[Geoserver-users] WFS,WMS per feature security

Hello.
I would like to know if it's possible to somehow set which features a certain
user can see?

Example:
Let's say we have a featureType ... workspace:A with 1000 features.
When using a WFS request to get this featureType, 600 features are only seen
by user X and other 400 features by user Y, and the user Z can see all 1000
features.

Is this possible with any module, extension, ...?

Thanks for any help.

Regards
Matic

--
View this message in context: http://osgeo-org.1560.x6.nabble.com/WFS-WMS-per-feature-security-tp5143498.html
Sent from the GeoServer - User mailing list archive at Nabble.com.

Hi,

We had to do a similar thing restricting features by user. We implemented a CQL filter that matched something from the user to a property of the feature.

Implement a class that extends FunctionExpressionImpl that applies the CQL filter. Then implement a callback function that can be used during the feature setup process, implementing DispatcherCallback.

We use our DispatcherCallback class to check for the existence of a defined CQL and create an AND filter from the predefined and our security CQL filters. If we don't have a predefined, we set the request setCQLFilter(ourSecurityFilter).

Chris Snider
Senior Software Engineer
Intelligent Software Solutions, Inc.

_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
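
The merge step Chris describes, as an added example that is not part of the original thread and not GeoServer code: it models the request's key/value parameters as a Python dict and ANDs a per-user CQL filter onto any CQL_FILTER the client sent. The `visible_to` column, the X/Y/Z user model and the function names are assumptions for illustration.

```python
def cql_literal(value):
    """Quote a value as a CQL string literal; '' escapes a single quote."""
    return "'" + value.replace("'", "''") + "'"

def split_filters(text):
    """Split CQL_FILTER on ';' (one filter per layer), skipping quoted text.
    Unbalanced parentheses are rejected so a filter cannot close the wrapper."""
    parts, buf, depth, in_str = [], [], 0, False
    for ch in text:
        if ch == "'":
            in_str = not in_str            # a doubled '' toggles twice
        elif not in_str:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth < 0:
                    raise ValueError("unbalanced ')' in CQL_FILTER")
            elif ch == ";" and depth == 0:
                parts.append("".join(buf).strip())
                buf = []
                continue
        buf.append(ch)
    if in_str or depth:
        raise ValueError("unterminated literal or '(' in CQL_FILTER")
    return parts + ["".join(buf).strip()]

def secure_kvp(raw_kvp, user, unrestricted=("Z",), column="visible_to"):
    """Return the request KVP with the per-user filter ANDed onto CQL_FILTER.
    `column` and the X/Y/Z user model are assumptions for this example."""
    kvp = {k.upper(): v for k, v in raw_kvp.items()}   # KVP keys: any case
    if user in unrestricted:
        return kvp
    # These select features without CQL; refuse rather than leave them open.
    blocked = sorted(k for k in kvp if k in ("FILTER", "FEATUREID", "RESOURCEID"))
    if blocked:
        raise PermissionError("cannot constrain " + ", ".join(blocked))
    sec = f"{column} = {cql_literal(user)}"
    layers = kvp.get("TYPENAMES") or kvp.get("TYPENAME") or kvp.get("LAYERS") or ""
    if "CQL_FILTER" in kvp:
        parts = split_filters(kvp["CQL_FILTER"])
    else:
        parts = [""] * (layers.count(",") + 1)        # one filter per layer
    kvp["CQL_FILTER"] = ";".join(f"({p}) AND ({sec})" if p else sec for p in parts)
    return kvp

if __name__ == "__main__":
    # Constructed sample request for user X.
    print(secure_kvp({"typeName": "workspace:A", "cql_filter": "kind = 'road'"}, "X"))
```

Inside GeoServer the same merge is safer on parsed filter objects than on strings; the string form is used here only to show what has to be validated before the two filters are joined.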

In addition to Chris’s response you will also find third party security plugins that implement creative security restrictions of this nature. One I am aware of with a web page link is GeoFence: https://github.com/geosolutions-it/geofence

Jody Garnett


Thanks for the info Chris, will take a look at it. I hope I can count on any
further tips if I shall need any.

Jody, already took a look at GeoFence, though I couldn't get it to work, no
matter what I tried ... maybe know for a good guide how to use it? The
existing ones seem to be a bit ... well ... not much detailed ...

Regards
Matic


Matic:

Jody, already took a look at GeoFence, though I couldn’t get it to work, no
matter what I tried … maybe know for a good guide how to use it? The
existing ones seem to be a bit … well … not much detailed …

That is probably my cue as a good community lead to point to the developers guide if you (or anyone) wants to make a better one! Of course there are alternatives if you are pressed for time.

One final idea is to set up separate workspaces and use SQL views to tweak what content is visible in each. You can enforce user access quite easily on a workspace by workspace basis - in effect each user would get a distinct WFS to play with.

Jody

On Tue, Jun 3, 2014 at 8:04 AM, Feniks <svab.matic@anonymised.com> wrote:

Thanks for the info Chris, will take a look at it. I hope I can count on any
further tips if I shall need any.

Jody, already took a look at GeoFence, though I couldn't get it to work, no
matter what I tried ... maybe know for a good guide how to use it? The
existing ones seem to be a bit ... well ... not much detailed ...

GeoFence has its own user mailing list, you can ask there for directions,
see at the bottom of this page:
https://github.com/geosolutions-it/geofence

Cheers
Andrea

--

Meet us at GEO Business 2014! in London! Visit http://goo.gl/fES3aK
for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Jody and geowolf thanks for the info ... at least I got some stuff I can try
to work with now.

Regards
Matic


Chris,
I managed to implement DispatcherCallback which checks for the CQL and
changes it ...

Now one question, by which feature property did you filter, did you have a
special property for that? I see a problem if there is a column in the DB
which is only for this filtering, meaning it's going to be visible in the
WFS request but we don't want for that feature property to be visible in the
WFS response, so is it possible to somehow hide it?

Thanks
Matic


Hi,

Our process modifies the Postgres/PostGIS tables with new columns that we use for security filtering. In our case, it is acceptable for the filter values to be visible to users.

One method I am aware of is to modify the request params adding in the PropertyName=Comma,Delimited,FieldNames. You would probably have to check for a propertyname list and remove your filter columns if it exists. Or, create a completely new param listing the acceptable columns and adding it to the request.

You can also create a post filter with SPRING and add it to the outbound filter chain removing the column when it is JSON or GML based output. Possibly the CSV output. The shapefile result type would be more problematic to remove the filtering columns from the feature type, but is still doable.

Maybe one of the core developers knows of a way to restrict the columns in the result set in a more elegant manner.

One example I found from the client side restricting the values.

https://wiki.state.ma.us/confluence/display/massgis/GeoServer+-+WFS+-+Filter+-+Get+Subset+of+Attribute+Values+for+a+Feature+-+Complex+Filter+2

Chris Snider
Senior Software Engineer
Intelligent Software Solutions, Inc.


On Thu, Jun 5, 2014 at 3:56 PM, Chris Snider <chris.snider@anonymised.com>
wrote:

Hi,

Our process modifies the Postgres/PostGIS tables with new columns that we
use for security filtering. In our case, it is acceptable for the filter
values to be visible to users.

One method I am aware of is to modify the request params adding in the
PropertyName=Comma,Delimited,FieldNames. You would probably have to check
for a propertyname list and remove your filter columns if it exists. Or,
create a completely new param listing the acceptable columns and adding it
to the request.

You can also create a post filter with SPRING and add it to the outbound
filter chain removing the column when it is JSON or GML based output.
Possibly the CSV output. The shapefile result type would be more
problematic to remove the filtering columns from the feature type, but is
still doable.

Maybe one of the core developers knows of a way to restrict the columns in
the result set in a more elegant manner.

Do what GeoFence does, implement your own custom ResourceAccessManager

Cheers
Andrea


Thanks for the replies, will take a look at them and hopefully something will
work the way I need it.


Hey,
I came across SQL views where you can also set parameters. I almost got the
results I need, well by almost I mean, I was able to modify parameters when
using GET, though I didn't find a way for POST ... yet ...

After some searching I found that parameters are not possible with POST or
at least what it said in some old forum topics. Did this perhaps get changed
with any GS update or if there is any other way to set parameters in POST?

Regards,
Matic


On Tue, Jun 10, 2014 at 9:02 AM, Feniks <svab.matic@anonymised.com> wrote:

Hey,
I came across SQL views where you can also set parameters. I almost got the
results I need, well by almost I mean, I was able to modify parameters when
using GET, though I didn't find a way for POST ... yet ...

After some searching I found that parameters are not possible with POST or
at least what it said in some old forum topics. Did this perhaps get changed
with any GS update or if there is any other way to set parameters in POST?

To the best of my knowledge, that is still not possible, although I believe it may
be not too hard to implement if we go for a mixed approach where the view params
stay in the URL, and somewhat harder if we go for extending the XML instead
(as we'd have to modify 3 wfs schemas with custom, non standard compliant
extensions, and possibly 3 parsers too)

Cheers
Andrea
