HomeDocumentationSecurity & Authentication

Security & Authentication

GeoServer employs a defense-in-depth security architecture, ensuring your geospatial data remains protected through industry-standard encryption, flexible authentication protocols, and granular access controls.

🔒
Security First: All data in transit is encrypted via TLS 1.3. Data at rest utilizes AES-256 encryption. GeoServer is SOC 2 Type II certified and ISO 27001 compliant.

Authentication Methods

GeoServer supports a wide range of authentication mechanisms to integrate seamlessly with your existing identity infrastructure. Choose the method that best fits your organizational requirements.

Method Description Status
OAuth 2.0 / OIDC Industry-standard token-based authentication. Supports Auth0, Okta, Azure AD, and Keycloak. Stable
SAML 2.0 Federation-based authentication for enterprise SSO integrations. Stable
LDAP / Active Directory Direct integration with on-premise or cloud directory services. Stable
API Keys Simple token-based auth for machine-to-machine communication. Stable
JWT Custom Claims Pass custom user attributes via JWT claims for dynamic access control. Beta

OAuth 2.0 Configuration

To enable OAuth 2.0, configure your provider's client ID and secret in the GeoServer admin console under Settings > Authentication. Ensure the redirect URI matches your GeoServer instance URL. 

# Example: GeoServer OAuth2 Config
auth:
  provider: oidc
  client_id: geoserver-app-123
  client_secret: ${OAUTH_SECRET}
  authorization_endpoint: https://auth.example.com/authorize
  token_endpoint: https://auth.example.com/token
  scopes:
    - openid
    - profile
    - geo:maps:read  # Custom scope for read access
    - geo:maps:write # Custom scope for write access

Authorization & RBAC

GeoServer implements Role-Based Access Control (RBAC) to enforce least-privilege access. Roles can be mapped to users or groups from your identity provider.

Geospatial-Specific Permissions

Unlike generic RBAC, GeoServer supports granular permissions at the layer, workspace, and tile level:

  • Workspace Level: Control read/write access to entire datasets.
  • Layer Level: Restrict access to specific map layers or feature collections.
  • Geo-Fencing: Limit data access based on user location or requested bounding box.
  • Attribute Redaction: Automatically mask sensitive attributes for certain roles.
⚠️
Geo-Fencing Note: Geo-fencing evaluates requests on the server side. Ensure your load balancer preserves client IP headers for accurate location-based filtering.

Encryption Standards

Data protection is paramount. GeoServer enforces strict encryption policies for data in transit and at rest.

In-Transit

  • TLS 1.3 enforced for all API endpoints and web console traffic.
  • HSTS headers enabled by default.
  • Support for mutual TLS (mTLS) for service-to-service authentication.

At-Rest

  • AES-256-GCM encryption for all database storage and tile caches.
  • Encryption keys managed via AWS KMS, Azure Key Vault, or on-premise HSM integration.
  • Automatic key rotation every 90 days.

API Security

GeoServer's REST APIs are secured using Bearer tokens. All requests must include a valid token in the Authorization header. 

# Example: Secure API Request
curl -X GET \
  "https://api.geoserver.io/v2/layers/heatmap-2024" \
  -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR..." \
  -H "Content-Type: application/json"

Rate Limiting

To protect against abuse, GeoServer enforces rate limits based on the subscription tier:

  • Free Tier: 100 requests/minute
  • Professional: 1,000 requests/minute
  • Enterprise: Custom limits with dedicated throughput

Rate limit headers are included in all responses: 

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 942
X-RateLimit-Reset: 1698765432

Compliance & Audits

GeoServer maintains rigorous compliance standards to ensure regulatory adherence for enterprises and government entities.

🛡️
SOC 2 Type II
Certified • Audited Quarterly
📜
ISO 27001
Certified • Audited Annually
🇪🇺
GDPR
Compliant • Data Processor
🏛️
FedRAMP Moderate
Authorized • ATO Available

Audit Logs

All authentication and authorization events are logged in real-time. Logs are immutable and retained for 365 days (Enterprise: configurable up to 7 years). 

# Sample Audit Log Entry
{
  "timestamp": "2024-11-01T14:32:01Z",
  "event": "AUTH_SUCCESS",
  "user_id": "u-8x9a2b",
  "ip": "203.0.113.42",
  "resource": "/v2/layers/infrastructure",
  "method": "GET",
  "user_agent": "GeoClient/2.1"
}

Incident Response

GeoServer maintains a 24/7 Security Operations Center (SOC) to monitor and respond to threats. In the event of a security incident:

  • Customers are notified within 24 hours.
  • A detailed post-incident report is published within 72 hours.
  • Emergency patches are deployed within 4 hours for critical vulnerabilities.
📧
Report a Vulnerability: If you discover a security issue, please report it via security@geoserver.io. We offer a bug bounty program for critical findings.