Security

The SuperMap GIS server comes with a security control module to ensure management security and service security. iServer WebManager is the portal to the whole iServer system and affects the normal running of the server, so only administrators can access iServer WebManager. Secured GIS resources can be accessed only by authorized users.

Security configuration

All the configuration items on the Security tab are stored in the system configuration file iserver-system.xml. So, besides configuring through the system interface, an administrator can also modify iserver-system.xml directly.

Token configuration

See: Configuring shared key of Token.

Security information storage

The SuperMap GIS server stores user information in a SQLite database by default. It also supports storing user information in a MySQL database, as well as in other custom storage locations.

For details, see: Security information storage.

Session management

The SuperMap GIS server supports configuring a centralized session. A centralized session means that the session information is saved to a third-party database and can be obtained directly from that database when the same session needs to be established again.

For GIS servers, a centralized session means that users who access multiple addresses from the same browser do not have to log in again. Without a centralized session, each user needs to log in every time they visit a GIS server, even when it is the same user, which duplicates work.

The SuperMap GIS server supports storing session information in a Redis database. For details, see: Session information management.

 

Password security

The SuperMap GIS server supports limiting the number of consecutive incorrect password attempts within a period of time, to prevent brute-force cracking. It also supports requiring that a new password not repeat any of the previous passwords, and the number of previous passwords that cannot be repeated can also be set.

For details, see: Password security settings.
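The two controls described above (a limit on consecutive failed logins within a time window, and a configurable password history) can be sketched as follows. This is an added example, not SuperMap iServer code: the class, its parameter names and the default values are assumptions chosen for illustration and do not correspond to iServer configuration items.

```python
import hashlib, hmac, os
from collections import deque

class PasswordPolicy:
    """Illustrative policy; parameter names are assumptions, not iServer settings."""
    def __init__(self, max_failures=5, window_s=600, lock_s=1200, history_size=3):
        self.max_failures, self.window_s, self.lock_s = max_failures, window_s, lock_s
        self.history_size = history_size
        self.failures = {}      # user -> deque of failure timestamps (seconds)
        self.locked_until = {}  # user -> time at which the lock expires
        self.history = {}       # user -> deque of (salt, hash), newest last

    @staticmethod
    def _hash(password, salt):
        # Only salted, stretched hashes are kept, never old plaintext passwords.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def is_locked(self, user, now):
        return now < self.locked_until.get(user, 0)

    def record_login(self, user, success, now):
        """Record one attempt; return True if the account is locked afterwards."""
        if self.is_locked(user, now):
            return True
        if success:
            self.failures.pop(user, None)  # a success breaks the consecutive run
            return False
        q = self.failures.setdefault(user, deque())
        q.append(now)
        while q and q[0] <= now - self.window_s:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[user] = now + self.lock_s
            q.clear()
            return True
        return False

    def set_password(self, user, new_password):
        """Return False if new_password repeats one of the remembered passwords."""
        hist = self.history.setdefault(user, deque(maxlen=self.history_size))
        for salt, digest in hist:
            if hmac.compare_digest(digest, self._hash(new_password, salt)):
                return False
        salt = os.urandom(16)
        hist.append((salt, self._hash(new_password, salt)))  # oldest entry falls off
        return True
```

Timestamps are passed in explicitly so the window and lock behaviour can be checked deterministically; a deployment would use a monotonic clock and persistent storage.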

Role-based access control system

SuperMap iServer Manager provides a security module, based on authentication and authorization, to control access to services. Whether iServer WebManager, service publisher, or service user, all can be managed through the security module. It also supports authorizing a service instance to a specific role and limiting the operation permissions. When the security module is enabled, services are secured, and only authorized users are allowed to access the resources.

Role-based access control has the following aspects of management:

After service security is enabled, the system redirects to the login interface when a user accesses a service instance. If the user does not have service authorization, verification fails, so the user cannot access service resources even when logged in. In that case, associate the user with an authorized role, or authorize a role the user is associated with.

GIS system security

CAS SSO (Single sign-on)

SuperMap iServer supports CAS-based SSO (single sign-on): users need to sign on only once to access multiple GIS products and server nodes.

Keycloak authentication and authorization

SuperMap GIS servers support using Keycloak for authentication and authorization, providing a unified account system and single sign-on across SuperMap iServer/iPortal/iEdge.

LDAP account login

SuperMap iServer supports login through LDAP authentication, so that users in an LDAP server can log in to and access iServer.

OAuth2 account login

SuperMap iServer supports third-party login such as QQ and Sina Weibo, which reduces the difficulty of remembering usernames and passwords and makes for a better user experience.

Besides QQ and Sina Weibo, iServer also supports login through other third parties by extension. For details, please refer to: The third party login extension that compliant to OAuth2 protocol.

Extension supports third party authentication

SuperMap iServer supports integrating with a third-party authentication server through extension development and configuration. For details, please refer to: Extends iServer to support third party authentication.

3D cache data security

When a client browses a 3D service, the 3D data is cached locally on the client by default. To ensure the security of the 3D service and the cached data, iServer provides an encryption mechanism for the cache data generated when a 3D client browses.

With the encryption mechanism, the 3D cache downloaded by a client can only be used directly by iClient; loading the data by other methods requires a password. For details, please refer to: 3D client cache encryption.