Logo of 52°North

Tutorial, advanced track.

Summary

In this advanced part of the tutorial, we will set up a new enforcement point for a local GeoServer WMS instance.

The GeoServer instance is part of the Jetty WSS/GeoServer bundle you should already have downloaded.

The GeoServer WMS serves basic data of Manhattan, which is part of the demo data delivers with the GeoServer executables.

Task 3: Create a new Enforcement Point for the GeoServer WMS

  • Start the Jetty Web Server
    • In the command shell, switch enter cd [SERVER_HOME].
    • Run java -jar start.jar (Press Ctrl-C to shutdown the server if necessary)
  • In a browser open http://localhost:8080/wss.
  • Click "Manage WSS configuration for the service 'WSS'"
  • Log in as 52n/52n
  • Below the list of currently defined Enforcement Points, click Add
  • In the form enter or select the following:
    • Name: geoserver_wms
    • Protected Service Type: WMS
    • Protected Service URL: http://localhost:8080/geoserver/wms
    • Interceptor: Select "URL Replacement Interceptor" and all "WMS *** Interceptor"
    • Exception Handler: WMS
    • Allow login using 'HTTP Basic Authentication': [x] (enable)
  • Click Ok
  • Click Apply

    The Enforcement Point is now listening on http://localhost:8080/wss/httpauth/geoserver_wms for requests using HTTP Basic Authentication.

Task 4: Create Permissions for Alice

  • In [SERVER_HOME]/webapps/wss/WEB-INF/classes/permissions.xml add a new PermissionSet right below the existing one:
        <PermissionSet name="Local GeoServer WMS Permissions">
        <ResourceDomain value="http://localhost:8080/wss/*/geoserver_wms/" />
        <ActionDomain value="http://localhost:8080/wss/*/geoserver_wms/" />
        <SubjectDomain value="urn:n52:security:subject:role" />
        <Permission name="alice_all_geoserver">
            <Resource value="layers/*" />     <!-- Any layers -->
            <Action value="operations/*" />   <!-- Any operations -->
            <Subject value="alice" />
        </Permission>
    </PermissionSet>
  • Save the file and reload the WSS (stop-start Jetty Web Server)

To test the permissions, load the protected service into uDig.

  • Start uDig and create an empty map

    File > New > New Map

  • Rename map to "Alice's Map" or alike
  • Add the protected WMS to the map

    > [right-click "Alice's Map"] > Add... > Web Map Server

    > [paste URL http://localhost:8080/wss/httpauth/geoserver_wms/] > Next > [log in as alice/alice]

    > [select all "Manhattan" layers] > Finish

  • Zoom to one of the layers if necessary
  • Rearrange the layers, if necessary, to get a reasonable map and until you are satisfied :-).
  • Zoom downtown, click the info button (i), and query information about a Point of Interest. You might need to authenticate again.

As you can see, for Alice everything works as if she had loaded the WMS directly.

Task 5: Add another user with less permissions

Summary
Within this task we will create a new user "Bob" who just has access to a selection of layers. Bob shall only be allowed to query feature information on the tiger:poi layer and has no access to tiger:poly_landmarks.
  • If not already exists, create the new user "Bob"
    • Open the file [SERVER_HOME]/webapps/wss/WEB-INF/classes/users.xml with a text editor.
    • Add the following XML element to the <UserRepository> element
          <User  username="bob" password="bob" realname="Bob">
        <Role name="bob"/>
        <Role name="main"/>
    </User>
    • Save the file
  • Create permissions for Bob
    • Open the file [SERVER_HOME]/webapps/wss/WEB-INF/classes/permissions.xml with a text editor
    • Add the following XML elements to the <PermissionSet name="Local GeoServer WMS Permissions"> element, right below the existing <Permission> element.
      <!--  Users of role 'bob' can view 
        GetFeatureInfo only on tiger:poi  -->
<Permission name="most_GetMap_GetCaps_geoserver">
    <Resource value="layers/tiger%3Atiger_roads" />
    <Resource value="layers/tiger%3Apoi" />
    <Action value="operations/GetCapabilities" />
    <Action value="operations/GetMap" />
    <Subject value="bob" />
</Permission>
<Permission name="bob_poi_GetFeatureInfo_geoserver">
    <Resource value="layers/tiger%3Apoi" />
    <Action value="operations/GetFeatureInfo" />
    <Subject value="bob" />
</Permission>
    • Save the file and reload the WSS (stop-start Jetty Web Server)
  • Delete Alice's map in uDig and restart uDig (otherwise you cannot access the proteced service as another user) .
  • Add a new map named "Bob's Map" to the uDig project and add the WMS http://localhost:8080/wss/httpauth/geoserver_wms.
  • This time log in as bob/bob
  • Again, zoom to the layers and rearrange them if necessary.
  • When you try to identify a road, you should not get any information but the message "no rights". That's because users with role bob don't have permission to query GetFeatureInfo on that layer.

Task 6: Add guest user with spatial constraints

Summary
Within this task we will create a new user "Guest" who just has access to a selection of layers. Guest shall only be allowed to query feature information on the tiger%3Apoi layer in the area of the very south end of Manhattan.
  • If not already exists, create a new user "Guest" with username/password/role guest/guest/guest in the users.xml file of the WSS.
  • In the permissions.xml file, add a second <Subject> element to the Permission with name="most_GetMap_GetCaps" to allow users with role guest to view the same layers as role bob:
        <Subject value="guest" />
  • In the permissions.xml file, add the following XML elements to the <PermissionSet name="Local GeoServer WMS Permissions"> element, right below last <Permission> element.
    <!--  users with role guest can request GetFeatureInfo on Countries only within american continent -->
<Permission name="guest_poi_GetFeatureInfo_obliged_geoserver">
    <Resource value="layers/tiger%3Apoi" />
    <Action value="operations/GetFeatureInfo" />
    <Subject value="guest" />
    <Obligation name="obligation:wms:extent:boundingbox">
        <Attribute name="srs">EPSG:4326</Attribute>
        <Attribute name="box">-74.0130,40.7070,-74.0097,40.7100</Attribute>
    </Obligation>
</Permission>
  • Save the file and reload the WSS (stop-start Jetty Web Server)
  • Delete Bob's map in uDig and restart uDig (otherwise you cannot access the proteced service as another user) .
  • Add a new map named "Guest's Map" to the uDig project and add the WMS http://localhost:8080/wss/httpauth/geoserver_wms.
  • Again, rearrange the layers to get a fancy map
  • Try to identify POI's of the northern or the southern part. You should not get information but the message "no rights" in the northern part.