This page last changed on Jul 12, 2006 by acuster.

Introduction

This is a page to discuss what a security framework in GeoServer might look like. As a first step we only really want 'attribution', which just requires a login for any operation. Further on we'd likely prefer more granular controls, such as who has view access, who has write access, etc.

Requirements

(please add more)

  • Not writing our own user permission management; that should be handled by someone else
  • Able to plug in to other user management systems, like LDAP, etc.
  • Fairly independent of GeoServer (perhaps its own module)
  • Ability for GeoServer services to access the permission information.
  • ?

Possibilities

  • JAAS - The Java Authentication and Authorization Service (JAAS) is a set of APIs that enable services to authenticate and enforce access controls upon users. It implements a Java technology version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. This is included in JDK 1.4. Not sure if it really does everything we need. There has been some GeoServer work with this, see: [GEOTOOLS:SIS Meta Infrastructure current software], which has code for security. There may be stuff in there that can be reused.
  • Distributed Access Control System. These guys have worked with uDig in the past. They implemented it with a WFS as well. It stands completely independent, and plugs in to a number of role backends. It's also very fast. Works with Apache, installed separately. Can have integration at the code level without too much difficulty. Could be a very good option. Downside is that it's not Java, and it would require people to install an extra piece of software.
  • Acegi - Security services for Spring. Lots of nice features. Suggested by Seraph; they said it's more complex, probably with a bit of a higher learning curve. But if we've got Spring going already it could be good... article about it.
  • more?
Document generated by Confluence on May 14, 2014 23:00