Inicio Explorar Axuda
Rexistro Iniciar sesión
siwei
/
web-server
1
0
Fork 0
Ficheiros Incidencias 0 Pull Requests 0 Wiki
Rama: master
Ramas Etiquetas
web-server
/
doc
/
en
/
user
/
source
/
security
/
webadmin
/
auth.rst

auth.rst 12 KB
Permalink Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257 
  1. .. _security_webadmin_auth:
    2. 

  2. 

  3. Authentication
    4. 

  4. ==============
    5. 

  5. 

  6. This page manages the authentication options, including authentication providers and the authentication chain.
    7. 

  7.    
    8. 

  8. Brute force attack prevention
    9. 

  9. -----------------------------
    10. 

  10. 

  11. GeoServer ships with a delay based brute force attack prevention system.
    12. 

  12. 

  13. .. figure:: images/auth_brute_force.png
    14. 

  14.    :align: center
    15. 

  15.    
    16. 

  16.    *Brute force attack prevention settings*
    17. 

  17. 

  18. .. list-table:: 
    19. 

  19.    :widths: 40 60 
    20. 

  20.    :header-rows: 1
    21. 

  21. 

  22.    * - Option
    23. 

  23.      - Description
    24. 

  24.    * - Enabled
    25. 

  25.      - Whether the brute force attack prevention is enabled. Defaults to true.
    26. 

  26.    * - Minimum delay on failed authentication (seconds)
    27. 

  27.      - Minimum number of seconds a failed login request will be made to wait before getting a response
    28. 

  28.    * - Maximum delay on failed authentication (seconds)
    29. 

  29.      - Maximum number of seconds a failed login request will be made to wait before getting a response
    30. 

  30.    * - Excluded network masks
    31. 

  31.      - Network masks identifying hosts that are excluded from brute force attack prevention. Can be empty, include specific IPs, or a list of network masks. 
    32. 

  32.        Defaults to 127.0.0.1, the localhost.
    33. 

  33.    * - Maximum number of threads blocked on failed login delay
    34. 

  34.      - Limits the number of threads that get delayed on failed login, should be set to a value less than the container's available response threads.
    35. 

  35.        
    36. 

  36. The mechanism works as follows:
    37. 

  37. 

  38. * Each failed authentication request is made to wait between min and max seconds before getting an actual response back.
    39. 

  39. * Each attempt to authenticate the same username in parallel fails immediately, regardless of whether the credentials were valid or not, with a message stating concurrent login attempts are not allowed.
    40. 

  40. 

  41. The first item slows down a single threaded attack to the point of making it ineffective (each failed attempt is logged
    42. 

  42. along with the IP attempting access), the second item breaks multi-threaded attacks ability to scale.
    43. 

  43. Login attempts are slowed down/blocked on all protocols, be either a OGC request, a REST call, or the UI.
    44. 

  44. 

  45. A user trying to login from the user interface while another request is blocked waiting for the cool-down period to
    46. 

  46. expire will see a message like the following:
    47. 

  47. 

  48. .. figure:: images/auth_brute_force_message.png
    49. 

  49.    :align: center
    50. 

  50.    
    51. 

  51.    *Error message for parallel user interface login*
    52. 

  52.   
    53. 

  53. A HTTP request (REST or OGC) will instead get an immediate 401 with a message like:
    54. 

  54. 

  55. HTTP/1.1 401 User foo, 5896 concurrent login attempt(s) denied during the quiet period
    56. 

  56.   
    57. 

  57. 

  58. A blessed set of IPs that can dodge the mechanism allows legit administrators to take control of the server even during
    59. 

  59. an attack. The system only trusts the actual requestor IP, ignoring "X-Forwarded-For" headers, as they can be easily spoofed
    60. 

  60. (this in turn requires the admin to access the system from a local network, without proxies in the middle, for the blessed
    61. 

  61. IP to be recognized).
    62. 

  62. 

  63. The maximum number of threads blocked configuration allows to setup the system so that an attacker can misuse the
    64. 

