/geofence

Advanced Authorization Manager for GeoServer


GeoFence

GeoFence is an advanced authentication/authorization engine for GeoServer.

Features

GeoFence allows you to create authorization rules on GeoServer resources based on multiple parameters, such as the user requesting the data, the user's role, the source IP address of the web request, the OGC service/request used, and the requested layer or its workspace.

You can set up authorization rules with the granularity you need: you can allow or deny access to a given layer as a whole, or simply hide some attributes, restrict the output to a given area, or allow access to only a subset of the features by filtering them with a CQL expression.

You can find more details on this page.
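A minimal model of the multi-parameter rule matching described above, added here as an example; it is not GeoFence code and does not use the GeoFence API. Priority ordering, first-match-wins evaluation, default deny, and every rule, role, workspace and layer name below are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int                          # assumption: lower number is evaluated first
    access: str                            # "ALLOW" or "DENY"
    user: Optional[str] = None             # None means "any" for every match field
    role: Optional[str] = None
    source_net: Optional[str] = None       # CIDR range for the request's source IP
    service: Optional[str] = None          # OGC service, e.g. WFS
    request: Optional[str] = None          # OGC request, e.g. GetFeature
    workspace: Optional[str] = None
    layer: Optional[str] = None
    hidden_attrs: frozenset = frozenset()  # attributes hidden when access is ALLOW

def matches(rule: Rule, req: dict) -> bool:
    for name in ("user", "role", "service", "request", "workspace", "layer"):
        wanted = getattr(rule, name)
        if wanted is not None and wanted != req.get(name):
            return False
    if rule.source_net is not None:
        if ipaddress.ip_address(req["ip"]) not in ipaddress.ip_network(rule.source_net):
            return False
    return True

def decide(rules, req):
    """Return (access, hidden_attrs); first match wins, no match means DENY."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.access, rule.hidden_attrs
    return "DENY", frozenset()

# Constructed sample rules (hypothetical workspace, layer and role names).
RULES = [
    Rule(10, "ALLOW", role="ROLE_EDITOR", source_net="10.0.0.0/8",
         service="WFS", workspace="cadastre"),
    Rule(20, "ALLOW", service="WFS", request="GetFeature",
         workspace="cadastre", layer="parcels",
         hidden_attrs=frozenset({"owner_name"})),
    Rule(30, "DENY", workspace="cadastre"),
]

if __name__ == "__main__":
    edit = {"role": "ROLE_EDITOR", "service": "WFS", "request": "Transaction",
            "workspace": "cadastre", "layer": "parcels"}
    print(decide(RULES, {**edit, "ip": "10.1.2.3"}))     # editor on the internal range
    print(decide(RULES, {**edit, "ip": "203.0.113.7"}))  # same role, outside the range
```

In this model the same editor role is allowed from the internal range and denied from outside it, which is why the catch-all deny has to sit after the narrower allow rules.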

Architecture

GeoFence can be run either as a standalone Java web application, or embedded into GeoServer.

The GeoFence standalone application provides a graphical user interface to administer GeoServer users and authorization rules. In addition, a fairly complete REST API allows programmatic administration of the rules and their ancillary data.
In this configuration GeoServer needs a module (the probe) that will send authorization queries to GeoFence using a configurable protocol (by default it uses Spring remoting over HTTP).

The embedded configuration will make the GeoFence engine run within GeoServer itself. The administration GUI will be seamlessly embedded into GeoServer.

GeoFence provides the authorization services using the interface described in GSIP 57.

License

GeoFence core modules and GUI, as well as the part of GeoFence that is installed as a module into GeoServer (either the probe or the embedded logic), are free and Open Source software, released under the GPL v2.0 license, as it implements a GeoServer Java API.

Getting GeoFence

Since there are two different ways to run GeoFence, you'll need a different set of files depending on your configuration.

Standalone
You'll need the GeoFence .war file, and the probe module to be deployed into GeoServer.
Embedded
You'll only need to deploy the linked embedded module into GeoServer. The embedded version is only available starting from the 3.0 version.

Since GeoFence and GeoServer run side by side, every API change on either side requires a change on the other. Here's a compatibility table for the versions of both applications:

| GeoFence | GeoServer | Main changes |
|---|---|---|
| master branch: stable 3.3.0, nightly 3.3.x | | LDAP improvements; Minor DTO changes |
| 3.2.x branch: stable 3.2.2, nightly 3.2.x | 2.11 (probe) (embedded); 2.10 (probe) (embedded); 2.9 (probe) (embedded) | Spring 4, JDK 8 |
| 3.1.x branch: stable 3.1.0, nightly 3.1.x | >=2.8.2 (probe) (embedded) | Handle Workspace admin (feature for embedded version only) |
| 3.0.x | 2.8.0, 2.8.1 | GeoFence embedded into GeoServer (Only for older 2.8 releases; Not recommended) |
| 2.2.x branch: stable 2.2.0, nightly 2.2.x | 2.7 (probe); 2.6 (probe) | |

Once you have downloaded the resources you need, please follow the instructions on the [GeoFence installation](https://github.com/geoserver/geofence/wiki/GeoFence-installation) wiki page.

Documentation

Community

The GeoFence project is part of GeoServer, so any question can be directed to the GeoServer user mailing list, and developer collaboration can be discussed on the GeoServer developer mailing list.