How to Handle Data Security Issue in GeoServer

While working with GeoServer on one of my projects, I noticed a data security issue: with the default configuration, every layer a user uploads is published for anyone to view and download, because no access control has been configured. I would like to share my experience and some workarounds for this. The instructions below were tested with GeoServer 2.8.1.

“GeoServer is an open source GIS server for sharing and serving geospatial data.”

1] How to disable the GeoServer Layer Preview option on the web interface?
After installation, the default GeoServer web interface includes a Layer Preview page that lets anyone view and download the published layers without authentication. A simple first step is to hide this page so the layers are not listed there. Keep in mind that this only hides the listing: a layer stays reachable through direct WMS and WFS requests until access rules are configured in the security settings (security/layers.properties in the data directory).
In the left-hand menu there is a Layer Preview entry. Clicking it lists every published layer, open for the public to view and download, which is exactly what we want to prevent.


To hide this option, there are two solutions.

i) Log in with the admin account and uncheck the Advertised option on the layer's edit page. An unadvertised layer disappears from the Layer Preview and from the capabilities documents, but it still answers direct WMS and WFS requests, so this is concealment rather than access control.

ii) Remove the layer preview module's jar file from the GeoServer lib directory (stop GeoServer first and keep a copy of the file so it can be restored; this also removes the Demo pages that live in the same module).

The file is gs-web-demo-2.8.1.jar (a plain library jar, not an executable).

The directory location of this file is:

C:\Program Files (x86)\GeoServer 2.8.1\webapps\geoserver\WEB-INF\lib\
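Neither of the two solutions above changes who may actually fetch the data; that is decided by the rule file security/layers.properties in the GeoServer data directory. The script below is an added example, not code from the original post or from GeoServer itself. It models the documented rule lookup (the most specific rule wins: workspace.layer, then workspace.*, then *.*; a rule grants access to anyone holding one of the listed roles; `*` means everyone, anonymous users included) and runs it over two constructed rule sets, the stock one and a restricted one, so you can see which requests an anonymous user still gets through. The workspace, layer and role names are invented; treating the administrator role as always allowed and denying a request that matches no rule are this model's own assumptions.

```python
"""Model of GeoServer's layer-level access rules (security/layers.properties).

Added example for this post; it is neither the post's code nor GeoServer's.
It reproduces the documented lookup order (workspace.layer rule, then
workspace.*, then *.*; the most specific rule wins), the meaning of '*'
(everyone, anonymous users included) and the "any listed role grants access"
semantics, and reports denials the way each catalog mode surfaces them.
Assumptions of this model: the administrator role is always allowed, and a
request with no matching rule is denied.
"""
from typing import Dict, FrozenSet, Tuple

Rules = Dict[Tuple[str, str, str], FrozenSet[str]]

# GeoServer grants anonymous users this role; ROLE_ADMINISTRATOR is the
# default administrator role. Both names are assumed here.
ANONYMOUS: FrozenSet[str] = frozenset({"ROLE_ANONYMOUS"})
ADMIN_ROLE = "ROLE_ADMINISTRATOR"

# Constructed sample 1: the stock rule set, which is what the post runs into.
DEFAULT_RULES = """\
mode=HIDE
*.*.r=*
*.*.w=NO_ONE
"""

# Constructed sample 2: reads limited to staff (partners too on one workspace),
# writes limited to editors, and a single deliberately public layer.
RESTRICTED_RULES = """\
mode=CHALLENGE
*.*.r=ROLE_STAFF
*.*.w=NO_ONE
survey.*.r=ROLE_STAFF,ROLE_PARTNER
survey.*.w=ROLE_EDITOR
survey.public_boundaries.r=*
"""


def parse_rules(text: str) -> Tuple[str, Rules]:
    """Parse layers.properties text into (catalog mode, {(ws, layer, access): roles})."""
    mode = "HIDE"
    rules: Rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key == "mode":
            mode = value.upper()
            continue
        parts = key.split(".")
        # r = read, w = write, a = admin access to the workspace configuration
        if len(parts) != 3 or parts[2] not in ("r", "w", "a"):
            raise ValueError(f"malformed rule: {raw!r}")
        roles = frozenset(r.strip() for r in value.split(",") if r.strip())
        rules[(parts[0], parts[1], parts[2])] = roles
    return mode, rules


def can_access(rules: Rules, workspace: str, layer: str, access: str,
               user_roles: FrozenSet[str] = ANONYMOUS) -> bool:
    """True if a user holding user_roles may perform access ('r' or 'w') on the layer."""
    if ADMIN_ROLE in user_roles:
        return True
    for key in ((workspace, layer, access), (workspace, "*", access), ("*", "*", access)):
        roles = rules.get(key)
        if roles is None:
            continue               # no rule at this level, fall back to the next
        return "*" in roles or bool(roles & user_roles)
    return False                   # nothing matched: deny (model assumption)


def outcome(mode: str, rules: Rules, workspace: str, layer: str, access: str,
            user_roles: FrozenSet[str] = ANONYMOUS) -> str:
    """Describe what the client sees, according to the catalog mode."""
    if can_access(rules, workspace, layer, access, user_roles):
        return "allowed"
    if mode == "HIDE":
        return "denied: layer absent from capabilities, request answered as if it did not exist"
    if mode == "CHALLENGE":
        return "denied: layer listed in capabilities, request answered with HTTP 401"
    return "denied: layer absent from capabilities, direct request answered with HTTP 401"  # MIXED


if __name__ == "__main__":
    partner = frozenset({"ROLE_PARTNER"})
    for label, text in (("default", DEFAULT_RULES), ("restricted", RESTRICTED_RULES)):
        mode, rules = parse_rules(text)
        print(f"[{label}] mode={mode}")
        print("  anonymous read survey:parcels ->", outcome(mode, rules, "survey", "parcels", "r"))
        print("  partner read survey:parcels   ->", outcome(mode, rules, "survey", "parcels", "r", partner))
        print("  partner write survey:parcels  ->", outcome(mode, rules, "survey", "parcels", "w", partner))
        print("  anonymous read survey:public_boundaries ->",
              outcome(mode, rules, "survey", "public_boundaries", "r"))
```

With the stock file, the anonymous read of survey:parcels is allowed, which is the situation the post describes; with the restricted file it is denied while the explicitly public layer stays open. After editing the real file, reload the security settings (or restart GeoServer) and repeat the same requests against the server with no credentials to confirm the result.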


2] How to change the default password of GeoServer?

GeoServer ships with a default administrator account, username: admin and password: geoserver. People usually leave it unchanged, which makes a production GeoServer trivial to take over. Change the password before hosting GeoServer in production.


To change the GeoServer admin password, follow the process below. Note that this is the admin user's password; GeoServer also has a separate master password (used for the root account and the keystore) that should be changed as well, under Security → Passwords.

i) Log in to GeoServer with the default username and password.

ii) Go to the Users, Groups, Roles option under Security to see the details of users, groups and roles.


iii) To see the current users, click on the Users/Groups tab.


iv) To change the default password, click on the admin user, enter the new password, and save it.


3] How to disable the GeoServer web interface when GeoServer is hosted in production.

By default, anyone can open the GeoServer web interface by typing one of the following URLs:

URL  : http://example.com/geoserver/

http://example.com:8080/geoserver/

This exposes the login form to password guessing and the layer preview to the public, so leaving the console reachable from the internet in production is not recommended.

Now I will guide you through the process of disabling the GeoServer web interface. The steps below apply to the platform-independent binary distribution; for a WAR deployment, pass the same Java property to the servlet container's JVM instead.

Open the GeoServer bin folder (C:\GeoServer 2.8.1\bin), edit the startup.bat file, add the following option to the Java command line and restart GeoServer:

-DGEOSERVER_CONSOLE_DISABLED=true

It goes right after -DGEOSERVER_DATA_DIR="C:\GeoServer 2.8.1\data_dir".


This disables the GeoServer web interface. Be clear about what it does and does not do: the administration pages and the layer preview are no longer served, so the console is out of the attack surface, but WMS, WFS and the other OGC services keep answering, and the REST API stays available for configuration. Your data is only protected if the layer-level access rules (security/layers.properties) restrict it.

If opening the web interface URL now returns an HTTP error page, the web interface is disabled. That does not by itself stop unauthenticated users from reading data through the services, so check those too.
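For a GeoServer deployed as a WAR in another servlet container, the same setting can be supplied as a servlet context parameter instead of a startup-script edit, because GeoServer reads GEOSERVER_CONSOLE_DISABLED from a Java system property, a servlet context parameter or an environment variable. The fragment below is an added example, not from the original post; it belongs inside the <web-app> element of webapps/geoserver/WEB-INF/web.xml (the path assumes the installation layout shown earlier in this post).

```xml
<!-- Added example, not from the original post or the GeoServer distribution.
     Equivalent to -DGEOSERVER_CONSOLE_DISABLED=true on the Java command line;
     place inside <web-app> in WEB-INF/web.xml and restart the container. -->
<context-param>
  <param-name>GEOSERVER_CONSOLE_DISABLED</param-name>
  <param-value>true</param-value>
</context-param>
```

After the restart, requesting /geoserver/web/ should return an HTTP error while a capabilities request such as /geoserver/ows?service=WMS&request=GetCapabilities still answers. That second check is the reminder that the services, not the console, are where data leaves the server, so the access rules in security/layers.properties remain the real control.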

In case of any issues with open source web technology, please use the discussion or question forum; we will try our best to help you.

3 Comments on "How to Handle Data Security Issue in GeoServer"

Guest
Sachin Agrawal
1 year 3 months ago
Thanks Swarnab for detailing the data restriction process. Andrea, nice to see your comments. You seem to be a GeoServer expert and open source enthusiast. Welcome to GeoITHub. I agree with your point that GeoServer has been intended for creating an open platform with data viewing and download open to all. I believe, if we disable the WFS and WCS services, then features like web editing by users will not be possible? So can you suggest some better way of restricting data download by unauthorised persons while at the same time authorised users have all the privileges of data access and…
Guest
1 year 3 months ago

Of course I meant “the default settings are not a security issue, but the intended behavior”

Guest
1 year 3 months ago
GeoServer was born to provide open access to data (public SDI); as such, the default settings are a “security issue”, but the intended behavior. You simply have a different use case, where raw data should not be accessible, which is also fully supported, but requires a configuration different from the default one. The user interface is accessible with layer previews for anyone and does not allow modifying the configuration; leaving it open is thus not a security risk, although some prefer to remove it altogether. It is more of a paranoid check, the activities that can be performed through the…