This page last changed on Jul 12, 2006 by acuster.
This is a page to discuss what a security framework in GeoServer might look like. For the first step we only really want 'attribution', which just requires a login for any operation. But further on we'd likely prefer more granular operations like who has view access, who has write access, etc.
(please add more)
- Not writing our own user permissioning management, handled by someone else
- Able to plug in to other user management systems, like LDAP, etc.
- Fairly independent of GeoServer (like perhaps its own module)
- Ability for GeoServer services to access the permission information.
- JAAS - The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. This is included in JDK 1.4. Not sure if it really does everything we need. There has been some GeoServer work with this, see: [GEOTOOLS:SIS Meta Infrastructure current software], which has code for security. There may be stuff in there that can be reused.
- Distributed Access Control System. These guys have worked with uDig in the past. They implemented with a WFS as well. It stands completely independent, and plugs in to a number of role backends. It's also very fast. Works with Apache, installed separately. Can have integration at the code level without too much difficulty. Could be a very good option. Downside is that it's not Java, would require people to install an extra piece of software.
- Acegi - Security services for Spring. Lots of nice features. Suggested by Seraph, they said it's more complex, probably a bit of a higher learning curve. But if we've got Spring going already it could be good... article about it.