GeoServer Authentication
We'll explain here how authentication is performed in GeoServer, and how GeoFence is used in this integration.

Authentication on the GeoServer side is implemented using GeoServer's own auth architecture: we have `AuthFilter`s and `AuthProvider`s that retrieve authentication info from GeoFence. In particular, the user credentials used in GeoServer auth are the ones edited in the GeoFence Users tab.

- User credentials are expected to be passed via basic authentication.
- If basic authentication info is not provided, or it does not resolve to a valid user in GeoFence, access will be at the unauthenticated guest level.
- A user will have the ADMINISTRATOR role in GeoServer if the `isAdmin` flag is set for that user in GeoFence.
The file `data/security/config.xml` defines the filter chains for the various services (web, login, logout, rest, gwc, default), e.g.:

```xml
<filters name="web" path="/web/**,/gwc/rest/web/**">
  <filter>contextAsc</filter>
  <filter>rememberme</filter>
  <filter>anonymous</filter>
  <filter>guiException</filter>
  <filter>interceptor</filter>
</filters>
<filters name="default" path="/**">
  <filter>contextNoAsc</filter>
  <filter>basic</filter>
  <filter>anonymous</filter>
  <filter>exception</filter>
  <filter>interceptor</filter>
</filters>
```
We'll put the `geofence` filter just before the `anonymous` filter. We'll also remove the `basic` filter.
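A small script, added here as an example (it is not part of the GeoFence wiki or code base), that applies this chain edit to a `config.xml` and then verifies the result: `basic` gone, `geofence` sitting directly before `anonymous`. The sample config is constructed from the excerpt above, and `_chain`, `rewrite_chain` and `check_chain` are names of this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the config.xml excerpt above, not a real file.
SAMPLE_CONFIG = """<security>
  <filters name="default" path="/**">
    <filter>contextNoAsc</filter><filter>basic</filter><filter>anonymous</filter>
    <filter>exception</filter><filter>interceptor</filter>
  </filters>
</security>"""

def _chain(root, chain):
    node = root.find(f"./filters[@name='{chain}']")
    if node is None:
        raise KeyError(f"no filter chain named {chain!r}")
    return node

def chain_names(xml_text, chain):
    """Ordered filter names of the chain called `chain`."""
    return [f.text.strip() for f in _chain(ET.fromstring(xml_text), chain).findall("filter")]

def rewrite_chain(xml_text, chain, auth_filter="geofence", drop=("basic",)):
    """Remove every filter in `drop`, then insert `auth_filter` right before `anonymous`."""
    root = ET.fromstring(xml_text)
    node = _chain(root, chain)
    for f in list(node.findall("filter")):
        if f.text.strip() in drop:
            node.remove(f)
    names = [f.text.strip() for f in node.findall("filter")]
    if auth_filter not in names:  # idempotent: a chain already edited is left alone
        if "anonymous" not in names:
            raise ValueError(f"chain {chain!r} has no anonymous filter to anchor on")
        new = ET.Element("filter")
        new.text = auth_filter
        node.insert(list(node).index(node.findall("filter")[names.index("anonymous")]), new)
    return ET.tostring(root, encoding="unicode")

def check_chain(xml_text, chain, auth_filter="geofence"):
    """List what is still wrong with the chain; an empty list means it matches the page's layout."""
    names = chain_names(xml_text, chain)
    problems = []
    if auth_filter not in names:
        problems.append(f"{auth_filter} filter missing")
    elif "anonymous" not in names or names.index(auth_filter) + 1 != names.index("anonymous"):
        problems.append(f"{auth_filter} must be directly before anonymous")
    if "basic" in names:
        problems.append("basic filter still present")
    return problems
```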
The filter name is used to read the file `data/security/filter/FILTERNAME/config.xml`, e.g. for filtername=`basic`:
```xml
<org.geoserver.security.config.BasicAuthenticationFilterConfig>
  <id>3c23db70:140aa7a5694:-7ffb</id>
  <name>basic</name>
  <className>org.geoserver.security.filter.GeoServerBasicAuthenticationFilter</className>
  <useRememberMe>true</useRememberMe>
</org.geoserver.security.config.BasicAuthenticationFilterConfig>
```

or, for GeoFence:

```xml
<geofence>
  <id>9e0fe5ce:9e0fe5ce000:-abcd</id>
  <name>geofence</name>
  <className>org.geoserver.geoserver.authentication.GeoFenceAuthFilter</className>
</geofence>
```
Then the context is searched for a `FilterProvider` which handles the classname in the configuration. This means we will have beans configured in the loaded `appcontext.xml`:

```xml
<bean id="usernamePasswordFilterProvider" class="org.geoserver.security.filter.GeoServerUserNamePasswordAuthenticationProvider"/>
<bean id="rememberMeFilterProvider" class="org.geoserver.security.filter.GeoServerRememberMeAuthenticationProvider"/>
```

and

```xml
<bean id="geofenceFilter" class="org.geoserver.geoserver.authentication.filter.GeoFenceAuthFilterProvider">
  <property name="ruleReaderService" ref="ruleReaderService"/>
</bean>
```
with a declaration of this kind:

```java
// Tells GeoServer which filter class this provider is responsible for.
public Class<? extends GeoServerSecurityFilter> getFilterClass() {
    return GeoFenceAuthFilter.class;
}

// Instantiates the filter for the named config read from filter/geofence/config.xml.
public GeoServerSecurityFilter createFilter(SecurityNamedServiceConfig config) {
    GeoFenceAuthFilter filter = new GeoFenceAuthFilter();
    ...
    return filter;
}
```
The file `data/security/auth/default/config.xml` defines the default authentication provider, e.g.:

```xml
<usernamePassword>
  <id>g30fe5c3:140aa7a5694:-7ff0</id>
  <name>default</name>
  <className>org.geoserver.geoserver.authentication.auth.GeofenceAuthenticationProvider</className>
  <userGroupServiceName>default</userGroupServiceName>
</usernamePassword>
```

We updated it to:

```xml
<usernamePassword>
  <id>g30fe5c3:140aa7a5694:-7ff0</id>
  <name>default</name>
  <className>org.geoserver.geoserver.authentication.auth.GeofenceAuthenticationProvider</className>
</usernamePassword>
```
In the applicationContext there is the definition of a `SecurityProvider`:

```xml
<bean id="geofenceAuth" class="org.geoserver.geoserver.authentication.auth.GeoFenceSecurityProvider">
  <property name="ruleReaderService" ref="ruleReaderService"/>
</bean>
```

that is a factory for the `GeofenceAuthenticationProvider` class:

```java
@Override
public Class<? extends GeoServerAuthenticationProvider> getAuthenticationProviderClass() {
    return GeofenceAuthenticationProvider.class;
}
```

`GeofenceAuthenticationProvider` will query GeoFence to find out whether the user credentials are valid, and whether the ADMIN role has to be granted to the user.