Role source and role calculation

Different authentication mechanisms provide different possibilities where to look for the roles of a principal/user. The role source is the base for the calculation of the roles assigned to the authenticated principal.

Using a user/group Service

During configuration of an authentication mechanism, the name of a user group service has to be specified. The used role service is always the role service configured as active role service. The role calculation itself is described here Interaction between user/group and role services

Using a role service directly

During configuration of an authentication mechanism, the name of a role service has to be specified. The calculation of the roles works as follows:

  1. Fetch all roles for the user.

  2. For each role in the result set, fetch all ancestor roles and add those roles to the result set.

  3. If the result set contains the local admin role, add the role ROLE_ADMINISTRATOR.

  4. If the result set contains the local group admin role, add the role ROLE_GROUP_ADMIN.

This algorithm does not offer the possibility to have personalized roles and it does not consider group memberships.

Using an HTTP header attribute

The roles for a principal are sent by the client in an HTTP header attribute (Proxy authentication). GeoServer itself does no role calculation and extracts the roles from the header attribute. During configuration, the name of the header attribute must be specified. An example with a header attribute named “roles”:

roles: role_a;role_b;role_c

An example for roles with role parameters:

roles: role_a;role_b(pnr=123,nick=max);role_c

The default syntax is

  • roles are delimited by ;

  • a role parameter list starts with ( and ends with )

  • a role parameter is a key value pair delimited by =

  • role parameters are delimited by ,