Developer's Corner: Authenticating dummy clients in GeoServer

In this blog post we'll introduce a simple authentication method we developed for GeoServer that allows to deal with security unaware clients.

GeoServer can be configured to force a user to authenticate, either directly when trying to access the capabilities document (challenge mode) or when trying to access a protected resource (mixed mode). GeoServer will send a "http basic authentication" challenge, that will force browsers to show up the "username/password" authentication dialog, and make other desktop application ask and send over the user credentials.

There are surely more secure means to authenticate a user, yet basic http authentication is the minimum common denominator, something that most clients support, and coupled with HTTPS transport it provides a good starting point for a secured site.

Unfortunately there are clients out there that cannot even deal with basic authentication.

Some of the existing solutions deal with this by making you install a little desktop proxy software that the other software can connect to, with the proxy dealing with all security considerations. That is fine when you are in control of the client side, but not practical when the user is not able, willing, or allowed to install extra software on their machine.

To allow for some level of authentication and security in those cases we developed a community module called "authkey", or "Key authentication module", where all that is requested to the client is to add a unique key indentifying the user into the capabilities request.

Something like:

http://myhost/geoserver/wms?service=WMS&request=GetCapabilities&authkey=ef18d7e7-963b-470f-9230-c7f9de166888

And voilà, the user associated to that code will be recognized. The capabilities document returned will also contain back links to GeoServer that replicate the same code, so that also GetMap and GetFeatureInfo requests will work under that same user.

This way the authentication is done without the software having to willingly participate in the authentication mechanism.

The default implementation of the module will look for a property file that configures the associations between the unique codes and the existing users, but different solutions can be plugged in that allow for authentication via hardware code tokens, or daily tokens, or whatever solution you might come up with: see the documentation for more details on the configuration and instructions on how to write your own plugin.

Of course the solution is simple, but coupled with HTTPS it's more or less as secure as using basic authentication, and allows a wider range of client software solutions to participate in the game.

What about you, looking for some missing GeoServer security features? Interested in knowing more about our Enterprise Services? Let us know!

The GeoSolutions team,

Saving the world one application at a time: FAO Regional Fishery Bodies Viewer

At GeoSolutions we believe that success stories about important organizations and Open Source Software should be openly shared and they can be used as a measure of OSS success in the formal enterprise environment.  In this blog post we are going to quickly introduce some work we have done for the Fishery and Acqualture Department of the Food and Agriculture Organization (FAO) of the United Nations (UN).

The FAO Fishery and Acqualture Department, specifically the FIGIS group; is involved in many efforts geared towards the conservation of the marine ecosystem and GeoSolutions is honored to work with them on some of the mapping applications they need in order to create effective querying and visualizations of the data they manage.

This blog post covers some work we have done to support information dissemination about Regional Fishery Bodies (RFB). As stated on their website:
"Regional Fishery Bodies (RFB) -- a group of States or organizations that are parties to an international fishery arrangement -- work together towards the conservation and management of fish stocks.
RFB can play a critical role in promoting longterm sustainable fisheries where international cooperation is required in conservation and management."

Using Geoserver and OpenLayers we built with them a comprehensive web based API to create on the fly maps with the relevant information for each resource with just a couple of lines of Javascript code. Maps are embedded in the FIGIS portal, as can be seen here and in the pictures below,

but also a specific RFB Viewer can be used to quickly show the RFBs' coverage on a map as shown at this link and in the screenshot below.

Let's take a deeper look at the implementation.
Interacting with GeoServer's WMS module we dynamically build the map with the continental layer, the member countries, the coast lines and the fishery boundaries. The API supports 3 different projections: WGS84 (EPSG:4326), Google Mercator (EPSG:900913) and Polar Stereographic (EPSG:3031).

For each of the regional fisheries body selected in first drop down menu, we generate an embed code as pictured below, this is used by the Fishery department web designers to replace what previously were static images representing the resources distribution and limits. It could also be used by an external website to embed these maps into their site.

More could be said about this project regarding its infrastructure, let's summarise a few interesting points:

• background maps are served with GeoWebCache
• most of the data is stored inside the corporate instance of Oracle Spatial, demonstrating perfect integration of Open Source with COTS
• Extensive usage of CQL filters to drive the dynamic maps is used

Last but not least, we believe it is worth to mention that this work was performed via our GeoSolutions Enterprise Service. Therefore, if you'd like to know more about what we could achieve together, do not hesitate and get in touch with us!

The GeoSolutions team,

GeoSolutions Enterprise Services: Open Source meets Enterprise

• Are you looking for high-end professional support to help you with the creation of a SDI based on Open Source frameworks?
• Are you thinking about an infrastructure to support the OpenData and are you wondering if a proprietary software is the best choice?
• Are you tired of spending all your budget for licenses without creating the infrastructure you need?
• Would you like to integrate a proprietary SDI with an Open Source software?

GeoSolutions can help you! 

The GeoSolutions  Enterprises Plans offer the possibility for creating an Enterprise SDI based on the best Open Source frameworks as GeoServer, GeoNetwork and MapStore.

Thanks to GeoSolutions it is easy to meet the Open Source world, forget about licenses and decide the budget for the solutions you are looking for!
Our support plans are available in different packages because we care about who has small needs and budget and about who must manage complex infrastructures and needs high specialized support.

Don't get lost, leverage on the support from the developers of the software you are using!

Visit the web site for more information and ask us to contact you, we will discuss about how many users we can support with your computing resources rather than about how many licenses you should buy!

The GeoSolutions team,

Developer's Corner: ImageIO-Ext 1.1.3 Release is available

Dear all,
We would like to take the occasion to introduce the ImageI/O-Ext 1.1.3 release (which is now supported by GeoServer 2.1.x, 2.2.x and GeoTools 2.7.x and 8.x.

Various improvements have been implemented for the GDAL framework in order to enhance its speed and robustness:

• Tested with GDAL 1.7.3 and 1.8.1 on all Linux32/linux64/win32/win64
• More aggressive caching of GDAL Dataset resulting in more speed
• Less synchronization around GDAL calls resulting in more scalability

Artifacts Released
Artifacts for Imageio-Ext have been deployed on the GeoSolutions maven repository, as well as on the OSGEO one.


The GeoSolutions team,