Geospatial CMS


How to protect your data

In an GIS environment it is often needed to protect the data provided by the map server, restricting some clients to certain regions or certain kinds of vector/raster data. As a consequence, clients must authenticate themselves to have access to protected resources.

Drupal has fine-grained built-in protection for content types. The same protection must apply to the geodata within Cartaro, but with Cartaro, data can be accessed not only through the Drupal GUI. With its integration with GeoServer, Cartaro can expose OGC webservices that are accessed through direct HTTP requests according to the OGC standards.

When accessing webservices with maps within Cartaro, stateful authentication is shared between Drupal and GeoServer by means of a commonly used cookie. Access to the OGC services is possible from other clients, e.g. desktop GIS. As this access is stateless, we have to make sure that data are also protected.

Step by step HowTo

Let's start creating a spatially-enabled content type. Drupal content are naturally stored and shown in nodes. Within Cartaro, the GeoServer module allows grouping nodes in layers that will be delivered by GeoServer. Based on the geodata in Drupal stored in our new content type, we can create now a layer that will be provided via WMS or WFS.

This new layer will be automatically available in GeoServer, so their access rules can be set as in any normal layer through the GeoServer GUI. Anyway, to simplify data security management and avoid mistakes, all access rules can be defined inside Cartaro. In the Cartaro People → Permissions page, node content type permissions can be set as usual but, additionally, under the Geoserver permissions group, layer permissions can also be defined.

GeoServer layers permissions

On layer creation, the default permissions are taken from the content type permissions or for the Nodetype access if this module is activated.

Layer permissions in Drupal will be promoted to GeoServer's security settings. In this way, the same access rules will be applied to a layer accessed directly in the Drupal GUI or though an OGC service from GeoServer.


This permission synchronization only works if the GeoServer extension to share users and roles with Drupal is installed.

A transactional Web Feature Service (WFS-T) allows creation, deletion, and updating of features. Data may be written by means of WFS-T with write privileges defined in Drupal being applied.

GeoServer also supports access control at the service level. There are two main categories of services in GeoServer: OWS services, such as WMS and WFS, and RESTful services. Service access rules can be defined using the Geoserver GUI.

Usage of protected service from other clients than Drupal

Protected layers can be also loaded from other clients, e.g. desktop GIS though OGC services. In the image, a protected layer is accessed using QGis asking for the required authentication.

Load protected layer into QGis

« Back to Documentation index