Hi Ronald Hoek

Thank you very much for this great tutorial and explanation. I applied the
security settings exactly as you told me.

*Action 1: Disabling Data Download (WMS/WFS)*

*Security* --> *Services*

Service access rules list --> click under *Rule path* in *.*

Service = *
Method = *

*Roles*
*Uncheck the check box*
Grant access to any role

*Selected Roles* => GROUP_ADMIN
                               ADMIN

*SAVE*

*NOTE*: *This action is enough to achieve my goal: get the Basic HTTP
Authentication for data access (wms/wfs)*


*Action 2: Enabling Data Download (WFS) to a Specific Authenticated User*

*Security --> Users, Groups, Roles*

Tab = *Roles*

+ Add new role

Name: *ROLE_WFS*

Parent role:

*SAVE*

*Security* --> *Services*

*Service access rules list*

+ Add new rule

Service = wfs
Method = *
*Roles*
*Uncheck the check box*
Grant access to any role

*Selected Roles* => *ROLE_WFS*

*SAVE*

*Security --> Users, Groups, Roles*

*Users, Groups, and Roles*

*+* Add new user
User name: amazonas_river
Password: Braz!l
Confirm password: Braz!l

*Selected Roles* => *ROLE_WFS*

*SAVE*

*Action 3: Enabling Data Download (WFS) to ALL Authenticated Users*

*Security* --> *Services*

*Service access rules list*

+ Add new rule

Service = wfs
Method = *
*Roles*
*Uncheck the check box*
Grant access to any role

*Selected Roles* => *ROLE_AUTHENTICATED*

*SAVE*

I appreciate your time and help. Thank you very much.

Best Regards

Julierme


2018-05-03 9:32 GMT-03:00 Ronald Hoek - ComponentAgro B.V. <
ronald.h...@componentagro.nl>:

> Hi Julierme,
>
>
>
>    - It is being very difficult for me to understand how to set a
>    http-basic authentication for a specific user <julierme> and disable the
>    wms download (raster) and wfs download (vector) for anonymous users
>
>
>
> With protecting resources, it all starts with making sure you don’t have
> anonymous access to your data.
>
> This directly implies that all users need to authenticate before they can
> use the data/services.
>
>
>
> Out of the box, GeoServer allows everybody to use all services (read-only)
> and modification of data (using the UI/webservices) is only possible for
> the ADMIN user.
>
>
>
> Having said these two things, you need to start protecting the
> data/services:
>
>
>
> Looking at your needs, I think it’s best to protect the access to your
> GeoServer based on the webservices
>
>    - Starting with a clean
>    - Go to ‘Security’ – ‘Services’
>       - Modify (not delete) the rule ‘*.*’
>          - Remove the check ‘All roles’
>          - Add the ‘available’ role ‘GROUP_ADMIN’ and/or ‘ADMIN’ to the
>          selected roles
>          - At this point only the ADMIN user(s) can access the services
>             - Now test to see if you need to authenticate for a request
>             (in my case the browser did)
>          - Now add a new role
>          - Select service ‘wfs’ and method ‘*’
>          - Do not check the ‘all roles’ check
>          - Now you can do multiple things, depending on your security
>          wishes
>             - Add the role ‘ROLE_AUTHENTICATED’ to the selected role, so
>             any user that logs in, can use the WFS service
>             - Create a new role ‘WFS’ and add the role to the selected
>             roles
>          - Now create the user(s) which need to access the services
>          - If you added the role ‘ROLE_AUTHENTICATED’, then you’re done
>          - If you’ve created a new role (WFS) then you need to add the
>          role to these new users
>             - Alternatively you can also create a usergroup and add users
>             to that group and assign the role to the group, but this all
>             depends on how complex your security requirements are.
>             - But I think you should only use what’s needed at this time
>             and review your needs while time goes by.. 😉
>
>
>
>    - 1 - Not allow download of wms (geotiff) and neither download of wfs
>    (shapefile, csv, etc) for anonymous users;
>
> I tried disabling Anonymous authentication <anonymous> from all filters
> and I ended up crashing geoserver.
>
>    - 5 - Looking at the default filter in Filter Chains,  basic and
>    anonymous are selected
>    I removed anonymous from selected and anonymous users still
>    downloading data (wfs (vector)/wms(raster))
>
> I would not mess with the filters for now, as this will require some very
> good understanding of what they do, without breaking things (I’ve only read
> about this, as I’m also a newbie and therefore never tried this).
>
>
>
>    - keeping  view with openlayers
>
>
>
> Is this required for the user or only when you’re logged in as admin?
>
> If so, my method of securing data will work, as the default service roles
> allow ADMIN to do anything.
>
> If not, I’m not able to help anymore…
>
>
>
>    - 2 - Allow download data (wms/raster) and (wfs/vector) only for a
>    specific user as <julierme> only after his authentication passing through
>    http-basic authentication request as showed in the picture attached to the
>    previous e-mail.
>
> This might depend on how you request the data… But I think it should work
> as long as the request is a query (GET) URL (not sure if a post will work)….
>
> Regards,
>
> Ronald Hoek
>
> Application Developer
> ComponentAgro B.V.
> Oud-Beijerland - The Netherlands
>
> Website: http://www.componentagro.nl
>
> KvK: H24264020
>
>
>
> *From:* Julierme Pinheiro <juliermeopensourcedevelo...@gmail.com>
> *Sent:* Wednesday, 2 May 2018 20:01
> *To:* Ronald Hoek <ronald.h...@componentagro.nl>; Ian Turton <
> ijtur...@gmail.com>
> *CC:* GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
> *Subject:* Re: [Geoserver-users] Geoserver WFS Authentication
>
>
>
> Hi Ronald Hoek,
>
> Thank you very much for your reply. That is right: I need that a
> http-basic authentication must be required by geoserver for a specific
> user named <julierme>.
>
> It is being very difficult for me to understand how to set a http-basic
> authentication for a specific user <julierme> and disable the wms download
> (raster) and wfs download (vector) for anonymous users. I tried the
> following:
>
> 1 - Not allow download of wms (geotiff) and neither download of wfs
> (shapefile, csv, etc) for anonymous users;
>
> I tried disabling Anonymous authentication <anonymous> from all filters
> and I ended up crashing geoserver.
>
> 2 - I created an user <julierme>
>
> 3 - I created a service role: wfs.*=ROLE_WFS
>
> 4 - I created a data role: topp.states.w=ROLE_Authentication
>
> 5 - Looking at the default filter in Filter Chains,  basic and anonymous
> are selected
>
> I removed anonymous from selected and anonymous users still downloading
> data (wfs (vector)/wms(raster))
>
>
>
> So, what I would like to do is to learn how:
>
> 1 - Disable download data wms (geotiff), but keeping  view with openlayers
> and disable download data wfs (shapefile, csv, etc) for anonymous users
>
> 2 - Allow download data (wms/raster) and (wfs/vector) only for a specific
> user as <julierme> only after his authentication passing through http-basic
> authentication request as showed in the picture attached to the previous
> e-mail.
>
> There is the Basic HTTP Authentication among Authentication Filters but I
> do not know how to set it for a specific user in case of data download.
>
> I appreciate your time.
>
> Kind regards
>
> Julierme
>
>
>
>
>
>
>
>
>
> 2018-04-30 5:37 GMT-03:00 Ronald Hoek - ComponentAgro B.V. <
> ronald.h...@componentagro.nl>:
>
> Hi Julierme,
>
>
>
> I’m not sure what you are using to test/access the GeoServer (aka the
> dialog you showed in the screenshot), but I expect you just want some
> http-basic authentication.
>
>
>
> By default this is available in GeoServer (see ‘Security’ ->
> ‘Authentication’ -> ‘Authentication Filters’).
>
>
>
> To secure your data, go to the ‘Data’ part of the ‘Security’
> section.
>
> There you can protect your data by adding the appropriate data
> rules.
>
>
>
> Info: http://docs.geoserver.org/latest/en/user/security/webadmin/data.html#security-webadmin-data
>
>
>
> Or protect your data based on the available services (as we did) by going
> to the ‘Service’ part of the ‘Security’ section.
>
>
>
> Info: http://docs.geoserver.org/latest/en/user/security/webadmin/services.html#security-webadmin-services
>
>
>
>
>
> NOTE!
>
> Don’t forget to remove the default rules, as these will allow everybody to
> use the data/services.
>
> But read the documentation carefully!
>
> Regards,
>
> Ronald Hoek
>
> Application Developer
>
>
>
> *From:* Julierme Pinheiro <juliermeopensourcedevelo...@gmail.com>
> *Sent:* Monday, 23 April 2018 17:37
> *To:* GeoServer Mailing List List <geoserver-users@lists.sourceforge.net>
> *Subject:* [Geoserver-users] Geoserver WFS Authentication
>
>
>
> Hi all,
>
> I have been hitting my head against a wall trying to figure out how I can
> create a web framework for Geoserver WFS Authentication as shown in the
> attachment.
>
> I tried to configure the Credentials From Request Headers Filters, but
> I am still not achieving my goal.
>
> So, I want to set up a user and password and only who has them can
> download raster (Geotiff) and vector data.
>
> Thank you for your time in advance.
>
> Julierme
>
>
>
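
The service rules from Actions 1 to 3 in this thread, evaluated offline, as an added example that is not part of the original messages or GeoServer's own code. It assumes rules in the `service.method=ROLE,...` form quoted in the thread (`wfs.*=ROLE_WFS`), that the most specific matching rule decides, and that anonymous requests carry `ROLE_ANONYMOUS` while every logged-in user also holds `ROLE_AUTHENTICATED`; the operation list and role sets are constructed samples.

```python
# Added example: simplified model of GeoServer service access rules.
# Assumptions: rules use the "service.method=ROLE,..." form, the most
# specific matching rule decides, and "*" as a role means any role.

DEFAULT_RULES = "*.*=*"                      # out of the box: open to everybody
ACTION_1 = "*.*=GROUP_ADMIN,ADMIN"           # Action 1 from the thread
ACTION_2 = ACTION_1 + "\nwfs.*=ROLE_WFS"     # Action 2: one named role
ACTION_3 = ACTION_1 + "\nwfs.*=ROLE_AUTHENTICATED"  # Action 3: any login

ANONYMOUS = {"ROLE_ANONYMOUS"}               # assumed role of unauthenticated requests
# Constructed sample operations: vector download and map rendering.
OPERATIONS = [("wfs", "GetFeature"), ("wms", "GetMap")]


def parse_rules(text):
    """Parse rule lines into (service, method, roles), most specific first."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, role_list = line.partition("=")
        service, _, method = key.strip().partition(".")
        roles = {r.strip() for r in role_list.split(",") if r.strip()}
        rules.append((service.lower(), (method or "*").lower(), roles))
    # False sorts before True, so concrete services and methods come first.
    rules.sort(key=lambda r: (r[0] == "*", r[1] == "*"))
    return rules


def is_allowed(rules, service, method, user_roles):
    """Apply the first (most specific) rule that matches the operation."""
    for rule_service, rule_method, roles in rules:
        if rule_service in ("*", service.lower()) and rule_method in ("*", method.lower()):
            return "*" in roles or bool(roles & set(user_roles))
    return True  # no matching rule: the operation is not restricted


def anonymous_exposure(rules):
    """List the sample operations an unauthenticated request may still call."""
    return [op for op in OPERATIONS if is_allowed(rules, op[0], op[1], ANONYMOUS)]


if __name__ == "__main__":
    for name, text in [("default", DEFAULT_RULES), ("action 1", ACTION_1),
                       ("action 2", ACTION_2), ("action 3", ACTION_3)]:
        print(name, "-> anonymous can call:", anonymous_exposure(parse_rules(text)))
```

In this model a user holding only `ROLE_WFS` under the Action 2 rules is refused WMS `GetMap`, which is worth checking against the "view with openlayers" requirement raised earlier in the thread.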