WMS Interceptor

The WMS Interceptor of 52°North enforces permissions defined for OGC Web Mapping Service requests. Access can be restricted down to the level of individual layers.

General

  • Supports WMS versions 1.1.0 to 1.3.0
  • Supports HTTP GET/POST KVP requests

Intercepted Operations

GetCapabilities

Action identifier: /operations/GetCapabilities

Affected resources: /layers/[LAYERNAME]

Interceptor actions:

  • Identify all named layers inside the Capabilities response document
  • Check for permission for every named layer
    • If no permission exists, the named layer and all its sub-layers are removed from the document.

GetMap

Action identifier: /operations/GetMap

Affected resources: /layers/[LAYERNAME]

Interceptor actions:

  • Identify all requested layers (&LAYERS=L1,L2,...)
  • Check for permission for every requested layer
    • If no permission exists, the layer is removed from the request
    • If no layer remains in the request, an exception is returned

GetFeatureInfo

Action identifier: /operations/GetFeatureInfo

Affected resources: /layers/[LAYERNAME]

Interceptor actions:

  • Identify the requested layer (&LAYER=L1)
  • Check for permission for the requested layer
    • If no permission exists, an exception is returned.

Obligations

Obligation: spatial restriction + GetFeatureInfo

This obligation affects GetFeatureInfo requests and applies to all layers that are part of the permission the obligation belongs to. It makes the interceptor check whether the requested feature info lies within the area defined by the obligation. If so, the request is permitted; otherwise it is rejected. The request must be made in the spatial reference system used by the obligation; otherwise it is also rejected.

Example:

<!-- Limit GetFeatureInfo access to the area of the Americas -->
<Obligation name="obligation:wms:extent:boundingbox">
    <Attribute name="srs">EPSG:4326</Attribute>
    <Attribute name="box">-170,-56,-36,83</Attribute>
</Obligation>
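
The check this obligation describes, sketched in Python as an added example (not 52°North's own code). It assumes a WMS 1.1.x KVP request (SRS, X, Y, BBOX as minx,miny,maxx,maxy); the pixel-centre mapping, the rejection of duplicated parameters and all function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl

# Obligation copied from the example above.
OBLIGATION_XML = """<Obligation name="obligation:wms:extent:boundingbox">
    <Attribute name="srs">EPSG:4326</Attribute>
    <Attribute name="box">-170,-56,-36,83</Attribute>
</Obligation>"""

# Constructed sample request (WMS 1.1.1 KVP); one pixel covers one degree.
SAMPLE = ("SERVICE=WMS&VERSION=1.1.1&REQUEST=GetFeatureInfo&QUERY_LAYERS=Countries"
          "&SRS=EPSG:4326&BBOX=-180,-90,180,90&WIDTH=360&HEIGHT=180&X=80&Y=50")

def load_obligation(xml_text):
    """Return (srs, (minx, miny, maxx, maxy)) from an Obligation element."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("name"): a.text.strip() for a in root.iter("Attribute")}
    return attrs["srs"], tuple(float(v) for v in attrs["box"].split(","))

def query_point(params):
    """Map the queried pixel (X, Y) to map coordinates via BBOX, WIDTH, HEIGHT."""
    minx, miny, maxx, maxy = (float(v) for v in params["BBOX"].split(","))
    width, height = int(params["WIDTH"]), int(params["HEIGHT"])
    px, py = int(params["X"]), int(params["Y"])
    if not (0 <= px < width and 0 <= py < height):
        raise ValueError("queried pixel lies outside the requested image")
    # Pixel origin is the top-left corner, so the Y axis is flipped.
    x = minx + (px + 0.5) * (maxx - minx) / width
    y = maxy - (py + 0.5) * (maxy - miny) / height
    return x, y

def check_obligation(query_string, obligation_xml=OBLIGATION_XML):
    """Return 'permit' or 'reject' for a KVP GetFeatureInfo request."""
    srs, (ominx, ominy, omaxx, omaxy) = load_obligation(obligation_xml)
    pairs = parse_qsl(query_string)
    # WMS parameter names are case-insensitive; normalise before lookup.
    params = {k.upper(): v for k, v in pairs}
    if len(params) != len(pairs):
        return "reject"  # duplicated parameter: ambiguous, fail closed
    try:
        if params["SRS"].upper() != srs.upper():
            return "reject"  # request must use the obligation's SRS
        x, y = query_point(params)
    except (KeyError, ValueError):
        return "reject"  # missing or malformed input: fail closed
    inside = ominx <= x <= omaxx and ominy <= y <= omaxy
    return "permit" if inside else "reject"
```

WMS 1.3.0 requests use CRS, I and J instead of SRS, X and Y, and list EPSG:4326 coordinates in latitude/longitude order, so they would need their own parameter mapping before the same comparison.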

Example Permission

<PermissionSet name="WMS Demis">
    <ResourceDomain value="http://localhost:8080/wss/service/wms_demis/*"/>
    <ActionDomain value="http://localhost:8080/wss/service/wms_demis/*"/>
    <SubjectDomain value="urn:n52:security:subject:role"/>
    <Permission name="alice_all">
        <Resource value="layers/*"/>
        <!-- Any layers -->
        <Action value="operations/*"/>
        <!-- Any operations -->
        <Subject value="alice"/>
    </Permission>
    <Permission name="bobAndGuest_most_GetMap_GetCaps">
        <Resource value="layers/Cities"/>
        <Resource value="layers/Builtup%20areas"/>
        <Resource value="layers/Hillshading"/>
        <Resource value="layers/Borders"/>
        <Resource value="layers/Countries"/>
        <Action value="operations/GetCapabilities"/>
        <Action value="operations/GetMap"/>
        <Subject value="bob"/>
        <Subject value="guest"/>
    </Permission>
    <Permission name="bob_Countries_GetFeatureInfo">
        <Resource value="layers/Countries"/>
        <Action value="operations/GetFeatureInfo"/>
        <Subject value="bob"/>
    </Permission>
    <Permission name="guest_countries_GetFeatureInfo_obliged">
        <Resource value="layers/Countries"/>
        <Action value="operations/GetFeatureInfo"/>
        <Subject value="guest"/>
        <Obligation name="obligation:wms:extent:boundingbox">
            <Attribute name="srs">EPSG:4326</Attribute>
            <Attribute name="box">-170,-56,-36,83</Attribute>
        </Obligation>
    </Permission>
</PermissionSet>