Hi, I tested the solution https://gis.stackexchange.com/a/388940/79 mentioned here. It works perfectly fine as long as roles are Default; when I tried to put roles in PG as well, it gives me HTTP error 500 for the users. What should I do?

[image: Screenshot 2021-03-09 at 11.20.20 AM.png]

On Sat, Mar 6, 2021 at 4:20 AM Vera Green <vera.green...@gmail.com> wrote:

> Absolutely. We use PG to control authentication across our entire system.
> This includes authenticated WMS calls to geoServer. It's critical for us.
>
> On Wed., Mar. 3, 2021, 11:01 a.m. Andrea Aime, <andrea.a...@geo-solutions.it> wrote:
>
>> Each of those source files has an author tag, they all say:
>>
>> @author christian
>>
>> About a reason to do so, database centric security can be a reason. A
>> system where the access restrictions are enforced at the relational
>> database level. In that case, you want to authenticate using database
>> users, and then use impersonation to connect to the database as that
>> user, while fetching data:
>>
>> https://docs.geoserver.org/latest/en/user/data/database/sqlsession.html#data-sqlsession
>>
>> Cheers
>> Andrea
>>
>> On Wed, Mar 3, 2021 at 6:52 PM Ian Turton <ijtur...@gmail.com> wrote:
>>
>>> So who did write it? I'm still trying to come up with a reason to let my
>>> database users log into geoserver.
>>>
>>> Ian
>>>
>>> On Wed, 3 Mar 2021, 17:39 Andrea Aime, <andrea.a...@geo-solutions.it> wrote:
>>>
>>>> Quoting from stack overflow: "After much head scratching and asking the
>>>> guys who wrote this stuff on the users mailing list"
>>>>
>>>> Hell no, I had nothing to do with those modules! :-D
>>>>
>>>> Cheers
>>>> Andrea
>>>>
>>>> On Wed, Mar 3, 2021 at 6:35 PM Ian Turton <ijtur...@gmail.com> wrote:
>>>>
>>>>> Thanks to everyone for their help on this. I have finally got my head
>>>>> around it and have added an answer to the gis.stackoverflow question I
>>>>> linked to earlier (https://gis.stackexchange.com/a/388940/79) - If I
>>>>> get some time over the weekend I'll see if I can try to make the
>>>>> documentation clearer.
>>>>>
>>>>> Ian
>>>>>
>>>>> On Wed, 3 Mar 2021 at 15:03, Andrea Aime <andrea.a...@geo-solutions.it> wrote:
>>>>>
>>>>>> Hi Ian,
>>>>>> the role handling is a third class:
>>>>>>
>>>>>> [image: image.png]
>>>>>>
>>>>>> 1: authentication via database users (tries to connect to the
>>>>>>    database using the username/password provided in the request)
>>>>>> 2: authentication via table contents (looks up a user with the same
>>>>>>    name provided in the request, and verifies the password)
>>>>>> 3: adds role to a given user, after it has been authenticated
>>>>>>
>>>>>> Cheers
>>>>>> Andrea
>>>>>>
>>>>>> On Wed, Mar 3, 2021 at 3:50 PM Ian Turton <ijtur...@gmail.com> wrote:
>>>>>>
>>>>>>> On Wed, 3 Mar 2021 at 13:33, Andrea Aime <andrea.a...@geo-solutions.it> wrote:
>>>>>>>
>>>>>>>> Hi Ian,
>>>>>>>> there are both functionalities, they are separate classes and are
>>>>>>>> configured in a different way:
>>>>>>>>
>>>>>>>> - Authenticating using the database's own users:
>>>>>>>>   https://docs.geoserver.geo-solutions.it/edu/en/security/jdbc_authentication.html
>>>>>>>> - Storing credentials in the database, use the table contents
>>>>>>>>   for authentication:
>>>>>>>>   https://docs.geoserver.geo-solutions.it/edu/en/security/jdbcusergroup_services.html
>>>>>>>
>>>>>>> I think (and I may be wrong) that this one only assigns a role to a
>>>>>>> postgres user (that is why you can set the password field to empty) -
>>>>>>> if it was intended to work that way I can try to find some time to
>>>>>>> debug it (when I finish this course).
>>>>>>>
>>>>>>>> Back when we wrote the training material they were both working, not
>>>>>>>> sure about the present.
>>>>>>>
>>>>>>> I'm pretty sure it used to work (when I wrote my training notes too)
>>>>>>> but it's been a while since I had a trainee choose the JDBC path
>>>>>>> instead of the LDAP path through the course (we have a lot of windows
>>>>>>> users) so I can't recall for sure (and if I used ian as my test user
>>>>>>> then it would have worked as I have a DB login).
>>>>>>>
>>>>>>>> Just a note, one has to be very careful when using the auth
>>>>>>>> subsystem, many options, lots of complexity. I know I curse every
>>>>>>>> time :-D
>>>>>>>
>>>>>>> Oh, yes that is for sure!
>>>>>>>
>>>>>>> Ian
>>>>>>>
>>>>>>>> Cheers
>>>>>>>> Andrea
>>>>>>>>
>>>>>>>> On Wed, Mar 3, 2021 at 12:42 PM Ian Turton <ijtur...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Just to check before I break out the debugger:
>>>>>>>>>
>>>>>>>>> When you use JDBC Authentication can it allow any user you create
>>>>>>>>> in GeoServer (which get written in the tables) to log in or does it
>>>>>>>>> only allow the user used for the postgis connection (or other
>>>>>>>>> postgis users) to log in?
>>>>>>>>>
>>>>>>>>> It seems like this is a bug, but I may just be missing something
>>>>>>>>> (and I think I'm not the only one
>>>>>>>>> https://gis.stackexchange.com/questions/274834/geoserver-jdbc-user-group-services-problem
>>>>>>>>> )
>>>>>>>>>
>>>>>>>>> I'd be interested if anyone is successfully using JDBC
>>>>>>>>> authentication in the wild?
>>>>>>>>>
>>>>>>>>> Cheers
>>>>>>>>>
>>>>>>>>> Ian
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Ian Turton
>>>>>>>>> _______________________________________________
>>>>>>>>> Geoserver-users mailing list
>>>>>>>>>
>>>>>>>>> Please make sure you read the following two resources before
>>>>>>>>> posting to this list:
>>>>>>>>> - Earning your support instead of buying it, by Ian Turton:
>>>>>>>>>   http://www.ianturton.com/talks/foss4g.html#/
>>>>>>>>> - The GeoServer user list posting guidelines:
>>>>>>>>>   http://geoserver.org/comm/userlist-guidelines.html
>>>>>>>>>
>>>>>>>>> If you want to request a feature or an improvement, also see this:
>>>>>>>>> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer
>>>>>>>>>
>>>>>>>>> Geoserver-users@lists.sourceforge.net
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards, Andrea Aime
>>>>>>>>
>>>>>>>> == GeoServer Professional Services from the experts! Visit
>>>>>>>> http://goo.gl/it488V for more information. ==
>>>>>>>> Ing. Andrea Aime @geowolf
>>>>>>>> Technical Lead
>>>>>>>> GeoSolutions S.A.S.
>>>>>>>> Via di Montramito 3/A 55054 Massarosa (LU)
>>>>>>>> phone: +39 0584 962313 fax: +39 0584 1660272 mob: +39 339 8844549
>>>>>>>> http://www.geo-solutions.it
>>>>>>>> http://twitter.com/geosolutions_it
>>>>>>>> -------------------------------------------------------
>>>>>>>> *With reference to the legislation on the processing of personal
>>>>>>>> data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”),
>>>>>>>> please note that every circumstance relating to this email (its
>>>>>>>> content, any attachments, etc.) is data whose knowledge is reserved
>>>>>>>> to the recipient(s) indicated by the sender. If the message has
>>>>>>>> reached you by mistake, you are required to delete it; any other
>>>>>>>> operation is unlawful. I would nevertheless be grateful if you could
>>>>>>>> let me know.
>>>>>>>> This email is intended only for the person or entity to which it is
>>>>>>>> addressed and may contain information that is privileged,
>>>>>>>> confidential or otherwise protected from disclosure. We remind that -
>>>>>>>> as provided by European Regulation 2016/679 “GDPR” - copying,
>>>>>>>> dissemination or use of this e-mail or the information herein by
>>>>>>>> anyone other than the intended recipient is prohibited. If you have
>>>>>>>> received this email by mistake, please notify us immediately by
>>>>>>>> telephone or e-mail.*

--
Thank you,
Krishna G. Lodha
http://krishnaglodha.com
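
The database-centric setup Andrea Aime describes in the quoted thread (access restrictions enforced in the database, with GeoServer impersonating the authenticated user on its pooled connection), shown here as an added example that is not part of the thread or of GeoServer's own code. The roles `alice` and `bob`, the `parcels` table and the policy name are constructed for illustration, and the script assumes a scratch PostgreSQL database and a superuser session.

```sql
-- Constructed example: role, table and policy names are assumptions.
-- Run as a PostgreSQL superuser in a scratch database.

-- One login role per person who also authenticates to GeoServer
-- through the "database users" mechanism (item 1 in the thread).
CREATE ROLE alice LOGIN PASSWORD 'placeholder-change-me';
CREATE ROLE bob   LOGIN PASSWORD 'placeholder-change-me';

CREATE TABLE parcels (
    id    serial PRIMARY KEY,
    owner text NOT NULL,   -- database user allowed to read the row
    label text NOT NULL
);
INSERT INTO parcels (owner, label) VALUES
    ('alice', 'north field'),
    ('bob',   'south field');

-- Table-level restriction: read-only access, no write privileges granted.
GRANT SELECT ON parcels TO alice, bob;

-- Row-level restriction: a user can read only rows they own.
-- The table owner and superusers bypass the policy; alice and bob do not.
ALTER TABLE parcels ENABLE ROW LEVEL SECURITY;
CREATE POLICY parcels_owner ON parcels
    FOR SELECT
    USING (owner = current_user);

-- What impersonation does on a pooled connection. GeoServer's
-- "session startup SQL" (see the sqlsession documentation linked in the
-- thread) can issue the SET statement with ${GSUSER} in place of the
-- literal name, and the matching "session close-up SQL" issues the RESET.
SET SESSION AUTHORIZATION alice;
SELECT current_user, session_user;  -- both now report the impersonated role
SELECT label FROM parcels;          -- evaluated with alice's grants and policy
RESET SESSION AUTHORIZATION;

SET SESSION AUTHORIZATION bob;
SELECT label FROM parcels;          -- evaluated with bob's grants and policy
RESET SESSION AUTHORIZATION;
```

PostgreSQL allows `SET SESSION AUTHORIZATION` only when the connection's login role is a superuser, so the pooled account in this design is highly privileged; `SET ROLE`, which needs only membership in the target role, is the narrower PostgreSQL alternative.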