The GeoShield project is released.
Download page: here
New site at here
Introduction
In the last few years, here at the Institute of Earth Science (IST), we began using OGC services for map generation (WMS, WFS), geodata processing (WPS) and sensor data interaction (SOS). As long as our services were publicly accessible there weren't many problems, but when external entities (such as the Government) ordered geo-applications, data confidentiality over the web became the main issue. Such projects contain sensitive data, which obviously can't be accessible to everyone.
Searching the web for a simple solution that suited our needs, we didn't find anything really simple, so we decided to develop our own security solution to guarantee strong protection for our geo-services. The first thing was to decide the project name: GeoShield.
GeoShield is a project born to offer a centralized way to define security access control for geo-services. It acts as a proxy, intercepting all communications between clients and OGC-compliant services (WMS, WFS, WPS, SOS).
GeoShield manages users and groups, and handles authentication and privilege settings between groups and registered services. It analyses requests, applying the filters set for the user, and manipulates the response.

WMS Security
A Web Map Service (WMS) is a standard protocol for serving georeferenced map images over the Internet that are generated by a map server using data from a GIS database. The specification was developed and first published by the Open Geospatial Consortium in 1999.
For example, when handling WMS security, with GeoShield we can:
- define access privilege for each layer provided by the service,
- specify if a layer can be viewed or not,
- define geometrical extent of view permission.
All privileges on single layers are based on Common Query Language (CQL) filters, which allow interesting combinations of permission definitions that operate in a way hidden from the end user.
Example of CQL per Layer permissions:
- Group: FOO
- Server: BAR
- Layer: BAZ
- Permission: COLOR='RED' AND BBOX(the_geom,707724,82464,732146,113847)
- Description: users that belong to the group FOO can view the layer BAZ on server BAR, but only the features inside the given BBOX that have an attribute color equal to red.
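The per-layer filtering described above, as an added example (not GeoShield's own code, which is Java): a proxy step that rewrites a WMS GetMap query so the group's CQL permission is always ANDed with whatever filter the client sent. It assumes the backend map server accepts a GeoServer-style CQL_FILTER parameter with one entry per layer; the PERMISSIONS table and the function names are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed permission table: (group, server, layer) -> mandatory CQL filter.
PERMISSIONS = {
    ("FOO", "BAR", "BAZ"):
        "COLOR='RED' AND BBOX(the_geom,707724,82464,732146,113847)",
}

class Denied(Exception):
    """Raised when the request must not be forwarded to the backend."""

def balanced(cql):
    """True if parentheses outside '...' literals are balanced and every
    quote is closed, so the text cannot close the wrapper added below."""
    depth, in_str = 0, False
    for ch in cql:
        if ch == "'":
            in_str = not in_str      # a doubled '' toggles twice: no net change
        elif not in_str and ch == "(":
            depth += 1
        elif not in_str and ch == ")":
            depth -= 1
            if depth < 0:            # closes a parenthesis it never opened
                return False
    return depth == 0 and not in_str

def rewrite_getmap(group, server, query):
    """Return the query string to forward, with the group's filter enforced."""
    # WMS parameter names are case-insensitive; normalising them also means
    # each parameter is forwarded exactly once.
    params = {k.upper(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    layers = params.get("LAYERS", "").split(",")
    client = params.get("CQL_FILTER", "")
    client = client.split(";") if client else ["INCLUDE"] * len(layers)
    if len(client) != len(layers):
        raise Denied("one CQL_FILTER entry per layer is required")
    merged = []
    for layer, user_cql in zip(layers, client):
        required = PERMISSIONS.get((group, server, layer))
        if required is None:         # default deny: no rule, no access
            raise Denied("layer not granted: " + layer)
        if not balanced(user_cql):
            raise Denied("malformed client filter")
        merged.append("(%s) AND (%s)" % (required, user_cql))
    params["CQL_FILTER"] = ";".join(merged)
    return urlencode(params)
```

Wrapping both sides in parentheses only narrows the result if the client text cannot close the wrapper itself, which is why the balance check runs before the merge and the request is refused rather than repaired.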
WFS Security
WFS security was presented in September 2010 at FOSS4G in Barcelona. It works on the same concept as WMS security.
Take a look at the presentation file below.
WPS Security
(To do)
SOS Security
(To do)
Web interface
To administer user/group permissions, GeoShield offers a web interface written using the excellent ExtJS library.
Technical info
- The core of GeoShield is written in Java and relies on GeoTools.
- The database used for storing data is PostgreSQL.
- The authentication method is "HTTP Authentication: Basic Access Authentication", which guarantees compatibility with most clients (like uDig, ArcGIS, etc.)
- Basic access authentication is considered weak unless it is used in conjunction with an external secure system such as SSL.
Download
Version 0.2: (available by October 2010)
- Web Archive
- SVN (Trunk):
user: ??
password: ??
svn checkout http://istgeo.ist.supsi.ch/???/geoshield/trunk
- Documentation
Presentation
