
GSIP 159

Jody Garnett edited this page Sep 8, 2017 · 6 revisions

GSIP 159 - GeoWebCache data security API

Overview

Add an extension point to GeoWebCache allowing for a security check based on the layer and extent of the tile. Add an implementation of this extension point to GeoServer's GWC integration.

The API changes will primarily be upstream in GeoWebCache. However, GeoWebCache does not presently have a formal proposal system, its most active developers are also GeoServer developers, and the change has security implications for GeoServer, so this proposal will be handled as a GSIP.

Proposed By

Kevin Smith

Assigned to Release

This proposal is for GeoServer 2.12 and GeoWebCache 1.12.

State

  • Under Discussion
  • In Progress
  • Completed
  • Rejected
  • Deferred

Motivation

Currently GeoServer intercepts requests to its embedded GWC instance, parses them and then does a security check against its catalog to determine if the request should be allowed to proceed. This is brittle in the face of new services or differences between how the security check and the actual service implementation interpret the request.

This will also open the possibility of a standalone layer/location-specific security system in upstream GeoWebCache.

Proposal

Filter to check that the request is allowed.

interface SecurityFilter {
  public void checkSecurity(TileLayer layer, BoundingBox extent, SRS srs) throws SecurityException;
}

The filter will pick up the security context from side band methods like the Spring Security thread local in GeoServer.

Amend method signatures to allow throwing an appropriate security exception.
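A sketch of how an implementation of this extension point could behave, added here as an illustration and not taken from GeoWebCache or GeoServer. TileLayer, BoundingBox and SRS are minimal stand-ins for the GWC types, and CURRENT_USER, GRANTS, POLICY_SRS and AREA_FILTER are hypothetical names; the thread local plays the role of the Spring Security context.

```java
import java.util.Map;
public class ExtentSecurityDemo {
    // Stand-ins for the GeoWebCache types named in the proposal (assumed shapes).
    record TileLayer(String name) {}
    record SRS(int epsg) {}
    record BoundingBox(double minX, double minY, double maxX, double maxY) {
        boolean contains(BoundingBox o) {
            return minX <= o.minX && minY <= o.minY && maxX >= o.maxX && maxY >= o.maxY;
        }
    }
    interface SecurityFilter {
        void checkSecurity(TileLayer layer, BoundingBox extent, SRS srs) throws SecurityException;
    }
    // Side-band security context; hypothetical stand-in for Spring Security's thread local.
    static final ThreadLocal<String> CURRENT_USER = new ThreadLocal<>();
    // Constructed policy: "user/layer" -> area that user may read, expressed in POLICY_SRS.
    static final SRS POLICY_SRS = new SRS(4326);
    static final Map<String, BoundingBox> GRANTS = Map.of("alice/roads", new BoundingBox(-10, 40, 5, 55));

    static final SecurityFilter AREA_FILTER = (layer, extent, srs) -> {
        String user = CURRENT_USER.get();
        BoundingBox allowed = user == null ? null : GRANTS.get(user + "/" + layer.name());
        // Fail closed: no identity, no grant, an SRS the policy cannot be compared in,
        // or a tile that is not entirely inside the granted area.
        if (allowed == null || !POLICY_SRS.equals(srs) || !allowed.contains(extent)) {
            throw new SecurityException("tile extent not permitted on layer " + layer.name());
        }
    };

    // Runs one check the way a request thread would: set context, check, always clear.
    static boolean allowed(String user, String layer, BoundingBox tile, SRS srs) {
        CURRENT_USER.set(user);
        try {
            AREA_FILTER.checkSecurity(new TileLayer(layer), tile, srs);
            return true;
        } catch (SecurityException e) {
            return false;
        } finally {
            CURRENT_USER.remove(); // do not leak identity to the next request on this thread
        }
    }

    public static void main(String[] args) {
        System.out.println(allowed("alice", "roads", new BoundingBox(0, 45, 1, 46), POLICY_SRS)); // inside grant
        System.out.println(allowed("alice", "roads", new BoundingBox(4, 45, 6, 46), POLICY_SRS)); // straddles edge
        System.out.println(allowed("alice", "roads", new BoundingBox(0, 45, 1, 46), new SRS(3857))); // other SRS
        System.out.println(allowed(null, "roads", new BoundingBox(0, 45, 1, 46), POLICY_SRS)); // anonymous
    }
}
```

Because the check receives the tile's own layer and extent rather than the raw request, the decision is made on the same values the service uses to produce the tile.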

Alternatives/Variations

  • The existing RequestFilter extension point might be used instead of making upstream changes, or the SecurityFilter might be made as a subclass of it or otherwise use it.

  • Instead of a security filter standard across the system, let the tile layer implementation handle security in whatever way it sees fit based on the conveyor's security context.

Backwards Compatibility

In the absence of a security check implementation, standalone GeoWebCache will behave as it already does. The GeoWebCache security integration in GeoServer is not intended as an extension point for developers, so replacing it should not affect anyone; its configuration consists of a flag to turn it on or off, which can be maintained. This change should have no compatibility issues.

Some GWC APIs will change in a non-backward compatible way by adding a new checked exception.

Discussion

  • Jody preferred to use existing exception class.

  • Andrea disliked passing the Security Context as an Object and suggested not including it in the API, allowing implementations to use thread locals or similar means, as Spring Security already provides this.

Voting

Project Steering Committee:

  • Alessio Fabiani:
  • Andrea Aime:
  • Ben Caradoc-Davies: +1
  • Brad Hards:
  • Christian Mueller:
  • Ian Turton:
  • Jody Garnett: +1
  • Jukka Rahkonen:
  • Kevin Smith: +1
  • Simone Giannecchini:

Links
