Existing Interceptors

WMS GetCapabilities Interceptor

Class: org.n52.security.enforcement.interceptors.DefaultGetCapabilitiesInterceptor

This interceptor replaces all occurrences of the URL of the protected service (the 'endpoint') inside the response document with the facade URL given by the corresponding DoService operation parameter.

Example <Interceptor> element of a security-config.xml file

<Interceptor class="org.n52.security.enforcement.interceptors.DefaultGetCapabilitiesInterceptor"/>

WMS Layers Filter Interceptor

Class: org.n52.security.enforcement.interceptors.FilterLayerFromCapabilitiesInterceptor

This interceptor cycles through all layers declared in the capabilities response and asks the decision service whether the user is allowed to access each layer. If not, the layer is removed from the capabilities document.

Parameters

| Parameter | Default | Description |
|---|---|---|
| insufficientRightsMessage | None | Message that is part of the exception report returned when the user request (or the response) was blocked. |
| decisionService | None | An instance of DecisionService used to evaluate policy decision requests. |

Example <Interceptor> element of a security-config.xml file

<Interceptor class="org.n52.security.enforcement.interceptors.FilterLayerFromCapabilitiesInterceptor">

   <!-- Reference to a Decision Service entry defined above -->
   <Property name="decisionService" idRef="defaultDecisionPoint"/>

   <!-- Reference to an Environment property defined above -->
   <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
</Interceptor>
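
The filtering step described above, sketched in Python as an added example (it is not the project's code). `filter_layers`, `is_permitted` and `POLICY` are hypothetical stand-ins for the interceptor and its DecisionService, and the capabilities fragment is constructed sample data for an un-namespaced WMS 1.1.1 document.

```python
import xml.etree.ElementTree as ET

# Constructed WMS 1.1.1 capabilities fragment (sample data only).
SAMPLE_CAPABILITIES = """<WMT_MS_Capabilities version="1.1.1">
  <Capability>
    <Layer>
      <Title>Root</Title>
      <Layer><Name>roads</Name><Title>Roads</Title></Layer>
      <Layer>
        <Name>utilities</Name><Title>Utilities</Title>
        <Layer><Name>pipelines</Name><Title>Pipelines</Title></Layer>
      </Layer>
      <Layer><Name>parcels</Name><Title>Parcels</Title></Layer>
    </Layer>
  </Capability>
</WMT_MS_Capabilities>"""

# Constructed policy; unknown users and unknown layers are denied.
POLICY = {"alice": {"roads", "parcels"}}


def is_permitted(user, layer):
    """Hypothetical stand-in for a DecisionService query."""
    return layer in POLICY.get(user, set())


def layer_names(layer):
    """Names of a layer and of every layer nested below it."""
    names = (l.findtext("Name") for l in layer.iter("Layer"))
    return [n.strip() for n in names if n]


def filter_layers(capabilities_xml, user, decide=is_permitted):
    """Return (filtered_xml, removed_names) for the given user."""
    root = ET.fromstring(capabilities_xml)
    removed = []

    def prune(parent):
        for layer in list(parent.findall("Layer")):  # copy: parent is mutated
            name = layer.findtext("Name")
            # Unnamed layers are containers only, so just named layers are checked.
            if name and not decide(user, name.strip()):
                # Removing the element drops nested layers too, so a denied
                # parent does not leave its children advertised.
                removed.extend(layer_names(layer))
                parent.remove(layer)
            else:
                prune(layer)

    for capability in root.iter("Capability"):
        prune(capability)
    return ET.tostring(root, encoding="unicode"), removed
```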

WMS GetMap Interceptor

This interceptor checks whether all layers requested by a GetMap request are accessible to the requesting user. All denied layers are silently removed from the request. If no permitted layer remains, the interceptor blocks the request and returns a service exception.

Parameters

| Parameter | Default | Description |
|---|---|---|
| insufficientRightsMessage | None | Message that is part of the exception report returned when the user request (or the response) was blocked. |
| decisionService | None | An instance of DecisionService used to evaluate policy decision requests. |

Example <Interceptor> element of a security-config.xml file

<Interceptor class="org.n52.security.enforcement.interceptors.DefaultWMSGetMapInterceptor">
   <Property name="decisionService" idRef="defaultDecisionPoint"/>
   <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
</Interceptor>
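
The request rewriting described above, sketched in Python as an added example (it is not the project's code). `filter_getmap`, `ServiceException` and the `decide` callback are hypothetical names. Keeping the positional STYLES list aligned with LAYERS and rejecting repeated parameter names go beyond what this page documents and are assumptions about sensible handling.

```python
from urllib.parse import parse_qsl, urlencode


class ServiceException(Exception):
    """Signals a blocked request; carries the insufficientRightsMessage text."""


def filter_getmap(query, user, decide, insufficient_rights_message):
    """Return the GetMap query string with denied layers removed."""
    params = parse_qsl(query, keep_blank_values=True)
    # WMS parameter names are case-insensitive: index them by upper-cased name.
    index = {}
    for pos, (key, _) in enumerate(params):
        if key.upper() in index:
            # A repeated name is ambiguous: the backend might read the copy
            # that was not filtered, so the request is rejected outright.
            raise ValueError("duplicate parameter: " + key)
        index[key.upper()] = pos
    if "LAYERS" not in index:
        raise ValueError("GetMap request without LAYERS")

    layers = params[index["LAYERS"]][1].split(",")
    styles = params[index["STYLES"]][1].split(",") if "STYLES" in index else []
    # STYLES is positional (entry n belongs to layer n); pad missing entries
    # with "" (default style) so the pairs stay aligned.
    styles += [""] * (len(layers) - len(styles))

    kept = [(l, s) for l, s in zip(layers, styles) if decide(user, l)]
    if not kept:
        # No permitted layer remains: block instead of forwarding.
        raise ServiceException(insufficient_rights_message)

    def replace(name, value):
        pos = index[name]
        params[pos] = (params[pos][0], value)

    replace("LAYERS", ",".join(l for l, _ in kept))
    if "STYLES" in index:
        replace("STYLES", ",".join(s for _, s in kept))
    return urlencode(params, safe=",/:")
```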

WMS GetFeatureInfo Interceptor

This interceptor blocks all GetFeatureInfo requests that try to access layers that are not permitted for the user. The interceptor supports the enforcement of spatial obligations/restrictions per layer, where the geometry is a simple box. All requests pointing outside the box are blocked.

Parameters

| Parameter | Default | Description |
|---|---|---|
| insufficientRightsMessage | None | Message that is part of the exception report returned when the user request (or the response) was blocked. |
| decisionService | None | An instance of DecisionService used to evaluate policy decision requests. |
| catchbox.delta.x, catchbox.delta.y | 0 | Number of pixels used to internally buffer a spatial restriction (bounding box), if one is defined, for the GetFeatureInfo request. The pixel count is converted into a buffer distance in the proper coordinate system, which depends on the actual map extent. The intention of this parameter is to prevent a catch box applied by the WMS implementation from identifying features that lie outside the defined spatial restriction. |

Example <Interceptor> element of a security-config.xml file

<Interceptor class="org.n52.security.enforcement.interceptors.DefaultWMSGetFeatureInfoInterceptor">
   <Property name="decisionService" idRef="defaultDecisionPoint"/>
   <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
   <Property name="catchbox.delta.x" value="2"/>
   <Property name="catchbox.delta.y" value="2"/>
</Interceptor>
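
How a pixel buffer such as `catchbox.delta.x`/`catchbox.delta.y` translates into map units for a given extent, sketched in Python as an added example (it is not the project's code). The function names are hypothetical, the request uses WMS 1.1.1 pixel coordinates (X, Y with the origin at the top-left), and shrinking the restriction box inward by the buffer is an assumption drawn from the stated intention of the parameter.

```python
def map_resolution(bbox, width, height):
    """Map units per pixel (x, y) for a request BBOX and image size."""
    minx, miny, maxx, maxy = bbox
    if width <= 0 or height <= 0 or maxx <= minx or maxy <= miny:
        raise ValueError("invalid BBOX or image size")
    return (maxx - minx) / width, (maxy - miny) / height


def query_point(bbox, width, height, x, y):
    """Map coordinate of the centre of pixel (x, y); pixel (0, 0) is top-left."""
    if not (0 <= x < width and 0 <= y < height):
        raise ValueError("pixel outside the image")
    res_x, res_y = map_resolution(bbox, width, height)
    # Image rows grow downward while map Y grows upward, hence the subtraction.
    return bbox[0] + (x + 0.5) * res_x, bbox[3] - (y + 0.5) * res_y


def is_query_allowed(bbox, width, height, x, y, restriction,
                     delta_x=0, delta_y=0):
    """True if the query point lies inside the buffered restriction box.

    Assumption: the box is shrunk by delta pixels on every side, so that a
    catch box of that size around the click stays inside the restriction.
    """
    res_x, res_y = map_resolution(bbox, width, height)
    px, py = query_point(bbox, width, height, x, y)
    # The same pixel count is a larger map distance when zoomed out.
    buf_x, buf_y = delta_x * res_x, delta_y * res_y
    rminx, rminy, rmaxx, rmaxy = restriction
    return (rminx + buf_x <= px <= rmaxx - buf_x
            and rminy + buf_y <= py <= rmaxy - buf_y)
```

With a restriction of (20, 20, 60, 60), a click half a map unit inside the box edge passes with a delta of 0 and is blocked with a delta of 2, and at a ten times coarser map scale the same delta removes the whole box.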

Logging Interceptor

This interceptor logs information about processed service requests and responses. It creates two files, one for request log information and one for response log information.

Parameters

| Parameter | Default | Description |
|---|---|---|
| request.log.get.enabled | None | If set to true, the interceptor will log HTTP GET requests; they are not logged if set to false. |
| request.log.post.enabled | None | If set to true, the interceptor will log HTTP POST requests; they are not logged if set to false. POST requests may contain large amounts of data, which makes the log file grow rapidly. |
| request.logfile.path, response.logfile.path | None | Path of the request or response log file. |
| request.logfile.maxKBytes, response.logfile.maxKBytes | None | Defines the maximum size of the request or response log file. As soon as the specified size is exceeded, the log file is renamed by adding a consecutive number. |
| response.log.enabled | None | If set to true, the interceptor will log responses; they are not logged if set to false. |
| response.log.mimetypes | None | Space-separated list of MIME types that are supposed to be logged. This allows, for example, logging only textual data while omitting image data. When logged, all white space characters such as tab and new line are stripped. |

Example <Interceptor> element of a security-config.xml file

<Interceptor class="org.n52.security.enforcement.interceptors.AccessLogInterceptor">
   <Parameter name="request.log.get.enabled" value="true"/>
   <Parameter name="request.log.post.enabled" value="false"/>
   <Parameter name="request.logfile.path" value="c:/access_req.log"/>
   <Parameter name="request.logfile.maxKBytes" value="40"/>
   <Parameter name="response.log.enabled" value="false"/>
   <Parameter name="response.log.mimetypes" value="text/xml text/html application/vnd.ogc.wms_xml"/>
   <Parameter name="response.logfile.path" value="c:/access_res.log"/>
   <Parameter name="response.logfile.maxKBytes" value="40"/>
</Interceptor>