Istituto Scienze della Terra - SUPSI

GeoShield

The GeoShield project is released.

Download page: here
New site at  here


 

Introduction

WMS Security

WFS Security

WPS Security

SOS Security

Web Interface

Technical Info

Download

Presentation

 

 

Introduction

In the last few years, here at the Institute of Earth Science (IST), we began using OGC services for map generation (WMS, WFS), geodata processing (WPS) and sensor data interaction (SOS). As long as our services were publicly accessible there weren't many problems, but when external entities (such as the Government) ordered geo-applications, data confidentiality over the web became the main issue. Projects of this kind contain sensitive data, which obviously can't be accessible to everyone.

Searching the web for a simple solution that suited our needs, we didn't find anything really simple, so we decided to develop a security solution ourselves to guarantee strong protection for our geo-services. The first thing was to decide the project name: GeoShield.

GeoShield is a project born to offer a centralized way to define security access-control to geo-services. It acts like a proxy, intercepting all the communications between clients and OGC compliant services (WMS, WFS, WPS, SOS).

GeoShield manages users and groups, and it handles authentication and privilege settings among groups and registered services. It analyses requests, applying the filters set for the user and manipulating the response.

 

 

WMS Security

A Web Map Service (WMS) is a standard protocol for serving georeferenced map images over the Internet that are generated by a map server using data from a GIS database. The specification was developed and first published by the Open Geospatial Consortium in 1999.

For example, when handling WMS security, with GeoShield we can:
- define access privilege for each layer provided by the service,
- specify if a layer can be viewed or not,
- define geometrical extent of view permission.

All privileges on single layers are based on Common Query Language (CQL) filters, which allow interesting combinations of permission definitions that operate in a way that is hidden from the end user.

 

Example of CQL per Layer permissions:

Group:  FOO
Server:  BAR
Layer:  BAZ
Permission:  INCLUDE
Description:  users that belong to the group FOO can view the layer BAZ on server BAR.

Group:  FOO
Server:  BAR
Layer:  BAZ
Permission:  EXCLUDE
Description:  users that belong to the group FOO can't view the layer BAZ on server BAR.

Group:  FOO
Server:  BAR
Layer:  BAZ
Permission: COLOR='RED'
Description:  users that belong to the group FOO can view the layer BAZ on server BAR but only features with attribute color equal to red.

Group: FOO
Server: BAR
Layer: BAZ
Permission: BBOX(the_geom,707724,82464,732146,113847)
Description: users that belong to the group FOO can view the layer BAZ on server BAR but only the features inside the given BBOX.

Group: FOO
Server: BAR
Layer: BAZ
Permission: COLOR='RED' AND BBOX(the_geom,707724,82464,732146,113847)
Description: users that belong to the group FOO can view the layer BAZ on server BAR but only the features inside the given BBOX that have an attribute color equal to red.
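
How a proxy could enforce rules like the ones above on a WMS GetMap request, as an added example that is not GeoShield's own code. Assumptions: the upstream server is a GeoServer that accepts the CQL_FILTER vendor parameter, the layers ROADS and PARCELS are hypothetical, and only GetMap is covered.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed rules keyed by (group, server, layer), in the page's permission
# syntax: INCLUDE, EXCLUDE, or a CQL filter expression.
PERMISSIONS = {
    ("FOO", "BAR", "BAZ"): "COLOR='RED' AND BBOX(the_geom,707724,82464,732146,113847)",
    ("FOO", "BAR", "ROADS"): "INCLUDE",      # hypothetical layer
    ("FOO", "BAR", "PARCELS"): "EXCLUDE",    # hypothetical layer
}
# Assumption: the upstream is a GeoServer, whose vendor parameters CQL_FILTER,
# FILTER and FEATUREID all restrict features; client-sent copies are discarded
# so that a client cannot replace the group's filter with its own.
CLIENT_FILTER_PARAMS = ("CQL_FILTER", "FILTER", "FEATUREID")

def rewrite_getmap(group, server, query):
    """Return the query string to forward upstream, or None to deny."""
    # WMS parameter names are case-insensitive. Normalising them (last value
    # wins) means the upstream sees exactly the parameters checked here.
    params = {k.upper(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    for name in CLIENT_FILTER_PARAMS:
        params.pop(name, None)
    layers = params.get("LAYERS", "").split(",")
    styles = params.get("STYLES", "").split(",")
    kept, kept_styles, filters = [], [], []
    for i, layer in enumerate(layers):
        # Default deny: no rule for this group/server/layer means EXCLUDE.
        perm = PERMISSIONS.get((group, server, layer), "EXCLUDE")
        if perm == "EXCLUDE":
            continue
        kept.append(layer)
        kept_styles.append(styles[i] if i < len(styles) else "")
        filters.append(perm)
    if not kept:
        return None  # nothing this group may see: deny the request
    params["LAYERS"] = ",".join(kept)
    if "STYLES" in params:
        params["STYLES"] = ",".join(kept_styles)  # keep styles aligned with layers
    if any(f != "INCLUDE" for f in filters):
        # One filter per remaining layer, ';'-separated, in LAYERS order.
        params["CQL_FILTER"] = ";".join(filters)
    return urlencode(params)
```

Because the filter is attached by the proxy after authentication, the client never sees or controls it, which is the "hidden" behaviour described above.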

 

WFS Security

WFS security was presented in September 2010 at FOSS4G in Barcelona. It works on the same concept as WMS security.

Take a look at the presentation file below.

 

WPS Security

(To do)

 

SOS Security

(To do)

 

Web interface

To administer user/group permissions, GeoShield offers a web interface written using the excellent ExtJS library.

 

 

Technical info

  • The core of GeoShield is written in Java and relies on GeoTools.
  • The database used for storing data is PostgreSQL.
  • The authentication method is "HTTP Authentication: Basic Access Authentication", which guarantees compatibility with most clients (like uDig, ArcGIS, etc.).
  • Basic access authentication is considered weak unless it is used in conjunction with some external secure system such as SSL.

 

Download

Version 0.2: (available by October 2010)

  • Web Archive
  • SVN (Trunk): 

    user: ??
    password: ??

    svn checkout http://istgeo.ist.supsi.ch/???/geoshield/trunk
  • Documentation 

 

Presentation

 

FOSS4G 2009

 

 

     
  • Presentation (Italian)