Currently, access to layers through the WFS endpoint is controlled by GeoServer's security system, which is not connected to Layman's security system. So currently, access to GeoServer's web services lies outside the scope of Layman's authentication and authorization mechanisms. This leads to some problems. Typically, if a user wants to edit his layer through WFS, the layer must either be editable by all users, including the anonymous user, or he must authenticate to GeoServer as the admin user.
The purpose of this issue is to enable Layman's authentication mechanism for GeoServer's web services as well, wherever it's necessary. Currently, the only necessary endpoint is WFS, because we do not restrict read access yet and WMS is a read-only service. Web services other than WFS and WMS are not used at this time.
We can solve this by putting GeoServer's WFS behind a proxy. The proxy will exchange Layman's authentication credentials for GeoServer's HTTP Header Proxy authentication credentials. Furthermore, we also need to make GeoServer aware of Layman's user and the access rights of this user. This can be implemented using GeoServer's role system and layer security rules.
Summary of the whole suggested communication:
- the WFS proxy checks that a user with the same username already exists in GeoServer's role system (if not, it's created) and that an appropriate layer security rule exists (if not, it's created)
- the proxy sets GeoServer's HTTP Proxy Header with the appropriate username
- if the authenticated user does not have a username or is anonymous, no GeoServer HTTP Proxy Header is set
- the request with the new headers is forwarded to GeoServer and the response is returned directly to the user
As Layman's authorization can be changed by the sysadmin, it's also necessary to check and adjust GeoServer's role system and layer security rules on every Layman startup, so that GeoServer reflects Layman's authorization even after the change.
jirik changed the title from "Proxify GeoServer's WFS to use Layman's authentication also for them" to "Proxify GeoServer's WFS to use Layman's authentication also for it" on Apr 22, 2020
jirik changed the title from "Proxify GeoServer's WFS to use Layman's authentication also for it" to "Proxify GeoServer's WFS to use Layman's authentication" on Apr 22, 2020
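The header handling in the proxy steps described in the issue, as an added example that is not part of the original issue or of Layman's code. The header name, the username pattern and the assumption that Layman's credentials arrive in `Authorization` are hypothetical; the point shown is that any client-supplied copy of the authentication header is dropped before the proxy sets its own.

```python
import re

# Hypothetical header name: it must equal the request header attribute
# configured in GeoServer's HTTP Header Proxy authentication filter.
GS_AUTHN_HEADER = "X-Example-GS-Username"

# Headers never copied from the client request to GeoServer.
DROPPED = {
    "host",
    "connection",
    "authorization",          # assumption: carries Layman's credentials
    GS_AUTHN_HEADER.lower(),  # a client must never choose its own identity
}

# Assumption: usernames are restricted to a header-safe alphabet.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def build_geoserver_headers(client_headers, username):
    """Return the headers to forward to GeoServer for one WFS request.

    client_headers: mapping of header name to value from the client request.
    username: name established by Layman's authentication, or None when the
    user is anonymous or has no username.
    """
    forwarded = {name: value for name, value in client_headers.items()
                 if name.lower() not in DROPPED}
    if username is None:
        # Anonymous or nameless user: no header, GeoServer sees anonymous.
        return forwarded
    if not SAFE_USERNAME.fullmatch(username):
        raise ValueError("username is not safe to place in a header")
    # Only the proxy's own value reaches GeoServer.
    forwarded[GS_AUTHN_HEADER] = username
    return forwarded


if __name__ == "__main__":
    # Constructed sample request in which the client supplies the header itself.
    sample = {"Content-Type": "text/xml",
              "Authorization": "Bearer example-token",
              "x-example-gs-username": "bob"}
    print(build_geoserver_headers(sample, "alice"))
    print(build_geoserver_headers(sample, None))
```

This check only holds if GeoServer's WFS endpoint is reachable solely through the proxy, since GeoServer trusts whatever value the header carries.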