GSIP 53 Geoserver security improvement
Overview
Make Geoserver ready for access control specific to geodata and evaluate Single Sign On technologies.
This proposal has been superseded by GSIP 71 - New Security Subsystem.
Proposed By
Christian Mueller
Assigned to Release
This proposal will be implemented for release 2.1.0 or a later one, depending on GSIP 54 which is a prerequisite.
State
Choose one of: Under Discussion, In Progress, Completed, Rejected, Deferred
Motivation
Spatial data imposes additional requirements on access control; an example is given in the proposal section. Since most of the OGC Web Services are stateless, it makes sense to offer the possibility of SSO and to allow Geoserver deployments to work in a host farm (clustering).
Proposal
This proposal is based on Spring Security. The current version of Spring Security is 3.x, which requires Spring Framework 3.0. At the time of writing this proposal, Geoserver uses Spring 2.x. There are 2 possibilities:
- Using Spring Security 2.x and deferring the migration to Spring 3.x ( GSIP 54 )
- Migrating Geoserver to Spring 3.x and using Spring Security 3.x
The first step is to find a solution for access control specific to geographical data. At a minimum, it should be possible to add a GeoXACML plugin. Normally, an access control decision is a simple YES or NO. This is not sufficient for spatial data. A simple example illustrates the problem.
Given: a map of Europe and a layer with all cities of Europe.
Access Control: User Bob has the right to view all cities of Italy, he has no right to see other cities.
Problem: It is not possible to construct the proper WMS GetMap request since Italy is not a rectangle and this kind of request needs a bounding box.
Solution:
XACML has a concept called obligations. An obligation can be anything; obligations are attached to an access decision. In this example, the result of the access decision system should be YES, but with an obligation telling Geoserver to intersect the city layer with the border of Italy.
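The decision-plus-obligation flow described above, as an added sketch that is not Geoserver or GeoXACML code. The names `pdp_decide`, `get_features` and the obligation id `intersect-with` are hypothetical, the polygon and city coordinates are constructed sample data, and denying on an unknown obligation is this sketch's design choice.

```python
from dataclasses import dataclass, field

# Constructed sample data: approximate (lon, lat) city points and a crude
# stand-in polygon for Italy. This is not real border data.
CITIES = {"Rome": (12.5, 41.9), "Milan": (9.19, 45.46), "Zagreb": (15.98, 45.81),
          "Vienna": (16.37, 48.21), "Paris": (2.35, 48.86)}
ITALY = [(6.6, 45.1), (13.8, 46.6), (18.5, 40.1),
         (15.6, 37.9), (12.4, 37.8), (8.0, 44.0)]

@dataclass
class Decision:
    permit: bool
    obligations: list = field(default_factory=list)

def pdp_decide(user, layer):
    """Hypothetical decision point: Bob may read 'cities', clipped to Italy."""
    if user == "bob" and layer == "cities":
        return Decision(True, [{"id": "intersect-with", "polygon": ITALY}])
    return Decision(False)

def in_polygon(pt, poly):
    """Ray-casting point-in-polygon test."""
    x, y = pt
    inside = False
    for (x1, y1), (x2, y2) in zip(poly, poly[1:] + poly[:1]):
        if (y1 > y) != (y2 > y) and x < x1 + (x2 - x1) * (y - y1) / (y2 - y1):
            inside = not inside
    return inside

def get_features(user, layer, bbox, decide=pdp_decide):
    """Enforcement point: run the bbox query, then discharge every obligation."""
    decision = decide(user, layer)
    if not decision.permit:
        raise PermissionError("access denied")
    minx, miny, maxx, maxy = bbox
    hits = {n: p for n, p in CITIES.items()
            if minx <= p[0] <= maxx and miny <= p[1] <= maxy}
    for ob in decision.obligations:
        if ob.get("id") != "intersect-with":
            # An obligation that cannot be fulfilled is treated as a deny.
            raise PermissionError("unsupported obligation: %r" % ob.get("id"))
        hits = {n: p for n, p in hits.items() if in_polygon(p, ob["polygon"])}
    return sorted(hits)
```

With the bounding box `(6.0, 36.0, 19.0, 47.5)`, the bbox filter alone would also return Zagreb; only the obligation step removes it.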
The second step is an investigation into how well Geoserver can work in SSO scenarios.
SAML and XACML are possible technologies for taking a deeper look.
Feedback
This section should contain feedback provided by PSC members who may have a problem with the proposal.
Backwards Compatibility
No migration is necessary for already deployed Geoserver installations.
Voting
- Alessio Fabiani
- Andrea Aime
- Chris Holmes (Chair)
- Jody Garnett
- Rob Atkinson
- Simone Giannecchini
- Ben Caradoc-Davies
- Mark Leslie
Links
[JIRA Task|]
[Email Discussion|]
[Wiki Page|]