Thanks Andrea,
yeah, I really meant different datasets with different user access, like you understood from my request. I am not particularly interested in making everything so secret and closed, but I still have to respect the copyrights etc. My application is much of a kind that those who have rights to some material, have full rights. So focus is not so much on the service level than it is in the data level. Users won't anyway get transaction possibility, they can just look and download the data.
I think the GeoServer's native security would be enough if I do like you said and deploy own GeoServer for every separate dataset. Have you got any idea of the performance difference between one GeoServer and for example ten GeoServers holding the same data separately?
Cheers,
mika
Andrea Aime wrote:
Lehtonen, Mika wrote:
Hi all,
I was just wondering what is the right policy to separate the contents in GeoServer. I am running it on top of Tomcat 6 and would like to keep the contents separately so that each one has its own security policy; authentication, permissions and so on. So should I deploy own GeoServer .war for every content and define permissions on virtual host level in Tomcat? It's not about extreme security but on the other hand I am not keen on associating with the lawyers either.
If you have any ideas how to manage the contents, please share it with me but keep it simple.
I'm not sure if I understand your request, by contents you mean the
data to be published?
GeoServer at the moment does not have any native data oriented security
policy, that is, you can say a certain service is secured (for example,
you can say only certain users can access the WFS Transaction call)
but you cannot say that a certain dataset is accessible only to
certain kind of users.
If you're looking for data security and your setup does not require
many different roles, you can probably deploy geoserver multiple
times (give the war a different name each time), load in each
geoserver only the data a certain ROLE can use or manipulate, and
then secure that instance with service level security. You
can do that using GeoServer native security subsystem:
http://docs.codehaus.org/display/GEOSDOC/5+Security+subsystem
or you can try using Tomcat's one, which is path based, and thus
less powerful (you can say, for example, that access to
geoserver:8080/geoserver/wfs? is restricted to a certain kind of
users, but not that a certain kind of user can do WFS GetFeature
and other can do WFS Transaction, because the request method
is not included in the url for POST requests).
Hope this helps
Cheers
Andrea
--
My e-mail address has been changed. New address is mika@anonymised.com
Mails arriving in the old address will be forwarded to the new one till 25th April.
Mika Lehtonen
XML-Scanning Littoinen Ky
Lankakatu 2 E 13, 20660 Littoinen
mika@anonymised.com
mbl +358 (0)44 2908259
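
The limitation Andrea describes for path-based security, as an added example that is not part of the original thread and not GeoServer or Tomcat code: a rule keyed on the URL path gives the same answer for a WFS GetFeature POST and a WFS Transaction POST, while a check that reads the operation from the request can tell them apart. The role names, the policy tables and the sample request bodies are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed policy (assumption): roles allowed per WFS operation.
OPERATION_ROLES = {
    "GetCapabilities": {"viewer", "editor"},
    "DescribeFeatureType": {"viewer", "editor"},
    "GetFeature": {"viewer", "editor"},
    "Transaction": {"editor"},
}
# Path-based rule in the style of a container constraint: one role set per URL path.
PATH_ROLES = {"/geoserver/wfs": {"viewer", "editor"}}


def path_based_allows(role, url):
    """Decide from the URL path only; query string and body are never inspected."""
    return role in PATH_ROLES.get(urlsplit(url).path, set())


def wfs_operation(method, url, body=b""):
    """Return the operation name from the KVP 'request' key (GET) or the XML root (POST)."""
    if method.upper() == "GET":
        params = {k.lower(): v for k, v in parse_qs(urlsplit(url).query).items()}
        values = params.get("request")
        return values[0] if values else None
    if b"<!doctype" in body.lower():
        return None  # refuse DTDs in untrusted XML before parsing
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix


def service_level_allows(role, method, url, body=b""):
    """Decide per operation; unknown or unparseable requests are denied."""
    op = wfs_operation(method, url, body)
    return role in OPERATION_ROLES.get(op, set())


# Constructed sample requests: same URL, different operation in the POST body.
URL = "http://geoserver:8080/geoserver/wfs"
GET_FEATURE = b'<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs" service="WFS"/>'
TRANSACTION = b'<wfs:Transaction xmlns:wfs="http://www.opengis.net/wfs" service="WFS"/>'
```
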