Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers
Hi Andrea, Thanks, that is very informative. I believe Chris is going to look into the AUTHKEY plugin so that or the CAS / LDAP authentication so I should think that will give him what he needs anyway? I think remoteUser is always blank in our log files but I'll investigate it as a later date. Cheers, Paul From: andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] On Behalf Of Andrea Aime Sent: 01 August 2016 18:48 To: Paul Wittle Cc: geoserver-users@lists.sourceforge.net Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers On Mon, Aug 1, 2016 at 10:39 AM, Paul Wittle mailto:p.wit...@dorsetcc.gov.uk>> wrote: Andrea, in terms of the monitoring plugin, can it log the user being used for each request? As far as I know, it should be reported by the remoteUser property: http://docs.geoserver.org/stable/en/user/extensions/monitoring/audit.html#customizing-log-contents I only wondered as the user session is maintained in the background and I'm not sure it is currently included in the outputs. Session creation is controlled at the security subsystem level, normally session creation for the users is not maintained to make horizontal clusters easier to setup (otherwise you have to setup http session sharing among the containers) I still have not had time to fully review the monitoring plugin but I have been using the audit log functionality and I have decided that the files it creates are what I'm after. These can be customised using the FreeMarker templates and I can then write something my end to summarise the data. This raises three questions: 1) Can you add the logged in user to the audit role? Read above 2) Could you just have the audit role? (i.e. no other monitoring plugin options just audit role files) The template can be made with just one property, yes 3) If you can do point 1, would this help Chris solve his issues if he was using a specific user account for QGIS? I don't see how? :-) I thought he wanted to restrict access, auditing just logs out information about the requests, after the request is served. Cheers Andrea -- == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it AVVERTENZE AI SENSI DEL D.Lgs. 196/2003 Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003. The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc. --- "This e-mail is intended for the named addressee(s) only and may contain information about individuals or other sensitive information and should be handled accordingly. Unless you are the named addressee (or authorised to receive it for the addressee) you may not copy or use it, or disclose it to anyone else. If you have received this email in error, kindly disregard the content of the message and notify the sender immediately. Please be aware that all email may be subject to recording and/or monitoring in accordance with relevant legislation." -- __
Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers
On Mon, Aug 1, 2016 at 10:39 AM, Paul Wittle wrote: > Andrea, in terms of the monitoring plugin, can it log the user being used > for each request? > As far as I know, it should be reported by the remoteUser property: http://docs.geoserver.org/stable/en/user/extensions/monitoring/audit.html#customizing-log-contents > > I only wondered as the user session is maintained in the background and > I'm not sure it is currently included in the outputs. > Session creation is controlled at the security subsystem level, normally session creation for the users is not maintained to make horizontal clusters easier to setup (otherwise you have to setup http session sharing among the containers) > > I still have not had time to fully review the monitoring plugin but I have > been using the audit log functionality and I have decided that the files it > creates are what I'm after. These can be customised using the FreeMarker > templates and I can then write something my end to summarise the data. > > This raises three questions: > 1) Can you add the logged in user to the audit role? > Read above > 2) Could you just have the audit role? (i.e. no other > monitoring plugin options just audit role files) > The template can be made with just one property, yes > 3) If you can do point 1, would this help Chris solve his > issues if he was using a specific user account for QGIS? > I don't see how? :-) I thought he wanted to restrict access, auditing just logs out information about the requests, after the request is served. Cheers Andrea -- == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003* Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003. The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc. --- -- ___ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users
Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers
Hi Paul That sounds interesting, I will have a look at the module you mentioned. Chris -Original Message- From: Paul Wittle [mailto:p.wit...@dorsetcc.gov.uk] Sent: 01 August 2016 09:39 To: geoserver-users@lists.sourceforge.net Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers Hi Chris, I work for Dorset county council and we are currently using the AUTHKEY plugin which is available under the community plugins. This is great from an OpenLayers point of view. With regard to the QGIS users, I setup a separate role specifically assigned to the username and password which we are using in QGIS. Remember, as far as I'm aware, QGIS still stores the password in plain text in the project files so at present I felt it best to just have one account for all our QGIS users but I'm aware the role idea is perhaps not so great if you have hundreds of users. Andrea, in terms of the monitoring plugin, can it log the user being used for each request? I only wondered as the user session is maintained in the background and I'm not sure it is currently included in the outputs. I still have not had time to fully review the monitoring plugin but I have been using the audit log functionality and I have decided that the files it creates are what I'm after. These can be customised using the FreeMarker templates and I can then write something my end to summarise the data. This raises three questions: 1) Can you add the logged in user to the audit role? 2) Could you just have the audit role? (i.e. no other monitoring plugin options just audit role files) 3) If you can do point 1, would this help Chris solve his issues if he was using a specific user account for QGIS? Cheers, Paul -- Message: 2 Date: Mon, 1 Aug 2016 08:02:01 + From: Chris Buckmaster Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers To: Andrea Aime Cc: "geoserver-users@lists.sourceforge.net" Message-ID: <0ae8eab40c6d4d439cc65cf2257093a0805aa...