MapStore2 users GeoServer integration with Authkey
This guide explains how to share users, groups and roles between MapStore and GeoServer. Applying this configuration lets users logged in to MapStore be recognized by GeoServer, so that security rules restricting services, layers and so on are correctly applied to MapStore users (also when using GeoFence).
With the suggested implementation the MapStore database also acts as a UserGroupService and a RoleService for GeoServer. This means that every MapStore user is also a GeoServer user, with the same attributes, the same roles (ADMIN, USER) and the same user groups.
For every user group assigned to a user, GeoServer also sees a role of the same name, provided by the role service, assigned to the members of that user group (user-group derived roles).
Permissions in GeoServer can be assigned using these roles, or with finer granularity using a custom Resource Access Manager (such as GeoFence).
Limits of this solution
This solution partially degrades the user management UI of GeoServer for the users, groups and roles that belong to MapStore. If you adopt it, manage users through MapStore's user manager and avoid GeoServer's.
Requirements
- GeoServer must have the Authkey Plugin Community Module installed
- The MapStore2 database must be reachable by GeoServer (H2 will not work; use PostgreSQL or Oracle), because GeoServer's user group and role services read it directly over JDBC
- MapStore2 must be reachable by GeoServer via HTTP, because GeoServer resolves each authkey by calling back into MapStore
This example focuses on the PostgreSQL database type. It assumes a new installation, so no existing user or map will be preserved.
Database preparation
- Follow the GeoStore wiki to set up a PostgreSQL database (ignore the geostore_test part).
- Start your Tomcat at least once, so that mapstore.war is extracted into the webapps directory of the Tomcat instance.
- Stop Tomcat.
- In the extracted folder (<TOMCAT_DIR>/webapps/mapstore), copy the file WEB-INF/classes/db-conf/postgres.properties over WEB-INF/classes/geostore-database-ovr.properties.
- Edit the new WEB-INF/classes/geostore-database-ovr.properties file with your DB URL and credentials.
- Start Tomcat.
The default user/password pairs are:
- admin:admin
- user:user
Change these defaults before exposing the installation: with this setup they also become valid GeoServer credentials.
GeoServer Setup
Follow the instructions at https://github.com/geosolutions-it/geostore/tree/master/geoserver
Create the empty GeoStore database using the scripts described in the GeoStore wiki.
The following procedure makes GeoServer accessible to the users stored in the MapStore database. If a user with the same name exists in both MapStore and GeoServer, the MapStore user takes precedence. At the end of the procedure, when you log in as admin you will have to use the password of the MapStore admin user (admin by default).
User Groups and Roles
Setup User Group
The steps below reference the usergroup and role service configuration files; download them from the geostore repository as needed.
- In GeoServer, add a new User Group Service.
- Set up the User Group Service:
  - Select JDBC
  - Name: geostore
  - Password encryption: Digest
  - Password policy: default
  - Driver: org.postgresql.Driver (or JNDI)
  - Connection URL: jdbc:postgresql://localhost:5432/geostore (or the one for your setup)
  - JNDI only: the JNDI resource name should look like java:comp/env/jdbc/geostore
  - Set the username and password for the DB (the wiki's example uses user 'geostore' with password 'geostore'; use your own credentials)
  - Save
- Place the provided files in the newly created directory under /security/usergroup/geostore.
- Go back to the geostore user group service (the DDL and DML path fields should now be filled in) and save again.
Setup Role Service
Use these services as default
Use the Auth key Module with GeoStore/GeoServer
These last steps are required to allow users logged in MapStore to be authenticated correctly by GeoServer.
Configure GeoServer
Note: among the available User Group and Role Service options you will also find "AuthKEY WebService Body Response - UserGroup Service from WebService Response Body" and "AuthKEY REST - Role service from REST endpoint". Ignore them: they are not supported by MapStore2.
Configure MapStore
The last step is to configure MapStore to use the authkey with the GeoServer instance configured above. You do this by adding an authkey rule to the authenticationRules array in localConfig.json.
- Verify that "useAuthenticationRules" is set to true.
- The authenticationRules array should contain 2 rules:
  - The first rule should already be present and defines the authentication method used internally by MapStore.
  - The second rule (the one you need to add) defines how to authenticate to GeoServer:
    - urlPattern: a regular expression that identifies the request URLs to which the rule applies
    - method: set it to authkey to use the authentication filter you just created in GeoServer
    - authkeyParamName: the name of the authkey parameter defined in GeoServer (authkey by default)
Keep urlPattern as narrow as possible: MapStore appends the user's session key to every request URL the pattern matches, so a pattern that also matches other hosts would send that key to third parties. Since the key travels as a query parameter, serve both applications over HTTPS and be aware that it will appear in web server and GeoServer access logs.
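The following is an added illustration, not MapStore or GeoServer code, of the whole hand-off this page configures: the MapStore side applying the authenticationRules described above, and the GeoServer side turning the authkey parameter into a principal with the roles and user-group derived roles described at the top of the page. The GeoServer context path "/geoserver", the method name "bearer" on the first rule, first-match rule semantics, and all session and user data are assumptions made for the example.

```javascript
// Added illustration (not MapStore or GeoServer code): a model of the authkey
// hand-off with both sides in one file. Assumed, not from the page: the
// GeoServer context path "/geoserver", the first rule's method name "bearer",
// first-match rule semantics, and all sample data below (constructed).

// The localConfig.json fragment described in the text, as a JS object.
const localConfig = {
  useAuthenticationRules: true,
  authenticationRules: [
    // Rule 1: MapStore's own backend calls (already present; method name assumed).
    { urlPattern: ".*geostore.*", method: "bearer" },
    // Rule 2: the one you add. Keep the pattern narrow: every matching URL
    // receives the session key, so it must match only your GeoServer.
    // authkeyParamName must equal the filter's parameter name in GeoServer.
    { urlPattern: "\\/geoserver.*", method: "authkey", authkeyParamName: "authkey" }
  ]
};

// MapStore side: the first rule whose urlPattern matches the request URL wins.
function findRule(url, config = localConfig) {
  if (!config.useAuthenticationRules) return null;
  return config.authenticationRules.find(r => new RegExp(r.urlPattern).test(url)) || null;
}

// MapStore side: append the session key only when an authkey rule matches.
function addAuthkey(url, sessionKey, config = localConfig) {
  const rule = findRule(url, config);
  if (!rule || rule.method !== "authkey" || !sessionKey) return url;
  const sep = url.includes("?") ? "&" : "?";
  return url + sep + encodeURIComponent(rule.authkeyParamName) + "=" + encodeURIComponent(sessionKey);
}

// GeoServer side. Constructed sample data standing in for (a) the MapStore
// session store that GeoServer queries over HTTP to turn a key into a username,
// and (b) the geostore tables read by the JDBC user-group and role services.
const mapstoreSessions = { "sess-7c1e": "admin", "sess-2a9b": "user", "sess-00ff": "guest" };
const geostoreDb = {
  users: {
    admin: { enabled: true, groups: ["everyone"] },
    user:  { enabled: true, groups: ["everyone", "editors"] },
    guest: { enabled: false, groups: ["everyone"] }
  },
  roles: { admin: ["ADMIN"], user: ["USER"], guest: ["USER"] }
};

// Stand-in for the HTTP call from GeoServer to MapStore (the reason MapStore
// must be reachable from GeoServer). Unknown or expired keys resolve to null.
function resolveUsername(key) {
  return Object.prototype.hasOwnProperty.call(mapstoreSessions, key) ? mapstoreSessions[key] : null;
}

const ANONYMOUS = Object.freeze({ principal: "anonymous", roles: ["ROLE_ANONYMOUS"] });

// Model of the authkey filter: read the parameter, resolve it through MapStore,
// load the user from the user-group service, then build the role set from the
// role service plus one role per user group (the user-group derived roles).
// A missing, unknown or disabled key does not fail the request: it simply
// proceeds unauthenticated, as a request without credentials would.
function authenticate(requestUrl, paramName = "authkey") {
  const key = new URL(requestUrl, "http://geoserver.invalid").searchParams.get(paramName);
  if (!key) return ANONYMOUS;
  const username = resolveUsername(key);
  const user = username ? geostoreDb.users[username] : undefined;
  if (!user || !user.enabled) return ANONYMOUS;
  const roles = [...(geostoreDb.roles[username] || []), ...user.groups];
  return { principal: username, roles };
}

// Example run: a GetMap request issued by a logged-in MapStore admin.
const signed = addAuthkey("/geoserver/wms?SERVICE=WMS&REQUEST=GetMap", "sess-7c1e");
const who = authenticate(signed);
console.log(signed, "->", who.principal, who.roles.join(","));
```

Two things the model makes visible: GeoServer never sees the MapStore password, it trusts whatever username MapStore returns for the key, so the HTTP path between the two servers is part of the trust boundary; and a request whose key cannot be resolved is not rejected but handled as anonymous, so a wrong authkeyParamName or an unreachable MapStore shows up as "access denied by layer rules", not as an authentication error.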