Restricting access to WPS processes
The Web Processing Service (WPS) is a very powerful geospatial analysis platform. That said, by default, when the WPS Service is enabled it is open to receiving requests from any user (anonymous access). As processes can add, edit, and delete data on the server, this is generally inadvisable.
This section will show how to restrict WPS for optimal usage in most environments.
WPS is disabled by default, and needs to be enabled to be used.
Restricting processes that can add layers
Two built-in processes,
gs:StoreCoverage, add the ability to save new vector and raster data (respectively) to the GeoServer catalog. These processes can be very useful, especially when chained with other processes, in that one can save the output of one process to the server as a new layer, as opposed to just sending the output back to the client.
That said, there is great potential for misuse if left unrestricted.
Processes are restricted based on roles, much in the same way as layers and services. So in the tutorial, we will change the allowed role for these processes to be
See the GeoServer documentation on the security subsystem.
Processes are not specifically listed on this page, but instead are listed by group (prefix). Click the Manage link next to the gs group to see the processes in that group.
Now the individual processes are displayed. In the boxes titled Roles, type
Click Submit. (Both Apply and Submit are required for changes to persist.)
It is easy to test that these restrictions have gone into effect:
Log out of the admin account, or log in as a different user.
In the Choose process dialog, you should not see the restricted processes in the list.
You can also view the WPS capabilities document to see if the processes are displayed there.
The processes will only be hidden if the Process Access Mode is set to HIDE or MIXED. If it is set to CHALLENGE, the processes will still be displayed, but they cannot be executed.
For more about the Process Access Mode, please see the GeoServer documentation on WPS security.
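The capabilities check described above can be scripted. The following is an added example, not part of the original tutorial or of GeoServer: it requests the WPS 1.0.0 capabilities document without credentials and reports which restricted processes are still advertised. The base URL, the function names and the sample XML are assumptions made for the example; pass the names of the processes you restricted on the command line.

```python
import sys
import urllib.request
import xml.etree.ElementTree as ET

NS = {"wps": "http://www.opengis.net/wps/1.0.0",
      "ows": "http://www.opengis.net/ows/1.1"}

# Constructed sample capabilities fragments (not real server output).
SAMPLE_HIDDEN = """<wps:Capabilities xmlns:wps="http://www.opengis.net/wps/1.0.0"
    xmlns:ows="http://www.opengis.net/ows/1.1" version="1.0.0">
  <wps:ProcessOfferings>
    <wps:Process wps:processVersion="1.0.0"><ows:Identifier>JTS:buffer</ows:Identifier></wps:Process>
  </wps:ProcessOfferings>
</wps:Capabilities>"""
SAMPLE_LISTED = SAMPLE_HIDDEN.replace(
    "</wps:ProcessOfferings>",
    '<wps:Process wps:processVersion="1.0.0"><ows:Identifier>gs:StoreCoverage</ows:Identifier></wps:Process>'
    "</wps:ProcessOfferings>")

def advertised_processes(capabilities_xml):
    """Return the set of process identifiers in a WPS 1.0.0 capabilities document."""
    root = ET.fromstring(capabilities_xml)
    return {el.text.strip()
            for el in root.findall("wps:ProcessOfferings/wps:Process/ows:Identifier", NS)
            if el.text}

def still_advertised(capabilities_xml, restricted):
    """Return the restricted processes that the requesting client can still see."""
    return sorted(set(restricted) & advertised_processes(capabilities_xml))

def fetch_capabilities(base_url):
    """Anonymous GetCapabilities request (no credentials are sent); returns bytes."""
    url = base_url.rstrip("/") + "/ows?service=WPS&version=1.0.0&request=GetCapabilities"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read()

if __name__ == "__main__":
    # Usage (URL is an assumed local install):
    #   python check_wps.py http://localhost:8080/geoserver gs:StoreCoverage
    base_url, restricted = sys.argv[1], sys.argv[2:]
    leaked = still_advertised(fetch_capabilities(base_url), restricted)
    # With Process Access Mode CHALLENGE a listed process is expected;
    # it is execution, not listing, that is refused in that mode.
    print("still advertised:", leaked or "none")
    sys.exit(1 if leaked else 0)
```

A non-zero exit status means at least one restricted process is visible to anonymous clients, which is the expected result only when the Process Access Mode is CHALLENGE.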
If these processes (or any others) aren’t planned to be used on the server at all, it would be better to disable them outright. To do this:
Navigate back to.
Click the Manage link next to the
Uncheck the Enabled box for all the processes to be disabled.
Repeat for any process or process group that you would like to disable.