Re: [Geoserver-users] Access to GeoServer Security Layers in front-end

2020-06-23 Thread Fernando Quadro
Thanks Vitor,

I will pass this example to the development team

Best regards,

Fernando Quadro
http://www.fernandoquadro.com.br
https://www.linkedin.com/in/fernandoquadro/


On Sat, Jun 20, 2020 at 09:24, Vitor Fonseca wrote:

>
> yes a proxy would work.
> I currently have a web app using a proxy (ol4jsfproxy)
>
> It's a little bit old but here's an example
>
> http://osgeo-org.1560.x6.nabble.com/Load-GeoServer-WMS-secured-layers-with-OpenLayers-td3919938.html
>
> Fernando Quadro wrote on Friday, 19/06/2020 at 21:20:
>
>> Hi Jody,
>>
>> The application today is written in PHP and uses only the session to
>> authenticate; it does not use OAuth.
>>
>> I am thinking of creating a proxy (in PHP) and using it in the
>> PROXY_BASE_URL property, to filter the requests before reaching GeoServer,
>> and validating the authentication through token.
>>
>> Best regards,
>>
>> Fernando Quadro
>> http://www.fernandoquadro.com.br
>> https://www.linkedin.com/in/fernandoquadro/
>>
>>
>> On Thu, Jun 18, 2020 at 18:45, Jody Garnett <jody.garn...@gmail.com> wrote:
>>
>>> What have you tried so far Fernando, did you try oauth? I assume with
>>> google since you already had google maps in play...
>>> --
>>> Jody Garnett
>>>
>>>
>>> On Wed, 17 Jun 2020 at 14:35, Fernando Quadro 
>>> wrote:
>>>
>>>> Hi ALL,
>>>>
>>>> I created some security settings on GeoServer, and also some users,
>>>> with certain access restrictions.
>>>>
>>>> However, I would not like to have to enter the login and password when
>>>> calling the request to GeoServer (on the front end), for security reasons,
>>>> considering that the layers are private.
>>>>
>>>> Does anyone have any tips to give, how to do, in addition to the
>>>> options below? I'm using the Google Maps Javascript API on the front end.
>>>>
>>>> - https://docs.geoserver.org/stable/en/user/extensions/authkey/index.html
>>>> - https://docs.geoserver.org/stable/en/user/community/oauth2/index.html
>>>>
>>>> Best regards,
>>>>
>>>> Fernando Quadro
>>>> http://www.fernandoquadro.com.br
>>>> https://www.linkedin.com/in/fernandoquadro/
>>>> ___
>>>> Geoserver-users mailing list
>>>>
>>>> Please make sure you read the following two resources before posting to
>>>> this list:
>>>> - Earning your support instead of buying it, but Ian Turton:
>>>> http://www.ianturton.com/talks/foss4g.html#/
>>>> - The GeoServer user list posting guidelines:
>>>> http://geoserver.org/comm/userlist-guidelines.html
>>>>
>>>> If you want to request a feature or an improvement, also see this:
>>>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>>>
>>>>
>>>> Geoserver-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users

>>
>
>
> --
>
> www.vfonsecaz.pt
>
>


Re: [Geoserver-users] Restricting WFS-T to certain Transactions -> SOLVED

2020-06-23 Thread Andrea Aime
Hi,
thanks for sharing! :-D

Cheers
Andrea


On Tue, Jun 23, 2020 at 10:07 AM  wrote:

> Thanks to Stefan Overkamp who obviously read the article about Custom SQL
> session start/stop scripts I found the solution.
>
>
>
> The solution comprises four components/steps (I work with
> PostgreSQL/PostGIS):
>
>
>
> 1. In datastore configuration define a custom SQL SESSION START script
>    like “SELECT set_config('geoserver_user', '${GSUSER,geoserver}', FALSE)”.
>    As STOP script use something like “SELECT set_config('geoserver_user',
>    '', FALSE)”
>    --> This is the most important part and ensures that on DB side you can
>    retrieve the geoserver user who starts the WFS-T transaction.
> 2. On DB side you now need to retrieve the user. This can be done in a
>    trigger function that is fired on TRIGGER BEFORE UPDATE OR INSERT OR
>    DELETE. In the function you can retrieve the user with “DECLARE
>    geoserveruser VARCHAR(64) := current_setting('geoserver_user', TRUE);”
> 3. The tricky part for me still is to get the roles for the user and
>    check the permissions.
>    1. If you have an SQL based authentication provider you are lucky
>       and can check the permissions in the DB (There apparently is no env
>       variable yet in geoserver to pass the ROLE instead of the user).
>    2. (The other solution could be not to use the user directly but
>       instead use two datastores. Pass a “allow_deletion=true” to the DB
>       for one datastore and allow_deletion=false in the other datastore.
>       Then publish the same table in both datastores, for example as
>       “my_layer_rwd” and “my_layer_rw”. Then the users with delete
>       permission can use the first layer and the others have to use the
>       second layer. Data security sessions/GeoFence could be used to
>       restrict access to the services to certain security roles.)
>    3. By looking at the documentation I guess it would also be
>       possible to access the LDAP via a DATALINK and retrieve the
>       roles/permissions from the LDAP from within the trigger function
> 4. In the Trigger function return NULL and/or “RAISE EXCEPTION
>    'deletion not allowed for this user';” if no deletion is allowed.
>    (Didn’t test this part yet)
>
>
>
> Nice about this solution in general is that you can also use the geoserver
> user to update the target table and set a value for a “modified by” column
> for example.
>
>
>
> Hope this also helps others.
>
>
>
> Regards,
>
>
>
> Michael
>
>
>
>
>
> *From:* overk...@posteo.de
> *Sent:* Thursday, 18 June 2020 17:13
> *To:* Härtel, Michael ;
> Geoserver-users@lists.sourceforge.net
> *Subject:* AW:AW:[Geoserver-users] Restricting WFS-T to certain
> Transactions
>
>
>
> Example:
> Enter the following as startup and close-up:
>
> SELECT set_config('myapp.user', '${GSUSER,geoserver}', FALSE)
> SELECT set_config('myapp.user', '', FALSE)
>
> Test UPDATE trigger:
>
> CREATE OR REPLACE FUNCTION geodaten.update_lastchangeby_func()
> RETURNS trigger AS
> $BODY$
> BEGIN
> NEW.lastchangeby = current_setting('myapp.user', TRUE);
> RETURN NEW;
> END;$BODY$
> LANGUAGE plpgsql VOLATILE
> COST 100;
> ALTER FUNCTION geodaten.update_lastchangeby_func() OWNER TO geoadmin;
>
> CREATE TRIGGER test_trigger
> BEFORE UPDATE ON geodaten.gemeinde
> FOR EACH ROW EXECUTE PROCEDURE geodaten.update_lastchangeby_func();
>
>
>
>
>
> Sent from my Huawei mobile phone
>
>
>
> Original message
> Subject: AW: AW:[Geoserver-users] Restricting WFS-T to certain Transactions
> From: michael-haer...@telekom.de
> To: overk...@posteo.de,Geoserver-users@lists.sourceforge.net
> Cc:
>
>
> Hello Stefan,
>
>
>
> I already thought about triggers but then dismissed this approach because
> I don’t see a way to pass the geoserver user/role (user who starts the WFS
> transaction) to the database.
>
> As I understand it the geoserver uses the jdbc connection that is used to
> define the datastore and that user then executes the SQL statements. I
> wouldn’t  know how to let the DB know who triggered the XML request to the
> WFS-T service which would be necessary to map geoserver users to DB roles
> or set a parameter in the DB.
>
>
>
> Regards,
>
>
>
> Michael
>
> *From:* overk...@posteo.de
> *Sent:* Thursday, 18 June 2020 12:26
> *To:* Härtel, Michael ;
> Geoserver-users@lists.sourceforge.net
> *Subject:* AW:[Geoserver-users] Restricting WFS-T to certain Transactions
>
>
>
> Hi,
>
> if you have a postgis datastore as datasource, you could add an update
> trigger. Geoserver allows setting a session startup sql on the datasource
> to set a variable. Then the trigger function could use this to prevent the
> delete action for some users.
>
> Best regards
>
> Stefan
>
>
>
>
> Sent from my

[Geoserver-users] How to force fixed position of lines and gaps pattern in SLD/YLSD with stroke-dasharray or stroke-graphic

2020-06-23 Thread 4harry4444
Hi Everyone,

I'm trying to display a map of road signs in Geoserver from an
Oracle/PostGis system/database.
If the beginning of the line (look at P-1E) on which we draw the pattern
with stroke-dasharray/stroke-graphic is visible on the screen, the pattern
is drawn correctly. If, however, the beginning of the line no longer fits
in the drawing window, the pattern is shifted, which is unacceptable for
road signs. Maybe some of you know how to force a fixed position of the
line and gaps pattern with stroke-dasharray/stroke-graphic in YSLD/SLD or a
different fix for it?
[image: image.png]

Issue reported also by me some time ago at:
https://gis.stackexchange.com/questions/358886/how-to-force-fixed-position-of-lines-and-gaps-pattern-in-sld-ylsd-with-stroke-da


Best Regards
Daniel


[Geoserver-users] Restricting WFS-T to certain Transactions -> SOLVED

2020-06-23 Thread Michael-Haertel
Thanks to Stefan Overkamp who obviously read the article about Custom SQL
session start/stop scripts I found the solution.

The solution comprises four components/steps (I work with PostgreSQL/PostGIS):


  1.  In datastore configuration define a custom SQL SESSION START script like
      “SELECT set_config('geoserver_user', '${GSUSER,geoserver}', FALSE)”. As STOP
      script use something like “SELECT set_config('geoserver_user', '', FALSE)”
      --> This is the most important part and ensures that on DB side you can
      retrieve the geoserver user who starts the WFS-T transaction.
  2.  On DB side you now need to retrieve the user. This can be done in a
      trigger function that is fired on TRIGGER BEFORE UPDATE OR INSERT OR
      DELETE. In the function you can retrieve the user with “DECLARE
      geoserveruser VARCHAR(64) := current_setting('geoserver_user', TRUE);”
  3.  The tricky part for me still is to get the roles for the user and check
      the permissions.
       *   If you have an SQL based authentication provider you are lucky and can
           check the permissions in the DB (There apparently is no env variable yet
           in geoserver to pass the ROLE instead of the user).
       *   (The other solution could be not to use the user directly but instead
           use two datastores. Pass a “allow_deletion=true” to the DB for one
           datastore and allow_deletion=false in the other datastore. Then publish
           the same table in both datastores, for example as “my_layer_rwd” and
           “my_layer_rw”. Then the users with delete permission can use the first
           layer and the others have to use the second layer. Data security
           sessions/GeoFence could be used to restrict access to the services to
           certain security roles.)
       *   By looking at the documentation I guess it would also be possible to
           access the LDAP via a DATALINK and retrieve the roles/permissions from
           the LDAP from within the trigger function
  4.  In the Trigger function return NULL and/or “RAISE EXCEPTION 'deletion not
      allowed for this user';” if no deletion is allowed.
      (Didn’t test this part yet)

Nice about this solution in general is that you can also use the geoserver user 
to update the target table and set a value for a “modified by” column for 
example.

Hope this also helps others.

Regards,

Michael


From: overk...@posteo.de
Sent: Thursday, 18 June 2020 17:13
To: Härtel, Michael ;
Geoserver-users@lists.sourceforge.net
Subject: AW:AW:[Geoserver-users] Restricting WFS-T to certain Transactions

Example:
Enter the following as startup and close-up:

SELECT set_config('myapp.user', '${GSUSER,geoserver}', FALSE)
SELECT set_config('myapp.user', '', FALSE)

Test UPDATE trigger:

CREATE OR REPLACE FUNCTION geodaten.update_lastchangeby_func()
RETURNS trigger AS
$BODY$
BEGIN
NEW.lastchangeby = current_setting('myapp.user', TRUE);
RETURN NEW;
END;$BODY$
LANGUAGE plpgsql VOLATILE
COST 100;
ALTER FUNCTION geodaten.update_lastchangeby_func() OWNER TO geoadmin;

CREATE TRIGGER test_trigger
BEFORE UPDATE ON geodaten.gemeinde
FOR EACH ROW EXECUTE PROCEDURE geodaten.update_lastchangeby_func();





Sent from my Huawei mobile phone


Original message
Subject: AW: AW:[Geoserver-users] Restricting WFS-T to certain Transactions
From: michael-haer...@telekom.de
To: overk...@posteo.de,Geoserver-users@lists.sourceforge.net
Cc:


Hello Stefan,

I already thought about triggers but then dismissed this approach because I 
don’t see a way to pass the geoserver user/role (user who starts the WFS 
transaction) to the database.
As I understand it the geoserver uses the jdbc connection that is used to 
define the datastore and that user then executes the SQL statements. I wouldn’t 
 know how to let the DB know who triggered the XML request to the WFS-T service 
which would be necessary to map geoserver users to DB roles or set a parameter 
in the DB.

Regards,

Michael
From: overk...@posteo.de
Sent: Thursday, 18 June 2020 12:26
To: Härtel, Michael <michael-haer...@telekom.de>;
Geoserver-users@lists.sourceforge.net
Subject: AW:[Geoserver-users] Restricting WFS-T to certain Transactions

Hi,

if you have a postgis datastore as datasource, you could add an update trigger. 
Geoserver allows setting a session startup sql on the datasource to set a 
variable. Then the trigger function could use this to prevent the delete action 
for some users.

Best regards

Stefan




Sent from my Huawei mobile phone


Original message
Subject: [Geoserver-users] Restricting WFS-T to certain Transactions
From: michael-haer...@telekom.de
To:
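
The four steps in the message above, put together as an added example (not code from the thread's authors): a BEFORE DELETE trigger that rejects WFS-T deletes unless the GeoServer user passed in by the session start script is on an allow-list. The table geodaten.wfst_delete_acl, the function and trigger names and the sample user are hypothetical; the setting name myapp.user and the table geodaten.gemeinde are taken from Stefan's example.

```sql
-- Added example. GeoServer datastore session scripts, as in Stefan's message:
--   start: SELECT set_config('myapp.user', '${GSUSER,geoserver}', FALSE)
--   stop:  SELECT set_config('myapp.user', '', FALSE)
-- PostgreSQL only accepts custom settings with a two-part name (prefix.name),
-- so the dotted name is used here.

-- Hypothetical allow-list of GeoServer users that may delete features.
CREATE TABLE geodaten.wfst_delete_acl (
    gs_user varchar(64) PRIMARY KEY
);
INSERT INTO geodaten.wfst_delete_acl VALUES ('editor_admin');  -- constructed sample user

CREATE OR REPLACE FUNCTION geodaten.check_delete_allowed()
RETURNS trigger AS
$BODY$
DECLARE
    -- Second argument TRUE (missing_ok): NULL instead of an error when the
    -- setting was never set in this session.
    gsuser varchar(64) := current_setting('myapp.user', TRUE);
BEGIN
    -- Fail closed: no user name (direct SQL session, or the stop script
    -- already cleared it) means no delete.
    IF gsuser IS NULL OR gsuser = '' THEN
        RAISE EXCEPTION 'deletion not allowed: no GeoServer user in session';
    END IF;

    IF NOT EXISTS (SELECT 1
                   FROM geodaten.wfst_delete_acl a
                   WHERE a.gs_user = gsuser) THEN
        -- RAISE EXCEPTION aborts the whole transaction, so the WFS-T request
        -- fails visibly; RETURN NULL would only skip this row silently.
        RAISE EXCEPTION 'deletion not allowed for user %', gsuser;
    END IF;

    RETURN OLD;  -- let the DELETE proceed for this row
END;
$BODY$
LANGUAGE plpgsql;

CREATE TRIGGER gemeinde_delete_guard
BEFORE DELETE ON geodaten.gemeinde
FOR EACH ROW EXECUTE PROCEDURE geodaten.check_delete_allowed();
```

The check trusts whatever the session start script wrote: any client that connects with the datastore's database credentials can call set_config itself, so this restricts WFS-T users going through GeoServer, not holders of the JDBC account.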

Re: [Geoserver-users] GeoServer 2.17.1 - Oracle 11.0.7 JDK - Strong cryptography available

2020-06-23 Thread Russ Hore
As far as I know it is not an error but just information. So does not need 
solving.

Russ

Sent from my iPad

> On 22 Jun 2020, at 21:01, Diego Mendes Rodrigues  wrote:
> 
> 
> Friends,
> 
> I have a server with GeoServer 2.17.1 installed from Debian 9.
> 
> I use the Oracle 11.0.7 JDK.
> java version "11.0.7" 2020-04-14 LTS
> Java(TM) SE Runtime Environment 18.9 (build 11.0.7+8-LTS)
> Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.7+8-LTS, mixed mode)
> 
> When I log in to the administrative interface, I get the message 'Strong 
> cryptography available'.
> 
> How can I solve?
> What should you install or configure?
> 
> 
> 
> 
> Regards,
> Diego
> 
> ---
> 
> Dear all,
> 
> I have a server with GeoServer 2.17.1 installed on Debian 9.
> 
> I use the Oracle 11.0.7 JDK.
> java version "11.0.7" 2020-04-14 LTS
> Java(TM) SE Runtime Environment 18.9 (build 11.0.7+8-LTS)
> Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.7+8-LTS, mixed mode)
> 
> When I log in to the administrative interface, I get the message 'Strong cryptography 
> available'.
> 
> How can I solve it? 
> What should I install or configure?
> 
> Sincerely,
> Diego