[Geoserver-users] Unable to get GeoServer/GWC to apply authentication to my WMTS tile requests

All,

I have GeoServer 2.4.0 installed along with the integrated GeoWebCache 1.5.0. As for Web Administration configuration,

· I have a Layer defined within a GeoTIFF Raster data source Store.

· For the Tile Cache Configuration associated with the Layer, I have “Create a cached layer for this layer” enabled and “Enable tile caching for this layer” enabled as well.

· For the Caching Defaults, I have “Enable WMTS Service” enabled.

Using my client application under development, when I issue, via my client UI, a KVP call to get the ServiceMetadata document, the document returns my layer and I’m able to subsequently receive the tiles successfully and have them rendered into my client application. Ok.

However, I’m now trying to test out basic username/password authentication when I request the tiles. In the Web Administration interface, I have (within the Security section) configured users and placed them into roles. In the Data sub-section within Security section, I’ve created a Data Access Rule and have applied it against my defined Layer including the appropriate role my users are represented in. For Data Security, I’ve applied all 3 types of Catalog Mode (Challenge, Mixed, and Hide). But with whatever configuration combinations I’ve tried, I cannot seem to have authentication applied/imposed by GeoServer/GeoWebCache when I access the layer data. The layer data is rendered and displayed without the apparent need for authentication. I’m expecting the request for tiles to fail without authentication.

Is there some configuration I’m perhaps missing or some configuration I may have applied incorrectly?

Looking for any leads, ideas, or suggestions anyone may have.

Thank you.

Ron

Ron Pawlowski

Principal Test Engineer

Overwatch

An Operating Unit of Textron Systems

Ph: 781.569.0232

Fx: 781.937.9877

rpawlowski@anonymised.com

www.overwatch.com

“WARNING: Documents that can be viewed, printed or retrieved from this E-Mail may contain technical data whose export is restricted by the Arms Export Control Act (Title 22, U.S.C., Sec 2751, et seq,) or the Export Administration Act of 1979, as amended, Title 50, U.S.C., App. 2401 et seq. and which may not be exported, released or disclosed to non-U.S. persons (i.e. persons who are not U.S. citizens or lawful permanent residents [“green card” holders]) inside or outside the United States, without first obtaining an export license. Violations of these export laws are subject to severe civil, criminal and administrative penalties.”

I’m afraid GWC doesn’t pay attention to GS layer security. The GWC layers are their own objects, aware of but distinct from the GeoServer layers. So applying the GS security model to those layers is just not a feature that GWC currently supports. One odd aspect is that layer security will be applied to attempts to get a new tile from the back end on a cache miss, but once an authorized user has looked at the tile, it will be cached and available for everyone.

You can secure GWC as a whole service the same way you can WMS or WFS though. So if you just have one group of users who can access everything, secure the GWC service. Otherwise, don’t enable caching for any layer which needs to be secure.

On 23 October 2013 09:14, Pawlowski, Ronald <rpawlowski@anonymised.com> wrote:

Kevin Smith

Junior Software Engineer | Boundless

ksmith@anonymised.com

+1-778-785-7459

@boundlessgeo
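
A minimal model of the cache behaviour described in the reply above, added here as an illustration; it is not GeoServer or GeoWebCache code, and every class, role and tile name in it is hypothetical. It contrasts a cache that evaluates the layer's access rule only on a miss with one that evaluates it before every lookup.

```python
# Simplified model of the behaviour described in the thread; not GeoServer/GWC code.
# All names (Backend, CheckOnMissCache, CheckAlwaysCache, roles, tiles) are hypothetical.

class Forbidden(Exception):
    """Raised when the caller lacks the role a layer's access rule requires."""

class Backend:
    """Stands in for the GeoServer layer: renders a tile only for permitted roles."""

    def __init__(self, rules):
        self.rules = rules  # layer name -> role required to read it

    def authorize(self, layer, roles):
        required = self.rules.get(layer)
        if required is not None and required not in roles:
            raise Forbidden(layer)

    def render(self, layer, tile, roles):
        self.authorize(layer, roles)
        return f"{layer}:{tile}".encode()  # constructed tile bytes

class CheckOnMissCache:
    """Behaviour reported in the thread: the rule is evaluated only on a cache miss."""

    def __init__(self, backend):
        self.backend, self.store = backend, {}

    def get_tile(self, layer, tile, roles=frozenset()):
        key = (layer, tile)
        if key not in self.store:  # miss: the backend enforces the rule
            self.store[key] = self.backend.render(layer, tile, roles)
        return self.store[key]     # hit: served with no access check

class CheckAlwaysCache(CheckOnMissCache):
    """Corrected ordering: authorize every request before touching the cache."""

    def get_tile(self, layer, tile, roles=frozenset()):
        self.backend.authorize(layer, roles)
        return super().get_tile(layer, tile, roles)

def anonymous_can_read(cache, layer="secret", tile="3/2/1"):
    """Warm the cache as an authorized user, then retry with no roles."""
    cache.get_tile(layer, tile, roles={"ROLE_ANALYST"})
    try:
        cache.get_tile(layer, tile)
        return True
    except Forbidden:
        return False
```

With a rule such as `Backend({"secret": "ROLE_ANALYST"})`, `anonymous_can_read` returns `True` for the check-on-miss cache and `False` for the check-always cache.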

On Fri, Oct 25, 2013 at 7:53 PM, Kevin Smith <ksmith@anonymised.com> wrote:

I'm afraid GWC doesn't pay attention to GS layer security. The GWC layers
are their own objects, aware of but distinct from the GeoServer layers. So
applying the GS security model to those layers is just not a feature that
GWC currently supports. One odd aspect is that layer security will be
applied to attempts to get a new tile from the back end on a cache miss,
but once an authorized user has looked at the tile, it will be cached and
available for everyone.

You can secure GWC as a whole service the same way you can WMS or WFS
though. So if you just have one group of users who can access everything,
secure the GWC service. Otherwise, don't enable caching for any layer
which needs to be secure.

Actually, we have had this pull request open for a while that should integrate data security with GWC, see here:
https://github.com/geoserver/geoserver/pull/341

Kevin, wondering if you, or Gabriel, could have a look? I'm going to add some comments myself.

Cheers
Andrea

--

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it