@rbcex01.civicoffices.runnymede.gov.uk> Content-Type: text/plain; charset="utf-8" Thank you Andrea, I will investigate this. From: andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] On Behalf Of Andrea Aime Sent: 29 July 2016 16:38 To: Chris Buckmaster Cc: geoserver-users@lists.sourceforge.net Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers Hi Chris, openlayers and the desktop clients are making pretty much the same OGC requests, so I don't believe you can tell them apart using the built-in authorization mechanism. But the mechanism is pluggable, so you could write your own that checks the incoming requests for hints... hard to find a solid solution, but some ideas off the top of my head (warning, only thought about it a split minute): * Desktop clients _may_ setup the "user agent" HTTP header in a way that can be recognized, or you could just whitelist the user agents of most browsers (mind, you might end up blocking uncommon browsers in the process, and possibly the ones in incognito mode too) * If the openlayers based client is written by you, you could add an extra vendor parameter to the GetMap requests, it's normally hard/impossible to make common desktop clients to do the same. Both approaches are weak against someone resourceful writing his own client and spoofing the right params/user agent values by examining your web client of course. Cheers Andrea On Fri, Jul 29, 2016 at 5:06 PM, Chris Buckmaster mailto:chris.buckmas...@runnymede.gov.uk>> wrote: Hi I am running Geoserver version 2.5 and have an Openlayers 3 web map application which accesses some WMS and WFS services from the Geoserver instance. At the moment I haven?t configured any authentication so it is running the default settings. What I would like is to allow this to continue so my Openlayers application has full access to all of the layers on Geoserver, but for anyone accessing my WMS / WFS (i.e through QGIS), I would like to include a username / password or restrict the layers visible through these services. I have had a quick look the manual trying to understand how this works but cannot seem to grasp it ? I know there are authentication settings within the web interface, but would these not be for the whole of Geoserver? How am I able to allow access to my Openlayers application, but also restrict access to the WFS / WMS services for desktop users wanting to view my services? Thanks, Chris -- ___ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net<mailto:Geoserver-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/geoserver-users -- == Geo
Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers
Hi Chris, I work for Dorset county council and we are currently using the AUTHKEY plugin which is available under the community plugins. This is great from an OpenLayers point of view. With regard to the QGIS users, I setup a separate role specifically assigned to the username and password which we are using in QGIS. Remember, as far as I'm aware, QGIS still stores the password in plain text in the project files so at present I felt it best to just have one account for all our QGIS users but I'm aware the role idea is perhaps not so great if you have hundreds of users. Andrea, in terms of the monitoring plugin, can it log the user being used for each request? I only wondered as the user session is maintained in the background and I'm not sure it is currently included in the outputs. I still have not had time to fully review the monitoring plugin but I have been using the audit log functionality and I have decided that the files it creates are what I'm after. These can be customised using the FreeMarker templates and I can then write something my end to summarise the data. This raises three questions: 1) Can you add the logged in user to the audit role? 2) Could you just have the audit role? (i.e. no other monitoring plugin options just audit role files) 3) If you can do point 1, would this help Chris solve his issues if he was using a specific user account for QGIS? Cheers, Paul -- Message: 2 Date: Mon, 1 Aug 2016 08:02:01 + From: Chris Buckmaster Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers To: Andrea Aime Cc: "geoserver-users@lists.sourceforge.net" Message-ID: <0ae8eab40c6d4d439cc65cf2257093a0805aa...@rbcex01.civicoffices.runnymede.gov.uk> Content-Type: text/plain; charset="utf-8" Thank you Andrea, I will investigate this. From: andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] On Behalf Of Andrea Aime Sent: 29 July 2016 16:38 To: Chris Buckmaster Cc: geoserver-users@lists.sourceforge.net Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers Hi Chris, openlayers and the desktop clients are making pretty much the same OGC requests, so I don't believe you can tell them apart using the built-in authorization mechanism. But the mechanism is pluggable, so you could write your own that checks the incoming requests for hints... hard to find a solid solution, but some ideas off the top of my head (warning, only thought about it a split minute): * Desktop clients _may_ setup the "user agent" HTTP header in a way that can be recognized, or you could just whitelist the user agents of most browsers (mind, you might end up blocking uncommon browsers in the process, and possibly the ones in incognito mode too) * If the openlayers based client is written by you, you could add an extra vendor parameter to the GetMap requests, it's normally hard/impossible to make common desktop clients to do the same. Both approaches are weak against someone resourceful writing his own client and spoofing the right params/user agent values by examining your web client of course. Cheers Andrea On Fri, Jul 29, 2016 at 5:06 PM, Chris Buckmaster mailto:chris.buckmas...@runnymede.gov.uk>> wrote: Hi I am running Geoserver version 2.5 and have an Openlayers 3 web map application which accesses some WMS and WFS services from the Geoserver instance. At the moment I haven?t configured any authentication so it is running the default settings. What I would like is to allow this to continue so my Openlayers application has full access to all of the layers on Geoserver, but for anyone accessing my WMS / WFS (i.e through QGIS), I would like to include a username / password or restrict the layers visible through these services. I have had a quick look the manual trying to understand how this works but cannot seem to grasp it ? I know there are authentication settings within the web interface, but would these not be for the whole of Geoserver? How am I able to allow access to my Openlayers application, but also restrict access to the WFS / WMS services for desktop users wanting to view my services? Thanks, Chris -- ___ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net<mailto:Geoserver-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/geoserver-users -- == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549 http://www.geo-solutions.it http://twitter.
Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers
Thank you Andrea, I will investigate this. From: andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] On Behalf Of Andrea Aime Sent: 29 July 2016 16:38 To: Chris Buckmaster Cc: geoserver-users@lists.sourceforge.net Subject: Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers Hi Chris, openlayers and the desktop clients are making pretty much the same OGC requests, so I don't believe you can tell them apart using the built-in authorization mechanism. But the mechanism is pluggable, so you could write your own that checks the incoming requests for hints... hard to find a solid solution, but some ideas off the top of my head (warning, only thought about it a split minute): * Desktop clients _may_ setup the "user agent" HTTP header in a way that can be recognized, or you could just whitelist the user agents of most browsers (mind, you might end up blocking uncommon browsers in the process, and possibly the ones in incognito mode too) * If the openlayers based client is written by you, you could add an extra vendor parameter to the GetMap requests, it's normally hard/impossible to make common desktop clients to do the same. Both approaches are weak against someone resourceful writing his own client and spoofing the right params/user agent values by examining your web client of course. Cheers Andrea On Fri, Jul 29, 2016 at 5:06 PM, Chris Buckmaster mailto:chris.buckmas...@runnymede.gov.uk>> wrote: Hi I am running Geoserver version 2.5 and have an Openlayers 3 web map application which accesses some WMS and WFS services from the Geoserver instance. At the moment I haven’t configured any authentication so it is running the default settings. What I would like is to allow this to continue so my Openlayers application has full access to all of the layers on Geoserver, but for anyone accessing my WMS / WFS (i.e through QGIS), I would like to include a username / password or restrict the layers visible through these services. I have had a quick look the manual trying to understand how this works but cannot seem to grasp it – I know there are authentication settings within the web interface, but would these not be for the whole of Geoserver? How am I able to allow access to my Openlayers application, but also restrict access to the WFS / WMS services for desktop users wanting to view my services? Thanks, Chris -- ___ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net<mailto:Geoserver-users@lists.sourceforge.net> https://lists.sourceforge.net/lists/listinfo/geoserver-users -- == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it AVVERTENZE AI SENSI DEL D.Lgs. 196/2003 Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003. The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc. --- -- ___ G
Re: [Geoserver-users] Geosever security - WFS / WMS services and Openlayers
Hi Chris, openlayers and the desktop clients are making pretty much the same OGC requests, so I don't believe you can tell them apart using the built-in authorization mechanism. But the mechanism is pluggable, so you could write your own that checks the incoming requests for hints... hard to find a solid solution, but some ideas off the top of my head (warning, only thought about it a split minute): * Desktop clients _may_ setup the "user agent" HTTP header in a way that can be recognized, or you could just whitelist the user agents of most browsers (mind, you might end up blocking uncommon browsers in the process, and possibly the ones in incognito mode too) * If the openlayers based client is written by you, you could add an extra vendor parameter to the GetMap requests, it's normally hard/impossible to make common desktop clients to do the same. Both approaches are weak against someone resourceful writing his own client and spoofing the right params/user agent values by examining your web client of course. Cheers Andrea On Fri, Jul 29, 2016 at 5:06 PM, Chris Buckmaster < chris.buckmas...@runnymede.gov.uk> wrote: > Hi > > > > I am running Geoserver version 2.5 and have an Openlayers 3 web map > application which accesses some WMS and WFS services from the Geoserver > instance. > > > > At the moment I haven’t configured any authentication so it is running the > default settings. > > > > What I would like is to allow this to continue so my Openlayers > application has full access to all of the layers on Geoserver, but for > anyone accessing my WMS / WFS (i.e through QGIS), I would like to include a > username / password or restrict the layers visible through these services. > > > > I have had a quick look the manual trying to understand how this works but > cannot seem to grasp it – I know there are authentication settings within > the web interface, but would these not be for the whole of Geoserver? How > am I able to allow access to my Openlayers application, but also restrict > access to the WFS / WMS services for desktop users wanting to view my > services? > > > > Thanks, Chris > > > -- > > ___ > Geoserver-users mailing list > Geoserver-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-users > > -- == GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information. == Ing. Andrea Aime @geowolf Technical Lead GeoSolutions S.A.S. Via di Montramito 3/A 55054 Massarosa (LU) phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549 http://www.geo-solutions.it http://twitter.com/geosolutions_it *AVVERTENZE AI SENSI DEL D.Lgs. 196/2003* Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003. The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc. --- -- ___ Geoserver-users mailing list Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users