Logo of 52°North

Exisiting PDP Implementations

Permission Collection PDP

General Information

  • Factory class: org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory
  • Implementation class: org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDP

Parameters

Parameter Description Default
fileLocation classpath-relative path to the XML file that stores the permissions /users.xml

Permission Repository

The permission repository is an XML file that contains one <PermissionCollection> element for every type of resource to protect. Every <Permission> element inside this collection is specified as a combination of

  • <Resource>: protectable object covered by this permission
  • <Action>: the access mode covered by this permission
  • <Subject>: the user covered by this permission. Subjects themselves have type identifier as subject can be identified by roles, username, email addresses and so on. Currently the only possible type is urn:n52:authentication:subject:principal:role.

Example:

<Rights version="1.2" xmlns="http://www.52north.org/rights" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.52north.org/rights ../rights.xsd ">
   <PermissionCollection type="target:wms:service">
      <Permission>
         <Resource>http://intergeo.sdisuite.de/wmsconnector/gdi/brd</Resource>
         <Action>*</Action>
         <Subject type="urn:n52:authentication:subject:principal:role">*</Subject>
      </Permission>
   </PermissionCollection>

   <PermissionCollection type="target:wms:layer">
      <Permission>
         <Resource>*</Resource>
         <Action>GetCapabilities</Action>
         <Subject type="urn:n52:authentication:subject:principal:role">Alice</Subject>
      </Permission>
   </PermissionCollection>
</Rights>

Note: Everything that is not explicitly expressed as a Permission is a denial.

An asterisk ("*") as the value of <Resource>, <Action>, or <Subject> has the meaning of "any".

The meaning of resource and action depends on the type of PermissionCollection. The available types are defined by the PDP/Interceptor implementation.

Currently available PermissionCollection types are:

  • target:wms:service: Denotes the service on the whole.
    Resource service URL that must exctly match the SecuredService defined in the pesConfig.xml file of the WSS
    Action No special action; use "*"
  • target:wms:layer: The layer of a WMS
    Resource Name of a named layer as defined in the capabilities document of the WMS
    Action GetCapabilities, GetMap, GetFeatureInfo
    • an absent permission to a access a layer by GetCapabilities means, that the layer will not be inside capabilities document
    • an absent permission for GetMap means, that the requested layer will be wiped off the incoming GetMap request.
    • an absent permission to access a layer with GetFeatureInfo will result in a denial of a GetFeatureInfo request and switching off the queryable attribute in the protected services capabilities document.

Example <PDP> element in a WSS' pesConfig.xml file

<PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
   <ParameterList>
      <Parameter name="fileLocation">/conf/pes/rights.xml</Parameter>
   </ParameterList>
</PDP>