camptocamp / 9 September 2010 / www.camptocamp.com / [email protected]
Secure your GIS
Protecting GIS applications suites
Outline
- Camptocamp SA
- Introduction
  - Green field
  - Heterogenous FOSS applications
  - Geospatial applications
- Landscape
  - Non-spatial solutions
  - Geoserver
  - SecureOWS
  - 52˚ North WSS
  - Deegree
- Examples of Complete Solutions
- Resources
Chambéry
Lausanne
Open Source solutions provider as editor and integrator
Staff of 35 in Switzerland and France
Camptocamp helps you move forward with the latest Open Source technologies
Camptocamp activity domains
- Geospatial Solutions: Webmapping; GIS; Geospatial databases; Spatial Data Infrastructure; OGC Web Services
- Business Solutions: ERP; Business Intelligence; ETL
- Infrastructure Solutions: Linux; HTTP, Apache; Load balancing; Cloud computing (AWS); VoIP
CONSULTING, RESEARCH & DEVELOPMENT
ENGINEERING, IMPLEMENTATION
OPEN SOURCE SUPPORT
TRAINING
Green field
- Non-geospatial is easy
- Most frameworks have security components
  - Choose framework of choice
  - Develop applications
- Framework Evaluation
  - Single Sign on
  - Authentication mechanisms (LDAP, Database, CAS, OpenID)
  - Authorization mechanisms (LDAP, Database)
Suite of FOSS Applications
- Different application frameworks
- Different Languages
- Different frameworks supporting different options
- Challenging for sysadmins to configure
- Single Sign on may be required (or at least desirable)
Geospatial aspect
- Typical frameworks do not support Geospatial domain
- Most frameworks allow URL restrictions for queries like:
  http://myservice/ows?service=wms&layer=***
- Cumbersome security
- BBox queries are difficult
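Added example (not from the original slides): a sketch of the per-request check a geospatial-aware proxy has to make, which a URL pattern cannot express because parameter names are case-insensitive, several layers may be requested at once, and the BBOX has to be compared numerically with a permitted extent. It uses the standard WMS GetMap parameters LAYERS and BBOX; the policy table, role names and function names are hypothetical.

```python
from urllib.parse import parse_qs, urlsplit

# Hypothetical policy (constructed values): role -> layer -> permitted extent
# as (minx, miny, maxx, maxy). Assumes requests and policy share one CRS.
POLICY = {
    "public": {"roads": (5.9, 45.8, 10.5, 47.8)},
    "staff": {"roads": (5.9, 45.8, 10.5, 47.8), "parcels": (6.0, 46.0, 7.0, 47.0)},
}

def _params(url):
    """Upper-case parameter names (OWS names are case-insensitive); reject repeats."""
    out = {}
    for key, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        if len(values) != 1 or key.upper() in out:
            raise ValueError("duplicate parameter: " + key)
        out[key.upper()] = values[0]
    return out

def _within(bbox, extent):
    """True only for a well-ordered box fully inside the extent (NaN fails)."""
    minx, miny, maxx, maxy = bbox
    return (minx < maxx and miny < maxy and minx >= extent[0]
            and miny >= extent[1] and maxx <= extent[2] and maxy <= extent[3])

def authorize_getmap(url, role):
    """Return (allowed, reason) for a WMS GetMap URL; anything unclear is denied."""
    try:
        p = _params(url)
    except ValueError as exc:
        return False, str(exc)
    if p.get("SERVICE", "").upper() != "WMS" or p.get("REQUEST", "").lower() != "getmap":
        return False, "not a WMS GetMap request"
    layers = [name for name in p.get("LAYERS", "").split(",") if name]
    try:
        bbox = tuple(float(v) for v in p.get("BBOX", "").split(","))
    except ValueError:
        return False, "malformed BBOX"
    if not layers or len(bbox) != 4:
        return False, "missing LAYERS or BBOX"
    allowed = POLICY.get(role, {})
    for layer in layers:
        if layer not in allowed:
            return False, "layer not permitted: " + layer
        if not _within(bbox, allowed[layer]):
            return False, "BBOX outside permitted extent for " + layer
    return True, "ok"
```

Every requested layer must pass both checks, so a permitted layer cannot be used to carry a restricted one through in the same LAYERS list.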
Non-spatial Solutions
- Framework X security
  - Not useful for retrofitting heterogenous application suite
- Security Proxy
  - http://www.google.ch/search?q=security+proxy
  - Not all are open source solutions
- Spring Security
  - Good basis for a security proxy
Geospatial solutions
- Geoserver (embedded security)
  - www.geoserver.org
- Secure OWS (security proxy)
  - www.secureows.org/
- 52˚ North Web Security Service (security proxy)
  - 52north.org/maven/project-sites/security/
- Deegree (embedded security)
  - wiki.deegree.org/deegreeWiki/deegree3/SecuritySubsystemDocumentation
Proxy VS embedded
[Diagram, two panels. Panel 1 labels: Client, Client, Client, Proxy, Server 1, Server 2. Panel 2 labels: Client, Client, Client, Server 1, Server 2.]
Hybrid Proxy/Embedded (Geoserver)
[Diagram labels: Client, Client, Client, Server 1, Server 2.]
Proxy VS Embedded
- Both have advantages
- Proxy
  - Forward all requests (Can cause problems for performance)
  - Only one place for all security configuration
  - Can secure many servers
- Embedded
  - Potentially less load on servers and possibly better performance
  - Deeper integration and therefore (theoretically) less chance of misconfiguration
  - Less complicated configuration
Geoserver
- Built-in geospatial security
- Services Secured
  - Web Feature Service (WFS)
  - Web Map Service (WMS)
  - Web Coverage Service (WCS)
  - WFS Proxy
  - WMS Proxy
- Security Axes
  - Layer
  - Namespace
  - Service
Geoserver Pro/Con
- Pros
  - Performance, no proxying requests
  - Based on Spring/Acegi security
    • Support almost all authentication and authorization schemes
    • Large community testing and using it
    • Very flexible
  - Supports most common protocols
  - Simple/powerful configuration options
- Cons
  - Extent restriction not supported
  - Projection restriction not supported
  - Non-standard configuration files
SecureOWS
- Geospatial Security Proxy
- Services Secured
  - WMS
  - WFS
  - WCS
- Security Axes
  - Layer
  - Service
  - Extent
  - MapSize
  - Projection
SecureOWS Pro/Con
- Pros
  - Fine grained security configuration options
  - Can secure any number of servers
  - Provides a client for managing connections
    • https://www.secureows.org/trac/secureows/wiki/ClientSoftware
- Cons
  - Proxy solution
  - Non-standard configuration files
  - Limited number of supported authentication/authorization mechanisms
52˚ North WSS
- Geospatial Security Proxy
- Services Secured
  - WMS
  - WFS
- Security Axes
  - Layer
  - Service
  - Extent
  - Projection
52˚ North WSS Pro/Con
- Pros
  - Standards compliant configuration files
    • I have not found any other implementations, please let me know of more solutions
  - Fine grained security configuration options
  - Can secure any number of servers
  - Pluggable architecture
- Cons
  - Limited number of supported authentication/authorization mechanisms
  - Limited number of services supported
  - Proxy issues
Deegree
- Embedded security
- Proxy options?
- Services Secured
  - WMS
  - WFS
  - WCS
  - CSW
- Security Axes
  - Service
Deegree Pro/Con
- Pros
  - Embedded security
  - Many types of services supported
- Cons
  - Very limited documentation
  - Limited number of supported authentication/authorization mechanisms
  - Poor granularity of security options
Complete Solution 1
[Diagram labels: Spring-based Security Proxy; Geoserver; App2; WMS2; LDAP; CAS; credentials; Authentication / Authorization.]
- Geoserver and App2 obtain authorization from proxy
- Or Proxy controls access based on URL patterns
Complete Solution 2
[Diagram labels: Spring-based Security Proxy; Geoserver; App2; WMS2; LDAP; CAS; Authentication/Authorization.]
- Geoserver has same configuration as proxy and accesses CAS and LDAP directly
Complete Solution 3
[Diagram labels: Geoserver; Spring-based Security Proxy; App2; WMS2; LDAP; CAS; Authentication/Authorization.]
- Embed proxy within Geoserver
Wrap up
- 52˚ North WSS seems like one of the best Geospatial solutions
  - Lacks plethora of authentication strategies for application suite
- Geoserver is not as advanced Geospatial
  - Spring Security more than makes up when securing an application suite
- SecureOWS client is useful for Applications like ArcView
Resources
- Camptocamp
  - http://www.camptocamp.com/
- GeoServer
  - http://www.geoserver.org/
- SecureOWS
  - https://www.secureows.org/
- 52 North
  - http://52north.org/maven/project-sites/security/
- Deegree
  - http://wiki.deegree.org/deegreeWiki/deegree3/SecuritySubsystemDocumentation
camptocamp SA / www.camptocamp.com / [email protected]
Thank you for your attention
Camptocamp SA
[email protected] +41 21 619 10 10 +33 4 79 44 44 94