  64. system to simply block all service threads, by issuing requests with random usernames (the system cannot determine
    65. 

  65. if a username is valid or not, none of the authentication mechanisms provides this information for security reasons).
    66. 

  66. 

  67. Considerations on how to setup the system:
    68. 

  68. 

  69. * A small delay is normally more than enough to stop a brute force attack, resist the temptation of setting high delay values
    70. 

  70.   as they might end up blocking too many legitimate accounts and trigger the max blocked threads mechanism.
    71. 

  71. * Ensure that the excluded networks are well protected by other means.
    72. 

  72. * Set the maximum number of blocked threads to a value large allow peak hour legit logins (e.g., early morning when
    73. 

  73.   all the users start working) while still leaving room for successful authentication requests.
    74. 

  74. * A clustered/load balanced setup will not share the state of blocked logins, each host tracks its local login failures.
    75. 

  75. 

  76. Authentication filters
    77. 

  77. ----------------------
    78. 

  78. 

  79. This section manages the Authentication Filters (adding, removing, and editing). Several authentication filters are configured by default (anonymous, basic, form, rememberme), but others can be added to the list.
    80. 

  80. 

  81. .. figure:: images/auth_filters.png
    82. 

  82.    :align: center
    83. 

  83.    
    84. 

  84.    *List of authentication filters*
    85. 

  85. 

  86. Anonymous access
    87. 

  87. ~~~~~~~~~~~~~~~~
    88. 

  88. 

  89. By default, GeoServer will allow anonymous access to the :ref:`web_admin`. Without authentication, users will still be able to view the :ref:`layerpreview`, capabilities documents, and basic GeoServer details. Anonymous access can by removing the :guilabel:`anonymous` authentication filter. If removed, anonymous users navigating to the GeoServer page will get an HTTP 401 status code, which typically results in a browser-based request for credentials.
    90. 

  90. 

  91. Credentials from Headers filter
    92. 

  92. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    93. 

  93. 

  94. This filter allows gathering user credentials (username and password) from request headers in a flexible and configurable way.
    95. 

  95. 

  96. .. figure:: images/auth_filter_credentials_from_header.png
    97. 

  97.    :align: center
    98. 

  98. 

  99.    *Creating a new authentication filter fetching credentials from request headers*
    100. 

  100.    
    101. 

  101.    
    102. 

  102. .. list-table:: 
    103. 

  103.    :widths: 40 60 
    104. 

  104.    :header-rows: 1
    105. 

  105. 

  106.    * - Option
    107. 

  107.      - Description
    108. 

  108.    * - Name
    109. 

  109.      - Name of the filter
    110. 

  110.    * - Username Header
    111. 

  111.      - Name of the Request Header containing the username
    112. 

  112.    * - Regular Expression for Username
    113. 

  113.      - Regular Expression used to extract the username from the related Header. Must define a group that will match the username.
    114. 

  114.    * - Password Header
    115. 

  115.      - Name of the Request Header containing the password
    116. 

  116.    * - Regular Expression for Password
    117. 

  117.      - Regular Expression used to extract the password from the related Header. Must define a group that will match the password.
    118. 

  118.    * - Parse Arguments as Uri Components
    119. 

  119.      - If checked username and password are URI decoded before being used as credentials
    120. 

  120. 

  121.    
    122. 

  122. 	 
    123. 

  123. Authentication providers
    124. 

  124. ------------------------
    125. 

  125. 

  126. This section manages the :ref:`security_auth_providers` (adding, removing, and editing). The default authentication provider uses basic :ref:`username/password authentication <security_auth_provider_userpasswd>`. :ref:`JDBC <security_auth_provider_jdbc>` and :ref:`LDAP <security_auth_provider_ldap>` authentication can also be used.
    127. 

  127. 

  128. Click :guilabel:`Add new` to create a new provider. Click an existing provider to edit its parameters.
    129. 

  129. 

  130. .. figure:: images/auth_providers.png
    131. 

  131.    :align: center
    132. 

