
SWE Interceptors

The SWE Interceptors of 52°North enforce permissions for OGC SWE service requests and responses, e.g. for Sensor Observation Services (SOS).

General

  • Support for SOS 1.0
  • Supports SOS Core Operations + GetFeatureOfInterest
    • GetCapabilities: KVP and XML
    • DescribeSensor: POST/XML
    • GetObservation: POST/XML
    • GetFeatureOfInterest: POST/XML

Intercepted Operations

GetCapabilities

Action identifier: /operations/GetCapabilities

Affected resources:

  • /offerings/[OFFERINGID]
  • /procedures/[PROCEDUREID]
  • /observedProperties/[PROPERTIESID]
  • /featureOfInterests/[FOIID]
  • If the SOSAllowedOperationsInterceptor is activated, a resource /operations/[SOS_OPERATION_NAME] can be used to restrict general access to the SOS via the specified operation.

Interceptor actions:

  • Identify all offerings/procedures/observedProperties/featuresOfInterest inside the Capabilities response document
  • Check the permission for each of the above resources
    • If no permission exists, the resource is removed from the capabilities. More precisely: the value of the resource is removed from the list of "allowedValues" for that resource type and from every "ObservationOffering" it is referenced in.

DescribeSensor

Action identifier: /operations/DescribeSensor

Affected resources: /procedures/[PROCEDUREID]

Interceptor actions:

  • Identify the requested procedure in the request.
  • If no permission exists for the requested procedure, the request is blocked.

GetObservation

Action identifier: /operations/GetObservation

Affected resources:

  • /offerings/[OFFERINGID]
  • /procedures/[PROCEDUREID]
  • /observedProperties/[PROPERTIESID]
  • /featureOfInterests/[FOIID]

Interceptor actions:

  • Identify all offerings/procedures/observedProperties/featuresOfInterest inside the request document
  • Check the permission for each of the above resources
    • Remove unauthorized resources from the request.
    • If no resource is left for one of the resource types, an exception is returned.

GetFeatureOfInterest

Action identifier: /operations/GetFeatureOfInterest

Affected resources: /featureOfInterests/[FOIID]

Interceptor actions:

  • Identify all requested featureOfInterest references in the request ()
  • Check permission for every requested feature of interest
    • Remove unauthorized featureOfInterest references from the request.
    • If no featureOfInterest remains in the request, an exception is returned.

Obligations

BoundingBox Obligation

Restricts access to observations by bounding box.

Identifier: obligation:sos:extent:boundingbox

Obligation effects:

  • In the SOS capabilities the bounding box of the ObservationOffering element is trimmed to the bounding box of the obligation.
  • A GetFeatureOfInterest or GetObservation request returns only those features that lie inside the bounding box.

Example of a BoundingBox obligation

<Obligation name="obligation:sos:extent:boundingbox">
    <Attribute name="srs">urn:ogc:def:crs:EPSG:31467</Attribute>
    <Attribute name="lowerCorner">5707809.0 3329136.0</Attribute>
    <Attribute name="upperCorner">5786799.0 3540176.0</Attribute>
</Obligation>

Time Obligation

Restricts access to observations by time.

Identifier: obligation:sos:time

Obligation effects:

  • In the SOS capabilities the time element of the ObservationOffering element is trimmed to the time period as specified in the obligation.
  • If observations are requested outside the time period specified in the obligation, an exception is returned.

Example of a time obligation

<Obligation name="obligation:sos:time">
    <Attribute name="beginTime">2009-08-30T07:00:00+02:00</Attribute>
    <Attribute name="endTime">2010-09-13T19:00:00+02:00</Attribute>
</Obligation>
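
The effects of both obligations can be sketched as follows. This is an added example, not 52°North code: the function names and the wrapping Permission element are hypothetical, and it assumes that a requested period reaching outside the obligation's period at either end is rejected.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# The two obligations shown on this page, wrapped in a constructed <Permission> element.
PERMISSION = ET.fromstring("""
<Permission name="constructed_example">
  <Obligation name="obligation:sos:extent:boundingbox">
    <Attribute name="srs">urn:ogc:def:crs:EPSG:31467</Attribute>
    <Attribute name="lowerCorner">5707809.0 3329136.0</Attribute>
    <Attribute name="upperCorner">5786799.0 3540176.0</Attribute>
  </Obligation>
  <Obligation name="obligation:sos:time">
    <Attribute name="beginTime">2009-08-30T07:00:00+02:00</Attribute>
    <Attribute name="endTime">2010-09-13T19:00:00+02:00</Attribute>
  </Obligation>
</Permission>""")

def obligation(name, perm=PERMISSION):
    """Return the attributes of the named obligation as a dict, or None if absent."""
    for ob in perm.findall("Obligation"):
        if ob.get("name") == name:
            return {a.get("name"): a.text.strip() for a in ob.findall("Attribute")}
    return None

def trim_bbox(srs, lower, upper):
    """Intersect an offering's box with the obligation box; None if they do not overlap."""
    ob = obligation("obligation:sos:extent:boundingbox")
    if ob is None:
        return lower, upper
    if srs != ob["srs"]:
        raise ValueError("offering and obligation use different reference systems")
    ob_lo = [float(v) for v in ob["lowerCorner"].split()]
    ob_hi = [float(v) for v in ob["upperCorner"].split()]
    lo = tuple(max(a, b) for a, b in zip(lower, ob_lo))
    hi = tuple(min(a, b) for a, b in zip(upper, ob_hi))
    return (lo, hi) if all(l <= h for l, h in zip(lo, hi)) else None

def check_time(begin, end):
    """Raise PermissionError if the requested period leaves the obligation's period."""
    ob = obligation("obligation:sos:time")
    if ob is None:
        return
    allowed_begin = datetime.fromisoformat(ob["beginTime"])
    allowed_end = datetime.fromisoformat(ob["endTime"])
    req_begin, req_end = datetime.fromisoformat(begin), datetime.fromisoformat(end)
    if req_begin.tzinfo is None or req_end.tzinfo is None:
        raise ValueError("request times need a UTC offset")  # never compare naive times
    if req_begin < allowed_begin or req_end > allowed_end:
        raise PermissionError("requested period exceeds the obligation's time period")
```

Because the comparison uses offset-aware timestamps, a request starting at 06:30+01:00 is inside the period that begins at 07:00+02:00, while 06:30+02:00 is not.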

Example Permission

This example permission set

  • grants full permissions to users with role alice
  • lets users with role bob access a subset of FOIs and procedures
  • gives users with role guest the same access permissions as users with role bob, but obliges them with additional spatial and temporal restrictions.

<PermissionSet name="SOS Rhein">
    <ResourceDomain value="http://localhost:8080/wss/service/sos_rhein/*"/>
    <ActionDomain value="http://localhost:8080/wss/service/sos_rhein/*"/>
    <SubjectDomain value="urn:n52:security:subject:role"/>
    <Permission name="alice_all">
        <Resource value="/offerings/*"/>
        <!-- Any offerings -->
        <Resource value="/procedures/*"/>
        <!-- Any procedures -->
        <Resource value="/observedProperties/*"/>
        <!-- Any observed properties -->
        <Resource value="/featureOfInterests/*"/>
        <!-- Any features of interest -->
        <Resource value="/allowedOperations/*"/>
        <!-- Any operations allowed -->
        <Action value="/operations/*"/>
        <!-- Any operations -->
        <Subject value="alice"/>
    </Permission>
    <Permission name="bob_rheinpegel_waterlevel_emmer_wesel">
        <Resource value="/offerings/RheinpegelNord"/>
        <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-emmer"/>
        <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-wesel"/>
        <Resource value="/observedProperties/urn:ogc:def:phenomenon:OGC:1.0.30:waterlevel"/>
        <Resource value="/featureOfInterests/foi_emmer"/>
        <Resource value="/featureOfInterests/foi_wesel"/>
        <Resource value="/allowedOperations/*"/>
        <Action value="/operations/GetCapabilities"/>
        <Action value="/operations/DescribeSensor"/>
        <Action value="/operations/GetFeatureOfInterest"/>
        <Action value="/operations/GetObservation"/>
        <Subject value="bob"/>
    </Permission>
    <Permission name="guest_rheinpegel_waterlevel_emmer_wesel_obliged">
        <Resource value="/offerings/RheinpegelNord"/>
        <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-emmer"/>
        <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-wesel"/>
        <Resource value="/observedProperties/urn:ogc:def:phenomenon:OGC:1.0.30:waterlevel"/>
        <Resource value="/featureOfInterests/foi_emmer"/>
        <Resource value="/featureOfInterests/foi_wesel"/>
        <Resource value="/allowedOperations/*"/>
        <Action value="/operations/GetCapabilities"/>
        <Action value="/operations/DescribeSensor"/>
        <Action value="/operations/GetFeatureOfInterest"/>
        <Action value="/operations/GetObservation"/>
        <Subject value="guest"/>
        <Obligation name="obligation:sos:extent:boundingbox">
            <Attribute name="srs">urn:ogc:def:crs:EPSG:31467</Attribute>
            <Attribute name="lowerCorner">5707809.0 3329136.0</Attribute>
            <Attribute name="upperCorner">5786799.0 3540176.0</Attribute>
        </Obligation>
        <Obligation name="obligation:sos:time">
            <Attribute name="beginTime">2009-08-30T07:00:00+02:00</Attribute>
            <Attribute name="endTime">2010-09-13T19:00:00+02:00</Attribute>
        </Obligation>
    </Permission>
</PermissionSet>
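
The GetObservation interceptor actions described above can be applied to a permission set like this one as follows. This is an added example, not the 52°North implementation: the function names are hypothetical, the permission set is abbreviated from the one above, and it assumes that a trailing `*` is a prefix wildcard and that only resource types named in the request can trigger the exception.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's alice and bob permissions, abbreviated.
PERMISSION_SET = ET.fromstring("""
<PermissionSet name="SOS Rhein">
  <Permission name="alice_all">
    <Resource value="/offerings/*"/><Resource value="/procedures/*"/>
    <Resource value="/observedProperties/*"/><Resource value="/featureOfInterests/*"/>
    <Action value="/operations/*"/><Subject value="alice"/>
  </Permission>
  <Permission name="bob_subset">
    <Resource value="/offerings/RheinpegelNord"/>
    <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-emmer"/>
    <Resource value="/observedProperties/urn:ogc:def:phenomenon:OGC:1.0.30:waterlevel"/>
    <Resource value="/featureOfInterests/foi_emmer"/>
    <Action value="/operations/GetObservation"/><Subject value="bob"/>
  </Permission>
</PermissionSet>""")

class RequestDenied(Exception):
    """Raised when a resource type has no permitted entry left."""

def matches(pattern, value):
    # Assumption: a trailing "*" is a prefix wildcard, anything else is an exact match.
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else value == pattern

def permitted(role, action, resource, pset=PERMISSION_SET):
    """True if one Permission covers subject, action and resource together."""
    for perm in pset.iter("Permission"):
        values = lambda tag: [e.get("value") for e in perm.findall(tag)]
        if (role in values("Subject")
                and any(matches(a, action) for a in values("Action"))
                and any(matches(r, resource) for r in values("Resource"))):
            return True
    return False  # default deny: no matching permission

def filter_get_observation(role, request):
    """request maps a resource type to the ids named in the GetObservation request."""
    reduced = {}
    for rtype, ids in request.items():
        kept = [i for i in ids
                if permitted(role, "/operations/GetObservation", f"/{rtype}/{i}")]
        if ids and not kept:
            raise RequestDenied(f"no permitted {rtype} left in request")
        reduced[rtype] = kept
    return reduced
```

Subject, action and resource must match inside the same Permission element; combining a subject from one permission with a resource from another would grant more than the policy states.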