Web Map Service (WMS) endpoint is implemented using combination of Layman's authentication proxy and GeoServer.
The authentication proxy understands same authentication credentials as Layman REST API (e.g. OAuth2 credentials) and passes the request to GeoServer with credentials understandable by GeoServer.
WMS respects publication access rights. If user asks for layer he has not read access to by GetMap or GetFeatureInfo request, GeoServer returns standard ServiceExceptionReport (code LayerNotDefined).
Web Feature Service (WFS) endpoint is implemented using combination of Layman's authentication proxy, Layman's WFS proxy, and GeoServer.
The authentication proxy behaves in the same way as in case of WMS.
The WFS proxy automatically creates missing attributes in DB table before redirecting WFS-T request to GeoServer. Each missing attribute is created as VARCHAR(1024). Also if QML style is used, attribute is automatically added to QGS project file. Works for WFS-T 1.0, 1.1 and 2.0 on actions Insert, Update and Replace. If creating attribute fails for any reason, warning is logged and request is forwarded to GeoServer nevertheless.
WFS respects publication access rights. If user asks for type (layer) he has not read access to by DescribeFeatureType or GetFeature request, GeoServer returns standard ExceptionReport (code InvalidParameterValue, locator typeName or typeNames). To perform WFS-T requests, write access is needed.
Catalogue Service (CSW) is implemented using Micka.