  132. 

  133.    *List of authentication providers*
    134. 

  134.    
    135. 

  135. Username/password provider
    136. 

  136. ~~~~~~~~~~~~~~~~~~~~~~~~~~
    137. 

  137. 

  138. The default new authentication provider uses a user/group service for authentication.
    139. 

  139. 

  140. .. figure:: images/auth_userpass.png
    141. 

  141.    :align: center
    142. 

  142. 

  143.    *Creating a new authentication provider with a username and password*
    144. 

  144. 

  145. .. list-table:: 
    146. 

  146.    :widths: 40 60 
    147. 

  147.    :header-rows: 1
    148. 

  148. 

  149.    * - Option
    150. 

  150.      - Description
    151. 

  151.    * - Name
    152. 

  152.      - Name of the provider
    153. 

  153.    * - User Group Service
    154. 

  154.      - Name of the user/group service associated with this provider. Can be any one of the active user/group services.
    155. 

  155. 

  156. JDBC provider
    157. 

  157. ~~~~~~~~~~~~~
    158. 

  158. 

  159. The configuration options for the JDBC authentication provider are illustrated below.
    160. 

  160. 

  161. .. figure:: images/auth_jdbc.png
    162. 

  162.    :align: center
    163. 

  163. 

  164.    *Configuring the JDBC authentication provider*
    165. 

  165. 

  166. 

  167. .. list-table::
    168. 

  168.    :widths: 40 60
    169. 

  169.    :header-rows: 1
    170. 

  170. 

  171.    * - Option
    172. 

  172.      - Description
    173. 

  173.    * - Name
    174. 

  174.      - Name of the JDBC connection in GeoServer
    175. 

  175.    * - User Group Service
    176. 

  176.      - Name of the user/group service to use to load user information after the user is authenticated
    177. 

  177.    * - Driver class name
    178. 

  178.      - JDBC driver to use for the database connection
    179. 

  179.    * - Connection URL
    180. 

  180.      - JDBC URL to use when creating the database connection
    181. 

  181. 

  182. LDAP provider
    183. 

  183. ~~~~~~~~~~~~~
    184. 

  184. 

  185. The following illustration shows the configuration options for the LDAP authentication provider. The default option is to use LDAP groups for role assignment, but there is also an option to use a user/group service for role assignment. Depending on whether this option is selected, the page itself will have different options.
    186. 

  186. 

  187. .. figure:: images/auth_ldap1.png
    188. 

  188.    :align: center
    189. 

  189. 

  190.    *Configuring the LDAP authentication provider using LDAP groups for role assignment*
    191. 

  191. 

  192. .. figure:: images/auth_ldap2.png
    193. 

  193.    :align: center
    194. 

  194. 

  195.    *Configuring the LDAP authentication provider using user/group service for authentication*
    196. 

  196. 

  197. 

  198. .. list-table::
    199. 

  199.    :widths: 40 60
    200. 

  200.    :header-rows: 1
    201. 

  201. 

  202.    * - Option
    203. 

  203.      - Description
    204. 

  204.    * - Name
    205. 

  205.      - Name of the LDAP connection in GeoServer
    206. 

  206.    * - Server URL
    207. 

  207.      - URL for the LDAP server connection. It must include the protocol, host, and port, as well as the "distinguished name" (DN) for the root of the LDAP tree.
    208. 

  208.    * - TLS
    209. 

  209.      - Enables a STARTTLS connection. (See the section on :ref:`security_auth_provider_ldap_secure`.)
    210. 

  210.    * - User DN pattern
    211. 

  211.      - Search pattern to use to match the DN of the user in the LDAP database. The pattern should contain the placeholder ``{0}`` which is injected with the ``uid`` of the user. Example: ``uid={0},ou=people``. The root DN specified as port of the *Server URL* is automatically appended.
    212. 

  212.    * - User Filter
    213. 

