The core idea of Cartaro is the closest possible integration of geodata with other content in a single software stack. This extends to the common management of users, roles and their privileges, meaning you should be able to apply the same security mechanisms and privileges to spatial and non-spatial content. Within Cartaro, the privileges for non-spatial content are handled by Drupal. GeoServer, on the other hand, is responsible for delivering optionally protected geospatial data to the web, either through web services (OWS and others) or through a number of downloadable file formats.
A GeoServer extension is provided in order to use Drupal as the user and role provider for GeoServer, allowing Cartaro to forward Drupal authorizations to GeoServer. This means you can set up a protected geo web service with GeoServer that is automatically available to a user after logging in to the main Drupal site.
Furthermore, the same GeoServer-provided service is also available outside of your Drupal site, e.g. in a desktop GIS connecting to GeoServer directly. The usual authentication mechanisms as defined by the OGC and implemented by GeoServer apply, but they respect any permissions set in Drupal (those are merged with the permissions you set in GeoServer).
Even though setting GeoServer up this way is optional, we strongly recommend doing so, as it automates user/permission synchronization, which is an error-prone process if done by hand.
Installing the extension
The GeoServer extension is provided as a JAR file that needs to be placed in GeoServer's WEB-INF/lib/ folder. Once it is in place, use the dependency injection mechanism of Spring (the framework GeoServer is built on) to supply this implementation in place of the file-based user and role system.
A classpath modification is used to override GeoServer's default implementation. Open WEB-INF/web.xml and append classpath*:/applicationSecurityContextOverride.xml to the contextConfigLocation context parameter. This parameter sets where Spring looks for implementations of classes when its dependency injection subsystem is asked for Java beans. The later a configuration is read, the higher its priority. Putting the definitions from geoserver-sec-drupal last ensures that the new implementation is chosen over the default one. Restart GeoServer so that it picks up the new classes.
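A check for the ordering requirement described above, as an added example that is not part of Cartaro or geoserver-sec-drupal: it parses a web.xml and reports whether the override entry is present and last in contextConfigLocation. The function names, the sample file contents and the two default entries in the samples are assumptions made for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

OVERRIDE = "classpath*:/applicationSecurityContextOverride.xml"  # entry named in the text

def _local(tag):
    """Drop an XML namespace prefix so namespaced and plain web.xml files both match."""
    return tag.rsplit("}", 1)[-1]

def context_config_locations(web_xml):
    """Return the contextConfigLocation entries in the order they are listed."""
    for param in ET.fromstring(web_xml).iter():
        if _local(param.tag) != "context-param":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in param}
        if fields.get("param-name") == "contextConfigLocation":
            # Spring splits this value on commas, semicolons and whitespace.
            return [p for p in re.split(r"[,;\s]+", fields.get("param-value", "")) if p]
    return []

def check_override(web_xml):
    """Classify a web.xml as 'ok', 'not-last' or 'missing' for the override entry."""
    locations = context_config_locations(web_xml)
    if OVERRIDE not in locations:
        return "missing"
    return "ok" if locations[-1] == OVERRIDE else "not-last"

def _sample(value):
    """Build a constructed web.xml around one contextConfigLocation value."""
    return ("<web-app><context-param><param-name>contextConfigLocation</param-name>"
            "<param-value>%s</param-value></context-param></web-app>" % value)

# Constructed samples; the two non-override entries are assumed defaults.
DEFAULTS = "classpath*:/applicationContext.xml classpath*:/applicationSecurityContext.xml"
SAMPLE_OK = _sample(DEFAULTS + "\n      " + OVERRIDE)
SAMPLE_NOT_LAST = _sample(OVERRIDE + " " + DEFAULTS)
SAMPLE_MISSING = _sample(DEFAULTS)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real file, e.g. WEB-INF/web.xml
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], check_override(fh.read()))
    else:
        for name in ("SAMPLE_OK", "SAMPLE_NOT_LAST", "SAMPLE_MISSING"):
            print(name, check_override(globals()[name]))
```

A result of not-last or missing means the override may not take precedence over the default file-based user and role system after the restart.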
Log in to GeoServer as the user root and add a new role service of type Drupal. It does not matter which name you set, and one such service is sufficient for any number of bound Drupal instances. Finally, make sure GeoServer actually uses the new service by selecting it in GeoServer's global security settings.
Binding Drupal instances
Each Drupal instance whose users and roles should be available in GeoServer needs to be added, too. To do so add an Authentication Provider of type Drupal and enter the connection parameters for the Drupal database. The user you set here needs to be able to read users and roles because GeoServer will use it to verify credentials and to read the roles for each authenticated user.
Continue by adding a User Group Service with the same credentials as used for the Authentication Provider. Make sure the name you choose for both services is the same and that it equals the workspace name that you choose when installing Cartaro. See geoserver-sec-drupal's readme for more detailed instructions.
Activate the authentication provider by moving it into the list of active providers. GeoServer will now acquire a database connection to your Drupal instance on its next restart and accept Drupal users for login thereafter.
As long as you are using your browser to access Cartaro, there is no need to log in to GeoServer separately. When you log in to Cartaro, it makes sure that you are logged in to GeoServer as well, which gives you access to all maps to which your user has been granted access by the permission settings within Drupal.
When accessing Cartaro's web services from a third-party application, simply use the same user name and password as for logging in to Cartaro. This applies, for example, when you want to access Cartaro from a desktop GIS for feature editing over WFS.
Note that you need to prepend Cartaro's workspace to your Drupal user name if, and only if, your GeoServer is shared by multiple Cartaro instances. For example, if the GeoServer workspace used by Cartaro is called forestry and your Drupal user is pat, your desktop GIS would need to use forestry_pat as the user name. Your password is unaltered. Prefixing user names and roles in GeoServer ensures that the Cartaro instances are distinguishable in GeoServer in that case.
You can now proceed with installing Cartaro.