Management of Security
SuperMap GIS server provides security control functions to ensure management security and service security. The service manager manages the entire GIS system. Because this management portal affects the normal operation of the server, only the administrator can access the service management server. A protected GIS service is restricted to specified users: only authorized users can access its service resources.
All configuration information on the "security config" page is recorded in the system config file iserver-system.xml, so in addition to using the interface, the administrator can modify the system config file directly.
Refer to: Configure Token Shared Key.
SuperMap GIS server stores user information in SQLite database by default, and supports storing user information in MySQL/Oracle/PostgreSQL databases, and other custom storage locations.
For detailed configuration instructions, please refer to Security Info Storage.
The SuperMap GIS server supports the configuration of centralized sessions. Centralized session means that the session information is saved to a third-party database, and when the same session needs to be established again, it can be obtained directly from the database.
For GIS servers, enabling centralized sessions means that a user who logs in once can directly access multiple GIS servers at different addresses from the same browser, without logging in again. By contrast, without centralized sessions (single session mode), users must log in each time they access a GIS server, even as the same user, which adds repetitive work.
SuperMap GIS server supports storing centralized session information in a Redis database. For detailed configuration, please refer to Session Info Management.
The SuperMap GIS server supports limiting the number of consecutive password errors allowed within a period to prevent brute-force attacks. It also supports requiring that a new password not repeat any of the previous passwords, and the administrator can customize how many previous passwords may not be repeated.
For detailed configuration instructions, please refer to User Password Security Setting.
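The sketch below shows how the two controls described above fit together: a lockout after consecutive failures within a period, and a check that a new password does not repeat a remembered one. It is an added example, not SuperMap iServer code; the class, parameter names and defaults are assumptions, and the real settings are the ones documented under User Password Security Setting.

```python
import hashlib
import hmac
import os
from collections import deque


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordPolicy:
    """Illustrative policy object; all names and defaults are assumptions."""

    def __init__(self, password, max_failures=3, window_s=300, history_size=2):
        self.max_failures = max_failures           # consecutive errors allowed
        self.window_s = window_s                   # period they are counted over
        self.history = deque(maxlen=history_size)  # current + previous passwords
        self.failures = deque()                    # timestamps of recent failures
        self._remember(password)

    def _remember(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def locked(self, now):
        # Drop failures that fell out of the period, then compare to the limit.
        while self.failures and now - self.failures[0] >= self.window_s:
            self.failures.popleft()
        return len(self.failures) >= self.max_failures

    def login(self, password, now):
        if self.locked(now):
            return "locked"                # refuse even a correct password
        if self._matches(password, self.history[-1]):
            self.failures.clear()          # a success resets the streak
            return "ok"
        self.failures.append(now)
        return "denied"

    def change_password(self, new_password):
        # Reject a new password equal to any of the remembered ones.
        if any(self._matches(new_password, e) for e in self.history):
            return False
        self._remember(new_password)
        return True
```

Timestamps are passed in as plain seconds so the lockout window can be exercised without waiting; a correct password is refused while the account is locked, which is what makes online guessing expensive.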
The SuperMap service management server provides a security module that implements access control to services through authentication and authorization based on user identity. SuperMap service managers, service publishers, and service users can all be managed through the security module, which supports authorizing a single service instance to a specified role and restricting that role's operation permissions. When the security module is enabled, the service is protected, and only users holding an authorized role can access the resources of the service.
Role-based access control includes the following aspects of management:
After service security is enabled, the system redirects to the login interface when the user accesses the service instance. If the user has not been granted authorization for the service, authorization verification fails, and the user cannot access the service resource even after logging in. In this case, the user needs to be associated with an authorized role, or Role Authorization needs to be performed for the associated role.
The SuperMap GIS server supports CAS-based single sign-on, enabling direct access to multiple GIS products and server nodes in the system with just one login.
SuperMap GIS server supports using Keycloak for authentication and authorization, providing unified account management for SuperMap iServer/iPortal/iEdge and single sign-on between them.
SuperMap GIS server supports the LDAP Authorization Login Method, which enables users in the LDAP server to log in and access the iServer directly.
SuperMap GIS server supports third-party login methods such as QQ and Sina Weibo. Third-party login spares users from having to remember additional user names/passwords and provides a better user experience.
In addition to QQ and Sina Weibo, iServer supports other third-party login methods through extensions. For specific usage, please refer to: Follow Third-party Login Ways Extensions to the OAuth2 Protocol.
The SuperMap GIS server supports connecting to a third-party authentication server, which can be developed and configured as an extension. For details, please refer to Extension iServer Supports Third-party Authentication.
When a client browses a 3D service, the 3D data is cached on the local client by default. To ensure the security of the 3D service and the cached data, iServer provides an encryption mechanism for the data cached when a 3D client browses the service.
With this encryption mechanism, the 3D cache downloaded by the client can only be used directly by the iClient, and a password must be provided when loading the data in other ways. For specific usage, please refer to: 3D Client Cache Encryption.