Re: [Geoserver-users] Securing access to OWS. Possible through oAuth 2?

Thu, 12 Jan 2017 07:40:25 -0800 

If you already have a valid bearer "access_token", you can just attach it
to GeoServer url. He will hit the outh2 filter (which must be configured of
course) in order to validate it through an endpoint which must translate
the access_token into a JSON containing several info like the expiration
and validity and the associated username.

You need to implement some classes in order to build your own oauth2 filter
and if not exists, you will need to implement also such "token info"
endpoint on the backend.

For GeoServer you can get as an example this module which implements the
classes to be able to authenticate against github oauth2 service provider.

https://github.com/geoserver/geoserver/tree/master/src/community/security/oauth2-github


About your second question, the outh2 filter allows you to associate anyone
of the "UserGroupService" or "RoleService" available on GeoServer.

There are some of them available around. Those services basically allow you
associate a "role" to a "username". Again, if you have a custom service for
that you might need to implement your custom "RoleService".

For GeoNode we implemented a simple REST API with DJango that allows you to
get the user roles via REST, and used this service

https://github.com/geoserver/geoserver/blob/master/src/community/authkey/src/main/java/org/geoserver/security/GeoServerRestRoleService.java

to parse them.

You can find the full setup guide with explanation on how to they interact
and how to configure them here:

1. http://docs.geoserver.org/latest/en/user/community/oauth2/index.html

2.
http://docs.geonode.org/en/latest/tutorials/admin/geoserver_geonode_security/index.html#setup-of-the-geonode-rest-role-service

The second link also shows how GeoFence Plugin has been integrated on
GeoNode. Such plugin allows you to have much more granular access rules for
the GeoServer resources.










Best Regards,
Alessio Fabiani.

==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==

Ing. Alessio Fabiani
@alfa7691
Founder/Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax:     +39 0584 1660272
mob:   +39 331 6233686

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.



The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility  for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

---------------------------------------------------------------------

On Thu, Jan 12, 2017 at 4:22 PM, Max Stephan <m...@maxstephan.com> wrote:

> Hi Alessio,
>
> in our setup the user authenticates in the Web Application which is
> managed through 'passport'. He receives an oAuth2 token when authentication
> was successful.
>
> We would like to use that same token for Geoserver as well. In order to do
> that I assume we would have to verify that authenticity of that token
> somehow. Is that what you mean by creating a small custom extension? Is
> there a guide as to which steps need to be taken for this?
>
> Lastly, how would I assign certain permissions for example layer level
> restrictions for a user authenticated through oAuth2?
>
>
> Kind regards,
>
> Max
> ------------------------------
> *Von:* alessio.fabi...@gmail.com <alessio.fabi...@gmail.com> im Auftrag
> von Alessio Fabiani <alessio.fabi...@geo-solutions.it>
> *Gesendet:* Donnerstag, 12. Januar 2017 13:56:17
> *An:* Max Stephan
> *Cc:* geoserver-users@lists.sourceforge.net
> *Betreff:* Re: [Geoserver-users] Securing access to OWS. Possible through
> oAuth 2?
>
> Hi Max,
> oauth2 can allow you to do this since in the end it relies on generated
> access_tokens which are more or less similar to the fixed keys of the
> authkey module.
>
> The difference is that setting up the oauth2 is much more complex, but it
> also gives you more security and reliability (as an instance the
> access_tokens are generated and are associated to expiring sessions instead
> of being permanent as for the authkey module).
> The problem is that actually you need an oauth2 service provider of
> course. If you want to implement your custom oauth2 service provider, then
> you might need to create also a small custom extension of the GeoServer
> plugin.
>
>
> Best Regards,
> Alessio Fabiani.
>
> ==
> GeoServer Professional Services from the experts!
> Visit http://goo.gl/it488V for more information.
> ==
>
> Ing. Alessio Fabiani
> @alfa7691
> Founder/Technical Lead
>
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313 <0584%20962313>
> fax:     +39 0584 1660272 <0584%20166%200272>
> mob:   +39 331 6233686 <331%20623%203686>
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>
> -------------------------------------------------------
>
> *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
>
> Le informazioni contenute in questo messaggio di posta elettronica e/o
> nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
> loro utilizzo è consentito esclusivamente al destinatario del messaggio,
> per le finalità indicate nel messaggio stesso. Qualora riceviate questo
> messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
> darcene notizia via e-mail e di procedere alla distruzione del messaggio
> stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
> divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
> utilizzarlo per finalità diverse, costituisce comportamento contrario ai
> principi dettati dal D.Lgs. 196/2003.
>
>
>
> The information in this message and/or attachments, is intended solely for
> the attention and use of the named addressee(s) and may be confidential or
> proprietary in nature or covered by the provisions of privacy act
> (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
> Code).Any use not in accord with its purpose, any disclosure, reproduction,
> copying, distribution, or either dissemination, either whole or partial, is
> strictly forbidden except previous formal approval of the named
> addressee(s). If you are not the intended recipient, please contact
> immediately the sender by telephone, fax or e-mail and delete the
> information in this message that has been received in error. The sender
> does not give any warranty or accept liability as the content, accuracy or
> completeness of sent messages and accepts no responsibility  for changes
> made after they were sent or for other risks which arise as a result of
> e-mail transmission, viruses, etc.
>
> ---------------------------------------------------------------------
>
> On Thu, Jan 12, 2017 at 2:02 PM, Max Stephan <m...@maxstephan.com> wrote:
>
>> Hi,
>>
>> we need to secure resources within our Geoserver on a layer or service
>> level. Is it possible to achieve this using the oAuth2 community module? If
>> yes, how would I go about doing this?
>>
>>
>> I want to do this in an automated way, i.e. I wouldn't want the user to
>> first sign in to Geoserver to then be able to use the respective services
>> or layers in the web application.
>>
>> If oAuth2 is not possible what other ways exist to achieve this?
>>
>>
>> I see the Key authentication module for example (
>> http://docs.geoserver.org/stable/en/user/community/authkey/index.html)
>> but not sure if that would provide the right level of security.
>>
>>
>> Kind regards and thanks in advance,
>>
>> Max Stephan
>> Key authentication module — GeoServer 2.10.x User Manual
>> <http://docs.geoserver.org/stable/en/user/community/authkey/index.html>
>> docs.geoserver.org
>> Key authentication module¶ The authkey module for GeoServer allows for a
>> very simple authentication protocol designed for OGC clients that cannot
>> handle any kind of ...
>>
>>
>> ------------------------------------------------------------
>> ------------------
>> Developer Access Program for Intel Xeon Phi Processors
>> Access to Intel Xeon Phi processor-based developer platforms.
>> With one year of Intel Parallel Studio XE.
>> Training and support from Colfax.
>> Order your platform today. http://sdm.link/xeonphi
>> _______________________________________________
>> Geoserver-users mailing list
>> Geoserver-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>
>>
>

------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Reply via email to