GeoFence is an advanced authentication/authorization engine for GeoServer.
GeoFence allows you to create authorization rules on GeoServer resources based on multiple parameters, such as the user requesting the data, their role, the source IP address of the web request, the OGC service/request used, the requested layer or its workspace.
You can set up authorization rules with the granularity you need: you can allow or deny access to a given layer as a whole, or simply hide some attributes, restrict the output to a given area, or allow access to only a subset of the features by filtering them with a CQL expression.
You can find more details on this page.
GeoFence can be run either as a standalone Java web application, or embedded into GeoServer.
The GeoFence standalone application runs as a Java service, and can be queried for authorization by one or more GeoServer instances.
It provides a graphical user interface to administer GeoServer users and authorization rules.
Furthermore, a quite complete REST API allows the programmatic administration of the rules and their ancillary data.
In this configuration GeoServer needs a module (the GeoFence client plugin) that will send authorization queries to GeoFence using a configurable protocol (by default it uses Spring remoting over HTTP).
The embedded configuration will make the GeoFence engine run within GeoServer itself. The administration GUI will be seamlessly embedded into GeoServer. The embedded GeoFence should be installed as a GeoServer plugin as well.
GeoFence provides the authorization services using the interface described in GSIP 57.
GeoFence core modules and GUI, as well as the GeoFence plugins in GeoServer, are free and Open Source software, released under the GPL v2.0 license, as GeoFence implements a GeoServer Java API.
Since there are two different ways to run GeoFence, you'll need a different set of files depending on your configuration.
- Standalone: You'll need the GeoFence .war file, and the `geofence` plugin to be deployed into GeoServer.
- Embedded: You'll only need to deploy the `geofence-server` plugin into GeoServer.
Since GeoFence and GeoServer run side by side, every change of the API on either side requires a change on the other one. Here's a compatibility table for the versions of both applications:
GeoFence | GeoServer | Main changes |
---|---|---|
3.5.x - nightly: 3.5.x | 2.19.x (client) (embedded) | DTO changes in restricted area: wkt, clip |
3.4.x - stable: 3.4.6.1 | 2.18.x (client) (embedded), 2.17.x (client) (embedded) | JTS Version update, Minor DTO changes |
3.3.x | | LDAP improvements, Minor DTO changes |
3.2.x | 2.12, 2.11, 2.10, 2.9 | Spring 4, JDK 8 |
3.1.x | >=2.8.2 | Handle Workspace admin (feature for embedded version only) |
3.0.x | 2.8.0, 2.8.1 | GeoFence embedded into GeoServer (Only for older 2.8 releases; Not recommended) |
2.2.x | 2.7, 2.6 | |
*: Since GeoServer 2.15, GeoFence modules have been promoted to regular extensions
Once you have downloaded the resources you need, please follow the instructions on the GeoFence installation wiki page.
- How to install GeoFence
- 5 Minutes intro to using GeoFence
- How to configure GeoFence
- How to build GeoFence
- Documentation Index
The GeoFence project is part of GeoServer, so any question can be directed to the GeoServer user mailing list, and developer collaboration can be discussed on the GeoServer developer mailing list.