Overview

GeoServer's security architecture is built on defense-in-depth principles. Every request, data layer, and administrative action is governed by granular policies that ensure only authorized users and systems can access your spatial infrastructure.

💡 Security policies apply at the workspace, layer, and request level. You can combine roles with IP whitelisting and time-bound tokens for maximum protection.

Role-Based Access Control (RBAC)

Define fine-grained permissions across workspaces, layers, and APIs. Predefined roles accelerate deployment, while custom roles adapt to your organization's hierarchy.

Role | Capabilities | Use Case
Administrator | Full system config, role management, audit access | DevOps / Platform Engineers
Editor | Read/Write layers, publish styles, manage workspaces | GIS Analysts, Cartographers
Viewer | Read-only access to published maps & WMS/WFS | End-users, Dashboards
API Service | Scoped token access, rate-limited, machine-to-machine | Automation, ETL Pipelines
Custom | Granular: workspace, layer, operation, IP, time | Compliance-specific workflows

Workspace Isolation

Roles can be scoped to specific workspaces, preventing cross-project data leakage.

Layer-Level Restrictions

Restrict access to sensitive geometries, attributes, or bounding boxes per role.

Operation Filtering

Allow GET but block DELETE, or restrict WCS download to Editors only.

Authentication Methods

GeoServer supports industry-standard authentication protocols to integrate seamlessly with your existing identity providers.

  • OAuth 2.0 / OIDC: Google, Microsoft Entra, Auth0, Keycloak
  • SAML 2.0: Enterprise SSO for large organizations
  • LDAP / Active Directory: On-premise directory sync & group mapping
  • API Keys & JWT: Stateless token authentication for services
  • Multi-Factor Authentication (MFA): TOTP & WebAuthn enforcement for admin roles

⚠️ Basic Auth is deprecated for public endpoints. Use OAuth2 or API keys with short-lived tokens instead.

Encryption & Compliance

Data protection is enforced both in transit and at rest, ensuring alignment with global regulatory standards.

Feature | Implementation | Compliance
TLS Encryption | TLS 1.3 enforced, custom certificates supported | GDPR, CCPA, HIPAA
At-Rest Encryption | AES-256 for vector/raster stores & backups | SOC 2 Type II
Key Management | HSM integration, AWS KMS / Azure Key Vault | FIPS 140-2 Ready
Data Masking | Dynamic attribute filtering per role | PII Protection

Audit & Logging

Track every interaction with your geospatial infrastructure. Immutable logs are stored securely and can be exported for compliance reporting.

Activity Tracking

User logins, layer publishes, style changes, and role assignments.

Request Logging

WMS/WFS/WCS endpoint hits, IP origins, response times, and cache status.

Alerting & SIEM

Real-time webhook alerts, JSON export, Splunk/Datadog/Sentry integration.

Retention Policies

Configurable log retention (30d to 7y) with automatic archival to S3/GCS.

JSON Log Sample

    // Audit event: layer publication
    {
      "timestamp": "2025-04-12T14:22:08Z",
      "user": "analyst_jdoe",
      "action": "LAYER_PUBLISH",
      "workspace": "us_census",
      "layer": "block_groups_2020",
      "ip": "192.168.10.44",
      "status": "SUCCESS"
    }
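
Detection logic run over events in the audit format sampled above, as an added example that is not GeoServer's own code. It assumes one JSON object per line; the allowed ranges, the alert threshold and the `DENIED` status value are assumptions, and the log lines are constructed.

```python
import ipaddress
import json
from collections import Counter

REQUIRED = {"timestamp", "user", "action", "workspace", "layer", "ip", "status"}
# Assumptions (not from the page): expected source ranges per workspace, alert threshold.
ALLOWED_NETS = {"us_census": ["192.168.10.0/24"]}
FAILURE_THRESHOLD = 3

def _line(ts, user, ip, status):  # builds one constructed log line
    return json.dumps({"timestamp": ts, "user": user, "action": "LAYER_PUBLISH", "workspace": "us_census",
                       "layer": "block_groups_2020", "ip": ip, "status": status})

# Constructed sample; "DENIED" is an assumed non-SUCCESS status value.
SAMPLE_LOG = "\n".join([
    _line("2025-04-12T14:22:08Z", "analyst_jdoe", "192.168.10.44", "SUCCESS"),
    _line("2025-04-12T14:25:10Z", "svc_etl", "203.0.113.7", "SUCCESS"),
    *(_line(f"2025-04-12T14:30:0{i}Z", "viewer_k", "192.168.10.60", "DENIED") for i in range(1, 4)),
    '{"timestamp": "2025-04-12T14:31:00Z", "user": "viewer_k"',  # truncated line, must be rejected
])

def parse_events(text):
    """Return (events, rejected line numbers); malformed or incomplete lines are rejected."""
    events, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            ev = json.loads(line)
            if not (isinstance(ev, dict) and REQUIRED <= ev.keys()):
                raise ValueError("missing field")
            ev["ip"] = ipaddress.ip_address(ev["ip"])
        except ValueError:  # bad JSON, missing field or unparsable IP
            rejected.append(n)
        else:
            events.append(ev)
    return events, rejected

def detect(events):
    """Flag out-of-range source IPs and users with repeated non-SUCCESS events."""
    alerts, failures = [], Counter()
    for ev in events:
        nets = ALLOWED_NETS.get(ev["workspace"], [])  # unknown workspace: nothing is in range
        if not any(ev["ip"] in ipaddress.ip_network(n) for n in nets):
            alerts.append(("IP_OUTSIDE_RANGE", ev["user"], str(ev["ip"])))
        if ev["status"] != "SUCCESS":
            failures[ev["user"]] += 1
    alerts += [("REPEATED_FAILURES", u, c) for u, c in sorted(failures.items()) if c >= FAILURE_THRESHOLD]
    return alerts

if __name__ == "__main__":
    print(*detect(parse_events(SAMPLE_LOG)[0]), sep="\n")
```

Rejected line numbers are returned rather than dropped silently, so a truncated or tampered log line shows up as a finding of its own.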

API & Integration Security

Machine-to-machine communication is secured through scoped tokens, rate limiting, and signature verification.

  • Scoped JWT Tokens: Limit API keys to specific workspaces or read-only operations
  • Rate Limiting: Configurable thresholds per IP, role, or API key (e.g., 1,000 req/min)
  • Request Signing: HMAC-SHA256 for critical write operations
  • Webhook Security: Signature verification for audit & event callbacks

GeoServer's REST API supports CORS configuration, request whitelisting, and automatic token rotation for CI/CD pipelines.

Setup Guide

Creating a Custom Role via CLI

Define granular permissions directly from your terminal or automation scripts.

bash

    geoctl role create "env_analyst" \
      --workspace "climate_data" \
      --permissions "read,write_style" \
      --scope "bbox:-180,23.5,-50,50" \
      --token-expiry "8h"

Enforcing MFA for Admins

yaml

    # geoconfig/security.yaml
    authentication:
      mfa:
        enabled: true
        enforce_roles:
          - "Administrator"
        providers:
          - "totp"
          - "webauthn"

Changes take effect immediately. Roles sync within 30 seconds across all cluster nodes.

Frequently Asked Questions

Can I assign multiple roles to a user?

Yes. Permissions are aggregated. Conflicting policies default to the most restrictive rule.

How do I rotate API keys without downtime?

Use dual-key rotation. Generate a new key, deploy it to consumers, then revoke the old key.

Is IP restriction supported?

Yes. Bind roles to CIDR ranges or allowlists via the security dashboard or REST API.

Do audit logs include deleted data?

Deleted layer events are logged with timestamps and user context. Raw data snapshots require backup integration.