
Existing PDP Implementations

This page provides a list of 52°North's implementations of the DecisionService interface.

These implementations are mainly used by Interceptors to query for authorization decisions such as: "Is a user with role 'internal' allowed to access layer 'Countries'?".

They are usually configured as part of a security-config.xml file that sets up a WSS.

The following implementations are provided and currently supported by 52°North:

XACML_1.1_PDP_Client

General Information

  • Class: org.n52.security.service.pdp.xacml.XACML1PDPClient

    This DecisionService implementation internally uses XACML policies to process decision requests.

    The XACML1PDPClient sends XACML policy requests through a configured requester, which is responsible for connecting to the actual XACMLDecisionService via SOAP, in-process, or any other means.

Bean Properties

Property     Description
requester    Instance of XACML1PDPRequester that determines how to connect to an XACML decision service
roleId       Attribute name of the subject's principal that is interpreted as role information

Usage in security-config.xml

Using the in-memory requester

The following example shows how to set up an in-memory requestor that connects to an XACML decision service configured to look up policies with the SimplePermissionsPolicyFinderModule.

    ...
    <Environment>
        ...
        <Property id="decisionServiceAdapter">
            <Object class="org.n52.security.service.pdp.xacml.BeanXACML1SOAPDecisionServiceAdapter">
            <Property name="XACML1DecisionService">
                <Object class="org.n52.security.service.pdp.xacml.XACML1DecisionServiceImpl">
                    <Property name="pdpConfig">
                        <Object factoryClass="org.n52.security.service.pdp.xacml.PDPConfigBeanFactory"
                                factoryMethod="createPDPConfig">
                            <Property name="attributeFinderModules">
                                <List>
                                    <Entry>
                                        <Object class="com.sun.xacml.finder.impl.CurrentEnvModule"/>
                                    </Entry>
                                    <Entry>
                                        <Object class="com.sun.xacml.finder.impl.SelectorModule"/>
                                    </Entry>
                                </List>
                            </Property>
                            <Property name="policyFinderModules">
                                <Set>
                                    <Entry>
                                        <Object class="org.n52.security.service.pdp.xacml.policyfinder.SelectFirstApplicablePolicyFinderModule">
                                            <Property name="childPolicyFinderModules">
                                                <List>
                                                    <Entry>
                                                        <Object class="org.n52.security.service.pdp.xacml.policyfinder.SimplePermissionsPolicyFinderModule">
                                                            <Property name="provider">
                                                                <Object class="org.n52.security.service.pdp.simplepermission.SimplePermissionFileProvider" initMethod="init">
                                                                    <Property name="path" value="permissions.xml"/>
                                                                </Object>
                                                            </Property>
                                                        </Object>
                                                    </Entry>
                                                </List>
                                            </Property>
                                        </Object>
                                    </Entry>
                                </Set>
                            </Property>
                        </Object>
                    </Property>
                </Object>
            </Property>
            </Object>
        </Property>

    ...
    <Services>
    ...
        <Service>
        ...
            <DecisionPoints>
                <DecisionPoint id="defaultDecisionPoint"
                                class="org.n52.security.service.pdp.xacml.XACML1PDPClient">
                    <Property name="roleId" value="urn:n52:security:subject:role"/>
                    <Property name="requester">
                        <Object class="org.n52.security.service.pdp.xacml.XACML1PDPInMemoryRequestor">
                            <Property name="decisionServiceAdapter" idRef="decisionServiceAdapter"/>
                        </Object>
                    </Property>
                </DecisionPoint>
            </DecisionPoints>

Permission Collection PDP

General Information

  • Factory class: org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory
  • Implementation class: org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDP

Parameters

Parameter       Description
fileLocation    classpath-relative path to the XML file that stores the permissions

Permission Repository

The permission repository is an XML file that contains one <PermissionCollection> element for every type of resource to protect. Every <Permission> element inside this collection is specified as a combination of

  • <Resource>: protectable object covered by this permission
  • <Action>: the access mode covered by this permission
  • <Subject>: the user covered by this permission. Subjects carry a type identifier, since a subject can be identified by a role, a username, an email address and so on. Currently the only possible type is urn:n52:authentication:subject:principal:role.

Example:

<Rights version="1.2" xmlns="http://www.52north.org/rights" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.52north.org/rights ../rights.xsd ">
   <PermissionCollection type="target:wms:service">
      <Permission>
         <Resource>http://intergeo.sdisuite.de/wmsconnector/gdi/brd</Resource>
         <Action>*</Action>
         <Subject type="urn:n52:authentication:subject:principal:role">*</Subject>
      </Permission>
   </PermissionCollection>

   <PermissionCollection type="target:wms:layer">
      <Permission>
         <Resource>*</Resource>
         <Action>GetCapabilities</Action>
         <Subject type="urn:n52:authentication:subject:principal:role">Alice</Subject>
      </Permission>
   </PermissionCollection>
</Rights>

Note: Everything that is not explicitly expressed as a Permission is a denial.

An asterisk ("*") as the value of <Resource>, <Action>, or <Subject> has the meaning of "any".

The meaning of resource and action depends on the type of PermissionCollection. The available types are defined by the PDP/Interceptor implementation.

Currently available PermissionCollection types are:

  • target:wms:service: denotes the service as a whole.
    Resource: service URL that must exactly match the SecuredService defined in the pesConfig.xml file of the WSS
    Action: no special action; use "*"
  • target:wms:layer: a layer of the WMS
    Resource: name of a named layer as defined in the capabilities document of the WMS
    Action: GetCapabilities, GetMap, GetFeatureInfo
    • an absent permission to access a layer via GetCapabilities means that the layer is not listed in the capabilities document
    • an absent permission for GetMap means that the requested layer is removed from the incoming GetMap request
    • an absent permission to access a layer via GetFeatureInfo means that a GetFeatureInfo request for it is denied and the queryable attribute is switched off in the protected service's capabilities document
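To make the permission-repository semantics above concrete (deny by default, "*" meaning "any", role-typed subjects, and the per-action consequences for the target:wms:layer type), here is an added example in Python. It is not part of the 52°North code base; it parses a constructed Rights document modelled on the example above and evaluates decisions the way the page describes them. The service URL, the layer names "Countries" and "Rivers", the role "Bob" and the second Permission granting GetMap on "Countries" are constructed for illustration.

```python
"""Model of the 52°North permission-repository semantics described on this page.
Added example, not the project's own code: deny by default, "*" means "any",
and subjects are matched by role.
"""
import xml.etree.ElementTree as ET

NS = {"r": "http://www.52north.org/rights"}
ROLE_TYPE = "urn:n52:authentication:subject:principal:role"

# Constructed sample repository modelled on the page's example: the whole
# service is open to any role, every layer is visible to "Alice" via
# GetCapabilities, and only "Alice" may GetMap the (constructed) "Countries" layer.
SAMPLE_RIGHTS = """<Rights version="1.2" xmlns="http://www.52north.org/rights">
  <PermissionCollection type="target:wms:service">
    <Permission>
      <Resource>http://example.invalid/wms</Resource>
      <Action>*</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">*</Subject>
    </Permission>
  </PermissionCollection>
  <PermissionCollection type="target:wms:layer">
    <Permission>
      <Resource>*</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">Alice</Subject>
    </Permission>
    <Permission>
      <Resource>Countries</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">Alice</Subject>
    </Permission>
  </PermissionCollection>
</Rights>"""


def load_permissions(xml_text):
    """Parse a Rights document into (collection type, resource, action, subject type, subject) tuples."""
    root = ET.fromstring(xml_text)
    perms = []
    for coll in root.findall("r:PermissionCollection", NS):
        ctype = coll.get("type")
        for p in coll.findall("r:Permission", NS):
            subj = p.find("r:Subject", NS)
            perms.append((
                ctype,
                p.findtext("r:Resource", namespaces=NS).strip(),
                p.findtext("r:Action", namespaces=NS).strip(),
                subj.get("type"),
                subj.text.strip(),
            ))
    return perms


def _matches(pattern, value):
    # An asterisk means "any"; anything else must match exactly.
    return pattern == "*" or pattern == value


def is_permitted(perms, ctype, resource, action, roles):
    """Deny by default: permit only if some Permission of this collection type
    covers the resource, the action and one of the caller's roles."""
    for ptype, pres, pact, stype, subj in perms:
        if ptype != ctype or stype != ROLE_TYPE:
            continue  # other collection type or an unsupported subject type
        if not (_matches(pres, resource) and _matches(pact, action)):
            continue
        if subj == "*" or subj in roles:
            return True
    return False


def visible_layers(perms, layers, roles):
    """Layers that stay in the capabilities document: those the caller may GetCapabilities."""
    return [layer for layer in layers
            if is_permitted(perms, "target:wms:layer", layer, "GetCapabilities", roles)]


def filter_getmap_layers(perms, requested, roles):
    """Layers left in a GetMap request after unpermitted ones are removed."""
    return [layer for layer in requested
            if is_permitted(perms, "target:wms:layer", layer, "GetMap", roles)]


def queryable(perms, layer, roles):
    """Whether the layer keeps its queryable attribute: requires a GetFeatureInfo permission."""
    return is_permitted(perms, "target:wms:layer", layer, "GetFeatureInfo", roles)


if __name__ == "__main__":
    perms = load_permissions(SAMPLE_RIGHTS)
    print("Alice sees:", visible_layers(perms, ["Countries", "Rivers"], {"Alice"}))
    print("Alice may GetMap:", filter_getmap_layers(perms, ["Countries", "Rivers"], {"Alice"}))
    print("Countries queryable for Alice:", queryable(perms, "Countries", {"Alice"}))
```

Because nothing in the sample grants GetFeatureInfo, `queryable` is false for every layer and role, which is exactly the deny-by-default rule stated in the note above: a permission that is not written down does not exist.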

Example <DecisionPoint> element in a security-config.xml file

<DecisionPoint id="defaultDecisionPoint"
   factoryClass="org.n52.security.service.pdp.PermissionCollectionPDPFactory"
   factoryMethod="create">
   
   <Property name="fileLocation" value="rights.xml"/>

</DecisionPoint>