Hi Andrea,

Thanks very much for this amount of detail!  I'll try re-configuring the
service security and GeoFence and report back if I find a solution.

Best,
Todd

On Thu, Jun 28, 2018 at 6:23 AM, Andrea Aime <[email protected]>
wrote:

> Hi Todd,
> I believe that is just not possible with the current code, at least
> concentrating on the data security.
>
> In GeoServer we have two interfaces that can access data, FeatureSource,
> read only,
> and FeatureStore, read/write, this influenced also the implementation of
> the security subsystem, which has no notion of write only
> (if you cannot read it, then you cannot access it).
>
> Given how the WFS-T works, I don't think it's doable either, WFS-T
> internally does not just do writes, it also does reads to inform
> various plugins listening of what is being changed, and those plugins will
> likely make more types of reads (e.g., compute the
> bbox of the layer after the update).
>
> There might be a way to handle it via service + data though, e.g., disable
> via service security any operation that a user
> might make that reads the data, e.g., GetFeature, GetMap, GetFeatureInfo,
> WPS Execute, and so on.
> Not sure if this will work for you though, as the two layers are
> independent.
>
> GeoFence is a security community plugin that provides the ability to mix
> security and data access in the same rule, but
> mind, it's not an officially supported extension.
>
> Cheers
> Andrea
>
>
> On Wed, Jun 27, 2018 at 10:39 PM, Todd Jacobus <[email protected]> wrote:
>
>> Hi all,
>>
>> Maybe this is an unusual thing to do, but I'd like to make a wfs-t data
>> store layer write only.  In other words, I need anonymous transaction
>> requests to be able to push data to a PostGIS database table but, because
>> users are pushing sensitive information (contact, etc) as attributes to
>> geometry, I need to also restrict read access to only admin.  I feel like
>> I've configured this correctly in the data security settings.  Here's the
>> contents of the layers.properties file.  "aoi_features" is the layer I'm
>> trying to restrict access to.
>>
>> aoi.aoi_features.w=*
>> aoi.sample_data_metadata.r=*
>> aoi.aoi_features.r=GROUP_ADMIN,ADMIN
>> *.*.w=GROUP_ADMIN,ADMIN
>> mode=HIDE
>>
>> However, when configured this way, write access is disabled for anonymous
>> requests and I see "feature type 'aoi_features' is not available" in the
>> error logs (see below for full trace).  I'm pretty sure I read in the
>> documentation (I can't find the link at the moment, sorry) that write
>> permissions do not imply read permissions and each can be set
>> individually.  My questions:
>>
>> 1. Is setting write-only permissions possible by configuring the data
>> security settings, or am I missing something about how GeoServer handles
>> data security?
>>
>> 2. Is there another configuration that makes a layer "not available" when
>> security is configured this way?
>>
>> 3. Is there a better way to configure write-only security settings on a
>> layer?
>>
>> Thanks very much for everyone's support.
>>
>> Best,
>> Todd
>>
>>
>> org.geoserver.wfs.WFSTransactionException: Feature type 'aoi_features' is not available:
>> at org.geoserver.wfs.Transaction.execute(Transaction.java:221)
>> at org.geoserver.wfs.Transaction.transaction(Transaction.java:109)
>> at org.geoserver.wfs.DefaultWebFeatureService.transaction(DefaultWebFeatureService.java:172)
>> at sun.reflect.GeneratedMethodAccessor1446.invoke(Unknown Source)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:497)
>> at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
>> at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:190)
>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
>> at org.geoserver.ows.util.RequestObjectLogger.invoke(RequestObjectLogger.java:55)
>> at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:179)
>> at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:213)
>> at com.sun.proxy.$Proxy242.transaction(Unknown Source)
>> at sun.reflect.GeneratedMethodAccessor1445.invoke(Unknown Source)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:497)
>> at org.geoserver.ows.Dispatcher.execute(Dispatcher.java:867)
>> at org.geoserver.ows.Dispatcher.handleRequestInternal(Dispatcher.java:270)
>> at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:174)
>> at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:50)
>> at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:963)
>> at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:897)
>> at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
>> at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)
>> at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.apache.catalina.filters.CorsFilter.handleSimpleCORS(CorsFilter.java:301)
>> at org.apache.catalina.filters.CorsFilter.doFilter(CorsFilter.java:169)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.geoserver.filters.ThreadLocalsCleanupFilter.doFilter(ThreadLocalsCleanupFilter.java:28)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:75)
>> at org.geoserver.monitor.MonitorFilter.doFilter(MonitorFilter.java:144)
>> at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:71)
>> at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:231)
>> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>> at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:71)
>> at org.geoserver.wms.animate.AnimatorFilter.doFilter(AnimatorFilter.java:71)
>> at org.geoserver.filters.SpringDelegatingFilter$Chain.doFilter(SpringDelegatingFilter.java:71)
>> at org.geoserver.filters.SpringDelegatingFilter.doFilter(SpringDelegatingFilter.java:46)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.geoserver.platform.AdvancedDispatchFilter.doFilter(AdvancedDispatchFilter.java:50)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:316)
>> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:69)
>> at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:126)
>> at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:90)
>> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
>> at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
>> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:69)
>> at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
>> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
>> at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
>> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>> at org.geoserver.security.filter.GeoServerAnonymousAuthenticationFilter.doFilter(GeoServerAnonymousAuthenticationFilter.java:54)
>> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:69)
>> at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
>> at org.geoserver.security.filter.GeoServerSecurityContextPersistenceFilter$1.doFilter(GeoServerSecurityContextPersistenceFilter.java:53)
>> at org.geoserver.security.filter.GeoServerCompositeFilter$NestedFilterChain.doFilter(GeoServerCompositeFilter.java:73)
>> at org.geoserver.security.filter.GeoServerCompositeFilter.doFilter(GeoServerCompositeFilter.java:92)
>> at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>> at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
>> at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
>> at org.geoserver.security.GeoServerSecurityFilterChainProxy.doFilter(GeoServerSecurityFilterChainProxy.java:152)
>> at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
>> at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.geoserver.filters.LoggingFilter.doFilter(LoggingFilter.java:88)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.geoserver.filters.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:89)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.geoserver.filters.GZIPFilter.doFilter(GZIPFilter.java:42)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.geoserver.filters.SessionDebugFilter.doFilter(SessionDebugFilter.java:48)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.geoserver.filters.FlushSafeFilter.doFilter(FlushSafeFilter.java:44)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:197)
>> at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>> at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
>> at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>> at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
>> at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
>> at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
>> at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
>> at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
>> at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
>> at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
>> at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
>> at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
>> at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1521)
>> at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1478)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Geoserver-users mailing list
>>
>> Please make sure you read the following two resources before posting to
>> this list:
>> - Earning your support instead of buying it, by Ian Turton:
>> http://www.ianturton.com/talks/foss4g.html#/
>> - The GeoServer user list posting guidelines:
>> http://geoserver.org/comm/userlist-guidelines.html
>>
>> If you want to request a feature or an improvement, also see this:
>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>
>>
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>
>>
>
>
> --
>
> Regards, Andrea Aime
>
> == GeoServer Professional Services from the experts!
> Visit http://goo.gl/it488V for more information. ==
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
> GeoSolutions S.A.S.
> Via di Montramito 3/A
> 55054 Massarosa (LU)
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39 339 8844549
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
> -------------------------------------------------------
> With reference to the legislation on the processing of personal data
> (EU Reg. 2016/679, General Data Protection Regulation "GDPR"), please
> note that every circumstance relating to this email (its content, any
> attachments, etc.) is data whose knowledge is reserved to the sole
> recipient(s) indicated by the sender. If the message has reached you in
> error, you are required to delete it; any other operation is unlawful.
> I would nevertheless be grateful if you could let me know.
> This email is intended only for the person or entity to which it is
> addressed and may contain information that is privileged, confidential
> or otherwise protected from disclosure. We remind that - as provided by
> European Regulation 2016/679 "GDPR" - copying, dissemination or use of
> this e-mail or the information herein by anyone other than the intended
> recipient is prohibited. If you have received this email by mistake,
> please notify us immediately by telephone or e-mail.
>
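The "service + data" split Andrea describes, written out as an added configuration example for reference; it is not from the thread or from the GeoServer project. Todd's workspace, layer and role names (aoi, aoi_features, sample_data_metadata, GROUP_ADMIN, ADMIN) are reused as posted; the file layout and the choice of which operations to lock down are assumptions. The data security file comes first, showing the posted rules beside the relaxed ones, and the service security file follows.

```properties
# layers.properties (data security) as posted. Per Andrea, the security
# subsystem has no notion of write-only: a layer the caller cannot read
# cannot be accessed at all, so with mode=HIDE the anonymous Transaction
# fails with "feature type 'aoi_features' is not available".
#aoi.aoi_features.w=*
#aoi.sample_data_metadata.r=*
#aoi.aoi_features.r=GROUP_ADMIN,ADMIN
#*.*.w=GROUP_ADMIN,ADMIN
#mode=HIDE

# layers.properties (data security), relaxed: anonymous users get read and
# write on aoi_features at the data level so that WFS-T can do its internal
# reads; the read restriction moves to the service level below.
aoi.aoi_features.r=*
aoi.aoi_features.w=*
aoi.sample_data_metadata.r=*
*.*.w=GROUP_ADMIN,ADMIN
mode=HIDE

# services.properties (service security). Format: <service>.<operation>=roles
# (comma separated); "*" in the operation position matches every operation of
# that service. Operations not listed stay open to everyone, which is what
# keeps wfs.Transaction, wfs.GetCapabilities and wfs.DescribeFeatureType
# usable by anonymous clients while every data-returning operation is
# restricted to the admin roles (assumed list; extend it for any other
# service you have enabled that can return feature data).
wfs.GetFeature=GROUP_ADMIN,ADMIN
wfs.GetFeatureWithLock=GROUP_ADMIN,ADMIN
wfs.GetPropertyValue=GROUP_ADMIN,ADMIN
wms.*=GROUP_ADMIN,ADMIN
wps.Execute=GROUP_ADMIN,ADMIN
```

Two caveats that follow from the thread and from how these files work. First, Andrea's point that "the two layers are independent": service rules are global, not per layer, so once wfs.GetFeature and wms.* are locked down, sample_data_metadata is no longer readable anonymously either, even though its data rule still says r=*. Second, a WFS Transaction carries Insert, Update and Delete alike, and the w rule does not distinguish them, so an anonymous caller can also modify or delete records other people submitted; if only inserts are wanted, that limit has to be enforced somewhere other than these two files (for example in the database itself).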
