Managing Users and RolesΒΆ

Security in GeoServer is a role-based system. Roles are created to serve particular functions (Examples: access WFS, administer UI, read certain layers), and users are linked to those roles. Since GeoServer 2.2 the concept of group has been introduced; a group is basically a set of Users.

Users and groups are managed by user/group services. A default service is available in standard GeoServer installation, that uses xml files in the GeoServer data dir to store data. Roles are managed by role services. A default service is available in standard GeoServer installation, that uses xml files in the GeoServer data dir to store data.

Alternative services can be created if needed to:
  • store user data in a database or different source
  • bind different sets of users/groups to different authentication providers

To have more detail:

We will now see how to add a new user to the default user service:

  1. From the Welcome page click the Users, Groups, Roles link on the Menu Security section.

    ../_images/UsersGroupsRolesFullScreen.png

    The Main page for managing Users, Group and Roles.

As you can see there are two sections: the first to handle Users and Groups and the second to handle Roles. By default there is only one service, called default. It is possible to add more clicking on the Add new button.

  1. Add more Users to default service (or any other) accessing to the service page clicking on the service name, then click on the second tab called Users.

    ../_images/UsersGroupsRolesFullScreen.png

    The Main page for managing Users and Group

  2. From the users manager menu click Add new user and enter the following user configuration:

    • user=wsuser

    • password=wsuser

    • Create a new role clicking Add a new role button, entering ROLE_WS in the Name field and clicking Save button.

    • Assign the user the new role selecting it in the Available list and moving it to the Selected list using the right arrow button.

      ../_images/users2.png

      The users list

  3. Click Save to create the new user.

Note

Linking users and roles is done via the file users.properties (located in $GEOSERVER_DATA_DIR/security directory). By default, this file contains one line: admin=geoserver,ROLE_ADMINISTRATOR (user=admin and password=geoserver). The ROLE_ADMINISTRATOR is the predefined role and provides full access to all systems inside GeoServer. If you are using GeoServer in a production environment, the password (and possibly the user name as well) must be immediately changed.