Hi list,

We send a WMS GetMap-request (through OpenLayers) to geoserver for a set of layers. The number of comma-seperated values in the layers parameter ranges from 1 to 30.

Some of our users are only allowed to see the objects of a certain geographic area like a city or a state. To implement this requirement, we currently add a cql_filter to the request and so for each layer (in the layers parameter) we add something like “WITHIN(the_geom, wktOfArea)”. This wktOfArea can get quite big and is thus repeated for every layer (resulting in a very big request). It works, but it’s slow.

Are there any alternatives to implement this requirement? What’s considered tob e the best approach? I noticed the querylayer module (cross layer filtering) and because the cities and states are defined in a seperate geoserver layer, I assume this could be a (good) alternative…

Kind regards,

Roel De Nijs

Senior Java Developer

On Tue, Feb 10, 2015 at 1:29 PM, Roel De Nijs <roel.denijs@anonymised.com>
wrote:

Hi list,

We send a WMS GetMap-request (through OpenLayers) to geoserver for a set
of layers. The number of comma-seperated values in the layers parameter
ranges from 1 to 30.

Some of our users are only allowed to see the objects of a certain
geographic area like a city or a state. To implement this requirement, we
currently add a cql_filter to the request and so for each layer (in the
layers parameter) we add something like “WITHIN(the_geom, wktOfArea)”. This
wktOfArea can get quite big and is thus repeated for every layer (resulting
in a very big request). It works, but it’s slow.

Are there any alternatives to implement this requirement? What’s
considered tob e the best approach? I noticed the querylayer module (cross
layer filtering) and because the cities and states are defined in a
seperate geoserver layer, I assume this could be a (good) alternative...

The best match for your requirement is probably using GeoFence, among the
many security features, it can limit
the area by user, and it does so by integrating with GeoServer so that the
geometry is sent directly into the database
query, so think of it as a more efficient way to pass your cql filter.

Cross layer filtering is indeed another option that could work, if you do
all the security at a frontend application level,
instead of inside GeoServer.

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

Hi Roel,

I would consider using something like Mapproxy in front of Geoserver. See http://mapproxy.org/docs/1.7.0/auth.html#authentication-authorization-middleware

Regards,
Julian
________________________________________
Fra: Roel De Nijs [roel.denijs@anonymised.com]
Sendt: 10. februar 2015 13:29
Til: geoserver-users@lists.sourceforge.net
Emne: [Geoserver-users] Limiting GetMap request using a Geometry

Hi list,

We send a WMS GetMap-request (through OpenLayers) to geoserver for a set of layers. The number of comma-seperated values in the layers parameter ranges from 1 to 30.

Some of our users are only allowed to see the objects of a certain geographic area like a city or a state. To implement this requirement, we currently add a cql_filter to the request and so for each layer (in the layers parameter) we add something like “WITHIN(the_geom, wktOfArea)”. This wktOfArea can get quite big and is thus repeated for every layer (resulting in a very big request). It works, but it’s slow.

Are there any alternatives to implement this requirement? What’s considered tob e the best approach? I noticed the querylayer module (cross layer filtering) and because the cities and states are defined in a seperate geoserver layer, I assume this could be a (good) alternative...

Kind regards,
Roel De Nijs
Senior Java Developer

[http://www.aquafin.be/images/content/banners/82.jpg\]<http://www.congrespubliekeruimte.be>
________________________________

Volg Aquafin op Facebook<https://www.facebook.com/AquafinNV&gt; | Twitter<https://twitter.com/aquafinnv&gt; | YouTube<http://www.youtube.com/channel/UCk_4P5BJ-MtEEDCkCsR_KqQ?feature=mhee&gt; | LinkedIN<http://www.linkedin.com/company/aquafin/products&gt;

Disclaimer: zie www.aquafin.be<http://www.aquafin.be> P Denk aan het milieu. Druk deze mail niet onnodig af.

What is the data source for the layers? Is it a database? If so, would SQL Views offer a solution?

I thought I answered this one several months ago but I can’t find the answer anywhere so it was probably in my dreams

We tried the cross layer filtering, but that was definitely not an improvement. It was in fact even (much) slower than with the CQL_FILTER alternative. And because we currently have some strict deadlines introducing a new framework and/or application (like MapProxy or GeoFence) is not really an option.

We use a database (MS SQL Server 2008 R2) as data source for all the layers. In the first version of our application we used views, but we replaced them with tables because it improved the performance significantly. I don’t think views offer a solution in this case, because the geographic area can be different for every user. So we either need a view on the database for every possible geographic area (which is of course not really scalable) or else use the SQL views feature of geoserver and define for every layer also a sql view. I don’t like the idea of having to duplicate all layers (approximately 40) for this purpose. And based on our previous experiences with views, I wonder if the performance will improve.

