Existing Interceptors
- WMS GetCapabilities Interceptor
- WMS Layers Filter Interceptor
- WMS GetMap Interceptor
- WMS GetFeatureInfo Interceptor
- Logging Interceptor
WMS GetCapabilities Interceptor
Class: org.n52.security.enforcement.interceptors.DefaultGetCapabilitiesInterceptor
This interceptor replaces all occurrences of the URL of the protected service (the 'endpoint') inside the response document with the facade URL given by the corresponding DoService operation parameter.
WMS Layers Filter Interceptor
Class: org.n52.security.enforcement.interceptors.FilterLayerFromCapabilitiesInterceptor
This interceptor cycles through all layers declared in the capabilities response and asks the decision service whether the user is allowed to access each layer. If not, the layer is removed from the capabilities document.
Parameters
| Parameter | Default | Description |
|---|---|---|
| insufficientRightsMessage | None | Message included in the exception report that is returned when the user request (or the response) was blocked. |
| decisionService | None | An instance of DecisionService used to evaluate policy decision requests. |
Example <Interceptor> element of a security-config.xml file
<Interceptor class="org.n52.security.enforcement.interceptors.FilterLayerFromCapabilitiesInterceptor">
  <!-- Reference to a Decision Service entry defined above -->
  <Property name="decisionService" idRef="defaultDecisionPoint"/>
  <!-- Reference to an Environment property defined above -->
  <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
</Interceptor>
WMS GetMap Interceptor
This interceptor checks whether all layers requested by a GetMap request are accessible to the requesting user. All denied layers are silently removed from the request. If no permitted layer remains, the interceptor blocks the request and returns a service exception.
Parameters
| Parameter | Default | Description |
|---|---|---|
| insufficientRightsMessage | None | Message included in the exception report that is returned when the user request (or the response) was blocked. |
| decisionService | None | An instance of DecisionService used to evaluate policy decision requests. |
Example <Interceptor> element of a security-config.xml file
<Interceptor class="org.n52.security.enforcement.interceptors.DefaultWMSGetMapInterceptor">
  <Property name="decisionService" idRef="defaultDecisionPoint"/>
  <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
</Interceptor>
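The GetMap rule described above (drop denied layers, block when none remain), sketched in Python as an added example; it is not the interceptor's own code. The `is_permitted` callback stands in for the decision service, `InsufficientRights` is a hypothetical name, and filtering STYLES together with LAYERS is an assumption based on WMS pairing the two lists positionally.

```python
from urllib.parse import parse_qsl, urlencode


class InsufficientRights(Exception):
    """Raised when no requested layer is permitted (hypothetical name)."""


def filter_getmap(query, is_permitted, message="Insufficient rights"):
    """Drop denied layers from a WMS GetMap query string.

    is_permitted(layer) -> bool stands in for the decision service.
    Returns the rewritten query string; raises InsufficientRights when
    no permitted layer remains.
    """
    # WMS parameter names are case-insensitive; normalise to upper case.
    params = {k.upper(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    layers = params.get("LAYERS", "").split(",")
    styles = params.get("STYLES", "").split(",")
    # An empty STYLES value means "default style for every layer".
    if styles == [""]:
        styles = [""] * len(layers)
    if len(styles) != len(layers):
        raise ValueError("STYLES must have one entry per layer")

    # Filter layer/style pairs together so the remaining styles still
    # line up with the remaining layers.
    kept = [(l, s) for l, s in zip(layers, styles) if l and is_permitted(l)]
    if not kept:
        raise InsufficientRights(message)

    params["LAYERS"] = ",".join(l for l, _ in kept)
    params["STYLES"] = ",".join(s for _, s in kept)
    return urlencode(params, safe=",")


if __name__ == "__main__":
    # Constructed request and policy: the user may see roads and rivers only.
    allowed = {"roads", "rivers"}
    q = ("SERVICE=WMS&REQUEST=GetMap&LAYERS=roads,parcels,rivers"
         "&STYLES=line,,blue&BBOX=0,0,10,10")
    print(filter_getmap(q, allowed.__contains__))
```

Because denied layers disappear without an error, a client cannot tell a denied layer from a missing one unless the request is blocked entirely.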
WMS GetFeatureInfo Interceptor
This interceptor blocks all requests that try to access layers with GetFeatureInfo that are not permitted for the user. The interceptor supports the enforcement of spatial obligations/restrictions per layer, where the geometry is a simple box. All requests pointing outside the box are blocked.
Parameters
| Parameter | Default | Description |
|---|---|---|
| insufficientRightsMessage | None | Message included in the exception report that is returned when the user request (or the response) was blocked. |
| decisionService | None | An instance of DecisionService used to evaluate policy decision requests. |
| catchbox.delta.x and .y | 0 | Number of pixels used to internally buffer a spatial restriction (bounding box), if one is defined, for the GetFeatureInfo request. The pixel count is converted into a buffer distance in the proper coordinate system, which depends on the actual map extent. The purpose of this parameter is to prevent a catch box applied by the WMS implementation from making it possible to identify features that lie outside the defined spatial restriction. |
Example <Interceptor> element of a security-config.xml file
<Interceptor class="org.n52.security.enforcement.interceptors.DefaultWMSGetFeatureInfoInterceptor">
  <Property name="decisionService" idRef="defaultDecisionPoint"/>
  <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
  <Property name="catchbox.delta.x" value="2"/>
  <Property name="catchbox.delta.y" value="2"/>
</Interceptor>
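How a pixel buffer such as catchbox.delta.x/.y translates into map units and changes the outcome near the edge of a permitted box, as an added Python example; it is not the interceptor's implementation. It assumes the buffer shrinks the permitted box inward and that the queried pixel is evaluated at its centre; all function names and coordinates are constructed.

```python
def pixel_to_map(bbox, width, height, i, j):
    """Map coordinate of the centre of pixel (i, j).

    bbox is (minx, miny, maxx, maxy) from the request's BBOX parameter;
    j counts down from the top edge of the image, as in WMS.
    """
    minx, miny, maxx, maxy = bbox
    res_x = (maxx - minx) / width    # map units per pixel, x direction
    res_y = (maxy - miny) / height   # map units per pixel, y direction
    return minx + (i + 0.5) * res_x, maxy - (j + 0.5) * res_y


def shrink_box(permitted, bbox, width, height, delta_x, delta_y):
    """Buffer the permitted box inward by delta pixels at the current scale.

    Assumption: the buffer is applied inward, so that a catch box drawn
    around an allowed pixel cannot reach past the permitted box.
    """
    minx, miny, maxx, maxy = bbox
    buf_x = delta_x * (maxx - minx) / width
    buf_y = delta_y * (maxy - miny) / height
    pminx, pminy, pmaxx, pmaxy = permitted
    return pminx + buf_x, pminy + buf_y, pmaxx - buf_x, pmaxy - buf_y


def feature_info_allowed(permitted, bbox, width, height, i, j,
                         delta_x=0, delta_y=0):
    """True if the queried pixel lies inside the buffered permitted box."""
    x, y = pixel_to_map(bbox, width, height, i, j)
    sminx, sminy, smaxx, smaxy = shrink_box(
        permitted, bbox, width, height, delta_x, delta_y)
    return sminx <= x <= smaxx and sminy <= y <= smaxy


if __name__ == "__main__":
    permitted = (0, 0, 50, 50)          # constructed spatial restriction
    view = (0, 0, 100, 100)             # 100x100 px image, 1 unit per pixel
    # A click half a unit inside the permitted edge:
    print(feature_info_allowed(permitted, view, 100, 100, 49, 51))        # delta 0
    print(feature_info_allowed(permitted, view, 100, 100, 49, 51, 2, 2))  # delta 2
    # Zoomed out tenfold, the same 2 px buffer is 20 map units wide.
    print(shrink_box(permitted, (0, 0, 1000, 1000), 100, 100, 2, 2))
```

The buffer is fixed in pixels, so its width in map units grows as the client zooms out; at small scales a large part of the permitted box becomes unqueryable.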
Logging Interceptor
This interceptor can log information about processed service requests and responses. It creates two files, one for request log information and one for response log information.
Parameters
| Parameter | Default | Description |
|---|---|---|
| request.log.get.enabled | None | If set to true, the interceptor will log HTTP GET requests; they are not logged if set to false. |
| request.log.post.enabled | None | If set to true, the interceptor will log HTTP POST requests; they are not logged if set to false. POST requests may contain large amounts of data, which makes the log file grow rapidly. |
| request.logfile.path, response.logfile.path | None | Path of the request or response log file. |
| request.logfile.maxKBytes, response.logfile.maxKBytes | None | Defines the maximum size of the request or response log file. As soon as the specified size is exceeded, the log file is renamed by adding a consecutive number. |
| response.log.enabled | None | If set to true, the interceptor will log responses; they are not logged if set to false. |
| response.log.mimetypes | None | Contains a space-separated list of MIME types that are supposed to be logged. This allows, e.g., logging only textual data while omitting image data. When logged, all white space characters such as tab and new line are stripped. |
Example <Interceptor> element of a security-config.xml file
<Interceptor class="org.n52.security.enforcement.interceptors.AccessLogInterceptor">
  <Parameter name="request.log.get.enabled" value="true"/>
  <Parameter name="request.log.post.enabled" value="false"/>
  <Parameter name="request.logfile.path" value="c:/access_req.log"/>
  <Parameter name="request.logfile.maxKBytes" value="40"/>
  <Parameter name="response.log.enabled" value="false"/>
  <Parameter name="response.log.mimetypes" value="text/xml text/html application/vnd.ogc.wms_xml"/>
  <Parameter name="response.logfile.path" value="c:/access_res.log"/>
  <Parameter name="response.logfile.maxKBytes" value="40"/>
</Interceptor>






