Absolutely. We use PG to control authentication across our entire system. This includes authenticated WMS calls to GeoServer. It's critical for us.
On Wed., Mar. 3, 2021, 11:01 a.m. Andrea Aime, <andrea.a...@geo-solutions.it> wrote:

> Each of those source files has an author tag, they all say:
>
> @author christian
>
> About a reason to do so, database centric security can be a reason. A system where the access restrictions are enforced at the relational database level. In that case, you want to authenticate using database users, and then use impersonation to connect to the database as that user, while fetching data:
>
> https://docs.geoserver.org/latest/en/user/data/database/sqlsession.html#data-sqlsession
>
> Cheers
> Andrea
>
> On Wed, Mar 3, 2021 at 6:52 PM Ian Turton <ijtur...@gmail.com> wrote:
>
>> So who did write it? I'm still trying to come up with a reason to let my database users log into geoserver.
>>
>> Ian
>>
>> On Wed, 3 Mar 2021, 17:39 Andrea Aime, <andrea.a...@geo-solutions.it> wrote:
>>
>>> Quoting from stack overflow: "After much head scratching and asking the guys who wrote this stuff on the users mailing list"
>>>
>>> Hell no, I had nothing to do with those modules! :-D
>>>
>>> Cheers
>>> Andrea
>>>
>>> On Wed, Mar 3, 2021 at 6:35 PM Ian Turton <ijtur...@gmail.com> wrote:
>>>
>>>> Thanks to everyone for their help on this, I have finally got my head around it and have added an answer to the gis.stackoverflow question I linked to earlier (https://gis.stackexchange.com/a/388940/79) - If I get some time over the weekend I'll see if I can try to make the documentation clearer.
>>>>
>>>> Ian
>>>>
>>>> On Wed, 3 Mar 2021 at 15:03, Andrea Aime <andrea.a...@geo-solutions.it> wrote:
>>>>
>>>>> Hi Ian,
>>>>> the role handling is a third class:
>>>>>
>>>>> [image: image.png]
>>>>>
>>>>> 1: authentication via database users (tries to connect to the database using the username/password provided in the request)
>>>>> 2: authentication via table contents (looks up a user with the same name provided in the request, and verifies the password)
>>>>> 3: adds role to a given user, after it has been authenticated
>>>>>
>>>>> Cheers
>>>>> Andrea
>>>>>
>>>>> On Wed, Mar 3, 2021 at 3:50 PM Ian Turton <ijtur...@gmail.com> wrote:
>>>>>
>>>>>> On Wed, 3 Mar 2021 at 13:33, Andrea Aime <andrea.a...@geo-solutions.it> wrote:
>>>>>>
>>>>>>> Hi Ian,
>>>>>>> there are both functionalities, they are separate classes and are configured in a different way:
>>>>>>>
>>>>>>> - Authenticating using the database's own users: https://docs.geoserver.geo-solutions.it/edu/en/security/jdbc_authentication.html
>>>>>>> - Storing credentials in the database, use the table contents for authentication: https://docs.geoserver.geo-solutions.it/edu/en/security/jdbcusergroup_services.html
>>>>>>
>>>>>> I think (and I may be wrong) that this one only assigns a role to a postgres user (that is why you can set the password field to empty) - if it was intended to work that way I can try to find some time to debug it (when I finish this course).
>>>>>>
>>>>>>> Back when we wrote the training material they were both working, not sure about the present.
>>>>>>
>>>>>> I'm pretty sure it used to work (when I wrote my training notes too) but it's been a while since I had a trainee choose the JDBC path instead of the LDAP path through the course (we have a lot of Windows users) so I can't recall for sure (and if I used ian as my test user then it would have worked as I have a DB login).
>>>>>>
>>>>>>> Just a note, one has to be very careful when using the auth subsystem, many options, lots of complexity. I know I curse every time :-D
>>>>>>
>>>>>> Oh, yes that is for sure!
>>>>>>
>>>>>> Ian
>>>>>>
>>>>>>> Cheers
>>>>>>> Andrea
>>>>>>>
>>>>>>> On Wed, Mar 3, 2021 at 12:42 PM Ian Turton <ijtur...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Just to check before I break out the debugger:
>>>>>>>>
>>>>>>>> When you use JDBC Authentication can it allow any user you create in GeoServer (which get written in the tables) to log in or does it only allow the user used for the postgis connection (or other postgis users) to log in?
>>>>>>>>
>>>>>>>> It seems like this is a bug, but I may just be missing something (and I think I'm not the only one https://gis.stackexchange.com/questions/274834/geoserver-jdbc-user-group-services-problem )
>>>>>>>>
>>>>>>>> I'd be interested if anyone is successfully using JDBC authentication in the wild?
>>>>>>>>
>>>>>>>> Cheers
>>>>>>>>
>>>>>>>> Ian
>>>>>>>>
>>>>>>>> --
>>>>>>>> Ian Turton
>>>>>>>> _______________________________________________
>>>>>>>> Geoserver-users mailing list
>>>>>>>>
>>>>>>>> Please make sure you read the following two resources before posting to this list:
>>>>>>>> - Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
>>>>>>>> - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html
>>>>>>>>
>>>>>>>> If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>>>>>>>
>>>>>>>> Geoserver-users@lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>>>>>>
>>>>>>> --
>>>>>>> Regards, Andrea Aime
>>>>>>>
>>>>>>> == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. ==
>>>>>>>
>>>>>>> Ing. Andrea Aime
>>>>>>> @geowolf
>>>>>>> Technical Lead
>>>>>>>
>>>>>>> GeoSolutions S.A.S.
>>>>>>> Via di Montramito 3/A
>>>>>>> 55054 Massarosa (LU)
>>>>>>> phone: +39 0584 962313
>>>>>>> fax: +39 0584 1660272
>>>>>>> mob: +39 339 8844549
>>>>>>>
>>>>>>> http://www.geo-solutions.it
>>>>>>> http://twitter.com/geosolutions_it
>>>>>>>
>>>>>>> -------------------------------------------------------
>>>>>>>
>>>>>>> *With reference to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that every circumstance relating to this email (its content, any attachments, etc.) is information whose knowledge is reserved solely for the recipient(s) indicated by the sender. If the message has reached you in error, you are required to delete it; any other operation is unlawful. I would nevertheless be grateful if you could let me know.
>>>>>>>
>>>>>>> This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail.*
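A small Python model of the three separate pieces listed in the thread (login as a database user, login against table contents, and role assignment after authentication), added here as an illustration and not GeoServer code. The function names, table layout, PBKDF2 hashing and sample users are assumptions, and a dict stands in for the database server's own login roles.

```python
import hashlib
import hmac
import os
import sqlite3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data. DB_LOGINS stands in for the database server's own
# login roles (assumption: a dict replaces a real connection attempt).
DB_SALT = os.urandom(16)
DB_LOGINS = {"ian": _hash("db-secret", DB_SALT)}

def make_tables():
    """Build hypothetical users / user_roles tables with one table-only user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    db.execute("CREATE TABLE user_roles (name TEXT, role TEXT)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, _hash("table-secret", salt)))
    db.executemany("INSERT INTO user_roles VALUES (?, ?)",
                   [("alice", "ROLE_VIEWER"), ("ian", "ROLE_ADMIN")])
    return db

def auth_db_login(user, password):
    """1: succeeds only if the database itself accepts these credentials."""
    stored = DB_LOGINS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password, DB_SALT))

def auth_table(db, user, password):
    """2: looks the user up in the users table and verifies the password."""
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?", (user,)).fetchone()
    return row is not None and hmac.compare_digest(row[1], _hash(password, row[0]))

def roles_for(db, user):
    """3: role lookup only; it never checks a password."""
    rows = db.execute("SELECT role FROM user_roles WHERE name = ?", (user,))
    return sorted(role for (role,) in rows)

def login(db, mode, user, password):
    """Authenticate with the chosen mode, then attach roles; None on failure."""
    if mode == "db_login":
        ok = auth_db_login(user, password)
    else:
        ok = auth_table(db, user, password)
    return roles_for(db, user) if ok else None

if __name__ == "__main__":
    db = make_tables()
    print(login(db, "db_login", "alice", "table-secret"))  # table user, wrong provider
    print(login(db, "table", "alice", "table-secret"))
```

In this model a user that exists only in the tables is rejected when the database-login check is the configured one, while a user with a database login passes it and still receives roles from the role table.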