[Geoprisma-users] Security and user authentication - open question

Yves Moisan yves.moisan at boreal-is.com
Mon Mar 29 08:53:05 EDT 2010


On 2010-03-29 07:39, paweluz wrote:
> Hi!
>
> I wrote an application using GWT
> (http://sourceforge.net/projects/gwt-openlayers/), OL2.8, Geoserver2.0.1 and
> PostGIS. The user is able to view, save, delete and modify data using web
> browser. Now I have been thinking about a way to limit the functionality to
> the user.
> For example:
> - only the admin user can modify data.
> - only some users can view the specific layers
> - the anonymous user can just watch a few layers
>    
Hi Poul,

Exactly what we do with GeoPrisma :-).
> I have been reading about some authentication with geoserver:
> http://docs.geoserver.org/stable/en/user/security/sec_layer.html
>
> I have found information about GeoPrisma in some topic in geoserver forum. I
> have been wondering is there a way to use it in my application. I know that
> GeoPrisma was written in PHP so I am guessing this is not a good idea in
> my case since I have been writing application in JAVA (GWT).
You can always mix and match languages especially considering you are 
accessing those applications developed in diverse programming languages 
as services so there is no coupling at the application level provided 
you meet the services requirements for input and output.  We use 
FeatureServer, which is a Python application, as a replacement for the 
write capabilities of GeoServer and we may also use the MapFish server 
(another Python web application).  We're also using the MapFish print 
server which is a Java servlet.
>
> I have also been reading that Geoserver has implemented Acegi security. This
> is using basic authorization - but I found out that this is rather not safe,
> especially if your application and server are on different machines.
> I know that Acegi used in Geoserver may work with CAD or LDAP, but it is
> quite difficult to use.
>
> I know this is a really open question, but my programming experience is
> actually a little short, and I would very much appreciate any help.
>
> So to sum up:
> - Is there a way to use Geoserver authorization (Acegi) from outside, in
> client application, and is this safe enough (this question for users that
> have some experience with geoserver)
> - Is it possible to use GeoPrisma with java technology (GWT) - since it was
> written in PHP??
>
> I am completely new in security subject and I honestly have no idea what to
> choose... Maybe for someone this is really simple...
>
> Regards,
> Poul
>    

It's funny: at one point in time we as a company were quite 
interested in "securing" GeoServer.  At the time, we were almost ready 
to help integrate Spring (the new incarnation of Acegi) into GeoServer.  
I don't know what the status of this project is nowadays, but I also 
recall it was not easy to integrate fine-grained security in GeoServer.  
At least not for me.  As to your question about Acegi, I doubt you will 
find answers on this list.  Refer to the GeoServer users list or to a 
Java list.

The way I see one could secure GeoServer on the UI side using GeoPrisma 
would be to develop a driver for GeoServer in GeoPrisma that would 
support WFS-T.  The way we secure things is to deny access to our web 
services (MapServer for WMS/WFS) and FeatureServer to write features to 
all machines but the server where the GeoPrisma proxy is installed 
making it impossible from client computers to directly access the 
services.  Then we secure an application, basically the UI, with GeoPrisma.

HTH,

Yves
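
The arrangement described in the reply above (map services reachable only from the proxy host, with the proxy deciding what each user may do) depends on the proxy classifying every request as a read or a write on named layers before forwarding it. The following is an added example, not GeoPrisma code and not part of the original message; the role names, layer names and policy table are constructed, and it assumes layer local names are unique across workspaces.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed policy (hypothetical roles and layers): role -> layer -> allowed actions.
POLICY = {
    "anonymous": {"basemap": {"read"}},
    "user": {"basemap": {"read"}, "parcels": {"read"}},
    "admin": {"basemap": {"read", "write"}, "parcels": {"read", "write"}},
}

def local(name):
    """Drop an XML namespace ("{uri}x") or workspace prefix ("ws:x")."""
    return name.split("}")[-1].split(":")[-1]

def requested_access(query_string, body=None):
    """Return (action, layers) for a WMS/WFS request, or None if unclassifiable."""
    if body is not None:  # WFS-T Transaction arrives as an XML POST body
        if "<!DOCTYPE" in body:  # refuse DTDs so entity tricks never reach the parser
            return None
        try:
            root = ET.fromstring(body)
        except ET.ParseError:
            return None
        if local(root.tag) != "Transaction":
            return None
        layers = set()
        for op in root:
            if local(op.tag) == "Insert":
                layers.update(local(feature.tag) for feature in op)
            elif local(op.tag) in ("Update", "Delete"):
                layers.add(local(op.get("typeName", "")))
            else:
                return None  # unknown operation: do not guess
        return "write", layers
    params = {}
    for key, values in parse_qs(query_string).items():
        if len(values) > 1 or key.lower() in params:
            return None  # duplicated parameter: proxy and backend could disagree
        params[key.lower()] = values[0]
    field = {"getmap": "layers", "getfeature": "typename"}.get(
        params.get("request", "").lower())
    if field is None:
        return None  # only the request types listed above are forwarded
    return "read", {local(n) for n in params.get(field, "").split(",")}

def authorize(role, query_string, body=None):
    """Default deny: every requested layer must grant the action to the role."""
    action, layers = requested_access(query_string, body) or (None, set())
    grants = POLICY.get(role, {})
    return bool(layers) and all(action in grants.get(n, ()) for n in layers)
```

A check like this is only meaningful when the backend services refuse connections from every host except the proxy, as the reply describes; otherwise a client can skip it by addressing the service directly.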


