
and Openlayers
To: Andrea Aime <andrea.aime@anonymised.com>
Cc: "geoserver-users@lists.sourceforge.net"
<geoserver-users@lists.sourceforge.net>
Message-ID:
<0AE8EAB40C6D4D439CC65CF2257093A0805AABA9@anonymised.com>
Content-Type: text/plain; charset="utf-8"
Thank you Andrea, I will investigate this.
From: andrea.aime@anonymised.com [mailto:andrea.aime@anonymised.com] On Behalf Of Andrea Aime
Sent: 29 July 2016 16:38
To: Chris Buckmaster
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers
Hi Chris,
openlayers and the desktop clients are making pretty much the same OGC requests, so I don't believe you can tell them apart using the built-in authorization mechanism.
But the mechanism is pluggable, so you could write your own that checks the incoming requests for hints... hard to find a solid solution, but some ideas off the top of my head (warning, only thought about it a split minute):
* Desktop clients _may_ setup the "user agent" HTTP header in a way that can be recognized, or you
could just whitelist the user agents of most browsers (mind, you might end up blocking uncommon browsers in the process, and possibly the ones in incognito mode too)
* If the openlayers based client is written by you, you could add an extra vendor parameter to the GetMap requests, it's normally
hard/impossible to make common desktop clients to do the same.
Both approaches are weak against someone resourceful writing his own client and spoofing the right params/user agent values by examining your web client of course.
Cheers
Andrea
On Fri, Jul 29, 2016 at 5:06 PM, Chris Buckmaster <chris.buckmaster@anonymised.com...<mailto:chris.buckmaster@anonymised.com>> wrote:
Hi
I am running Geoserver version 2.5 and have an Openlayers 3 web map application which accesses some WMS and WFS services from the Geoserver instance.
At the moment I haven?t configured any authentication so it is running the default settings.
What I would like is to allow this to continue so my Openlayers application has full access to all of the layers on Geoserver, but for anyone accessing my WMS / WFS (i.e through QGIS), I would like to include a username / password or restrict the layers visible through these services.
I have had a quick look the manual trying to understand how this works but cannot seem to grasp it ? I know there are authentication settings within the web interface, but would these not be for the whole of Geoserver? How am I able to allow access to my Openlayers application, but also restrict access to the WFS / WMS services for desktop users wanting to view my services?
Thanks, Chris
------------------------------------------------------------------------------
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net<mailto:Geoserver-users@anonymised.comrge.net>
https://lists.sourceforge.net/lists/listinfo/geoserver-users
--
GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo ? consentito esclusivamente al destinatario del messaggio, per le finalit? indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalit? diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.
-------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
------------------------------
------------------------------------------------------------------------------
------------------------------
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
End of Geoserver-users Digest, Vol 123, Issue 1
***********************************************
"This e-mail is intended for the named addressee(s) only and may contain information about individuals or other sensitive information and should be handled accordingly. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this email in error, kindly disregard the content of the message and notify the sender immediately. Please be aware that all email may be subject to recording and/or monitoring in accordance with relevant legislation."
