[Geoserver-users] Security modes in GeoServer

Hello again group,

I just noticed something about GeoServer security that is a little troubling.
Essentially, there is no way to hide the layer metadata for secure layers, and use them in Google Earth at the same time.

The metadata shows up whenever you request the layer list from GeoServer, for example in the Demo page, or if you are using a WFS/WMS consumer and ask to add a WFS or WMS layer. While you will see the secure layers in the list, you cannot actually access them without a password.

So, say we have a layer called “Top Secret Data”. You would see it in the Demo page or in AutoCAD Map for example, but not be able to access it without the password.

Now, there is a way to hide the secure layers from an un-logged-in user, using the mode=HIDE but then it is not possible to use the layer in Google Earth because the login popup doesn’t show up.

Question 1) Does anyone know how to get Google Earth to log into a server if the login popup doesn’t show up?
Question 2) Would it be possible to add another security mode that is like HIDE, but allows the login popup to show? (probably not, because you would already have done it!)

I don’t know if this is that important, because the data is still secure. The issue would be that some people might be intrigued by a layer named “Top Secret Data” and try to hack in. I guess you could call the layer something less interesting like “Really Boring Data” instead of “Top Secret Data”…

Roger

I don’t think there is a way to get Google Earth to log in to a server if the pop-up doesn’t show up. I don’t believe Google Earth supports a variety of authentication methods; I think it’s just HTTP basic and maybe digest.

With some code I’m pretty sure it’d be possible to add a security mode like HIDE but that allows the pop-up to show up. It just wasn’t a use case when developing the initial security stuff. But there are more directions the security could go. Patches are accepted, or there is commercial support to fund someone to code the improvements you want if you spec out exactly what you need.

best regards,

Chris

On Wed, Apr 22, 2009 at 6:35 AM, Roger Bedell <sylvanascent@anonymised.com> wrote:

Hello again group,

I just noticed something about GeoServer security that is a little troubling.
Essentially, there is no way to hide the layer metadata for secure layers, and use them in Google Earth at the same time.

The metadata shows up whenever you request the layer list from GeoServer, for example in the Demo page, or if you are using a WFS/WMS consumer and ask to add a WFS or WMS layer. While you will see the secure layers in the list, you cannot actually access them without a password.

So, say we have a layer called “Top Secret Data”. You would see it in the Demo page or in AutoCAD Map for example, but not be able to access it without the password.

Now, there is a way to hide the secure layers from an un-logged-in user, using the mode=HIDE but then it is not possible to use the layer in Google Earth because the login popup doesn’t show up.

Question 1) Does anyone know how to get Google Earth to log into a server if the login popup doesn’t show up?
Question 2) Would it be possible to add another security mode that is like HIDE, but allows the login popup to show? (probably not, because you would already have done it!)

I don’t know if this is that important, because the data is still secure. The issue would be that some people might be intrigued by a layer named “Top Secret Data” and try to hack in. I guess you could call the layer something less interesting like “Really Boring Data” instead of “Top Secret Data”…

Roger
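
The metadata exposure discussed in this thread can be checked offline. The following is an added example, not code from the thread or from the GeoServer project: it reads the read rules from a layers.properties file and reports which restricted layers still appear in a capabilities document fetched without credentials. The rules, role names, layer names and the trimmed capabilities XML are constructed samples; CHALLENGE is GeoServer's name for the mode that lists secured layers and prompts for a login.

```python
import xml.etree.ElementTree as ET

# Constructed layers.properties sample (workspace.layer.permission=roles).
RULES = """\
mode=CHALLENGE
*.*.r=*
topp.secret_data.r=ROLE_ANALYST
topp.*.w=ROLE_EDITOR
"""
# Constructed anonymous WMS 1.1.1 GetCapabilities response, trimmed to the layer tree.
ANON_CAPS = """<WMT_MS_Capabilities version="1.1.1"><Capability><Layer>
  <Title>GeoServer Web Map Service</Title>
  <Layer><Name>topp:states</Name><Title>States</Title></Layer>
  <Layer><Name>topp:secret_data</Name><Title>Top Secret Data</Title></Layer>
</Layer></Capability></WMT_MS_Capabilities>"""

def parse_rules(text):
    """Return (mode, read_rules); read_rules maps (workspace, layer) to a set of roles."""
    mode, rules = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key.strip() == "mode":
            mode = value.strip().upper()
            continue
        parts = key.strip().split(".")
        if len(parts) == 3 and parts[2] == "r":  # only read rules matter here
            rules[(parts[0], parts[1])] = {r.strip() for r in value.split(",")}
    return mode, rules

def anonymous_can_read(rules, ws, layer):
    """Most specific rule wins; '*' in the role list means everyone."""
    for key in ((ws, layer), (ws, "*"), ("*", "*")):
        if key in rules:
            return "*" in rules[key]
    return True  # assumption: no matching rule means the layer is open

def advertised_layers(caps_xml):
    """Layer names in a capabilities document (tag namespaces ignored)."""
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    return [c.text.strip() for el in ET.fromstring(caps_xml).iter() if local(el) == "Layer"
            for c in el if local(c) == "Name" and c.text]

def leaked_layers(rules_text, caps_xml):
    """Return (mode, restricted layers visible in the anonymous listing)."""
    mode, rules = parse_rules(rules_text)
    pairs = [(n,) + n.partition(":")[::2] for n in advertised_layers(caps_xml)]
    return mode, [n for n, ws, lyr in pairs if lyr and not anonymous_can_read(rules, ws, lyr)]

if __name__ == "__main__":
    print(leaked_layers(RULES, ANON_CAPS))
```

With mode=HIDE the same check against a real anonymous capabilities response should return an empty list.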




Geoserver-users mailing list
Geoserver-users@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users