gost / server

GOST - Go implementation of OGC SensorThings API
MIT License

Q: how to secure STA/MQTT API? #78

Closed justb4 closed 7 years ago

justb4 commented 7 years ago

AFAIKS when running GOST with optional MQTT it seems that any client can issue modifying REST operations, e.g. create sensor, send observation. Is there a way in GOST to password-protect modification operations? For example that any client has read-access, but write-access is protected, for example via HTTP(S)-basic auth. Or is it the intention to handle secured access in the frontend-webserver (Nginx, Apache2) level? Thanks for any suggestions.

bertt commented 7 years ago

see 7.7 'SensorThings API and Security' in the Specs: "SensorThings API does not define specific security capabilities"

bertt commented 7 years ago

http://docs.opengeospatial.org/is/15-078r6/15-078r6.html#21

justb4 commented 7 years ago

Ok, thanks for quick reply, we'll proceed from there!

justb4 commented 7 years ago

Tip: GOST (or any STA) can be secured at the HTTP-proxy, e.g. Apache2 or nginx, for example to require basic authentication for modifying requests with Apache2 (our usernames are different):

    <Location /gost/v1.0/>
        <Limit POST PUT DELETE PATCH>
            AuthType Basic
            AuthName "GOST Writer"
            AuthUserFile "/etc/apache2/thepwfile"
            Require user gost
        </Limit>
    </Location>

And to secure the Dashboard (also secures modifying operations within Dashboard):

    <Location "/gost/Dashboard/">
        AuthType Basic
        AuthName "GOST Writer"
        AuthUserFile "/etc/apache2/thepwfile"
        Require user gost
    </Location>
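As an added example (not code from this thread or from the GOST project), the policy expressed by the two Apache blocks above, rewritten as a small Python WSGI middleware so that the rule is explicit and testable: under the API prefix, reads stay anonymous and any modifying method needs a valid user; under the Dashboard prefix, every method needs one. It assumes an htpasswd file in the `{SHA}` format that `htpasswd -s` writes; the user name, password and paths are constructed sample values. Note that a proxy rule like this only covers the HTTP path: observations published through the MQTT broker are not seen by the web server and need the broker's own authentication.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Methods that do not modify state; below the write-protected prefix they stay
# open to anonymous clients. Every other method (POST, PUT, PATCH, DELETE and
# anything unknown) needs credentials, the effect of Apache's
# <LimitExcept GET HEAD OPTIONS> rather than an explicit <Limit ...> list.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def sha_entry(user: str, password: str) -> str:
    """One htpasswd line in the {SHA} format that `htpasswd -s` writes."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def load_htpasswd(text: str) -> Dict[str, str]:
    """Parse htpasswd text into {user: stored_hash}; blank and '#' lines are skipped."""
    users: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        users[user] = stored
    return users


def verify(users: Dict[str, str], user: str, password: str) -> bool:
    """Check a password against a {SHA} entry using a constant-time comparison."""
    stored = users.get(user, "")
    if not stored.startswith("{SHA}"):
        return False  # unknown user or an htpasswd format this example does not handle
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    presented = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(stored[len("{SHA}"):], presented)


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Extract (user, password) from 'Authorization: Basic <b64>', or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")
    return user, password


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client sends for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


class WritePolicy:
    """write_prefix: reads open, modifying methods need a user (the API).
    all_prefix: every method needs a user (the Dashboard). Prefixes are assumed values."""

    def __init__(self, users, write_prefix="/gost/v1.0/", all_prefix="/gost/Dashboard/"):
        self.users, self.write_prefix, self.all_prefix = users, write_prefix, all_prefix

    def decide(self, method: str, path: str, auth_header: Optional[str] = None):
        """Return (allowed, authenticated_user_or_None)."""
        method = method.upper()
        needs_auth = path.startswith(self.all_prefix) or (
            path.startswith(self.write_prefix) and method not in SAFE_METHODS)
        if not needs_auth:
            return True, None
        creds = parse_basic(auth_header)
        if creds and verify(self.users, *creds):
            return True, creds[0]
        return False, None

    def wsgi(self, app, realm="GOST Writer"):
        """Wrap a WSGI app so the policy is enforced in front of it."""
        def middleware(environ, start_response):
            allowed, user = self.decide(environ.get("REQUEST_METHOD", "GET"),
                                        environ.get("PATH_INFO", ""),
                                        environ.get("HTTP_AUTHORIZATION"))
            if allowed:
                if user:
                    environ["REMOTE_USER"] = user
                return app(environ, start_response)
            start_response("401 Unauthorized", [("WWW-Authenticate", f'Basic realm="{realm}"'),
                                                ("Content-Type", "text/plain")])
            return [b"credentials required\n"]
        return middleware


def simulate(policy: WritePolicy, method: str, path: str, auth_header=None) -> str:
    """Run one request through the middleware over a stub app; return the HTTP status line."""
    def ok_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok\n"]
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path}
    if auth_header:
        environ["HTTP_AUTHORIZATION"] = auth_header
    seen = []
    policy.wsgi(ok_app)(environ, lambda status, headers: seen.append(status))
    return seen[0]


# Constructed sample htpasswd: one writer account "gost" with password "s3cret" (not a real credential).
SAMPLE_USERS = load_htpasswd("# GOST writers\n" + sha_entry("gost", "s3cret") + "\n")
POLICY = WritePolicy(SAMPLE_USERS)

if __name__ == "__main__":
    print("anonymous GET  ->", simulate(POLICY, "GET", "/gost/v1.0/Things"))
    print("anonymous POST ->", simulate(POLICY, "POST", "/gost/v1.0/Things"))
    print("writer POST    ->", simulate(POLICY, "POST", "/gost/v1.0/Things", basic_header("gost", "s3cret")))
```

The one deliberate difference from the `<Limit POST PUT DELETE PATCH>` block is the default: here anything that is not GET, HEAD or OPTIONS is treated as a write, so a method the list never mentioned cannot slip past the check. In Apache the same effect is obtained with `<LimitExcept GET HEAD OPTIONS>` around the auth directives.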

bertt commented 7 years ago

thanks, I've put this information here: https://github.com/Geodan/gost/blob/master/docs/gost_security.md

justb4 commented 7 years ago

great!