On Mon, Mar 11, 2013 at 8:50 PM, Guan Wang <gw...@glc.org> wrote:
> ** ** **
>
> Hi,****
>
> ** **
>
> Andrea, could you please elaborate a bit on “it requires a way to express
> a security rule that involves at the same time layer and service”?
>
The rule needed in this case is "hide layer x if the service accessing it
is WFS", so, "a rule that involves at the same time layer and service".
The built-in security subsystem can only make assertions such as "make the
wfs accessible only to users with a certain role" (but for all the layers),
or "make this layer accessible read only to users with a certain role" (but
for all the services), you cannot express a rule that needs to
involve both layer and service.
This is not a "built-in" limitation, the security framework can do much
more, and both GeoShield and GeoFence leverage that
to apply more complex rules, such the ones that are discussed here, it's
just that the upper level built in GeoServer (GUI, rule
storage) are old and can do only so much.
About using proxies... I've made my opinion on the subject clear in the PDF
document, which was written from a theoretical
standpoint, but when GeoShield moved from being a proxy to integrating
directly in the GeoServer security framework
they had quite a speedup (the single OGC request became between 2 and 7
times faster, with the secured request
still being between 2 and 4 times faster than a GeoServer without any
security plugin applied... if you use the simple built-in
rules instead, there is basically no slowdown whatsoever).
Cheers
Andrea
--
==
Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.
==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
------------------------------------------------------------------------------
Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
endpoint security space. For insight on selecting the right partner to
tackle endpoint security challenges, access the full report.
http://p.sf.net/sfu/symantec-dev2dev
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
