Hi!!

I’d like to know if it’s possible to restrict a WPS process according to some role.

Example:

Process1 - ADMIN_ROLE
Process2 - USER_ROLE (or any other).

I know it’s possible to restrict a WPS method, but, is there a by process configuration?

Regards,

Rodrigo C. Antonialli

Rio Claro - SP - Brasil
LinkedIn: http://www.linkedin.com/in/rcaprofile
Contato: (19) 8136-2347
rcantonialli@anonymised.com
Skype: rc_antonialli

On Tue, Mar 19, 2013 at 8:22 PM, Rodrigo Antonialli
<rcantonialli@anonymised.com> wrote:

Hi!!

I'd like to know if it's possible to restrict a WPS process according to
some role.

Example:

Process1 - ADMIN_ROLE
Process2 - USER_ROLE (or any other).

I know it's possible to restrict a WPS method, but, is there a by process
configuration?

Not at the moment. It may not be too hard to extend the security in
that direction
though.
What makes things a bit more complicated is process chaining, one would
have to check more than just the top level process, and walk the whole chain
instead.

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for
more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

On 2013-03-19, at 12:53 PM, Andrea Aime wrote:

On Tue, Mar 19, 2013 at 8:22 PM, Rodrigo Antonialli
<rcantonialli@anonymised.com> wrote:

Hi!!

I'd like to know if it's possible to restrict a WPS process according to
some role.

Example:

Process1 - ADMIN_ROLE
Process2 - USER_ROLE (or any other).

I know it's possible to restrict a WPS method, but, is there a by process
configuration?

Not at the moment. It may not be too hard to extend the security in
that direction
though.
What makes things a bit more complicated is process chaining, one would
have to check more than just the top level process, and walk the whole chain
instead.

Is there currently any security applied to WPS processes by default in Geoserver?
e.g. processes that might need to download external data, for example, through a client-side communication?

Hi Andrea!

Thanks!

Is there a way to “ask” geoserver what user is logged in??

I mean, j_spring_secutiry_check returns a cookie with JSESSIONID, and everytime I send a request to geoserver, it checks this cookie. Is there a way to ask to whom this JSESSIONID belongs to?

We only need to know if a user has a certain role or not, to check his permission level or if he’s admin.

Cheers,

On Tue, Mar 19, 2013 at 9:10 PM, Tyler Mitchell
<tyler.mitchell@anonymised.com> wrote:

Is there currently any security applied to WPS processes by default in Geoserver?

None. You can only select which processes you can expose.

Before WPS enters core I would like to add some admin configurable
processing limits, such
as max execution time, max input size and the like.
I'm actually looking for funding to implement that.

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for
more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Hi Andrea,

I’m following the quickstart to create a geoserver development environment. Until now, I compiled only the WPS module to explore and change some PPIO.

With this environment set up, I’ll analise if I’m able to help and develop something.

Also, I need to check with my team if we will follow with that. Although it’s interesting for us, time isn’t exactly left over here.

If we can’t develop inside Geoserver, probably, we’ll just keep a session in the client application to keep user info.

Our ideia was to use only the session inside geoserver to control users, and make the application only to check this session and user roles.

(For now, the only idea we had was to request a getCapabilities and check for a specific protected namespace . If the namespace is there, the user is logged, otherwise, he is not. But we couldn’t find a way to check user roles.).

As soon as I check the development environment and talk to my team, I’ll let you know!

Cheers

On Wed, Mar 20, 2013 at 1:38 PM, Rodrigo Antonialli
<rcantonialli@anonymised.com> wrote:

Our ideia was to use only the session inside geoserver to control users, and
make the application only to check this session and user roles.

OGC services are stateless, GeoServer won't create a session even if
you authenticate
on OGC services (it will do so only in the GUI).

(For now, the only idea we had was to request a getCapabilities and check
for a specific protected namespace . If the namespace is there, the user is
logged, otherwise, he is not. But we couldn't find a way to check user
roles.).

If you are working inside GeoServer there are two extension points you can look
at in order to implement and declare as beans in the spring context:
* DispatcherCallback, in particular the operationDispatched method, get the
  first parameter from the operation, if it is a WPS Execute it will
be a ExecuteType
  that you can explore to decide whether to allow or deny the current request
* implement ProcessFilter (maybe just extend ProcessSelector) and
register it as a bean,
  and then decide which processes to allow in output based on the current user,
  which you can get by using
SecurityContextHolder.getSecurityContext().getAuthentication()
  (this is a standard Spring Security call)

Of course there is also the option of modifying directly the service
security, it's just that
after the security subsystem refactor I don't know where it is applied
now, Christian might
provide pointers on that.

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for
more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

The new security sub sytem is focused on authentication, not authorization. But

SecurityContextHolder.getSecurityContext().getAuthentication()

should work as expected.

Cheers
Chrstian

On Thu, Mar 21, 2013 at 10:00 AM, Christian Mueller
<christian.mueller@anonymised.com> wrote:

The new security sub sytem is focused on authentication, not authorization.

So nothing in the old service security subsytem was changed?

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for
more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

As far as I can remember, the only major change was how to calculate the roles you can assign to resources. This was necessary since

• it is possible to have multiple role services
• there are some new system roles like ROLE_AUTHENTICATED

The role/resource logic was not touched by me and I think this holds true for Justin too.

Christian