[Geoserver-users] user authentication

Hi list.
I'm considering the use of Geoserver for a multi-user application we
are developing, based on OpenLayers+Geoserver+PostGIS.
We need to manage secured access to both WFS and WFS-T services,
defining read/write grants per user per dataset. What's the best way
to realize it with Geoserver?
The scenario is the following:

1 - an authenticated user can create a data layer through a web
wizard. The layer will be from now on available as a Geoserver
editable layer. Only that user can edit it.

2 - the user can allow other users to edit it.

3 - the user can allow other users to view it.

4 - the superadmin can always view and edit every layer.

As we are going to use OL for the client interface, we were
considering accessing Geoserver through an authentication proxy, but
we hope there's something more ready-to-use, and we are wondering what
is the state of development of the GeoServer built-in security like
"GSIP 16 - Security subsystem" from Andrea Aime [1]

Hints?

Thanks,
Giovanni

[1] http://geoserver.org/display/GEOS/GSIP+16+-+Security+subsystem

Hi Giovanni,

I have had similar needs and was just about to ask the list the following question.

Is it possible to share one DATA_DIR between more than one Geoserver instance and to keep the security settings on a per-instance basis? By doing that, you could have more than one access to your data with separate permissions. I know this sounds like a bit of a quick and dirty solution, but I haven't been able to come up with anything better.

- mika -

G. Allegri wrote:


-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
  

There should be a one-to-one relationship between GeoServer instances and DATA_DIRs, although I believe multiple GeoServer instances can safely use the same postgis table as long as they are not modifying it.

As for the security proposal you mentioned, improvements to that feature will be included in GeoServer 1.7.0 when it is released; they are described at http://geoserver.org/display/GEOS/GSIP+19+-+Per+layer+security . As I understand your requirements, this should provide for your needs quite well. GeoServer provides no means of configuring users and restrictions through the web, but it will automatically detect changes to the configuration files, so it should be relatively easy to set up a simple script to allow users to change restrictions.

Keep in mind, though, that GeoServer does not currently support any type of 'partial' administrator; that is, there is no facility for allowing users to add data without allowing them to use all parts of the administration interface. There are a couple of community modules that are working on ways to add layers through simple HTTP requests, but neither is maintained against the 1.7.x branch at this time.

Hope this helps,
-David Winslow

Lehtonen, Mika wrote:


That sounds good. Are these features included in the 1.7.0-RC2
release? And is it stable enough to be employed in a production
environment? I need to use these functionalities, and I have to start
the deployment of the application as soon as possible, waiting for the
stable 1.7 to come out...

2008/9/1 David Winslow <dwinslow@anonymised.com>:


As always, the best thing you can do to ensure that 1.7.0 is as stable for your needs as possible is to start using it and report any bugs that you find. The release candidates have been fixing tons of bugs, but a lot has changed in GeoServer since the last release.

1.7.0-RC2 does include the security features in question.

-David Winslow

G. Allegri wrote:


G. Allegri wrote:

That sounds good. Are these features included in the 1.7.0-RC2
release?

Yes, they are.

And is it stable enough to be employed in a production
environment?

It should be, but in practice, the only way to know is to test
it out and let us know of any bug you may find.

I need to use these functionalities, and I have to start
the deployment of the application as soon as possible, waiting for the
stable 1.7 to come out...

Stable 1.7 will be out soon; if you find any regression that affects
you now, it may be fixed in time for 1.7.0, otherwise you'll have
to wait for 1.7.1 (I guess it will be released shortly after FOSS4G,
but mind, I'm just guessing).

Cheers
Andrea

Ok,
nice to hear.
I was still wondering, as I have already "replaced" Geoserver's security module with container level (actually virtual host level) security (JNDIRealm in Tomcat), whether you have any idea how difficult it would be to "connect" Acegi to an LDAP directory and fetch all the needed authentication information from there. I read in the Acegi manual that it should work just fine with LDAP, but I have to admit that this is all going a bit above my head. And as I don't know Acegi or how it is implemented in Geoserver, I have no idea whether my suggestion would even be possible.
Has anyone tried to use e.g. OpenLDAP with Geoserver?

- mika -

David Winslow wrote:


Lehtonen, Mika wrote:

Ok,
nice to hear.
I was still wondering, as I have already "replaced" Geoserver's security module with container level (actually virtual host level) security (JNDIRealm in Tomcat), whether you have any idea how difficult it would be to "connect" Acegi to an LDAP directory and fetch all the needed authentication information from there?

Hum, we should create an extension point for user-provided authentication modules, and then set up an LDAP based one as a module, I guess. The pluggability is captured here; it seems to have been tentatively scheduled for 1.7.1:
http://jira.codehaus.org/browse/GEOS-1579

I read in the Acegi manual that it should work just fine with LDAP, but I have to admit that this is all going a bit above my head. And as I don't know Acegi or how it is implemented in Geoserver, I have no idea whether my suggestion would even be possible.
Has anyone tried to use e.g. OpenLDAP with Geoserver?

Not me; so far I've only needed what the internal GeoServer authenticator already provides, but it would be good to be able to
use an external LDAP indeed. I just have no experience with it, so
I have no idea how difficult that would be... given that Acegi already
provides an integration with LDAP of some kind, I guess the hardest
thing would be to install an LDAP server and learn to use it...

Generally speaking, GeoServer just needs something providing it authentication username/password tokens, and giving back a list
of roles for each user.

Interested in coding up an LDAP integration? If so I can try to
help by providing you an extension point to code against.

Cheers
Andrea

Yep,

I am interested in getting LDAP working with Geoserver, so anything helping my journey is most welcome.
Please look at:
http://www.acegisecurity.org/guide/springsecurity.html#ldap

- mika -

Andrea Aime wrote:


Lehtonen, Mika wrote:

Yep,

I am interested in getting LDAP working with Geoserver, so anything helping my journey is most welcome.
Please look at:
http://www.acegisecurity.org/guide/springsecurity.html#ldap

Well, this will require Java programming, so the first thing would
be to set up a Java dev environment and understand the wrinkles
of the build system (Maven). Then you can create a community module
providing LDAP support and find some way to configure it as well
(probably a property file somewhere in the data directory).

I also have to wait for the 1.7.0 release in order to work on the
extension point you'll need; I cannot change the API on the 1.7.x
branch right now.

The GeoServer developer guide (http://geoserver.org/display/GEOSDOC/Developers+Guide) should help
you get started. It assumes you're already a proficient Java
developer.
If you're not, you can look around and find someone to implement
this for you; there are companies providing support and custom
development for GeoServer: http://geoserver.org/display/GEOS/Commercial+Support

Cheers
Andrea

Ok,

thanks. I'll keep waiting.

- mika -

Andrea Aime wrote:


I've tried to use the layers.security file in 1.7.0-RC1.
I've commented out the two lines:

*.*.r=*
*.*.w=*

expecting no one to be able to see it.

I tried also setting

topp.tasmania_roads.r=ROLE_ADMINISTRATOR

thinking that now *only* the administrator could *only* read that
single layer. Instead everyone could do everything on every layer.
What am I missing?

Is there a way to set a "not" rule? I want only the users belonging to a
certain role to be able to edit a certain layer.

If this hasn't been yet implemented, I will switch to some other
solution. In this case do you have hints?

Thanks,
Giovanni

2008/9/1 Andrea Aime <aaime@anonymised.com>:


G. Allegri ha scritto:

I've tried to use the layers.security file inside 1.7.0-RC1.
I've commented the two lines:

*.*.r=*
*.*.w=*

Expecting no one to be able to see it.

Nope, you get exactly the same behaviour, that's for backwards
compatibility: if you have an old data dir would you be happy
to have everything locked up in the 1.7.x series? :wink:

I tried also setting

topp.tasmania_roads.r=ROLE_ADMINISTRATOR

thinking that now *only* the administrator could *only* read that
single layer. Instead everyone could do everything on every layer.
What am I missing?

You need to do this:
*.*.r=ROLE_ADMINISTRATOR
*.*.w=ROLE_ADMINISTRATOR

now only admin can do anything.
If you want more examples look here:
http://geoserver.org/display/GEOSDOC/2.6+Security+subsystem
http://geoserver.org/display/GEOSDOC/Layer+level+security

Is there a way to set a "not" rule? I want only the users belonging to a
certain role to be able to edit a certain layer.

Then create users with a specific role and attach only that role
to the layer, something like:
namespace.layer.w=EDIT_ROLE
(or *.*.w=EDIT_ROLE if you want only those users to be able to edit
any layer).
Cheers
Andrea

Great.
If you can give another hint I would be grateful.
I have the following scenario:

a user gets a web form to login to the system.
he logs in.
on the basis of his credentials, some layers are listed in the
Openlayers interface.
some of them will be editable.
if he can edit them, ok, otherwise a "service denied" error should be
raised in the interface

There are at least two points I need to understand.

1. How can Basic Authentication be practically used with Geoserver
OWS? What calls do I have to make, from my client (OL), to interact with the
authentication system?

2. Is the GetCapabilities system linked with the authentication
system? I need to list the available layers (reading and writing) for
a specific user.

Thanks again.

2008/9/5 Andrea Aime <aaime@anonymised.com>:

G. Allegri ha scritto:

I've tried to use the layers.security file inside 1.7.0-RC1.
I've commented the two lines:

*.*.r=*
*.*.w=*

Expecting no one to be able to see it.

Nope, you get exactly the same behaviour, that's for backwards
compatibility: if you have an old data dir would you be happy
to have everything locked up in the 1.7.x series? :wink:

I tried also setting

topp.tasmania_roads.r=ROLE_ADMINISTRATOR

thinking that now *only* the administrator could *only* read that
single layer. Instead everyone could do everything on every layer.
What am I missing?

You need to do this:
*.*.r=ROLE_ADMINISTRATOR
*.*.w=ROLE_ADMINISTRATOR

now only admin can do anything.
If you want more examples look here:
http://geoserver.org/display/GEOSDOC/2.6+Security+subsystem
http://geoserver.org/display/GEOSDOC/Layer+level+security

Is there a way to set a "not" rule? I want only the users belonging to a
certain role to be able to edit a certain layer.

Then create users with a specific role and attach only that role
to the layer, something like:
namespace.layer.w=EDIT_ROLE
(or *.*.w=EDIT_ROLE if you want only those users to be able to edit
any layer).
Cheers
Andrea

G. Allegri ha scritto:

Great.
If you can give another hint I would be grateful.
I have the following scenario:

a user gets a web form to login to the system.
he logs in.
on the basis of his credentials, some layers are listed in the
Openlayers interface.
some of them will be editable.
if he can edit them, ok, otherwise a "service denied" error should be
raised in the interface

There are at least two points I need to understand.

1. How can Basic Authentication be practically used with Geoserver
OWS? What calls do I have to make, from my client (OL), to interact with the
authentication system?

This is something only an OL developer can answer. So far we've
set things up so that GeoServer challenges the browser with a 401,
this triggers the standard login dialog and from there on the
browser keeps the basic authentication headers set.
This is the "challenge" mode described here:
http://geoserver.org/display/GEOSDOC/Layer+level+security

2. Is the GetCapabilities system linked with the authentication
system? I need to list the available layers (reading and writing) for
a specific user.

That is the "hide" mode of operation, which is the default. The trouble
is, to use it effectively you need to have your user login first, that
is, set the basic authentication headers in all your calls to the
server. How that is done with OL, I have no idea... a quick search
on the internet seems to suggest it's not possible at all:
http://bytes.com/forum/thread148594.html

I've cc'ed Andreas, one of the OL developers, he surely knows more
than me on this topic.
Cheers
Andrea
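As an added example (not code from the thread or from GeoServer itself), here is a small Python model of the layers.security rule semantics Andrea describes in his reply about `*.*.r=ROLE_ADMINISTRATOR` and of the "hide" mode he mentions for GetCapabilities: a layer-specific rule only restricts that one layer, a missing rule leaves access open, and the capabilities listing shows only what the user can read. The resolution order (layer, then namespace, then global), the ROLE_ADMINISTRATOR bypass, and the sample layers and roles are assumptions made for the example.

```python
"""Constructed model of GeoServer 1.7 layers.security rule evaluation."""
from typing import Dict, List, Set, Tuple

Rules = Dict[Tuple[str, str, str], Set[str]]  # (namespace, layer, mode) -> roles

ADMIN_ROLE = "ROLE_ADMINISTRATOR"  # assumed to bypass every rule (superadmin)


def parse_rules(text: str) -> Rules:
    """Parse lines of the form namespace.layer.mode=role1,role2 ('*' = wildcard)."""
    rules: Rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out rule, as in Giovanni's test
        key, _, value = line.partition("=")
        namespace, layer, mode = key.strip().split(".")
        if mode not in ("r", "w"):
            raise ValueError(f"bad mode in rule: {line}")
        rules[(namespace, layer, mode)] = {r.strip() for r in value.split(",") if r.strip()}
    return rules


def allowed(rules: Rules, roles: Set[str], namespace: str, layer: str, mode: str) -> bool:
    """Most specific matching rule wins (assumed order); with no matching rule
    access stays open, which is the backwards-compatible default Andrea describes."""
    if ADMIN_ROLE in roles:
        return True
    for key in ((namespace, layer, mode), (namespace, "*", mode), ("*", "*", mode)):
        if key in rules:
            granted = rules[key]
            return "*" in granted or bool(granted & roles)
    return True


def visible_layers(rules: Rules, roles: Set[str], layers: List[Tuple[str, str]]) -> Dict[str, str]:
    """'hide' mode: capabilities list only readable layers, marking which are writable."""
    return {f"{ns}.{name}": ("rw" if allowed(rules, roles, ns, name, "w") else "r")
            for ns, name in layers if allowed(rules, roles, ns, name, "r")}


# Constructed sample catalogue.
LAYERS = [("topp", "tasmania_roads"), ("topp", "states"), ("sf", "roads")]

# Giovanni's attempt: one layer-specific rule, every other layer left untouched.
ATTEMPT = "topp.tasmania_roads.r=ROLE_ADMINISTRATOR\n"

# Andrea's approach: global lockdown, then a dedicated editor role on one layer.
LOCKDOWN = """
*.*.r=ROLE_ADMINISTRATOR
*.*.w=ROLE_ADMINISTRATOR
topp.states.r=ROLE_VIEWER,ROLE_EDITOR
topp.states.w=ROLE_EDITOR
"""
```

Running `visible_layers(parse_rules(ATTEMPT), set(), LAYERS)` shows an anonymous user still reading and writing every layer except the one named in the rule, which is the behaviour Giovanni ran into.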