  213.      - LDAP Filter used to extract User data from LDAP database. Used alternatively to User DN pattern and combined with User Format to separate bind and user data extraction handling. Example: ``(userPrincipalName={0})``. Gets user data searching for a single record matching the filter. This may contain two placeholder values:
    214. 

  214.        ``{0}``, the full DN of the user, for example ``uid=bob,ou=people,dc=acme,dc=com``
    215. 

  215.        ``{1}``, the ``uid`` portion of the full DN, for example ``bob``.
    216. 

  216.    * - User Format
    217. 

  217.      - String formatter used to build username used for binding. Used alternatively to User DN pattern and combined with User Filter to separate bind and user data extraction handling. Example: ``{0}@domain``. Binds user with the username built applying the format.  This may contain one placeholder:
    218. 

  218.        ``{0}``, the username, for example ``bob``
    219. 

  219.    * - Use LDAP groups for authorization
    220. 

  220.      - Specifies whether to use LDAP groups for role assignment
    221. 

  221.    * - Bind before group search
    222. 

  222.      - Specifies whether to bind to LDAP server with the user credentials before doing group search
    223. 

  223.    * - Group search base
    224. 

  224.      - Relative name of the node in the tree to use as the base for LDAP groups. Example: ``ou=groups``. The root DN specified as port of the *Server URL* is automatically appended. Only applicable when the *Use LDAP groups for authorization( parameter is **checked**.
    225. 

  225.    * - Group search filter
    226. 

  226.      - Search pattern for locating the LDAP groups a user belongs to. This may contain two placeholder values:
    227. 

  227.        ``{0}``, the full DN of the user, for example ``uid=bob,ou=people,dc=acme,dc=com``
    228. 

  228.        ``{1}``, the ``uid`` portion of the full DN, for example ``bob``.
    229. 

  229.        Only applicable when the *Use LDAP groups for authorization( parameter is **checked**.
    230. 

  230.    * - Admin Group
    231. 

  231.      - Name of the group to be mapped to Administrator role (defaults to ADMINISTRATOR). Example: ``ADMIN``. Adds the role ROLE_ADMINISTRATOR if the user belongs to a group named ADMIN (case insensitive)
    232. 

  232.    * - Group Admin Group
    233. 

  233.      - Name of the group to be mapped to Group Administrator role (defaults to GROUP_ADMIN). Example: ``GROUPADMIN``. Adds the role ROLE_GROUP_ADMIN if the user belongs to a group named GROUPADMIN (case insensitive)     
    234. 

  234.    * - User Group Service
    235. 

  235.      - The user/group service to use for role assignment. Only applicable when the *Use LDAP groups for authorization* parameter is **cleared**.
    236. 

  236.    * - Enable Hierarchical groups search 
    237. 

  237.      - Specifies whether to use Hierarchical LDAP groups search for role assignment
    238. 

  238.    * - Max depth for hierarchical groups search 
    239. 

  239.      - Specifies the max group search depth level to use with Hierarchical LDAP groups search. Use ``-1`` for no limit. Only applicable when the *Enable Hierarchical groups search( parameter is **checked**.
    240. 

  240.    * - Nested group search filter
    241. 

  241.      - Search pattern for locating parent LDAP groups a group belongs to. This may contain two placeholder values:
    242. 

  242.      
    243. 

  243.        ``{0}``, the full DN of the user, for example ``cn=it,ou=groups,dc=acme,dc=com``
    244. 

  244.        
    245. 

  245.        ``{1}``, the ``cn`` portion of the full DN, for example ``it``.
    246. 

  246.        Only applicable when the *Enable Hierarchical groups search( parameter is **checked**.
    247. 

  247. 

  248. Authentication chain
    249. 

  249. --------------------
    250. 

  250. 

  251. This section selects the authentication chain. Currently, only one default authentication chain is available. For further information about the default chain, please refer to :ref:`security_auth_chain`.
    252. 

  252. 

  253. .. figure:: images/auth_chain.png
    254. 

  254.    :align: center
    255. 

  255. 

  256.    *Selecting the authentication chain*
    257. 

  257.