I am unable to secure my Geoserver installation and grant read and/or write
access to different roles. On the most basic level, I would like to have a
VIEWER and an EDITOR role that I can apply to different workspaces. Along
with this, I would like to control how each role accesses WFS -- readers
should be able to view (getFeature) while editors should be able to edit in
QGIS (transaction).

After a thorough read of the Geoserver manual, I still cannot get
multi-user access to work as expected. All users, regardless of data access
rules, cannot access WFS layers once the following rules are in place.

Note that I am using a fresh install of Geoserver version 2.10.0 on an
Ubuntu Server version 16.04 running Apache2 and Tomcat7.

Steps taken:

1) Create workspace called "test"
Create a Postgis store using admin credentials (just for testing, not
production)

2) Publish a single layer.

3) Create two roles: EDITORS and VIEWER

3) Create two users: test_editor and test_viewer. Give test_editor the
EDITORS role and test_viewer the VIEWER role.

4) Set up data security as follows:

*.*.r * 
*.*.w * 
test.*.r VIEWER,EDITORS 
test.*.w EDITORS

5) Create the following service rules:

*.* * 
wfs.* EDITORS

Launch QGIS 2.16.3 and add the WFS 1.0.0 service capabilities (e.g.
http://myserverip:8080/geoserver/ows?service=wfs&version=1.0.0&request=GetCapabilities)
AND the test_viewer or test_editor login credentials.

Results:

With the test_editor credentials, the expected result would be the ability
to edit and save the layer, and with the test_viewer credentials the user
should be able to simply view the WFS layers in QGIS without the ability to
edit. However, trying to get capabilities causes a popup error in QGIS:
"Unexpected end of file". QGIS error log reads:
Download of capabilities failed: Error downloading
http://myserverip:8080/geoserver/ows?version=1.0.0&&SERVICE=WFS&REQUEST=GetCapabilities&VERSION=1.0.0
- server replied: Forbidden

Geoserver log reads:

2016-11-17 13:59:22,480 WARN [wicket.Localizer] - Tried to retrieve a localized string for a component that has not yet been added to the page. This can sometimes lead to an invalid or no localized resource returned. Make sure you are not calling Component#getString() inside your Component's constructor. Offending component: [XMLUserGroupServicePanel [Component id = dummy]]
2016-11-17 14:04:10,769 INFO [geoserver.wfs] - Request: getServiceInfo
2016-11-17 14:07:25,217 INFO [geoserver.wfs] - Request: getServiceInfo
2016-11-17 14:08:39,836 INFO [geoserver.wfs] - Request: getServiceInfo

BUT... and this is where it gets weird, the credentials work perfectly for
WMS. No creds, no access to WMS layers in "test" workspace. Apply creds,
and authorized users have access to layers. So, there is something wrong
with WFS(-T).

Some further things to note:

- All default Geoserver settings are in place (except for those changes in
the above steps)

- WFS Service level is set to Transactional

- Local settings are not being used for the "test" workspace. Global
settings are used, which are set to default.

- Apache, Tomcat7 and Ubuntu Server have not been reconfigured. All default
settings are in place.

Questions:

1) Why are the security settings not working as expected for WFS layers but
work fine for WMS?

2) Further, is this a Geoserver-, QGIS-, Apache-, Tomcat 7-, or
Linux-related issue? I suspect that there are some Linux permission issues
or something else under the hood preventing Geoserver from working as it
should.

Many thanks!

Cliff
------------------------------------------------------------------------------
_______________________________________________
Geoserver-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
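
Added example (not part of the original message and not GeoServer's own code): a small Python model of the service rules from step 5, showing which WFS operations each role may call under the posted rules compared with a constructed per-operation split matching the goal stated in the post. It assumes the most specific matching rule decides, that a role of * admits any caller, and that an operation with no matching rule is open; the function names and SPLIT_RULES are hypothetical.

```python
# Simplified model of GeoServer service-level security rules, written
# for this example; it is not GeoServer's own code.
# Assumptions: the most specific matching rule decides, a role of "*"
# admits any caller, and an operation with no matching rule is open.

POSTED_RULES = """\
*.* *
wfs.* EDITORS
"""

# Constructed alternative (hypothetical): split WFS by operation.
SPLIT_RULES = """\
*.* *
wfs.* VIEWER,EDITORS
wfs.Transaction EDITORS
"""

def parse_rules(text):
    """Parse '<service>.<operation> <roles>' lines into tuples."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        key, roles = line.replace("=", " ").split(None, 1)
        service, operation = key.lower().split(".", 1)
        rules.append((service, operation, {r.strip() for r in roles.split(",")}))
    return rules

def allowed(rules, user_roles, service, operation):
    """Decide a request using the most specific matching rule."""
    best, best_score = None, -1
    for svc, op, roles in rules:
        if svc not in ("*", service.lower()) or op not in ("*", operation.lower()):
            continue
        score = 2 * (svc != "*") + (op != "*")
        if score > best_score:
            best, best_score = roles, score
    if best is None:
        return True
    return "*" in best or bool(best & set(user_roles))

def access_matrix(rules_text, ops=("GetCapabilities", "GetFeature", "Transaction")):
    """Map each role from the post to the WFS operations it may call."""
    rules = parse_rules(rules_text)
    return {role: [op for op in ops if allowed(rules, [role], "wfs", op)]
            for role in ("VIEWER", "EDITORS")}

if __name__ == "__main__":
    print("posted rules:", access_matrix(POSTED_RULES))
    print("split rules: ", access_matrix(SPLIT_RULES))
```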
