While I was working with Geoserver on one of my projects, I noticed a data security issue in GeoServer: the layers uploaded by a user are visible by default and can be downloaded by anyone if proper security has not been configured. I would like to share my experience and a workaround for handling this data security issue. The instructions below were tested with Geoserver version 2.8.1.
“Geoserver, is an open source GIS server for sharing and serving geospatial data.”
1] How to disable Geoserver Layer Preview Option on the web interface?
After installation, the default Geoserver interface comes with a Layer Preview option that lets anyone view and download the published layers without any authentication. A simple workaround is therefore to disable the Layer Preview option so that the layers are hidden.
In the left-hand section of the interface there is a Layer Preview button. When you click it, every published layer is listed, open for the public to view and download, which is exactly what we do not want.
To hide this option, there are two solutions.
i) Log in with the admin account and, for each layer, uncheck the Advertised option available under the layer's Publishing tab.
ii) Remove the jar file from the Geoserver lib directory.
The jar file to remove is gs-web-demo-2.8.1.jar.
The directory location of this file is:
C:\Program Files (x86)\GeoServer 2.8.1\webapps\geoserver\WEB-INF\lib\
2] How to change the default password of Geoserver?
Geoserver is installed with the default username admin and password geoserver. People usually leave it unchanged, which makes the installation much easier to compromise if you host Geoserver in production. It is highly recommended to change the password.
To change the default Geoserver admin password, follow the process below.
i) Log in to your Geoserver with the default username and password.
ii) Go to the Users, Groups, Roles option to see the details of users, groups and roles.
iii) To see the current users, click on Users/Groups.
iv) To change the default password, click on the admin user, enter the new password and save it.
3] How to disable the Geoserver Web Interface when Geoserver is hosted in production?
There is a bug that lets people open any Geoserver by typing the following URL.
This is not recommended and poses a security risk.
I will now guide you through the process of disabling the Geoserver web interface. It applies only to the Platform Independent Geoserver package.
Open your Geoserver bin folder (C:\GeoServer 2.8.1\bin), edit the startup.bat file, add this command after -DGEOSERVER_DATA_DIR="C:\GeoServer 2.8.1\data_dir", and restart Geoserver.
This disables your GeoServer Web Interface. Once the web view is disabled, the interface is no longer exposed.
If you see the above HTTP ERROR, your Geoserver web interface is now disabled and cannot be accessed by any unauthenticated user on the web.
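A practical way to confirm that the three changes above actually took effect is to probe your own Geoserver the way an anonymous visitor would. The script below is an added example, not code from this post or from the GeoServer project. It sends a handful of HTTP GETs and reports which mitigation still looks missing: whether the web console at /geoserver/web/ is still served, whether the Layer Preview page is still reachable without logging in, and whether the REST API still accepts the default admin/geoserver credentials from section 2. The web console root and the REST layers endpoint are standard GeoServer paths; the Layer Preview page path is the Wicket bookmarkable URL that GeoServer 2.x uses, which I assume is unchanged in your deployment. The base URL http://localhost:8080 is a placeholder.

```python
"""Post-hardening audit for a GeoServer instance you administer.

Added example, not code from the original post or from the GeoServer project.
It reports which of the three mitigations from the post still appear to be
missing: web console still served, Layer Preview reachable anonymously,
default admin password still accepted.
"""
import base64
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional

# Paths relative to the server root. The web console root and the REST layers
# endpoint are standard GeoServer paths; the Layer Preview page path is the
# Wicket bookmarkable URL used by GeoServer 2.x (assumption: unchanged in
# your deployment).
WEB_CONSOLE = "/geoserver/web/"
LAYER_PREVIEW = "/geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage"
REST_LAYERS = "/geoserver/rest/layers.json"

# Default credentials named in the post; used only to confirm they are rejected.
DEFAULT_CREDENTIALS = "admin:geoserver"


def http_status(url: str, auth: Optional[str] = None) -> int:
    """GET url and return the HTTP status code; 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url)
    if auth:
        token = base64.b64encode(auth.encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def evaluate(statuses: Dict[str, int]) -> List[str]:
    """Map observed status codes to findings.

    Keys: 'console' and 'preview' come from anonymous GETs, 'default_creds'
    from a GET sent with the default admin credentials. A 200 on any of them
    means the corresponding mitigation from the post is not in place.
    """
    findings = []
    if statuses.get("console") == 200:
        findings.append("web console is served to anonymous users (section 3 not applied)")
    if statuses.get("preview") == 200:
        findings.append("Layer Preview page is reachable anonymously (section 1 not applied)")
    if statuses.get("default_creds") == 200:
        findings.append("default admin password is still accepted (section 2 not applied)")
    return findings


def audit(base_url: str, fetch: Callable[..., int] = http_status) -> List[str]:
    """Run the three checks against base_url (placeholder: http://localhost:8080).

    `fetch` is injectable so the decision logic can be exercised offline.
    """
    base = base_url.rstrip("/")
    statuses = {
        "console": fetch(base + WEB_CONSOLE),
        "preview": fetch(base + LAYER_PREVIEW),
        "default_creds": fetch(base + REST_LAYERS, auth=DEFAULT_CREDENTIALS),
    }
    return evaluate(statuses)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    problems = audit(target)
    for line in problems or ["no findings: all three mitigations appear to be in place"]:
        print(line)
```

Run it as `python geoserver_audit.py http://your-server:8080` after applying the changes; an empty result means the console returns an error page (the HTTP ERROR mentioned above), the preview page is not served anonymously, and the default password is rejected. Because `fetch` is a parameter, the same classification logic can be fed recorded status codes, which is convenient when wiring the check into a deployment pipeline.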
In case of any issues with open source web technology, please use the discussion or question forum; we will try our best to help you.