Workspace use
The flexibility provided by workspaces can be daunting when setting up a new GeoCat Live instance. This article presents two recommended configurations as a starting point for your own mapping policies.
Naming policy
Defining a clear policy is vital for GIS Professionals and Programming teams that depend on having a stable and clear API to use to access information. Doing something as simple as changing a layer name can interrupt service for anyone with maps defined using your services.
-
It is important to keep the machine readable layer name and workspace prefix stable once created.
- prefix:name
- example:river
This information provides a distinct URL used to access geospatial content.
-
In many cases the layer name is also restricted by intended use, with layer name being used as an XML Element when published as XML content.
Recommendation: Use simple lower-case alphanumeric name, starting with a letter.
-
The workspace namespace is used for XML content and document validation, and is intended to be unique in the world.
- https://instance.geocat.live/geoserver/prefix]{.title-ref
- https://instance.geocat.live/geoserver/river]{.title-ref
A useful convention is to construct a URL from service location and workspace prefix.
Public use of mapping services is primarily through the catalogue service portal and client applications listing title and abstract information. If your name and prefix conventions results in ugly or verbose URLs this will not be noticed by visitors seeking to find and download information. You are free to update the human readable title and abstract information displayed to visitors any time.
Single workspace policy
Setting up a GeoCat Live instance with a single workspace is a great option for project group or municipality that wishes publish information to the public in an easy and direct manner.
Recommendation:
-
Turn on global services.
-
Create a single workspace with your organization name
Use your company website as the namespace URI.
Set this as the default workspace.
-
Customize the configuration for each virtual workspace service, and disable.
This will prevent the virtual workspace services from being used.
Using this approach you can safely ignore the concept of a workspace, your content will be available directly using the global WMS, WFS and WCS services.
While each layer name must be unique, GeoServer can comfortably scale up to publishing thousands of layers using this approach.
Distinct workspace policy
Setting up a shared GeoServer for individual working groups or project teams is a good option for large organizations that have distinct working groups. This approach can also be beneficial for application development providing each project its own resources to work with.
-
Turn off global services.
While this makes the GeoServer welcome screen harder to work with (you can no longer use the URLs directly) it is an important step for providing independence between workspaces.
-
Configure global services with sensible defaults:
-
WMS Settings: Always include Root Layer in Capabilities disable.
A root layer is not necessary when a service has a single layer.
-
Reduce SRS list to the projections commonly used by your organization
-
-
Define a role for editing:
edit
-
Set global service security to require:
wfs.CreateStoredQueryroles:GROUP_ADMIN,ADMINwfs.DropStoredQueryroles:GROUP_ADMIN,ADMINwfs.Transactionroles:edit
-
Set global data security to:
*.*.rroles:AUTHENTICATED
This will prevent newly published data from being immediately available.
-
Setup each workspace with the name of the working group or project.
- prefix:
project - namespace URI:
http://instance.geocat.live/geoserver/project
This convention forms a unique namespace URI from service url and workspace preix.
- prefix:
-
Customize the configuration for each virtual workspace service with the team\'s contact information and details.
-
Define a roles for project team:
project_accessproject_editextending roleeditproject_admin
By extending role
editaccess is granted towfs.Transaction. -
Apply these roles to workspace security:
project.*.rrole:project_access,ADMINproject.*.wrole:project_edit,ADMINproject.*.xrole:project_admin,ADMIN
As shown above it is useful to allow
ADMINrole access for troubleshooting. -
Define a group
project_teamto setup each team member roles:- Grant
project_access,project_edit,project_admin
This allows team members manage the workspace (and publish information using bridge) and edit content using WFS-T.
- Grant
-
Set up one user as team project lead, if appropriate
- group:
project_team(grantsproject_access,project_edit,project_admin) - roles:
GROUP_ADMIN
The individual can now manage their staff, and has responsibility for managing wfs stored queries for their project.
- group:
-
When publishing maps (as a LayerGroup):
-
Use mode
SINGLEwhere possible as the resulting layer is easy to manage and allows the use of layer group styles. -
Use mode
Named Treeonly if you are comfortable with layers being present children in table of contents structure. -
Use Layer Group mode
Opaque Containerto only offer a visual map, and avoid sharing any of the contained layers at all.This is a very powerful restriction, overriding any data security control of layer accessibility.
-
If using bridge consider Bridge Preview Workspace workflow.
-
-
When creating folders in WMS table of contents structure:
-
Defining a table of contents structure is completely optional, but can be beneficial to GIS Professionals browsing your web service.
Defining a table of contents structure should not be viewed as a replacement for full SDI experience (registering web services and layers in a catalogue provides the best user experience for GIS Professionals).
-
Recommend use layer WMS Path setting as a quick method of defining folder structure.
This is a quick way to group data by topic.
-
Use Layer Group mode
Container Treeif human readable title / abstract is required for folder.This can also be used to group published maps.
-
Use Layer Group mode
Earth Observation Treeif your folder contains hundreds of layers, and you would like to nominate one layer as offering a visual overview for the folder.
-
-
When project is ready to be shared with the public change data permissions to allow both authenticated and anonymous access:
project.*.rrole:AUTHENTICATED,ANONYMOUS
If the project is not intended for public use:
- Continue to keep workspace restricted
- Explore other authorization options (such as
/security/appkey).
