Restricting access to WPS processes

The Web Processing Service (WPS) is a very powerful geospatial analysis platform. That said, by default, the WPS service is open to receiving requests from any user (anonymous access). As processes can add, edit, and delete data on the server, this is generally inadvisable.

This section will show how to restrict WPS for optimal usage in most environments.

Note

WPS is an optional extension and needs to be installed separately.

Restricting processes that can add layers

Two built-in processes, gs:Import and gs:StoreCoverage, add the ability to save new vector and raster data (respectively) to the GeoServer catalog. These processes can be very useful, especially when chained with other processes, in that one can save the output of one process to the server as a new layer, as opposed to just sending the output back to the client.

That said, there is great potential for misuse if left unrestricted.

Processes are restricted based on roles, much in the same way as layers and services. So in the tutorial, we will change the allowed role for these processes to be ADMIN only.

Note

See the GeoServer documentation on the security subsystem.

  1. Navigate to Security ‣ WPS security.

    ../../_images/wps_seclink.png

    Click to access WPS security settings

  2. Processes are not specifically listed on this page, but instead are listed by group (prefix). Click the Manage link next to the gs group to see the processes in that group.

    ../../_images/wps_secgroups.png

    WPS security groups

  3. Now the individual processes are displayed. In the boxes titled Roles, type ADMIN; for both gs:Import and gs:StoreCoverage.

    ../../_images/wps_secprocessroles.png

    Restricting the processes to be accessed only by the ADMIN role.

  4. Click Apply.

  5. Click Submit. (Both Apply and Submit are required for changes to persist.)

It is easy to test that these restrictions have gone into effect:

  1. Log out of the admin account, or log in as a different user.

  2. Navigate to Demos ‣ WPS request builder

  3. In the Choose process dialog, you should not see the restricted processes in the list.

    ../../_images/wps_processhidden.png

    The gs:Import process is hidden for a non-ADMIN user

Note

You can also view the WPS capabilities document to see if the processes are displayed there.

Note

The processes will only be hidden if the Process Access Mode is set to HIDE or MIXED. If set to CHALLENGE, the process will be displayed, but just won’t be able to be executed.

../../_images/wps_accessmode.png

Process Access Mode

For more about the Process Access Mode, please see the GeoServer documentation on WPS security.

Disabling processes

If these processes (or any others) aren’t planned to be used on the server at all, it would be better to disable them outright. To do this:

  1. Navigate back to Security ‣ WPS security.

  2. Click the Manage link next to the gs group.

  3. Uncheck the Enabled box for all the processes to be disabled.

    ../../_images/wps_processdisable.png

    Disabling processes

  4. Click Apply.

  5. Click Submit.

Repeat for any process or process group that you would like to disable.