
WFS Interceptor

The WFS Interceptor of 52°North enforces permissions for OGC Web Feature Service requests and responses. It allows to restrict access down to the level of feature types. Using obligations, it is also possible to control access to single features or properties.

General

  • Supports WFS versions 1.0 to 1.1
  • Supports HTTP GET/POST KVP requests, with limitations regarding obligations
  • In the Simple Permissions file, feature type resources have to be specified without the namespace or namespace prefix defined by the WFS, e.g. /featuretype/Airports. All feature type references in WFS requests and responses are evaluated disregarding the namespace, thus "local:Airports" == "Airports" == "http://local:Airports".

Intercepted Operations

GetCapabilities

Action identifier: /operations/GetCapabilities

Affected resources: /featuretype/[TYPENAME] (type name without namespace prefix)

Interceptor actions:

  • Identify all feature types inside the Capabilities response document
  • Check permission for every feature type
    • If no permission exists, the feature type is removed from the feature type list.

DescribeFeatureType

Action identifier: /operations/DescribeFeatureType

Affected resources: /featuretype/[TYPENAME]

Interceptor actions:

  • Identify all requested feature type names (&TYPENAME=T1,T2,... or //DescribeFeatureType/TypeName)
  • Check permission for every requested type name
    • If no permission exists, the typename is removed from the request
    • If no type name remains in the request, an exception is returned

GetFeature

Action identifier: /operations/GetFeature

Affected resources: /featuretype/[TYPENAME]

Interceptor actions:

  • Identify the requested type name (&TYPENAME=L1 or //GetFeature/Operation/@typeName)
  • Check permission for requested type name
    • If no permission exists, an exception is returned.
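The permission checks for GetCapabilities and DescribeFeatureType described above, as an added illustration in Python (not the interceptor's own code): type names are compared without their namespace, feature types without a permission are removed from the response or request, and an exception is raised when no type name remains. The permission list, the Capabilities fragment and the wildcard matching via fnmatch are constructed assumptions.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed permissions in the page's Simple Permissions terms: (subject, action, resource).
PERMISSIONS = [
    ("alice", "/operations/*", "/featuretype/*"),
    ("bob", "/operations/GetCapabilities", "/featuretype/states"),
    ("bob", "/operations/DescribeFeatureType", "/featuretype/states"),
    ("bob", "/operations/DescribeFeatureType", "/featuretype/tasmania_water_bodies"),
]

# Constructed WFS 1.1.0 Capabilities fragment: only the part the interceptor inspects.
CAPABILITIES = """<wfs:WFS_Capabilities xmlns:wfs="http://www.opengis.net/wfs" version="1.1.0">
  <wfs:FeatureTypeList>
    <wfs:FeatureType><wfs:Name>topp:states</wfs:Name></wfs:FeatureType>
    <wfs:FeatureType><wfs:Name>topp:tasmania_water_bodies</wfs:Name></wfs:FeatureType>
  </wfs:FeatureTypeList>
</wfs:WFS_Capabilities>"""
WFS = "{http://www.opengis.net/wfs}"

class WfsPermissionDenied(Exception):
    """Stands in for the exception report the interceptor returns to the client."""

def local_name(type_name):
    """Drop prefix or namespace URI: 'local:Airports' == 'Airports' == 'http://local:Airports'."""
    return type_name.rsplit(":", 1)[-1].rsplit("}", 1)[-1]

def is_permitted(subject, operation, type_name):
    """Match /operations/<op> and /featuretype/<local name> against the permission list."""
    action, resource = "/operations/" + operation, "/featuretype/" + local_name(type_name)
    return any(s == subject and fnmatch.fnmatchcase(action, a) and fnmatch.fnmatchcase(resource, r)
               for s, a, r in PERMISSIONS)

def filter_describe_feature_type(subject, type_names):
    """DescribeFeatureType: drop unpermitted TYPENAMEs; exception if none remain."""
    kept = [t for t in type_names if is_permitted(subject, "DescribeFeatureType", t)]
    if not kept:
        raise WfsPermissionDenied("no permitted feature type left in the request")
    return kept

def filter_capabilities(subject, capabilities_xml):
    """GetCapabilities: remove FeatureType entries the subject may not see; return the rest."""
    root = ET.fromstring(capabilities_xml)
    for type_list in root.findall(".//" + WFS + "FeatureTypeList"):
        for feature_type in list(type_list.findall(WFS + "FeatureType")):
            if not is_permitted(subject, "GetCapabilities", feature_type.findtext(WFS + "Name")):
                type_list.remove(feature_type)
    return [ft.findtext(WFS + "Name") for ft in root.iter(WFS + "FeatureType")]
```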

Obligations

Obligation: OGC Filter expression + GetFeature

This obligation affects GetFeature requests and applies to the feature type defined by the "featuretype" attribute of the obligation. The obligation makes the interceptor add the OGC Filter expression to the WFS GetFeature request. If the request already contains a filter expression, the obligation's filter expression is appended using the "AND" operator. If the original request contains a BBOX element, it is translated into a corresponding filter expression before the obligation's expression is appended with "AND".

Example

<!-- Limit GetFeature access to features whose STATE_NAME is Texas -->
<Obligation name="obligation:wfs:filter">
    <Attribute attributeDataType="http://www.opengis.net/ogc" name="filter">
        <![CDATA[<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc" xmlns:gml="http://www.opengis.net/gml" xmlns:topp="http://www.openplans.org/topp">
            <ogc:PropertyIsLike wildCard="*" singleChar="#" escapeChar="!">
                <ogc:PropertyName>STATE_NAME</ogc:PropertyName>
                <ogc:Literal>Texas</ogc:Literal>
            </ogc:PropertyIsLike>
        </ogc:Filter>]]>
    </Attribute>
    <Attribute attributeDataType="xs:string" name="featuretype">states</Attribute>
</Obligation>
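The filter merging described above, as an added Python example that is not part of the 52°North code: the client's own FILTER, or a BBOX translated into an ogc:BBOX operator, is combined with the obligation's filter under ogc:And, and without a client constraint the obligation's filter is forwarded as is. The sample filters, the geometry property name `the_geom` and the Filter 1.1 gml:Envelope encoding are assumptions.

```python
import xml.etree.ElementTree as ET

OGC, GML = "http://www.opengis.net/ogc", "http://www.opengis.net/gml"
ET.register_namespace("ogc", OGC)
ET.register_namespace("gml", GML)

# Constructed inputs: the obligation's filter (as in the example above) and a
# client GetFeature filter on the same feature type.
OBLIGATION_FILTER = """<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc">
  <ogc:PropertyIsLike wildCard="*" singleChar="#" escapeChar="!">
    <ogc:PropertyName>STATE_NAME</ogc:PropertyName><ogc:Literal>Texas</ogc:Literal>
  </ogc:PropertyIsLike>
</ogc:Filter>"""
REQUEST_FILTER = """<ogc:Filter xmlns:ogc="http://www.opengis.net/ogc">
  <ogc:PropertyIsGreaterThan>
    <ogc:PropertyName>PERSONS</ogc:PropertyName><ogc:Literal>1000000</ogc:Literal>
  </ogc:PropertyIsGreaterThan>
</ogc:Filter>"""

def local(tag):
    """Local part of a '{namespace}name' tag, for inspecting the result."""
    return tag.rsplit("}", 1)[-1]

def bbox_to_filter(bbox, geometry_property="the_geom"):
    """Translate KVP BBOX=minx,miny,maxx,maxy into an ogc:BBOX operator (Filter 1.1
    gml:Envelope encoding; the geometry property name is an assumption)."""
    minx, miny, maxx, maxy = (float(v) for v in bbox.split(",")[:4])
    op = ET.Element(f"{{{OGC}}}BBOX")
    ET.SubElement(op, f"{{{OGC}}}PropertyName").text = geometry_property
    env = ET.SubElement(op, f"{{{GML}}}Envelope")
    ET.SubElement(env, f"{{{GML}}}lowerCorner").text = f"{minx} {miny}"
    ET.SubElement(env, f"{{{GML}}}upperCorner").text = f"{maxx} {maxy}"
    return op

def apply_filter_obligation(request_filter_xml, bbox, obligation_filter_xml):
    """Build the filter forwarded to the WFS: the client's constraint (FILTER, else a
    BBOX translated to a filter) ANDed with the obligation's; obligation alone otherwise."""
    obligation_ops = list(ET.fromstring(obligation_filter_xml))
    client_ops = list(ET.fromstring(request_filter_xml)) if request_filter_xml else []
    if not client_ops and bbox:
        client_ops = [bbox_to_filter(bbox)]
    merged = ET.Element(f"{{{OGC}}}Filter")
    if client_ops:
        ET.SubElement(merged, f"{{{OGC}}}And").extend(client_ops + obligation_ops)
    else:
        merged.extend(obligation_ops)
    return merged
```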

Example Permission

<PermissionSet name="WFS giv">
    <ResourceDomain value="http://localhost:8080/wss/service/wfs_giv/*"></ResourceDomain>
    <ActionDomain value="http://localhost:8080/wss/service/wfs_giv/*"/>
    <SubjectDomain value="urn:n52:security:subject:role"/>
    <Permission name="alice_all">
        <!-- Any feature type -->
        <Resource value="/featuretype/*"/>
        <!-- Any operation -->
        <Action value="/operations/*"/>
        <Subject value="alice"/>
    </Permission>
    <Permission name="bob_Capabilities">
        <Resource value="/featuretype/states"/>
        <Resource value="/featuretype/poly_landmarks"/>
        <Resource value="/featuretype/tasmania_state_boundaries"/>
        <Action value="/operations/GetCapabilities"/>
        <Subject value="bob"/>
    </Permission>
    <Permission name="bob_GetFeature">
        <Action value="/operations/GetFeature"/>
        <Resource value="/featuretype/tasmania_water_bodies"/>
        <Resource value="/featuretype/tasmania_state_boundaries"/>
        <Subject value="bob"/>
    </Permission>
    <Permission name="bob_DescribeFeatureType">
        <Action value="/operations/DescribeFeatureType"/>
        <Resource value="/featuretype/tasmania_water_bodies"/>
        <Resource value="/featuretype/tasmania_state_boundaries"/>
        <Resource value="/featuretype/states"/>
        <Subject value="bob"/>
    </Permission>
    <Permission name="bob_GetFeature_topp_states">
        <Action value="/operations/GetFeature"/>
        <Resource value="/featuretype/states"/>
        <Resource value="/featuretype/pois"/>
        <Subject value="bob"/>
        <Obligation name="obligation:wfs:filter">
            <Attribute attributeDataType="http://www.opengis.net/ogc" name="filter">
                <![CDATA[
                    <ogc:Filter xmlns:ogc="http://www.opengis.net/ogc" xmlns:gml="http://www.opengis.net/gml" xmlns:topp="http://www.openplans.org/topp">
                        <ogc:PropertyIsLike wildCard="*" singleChar="#" escapeChar="!">
                            <ogc:PropertyName>STATE_NAME</ogc:PropertyName>
                            <ogc:Literal>Texas</ogc:Literal>
                        </ogc:PropertyIsLike>
                    </ogc:Filter>
                ]]>
            </Attribute>
            <Attribute attributeDataType="xs:string" name="featuretype">states</Attribute>
        </Obligation>
    </Permission>
</PermissionSet>