Working with disabled global services
-
When working with global services disabled:
-
The welcome page links to services are no longer accessable, producing errors such as:
No workspace specified -
The embedded geowebcache is no longer accessable, producing errors such as:
No such workspace 'gwc/service'
-
-
Use the resource browser to add a
www/project.htmllanding page for the project workspace.project.html<!DOCTYPE html> <html> <body> <h1>Project Services</h1> <p>Geospatial web services for use with Desktop GIS and Web Mapping software:</p> <ul> <li><a href="/geoserver/project/ows?Service=WMS&Request=GetCapabilities"> OGC Web Map Service </a><br/> Visualize and explore geospatial information, WMS publishes layers for data visualization. </li> <li><a href="/geoserver/project/ows?Service=WFS&Request=GetCapabilities"> OGC Web Feature Service</a> <br/> Download and query feature data, WFS lists FeatureTypes of vector data. </li> <li><a href="/geoserver/project/ows?Service=WCS&Request=GetCapabilities"> OGC Web Coverage Service </a><br/> Download and sample raster data and imagery, WCS lists CoverageTypes of raster data. </li> <li><a href="/geoserver/project/ows?Service=WPS&Request=GetCapabilities"> OGC Web Processing Service </a><br/> Perform analysis and processing, WPS lists processes available for synchronous or asynchronies execution. </li> </ul> <p>Web services for web mapping and mobile use:</p> <ul> <li><a href="/geoserver/project/gwc/service/wmts?REQUEST=GetCapabilities"> OGC Web Map Tile Service </a><br/> Access imagery for for client use, WMTS publishes TileSets of imagery prepared by GridSet. </li> <li><a href="/geoserver/project/gwc/service/tms/1.0.0"> Tile Map Service </a><br/> TMS presents TileSets prepared into a folder structure by zoom level.</li> </ul> </body> </html> -
Workspace \"virtual\" web services are available using path
/geoserver/{workspace}/ows?:WMS: GetCapabilities lists layer with name
layer(no prefix)https://instance.geocat.live/geoserver/project/ows?service=WMS&request=GetCapabilities
<Layer queryable="1" opaque="0"> <Name>geographic_lines</Name> <Title>Geographic lines</Title> <Abstract /> <KeywordList> <Keyword>ne_10m_geographic_lines</Keyword> </KeywordList> <!--Limited list of EPSG projections:--> <CRS>EPSG:4326</CRS> <CRS>EPSG:3857</CRS> <CRS>EPSG:900913</CRS> <CRS>EPSG:4490</CRS> <CRS>CRS:84</CRS> <EX_GeographicBoundingBox></EX_GeographicBoundingBox> <BoundingBox CRS="CRS:84" minx="-180" miny="-90" maxx="180" maxy="90" /> <BoundingBox CRS="EPSG:4326" minx="-90" miny="-180" maxx="90" maxy="180" /> <Style></Style> </Layer>WFS: GetCapabilities lists feature types with name
project:layerhttps://instance.geocat.live/geoserver/project/ows?service=WFS&request=GetCapabilities
<FeatureType> <Name>project:geographic_lines</Name> <Title>Geographic lines</Title> <Abstract /> <ows:Keywords> <ows:Keyword>ne_10m_geographic_lines</ows:Keyword> </ows:Keywords> <DefaultCRS>urn:ogc:def:crs:EPSG::4326</DefaultCRS> <ows:WGS84BoundingBox> <ows:LowerCorner>-180.00000000000006 -89.99999550842358</ows:LowerCorner> <ows:UpperCorner>180.0033129137219 89.99999550842358</ows:UpperCorner> </ows:WGS84BoundingBox> </FeatureType>WCS: GetCapabilities lists coverage with coverage id
geoserver/project__layerhttps://instance.geocat.live/geoserver/project/ows?service=WCS&request=GetCapabilities
<wcs:CoverageSummary> <ows:Title>Elevation</ows:Title> <ows:Keywords> <ows:Keyword>alwdgg</ows:Keyword> <ows:Keyword>WCS</ows:Keyword> <ows:Keyword>GeoTIFF</ows:Keyword> </ows:Keywords> <wcs:CoverageId>project__dem</wcs:CoverageId> <wcs:CoverageSubtype>RectifiedGridCoverage</wcs:CoverageSubtype> <ows:WGS84BoundingBox> <ows:LowerCorner>-180.0 -90.0</ows:LowerCorner> <ows:UpperCorner>180.0 90.0</ows:UpperCorner> </ows:WGS84BoundingBox> <ows:BoundingBox crs="http://www.opengis.net/def/crs/EPSG/0/EPSG:4326"> <ows:LowerCorner>-180.0 -90.0</ows:LowerCorner> <ows:UpperCorner>180.0 90.0</ows:UpperCorner> </ows:BoundingBox> </wcs:CoverageSummary>WMTS: GetCapabilities lists layer with name
layer(no prefix)https://instance.geocat.live/geoserver/project/gwc/service/wmts?REQUEST=GetCapabilities
-
Web services for individual layers are available using path
geoserver/{workspace}/{layer}/ows?:WFS: GetCapabilities lists feature types with name
project:layerhttps://instance.geocat.live/geoserver/project/layer/ows?service=WFS&request=GetCapabilities
WMS: GetCapabilities lists layer with name
layer(no prefix)https://instance.geocat.live/geoserver/project/layer/ows?service=WMS&request=GetCapabilities
WCS: GetCapabilities lists coverage with coverage id
project__layerhttps://instance.geocat.live/geoserver/project/layer/ows?service=WCS&request=GetCapabilities
WMTS: GetCapabilities lists layer with name
layer(no prefix)https://instance.geocat.live/geoserver/project/layer/gwc/service/wmts?REQUEST=GetCapabilities
These per-layer services are often used in mobile or web mapping when only a single layer of the published content is required.
The approach is also efficient in a spatial data infrastructure, with catalogue records being used for data discovery, and each record linking to the web services used to access the requested content.