[Geoserver-users] Security & WFS

Dear All

I have a query regarding the security of GeoServer and its implementation of
WFS.

1. Is there a way of configuring a WFS within GeoServer so that a user is
able to use the non-transactional requests but not the transactional
requests? (i.e. to prevent malicious deleting of all the features).

2. Is there a way of giving different 'security levels' to different people
so that a particular user group would have access to transactional requests
but general users not?

Thank you very much for your time.

Kind Regards

John
Manchester, UK

John Roberts wrote:

> Dear All
>
> I have a query regarding the security of GeoServer and its implementation of
> WFS.
>
> 1. Is there a way of configuring a WFS within GeoServer so that a user is
> able to use the non-transactional requests but not the transactional
> requests? (i.e. to prevent malicious deleting of all the features).

In GeoServer 1.5.3 the only thing you can do is to disable WFS-T completely.
Go to the WFS configuration panel and select the service level to... basic,
if I remember properly.

> 2. Is there a way of giving different 'security levels' to different people
> so that a particular user group would have access to transactional requests
> but general users not?

In GeoServer 1.6.0 (available as a beta) you can lock down service calls by
associating them to one or more roles, and then specify what a user can do by
associating roles to him. It's a very simple RBAC.
At the time of writing we don't have any means to lock down data though, just
the service calls: if a user can do WFS Transaction, then he can do it on all
available data.
We want to extend the security configuration to data as well, but it's
not clear how, and when this will be implemented.
Oh, more info about the configuration here:
http://docs.codehaus.org/display/GEOSDEV/Geoserver+security+implementation,+initial+version

Cheers
Andrea
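
The service-call lock-down described in the reply above, modelled as an added Python example; it is not part of the original thread and is not GeoServer's code or configuration format. The role names, users, rule table and sample request are constructed assumptions.

```python
# Illustrative model only: not GeoServer code and not its configuration format.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed rule table: "service.operation" (lowercase) -> roles allowed.
# Operations with no entry are open to everyone, including anonymous users.
RULES = {"wfs.transaction": {"ROLE_WFS_WRITE"}}

# Constructed users and their roles (hypothetical names).
USER_ROLES = {"editor": {"ROLE_WFS_WRITE"}, "guest": set()}

# Constructed sample of an XML-encoded WFS-T request body.
SAMPLE_TRANSACTION = (
    '<wfs:Transaction xmlns:wfs="http://www.opengis.net/wfs" '
    'xmlns:ogc="http://www.opengis.net/ogc" service="WFS" version="1.0.0">'
    '<wfs:Delete typeName="topp:roads"><ogc:Filter>'
    '<ogc:FeatureId fid="roads.1"/></ogc:Filter></wfs:Delete>'
    "</wfs:Transaction>"
)


def wfs_operation(query="", body=None):
    """Return the operation name from a KVP query string or an XML body."""
    if body:
        try:
            # Use a hardened parser (e.g. defusedxml) for untrusted input.
            root = ET.fromstring(body)
        except ET.ParseError:
            return None
        # Drop the namespace part of "{http://www.opengis.net/wfs}Transaction".
        return root.tag.rsplit("}", 1)[-1]
    # KVP parameter names are case-insensitive, so normalise them.
    params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    return params.get("request")


def is_allowed(user, operation, service="wfs"):
    """Service-call check only: the layer being edited plays no part in it."""
    if operation is None:
        return False  # unclassifiable request: refuse rather than guess
    # Compare case-insensitively so "transaction" cannot slip past the rule.
    required = RULES.get(f"{service}.{operation}".lower())
    if required is None:
        return True  # no rule for this call: non-transactional requests stay open
    return bool(USER_ROLES.get(user, set()) & required)
```

Because the rule key carries no layer name, `editor` passes the check for a Transaction against any feature type, which is the limitation the reply points out.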