GeoFence is an advanced authentication/authorization engine for GeoServer
GeoFence allows you to create authorization rules on GeoServer resources based on multiple parameters, such as the user requesting the data, its role, the source IP address of the web request, the used OGC service/request, the requested layer or its workspace.
You can setup authorization rules with the granularity you need: this means that you can allow or deny access to a given layer at a whole, or simply hide some attributes, restrict the output to only a given area, or only allow access to a subset of the features by filtering them using a CQL expression.
You can find more details on this page.
GeoFence can be run either as a standalone Java web application, or embedded into GeoServer.
The GeoFence standalone application run as a java service, and can be queried for auth by one or more GeoServer instances.
It provides a complete REST API for the programmatic administration of the rules and their ancillary data; a GUI is no longer provided since version 3.7.
In this configuration GeoServer needs a module (the GeoFence client plugin) that will send authorization queries to GeoFence using a configurable protocol (by default it uses Spring remoting over HTTP).
The embedded configuration will make the GeoFence engine run within GeoServer itself. The administration GUI will be seamlessly embedded into GeoServer. The embedded GeoFence should be installed as a GeoServer plugin as well.
GeoFence provides the authorization services using the interface described in GSIP 57.
GeoFence core modules and GUI, as well as the GeoFence plugins in GeoServer, are free and Open Source software, released under the GPL license (which is GPL v2.0), as it implements a GeoServer Java API.
Since there are two different ways to run GeoFence, you'll need different set of files according to your configuration.
- Standalone
- You'll need the GeoFence .war file, and the
geofenceplugin to be deployed into GeoServer. - Embedded
- You'll only need to deploy the
geofence-serverplugin into GeoServer.
Since GeoFence and GeoServer run side to side, every change of the API in either side requires a change on the other one.
Here's a compatibility table for the most recent versions of both applications (you may also want to refer to the comprehensive compatibility matrix):
| GeoFence | GeoServer | Main changes |
|---|---|---|
| 3.7.x (main) | 2.25 | |
| 3.7.1 | 2.24.x | Fix log4j libs |
| 3.7-RC | 2.24.0 | GeoTools 30: opengis packages renaming JDK11 compatibility GUI removed |
| 3.6.1 | 2.23.x | Fix log4j libs |
| 3.6.0 | 2.23.0 - 2.23.3 | DTO changes (#226 - subfield) |
| 3.5.1 | 2.22.0 - 2.22.x (client) (embedded) 2.21.2 - 2.21.x 2.20.6 - 2.20.x |
#222: Improve filtering by role #87: Exclude JPA1 dep |
| 3.5.0 | 2.21.0 - 2.21.1 2.20.0 - 2.20.5 2.19.0 - 2.19.6 |
DTO changes (#163 - restricted area, clip) |
| 3.4.6.1 | 2.18.x 2.17.x |
#166: JTS Version update Minor DTO changes |
Once you have downloaded the resources you need, please follow the instructions on the GeoFence installation wiki page.
- How to install GeoFence
- 5 Minutes intro to using GeoFence
- How to configure GeoFence
- How to build GeoFence
- Documentation Index
The GeoFence project is part of GeoServer, so any question can be directed to the GeoServer user mailing list, and developer collaboration discussed in the GeoServer developer mailng list.