So currently we have decided to stick to our initial approach of adding a CQL_FILTER parameter to the request. And try to improve the performance of these requests. Not sure how this can be achieved, but it’s currently being discussed in this topic http://osgeo-org.1560.x6.nabble.com/GetMap-request-with-CQL-FILTER-too-slow-td5226626.html

Kind regards,

Roel De Nijs

Senior Java Developer

Verzonden: dinsdag 10 februari 2015 19:08

Hi

No matter how hard I try to read, I do not understand Geoserver’s security system. Especially the role/group is totally ununderstandable for me.

The simpe job would be to create a group of basic users and some users into it. But then the role service is confusing. As I understand, I should add a role to that user’s group, right? But then the only derivative roles are ADMIN and GROUP_ADMIN, but I don’t want such type of roles. Just basic user role, but there is not such? So, how to go on? Geoserver version 2.6.4.

Oiva Hakala, Natural Resources Institute Finland

Hi Oiva

If you use the standard XML services you do not have to think about ADMIN and GROUP_ADMIN.

Simply add your role and associate the role with your user group. Then you have to use this role to protect
the resources.

Do not forget to restart GeoServer after your changes.

Cheers
Christian

On Thu, Oct 1, 2015 at 8:31 AM, Hakala Oiva (Luke) <oiva.hakala@anonymised.com>
wrote:

The simpe job would be to create a group of basic users and some users
into it. But then the role service is confusing. As I understand, I
should add a role to that user's group, right? But then the only derivative
roles are ADMIN and GROUP_ADMIN, but I don't want such type of roles. Just
basic user role, but there is not such? So, how to go on? Geoserver version
2.6.4.

I normally just create the roles that make sense for the kind of security I
need (e..g, WFS_USER, RESTRICTED_WRITER), associate them
with users, and then work in the authorization subsystem to apply the
access rules based on the roles.

I too find the group concept overkill and confusing, so I just end up
ignoring them... but probably it's because I did not have to manage
very complicated setup so far (lots of users yes, but relatively few roles)

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

On Thu, Oct 1, 2015 at 9:26 AM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

Hi Oiva

If you use the standard XML services you do not have to think about ADMIN
and GROUP_ADMIN.

Simply add your role and associate the role with your user group. Then you
have to use this role to protect
the resources.

Do not forget to restart GeoServer after your changes.

Restart? Why is that?

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

Hi

About the restart. The security subsystem caches the the roles of a user (and the roles derived from group membership) for performance reasons. This holds true for stateless authentication (e. g. Basic Authentication) and for session cookies (interactive login). Otherwise we would pay a high performance penalty for each request. Look at the J2EE architecture, (web.xml as an example). If you change the security settings in the web.xml file you have to restart the container.

About the group concept. I think it is not the best idea to assign rules to users directly. IMHO a good practice is to assign roles to user groups and configure group membership for individual users. Again, this is not my concept, it is a J2EE concept.

To be fair I have to say that the user documentation is lacking a lot of information and I understand the confusion.

Cheers
Christian

On Thu, Oct 1, 2015 at 11:26 AM, Christian Mueller <
christian.mueller@anonymised.com> wrote:

Hi

About the restart. The security subsystem caches the the roles of a user
(and the roles derived from group membership) for performance reasons. This
holds true for stateless authentication (e. g. Basic Authentication) and
for session cookies (interactive login). Otherwise we would pay a high
performance penalty for each request. Look at the J2EE architecture,
(web.xml as an example). If you change the security settings in the web.xml
file you have to restart the container.

I understand the need for performance reasons, but don't we have a way to
either drop the caches, or to quickly check if the user roles got modified?
For example, in GeoFence we have a cache of the authorization results for
performance reasons, but the cache is short lived and there is a REST call
that can be used to drop it immediately.
Having roles cached until the user logs out (I do hope a logout clears the
cache, right?) seems like a security liability.

About the group concept. I think it is not the best idea to assign rules
to users directly. IMHO a good practice is to assign roles to user groups
and configure group membership for individual users.

I see where you're going with this, it implies a uniformity of roles for
the users in the group, and the notion that when a change is made, it's
made for all users in the group.
Makes sense.

Again, this is not my concept, it is a J2EE concept.

Erk, J2EE has been wrong in some many ways over the last 15 years that I
normally associate it with "slow to build, slow to run, outdated in design".
I'd certainly would never defend an idea by associating it with J2EE

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------