Logo of 52°North
Home Communities Security User Guide... 3. Defining Policies

Chapter 3: Defining Policies

General

The core task of the WSS is to guarantee that users can only access (request) resources they are allowed to by policies that were defined by an administrator. To achieve this the WSS analyzes every request and response by matching the requested resources against the defined policies. Policies for the WSS can be expressed in various formats. If the installation is conducted in the way described in the Quick Start section, policies are stored in files using the 52°North Simple Permissions XML format.

Simple Permissions Format

52°North Simple Permissions define triples of information that specify who is allowed to access what resource with a certain operation.

This is a permission in the Simple Permissions format:

...
<Permission name="bobAndGuest_most_GetMap_GetCaps">
   <Resource value="layers/Cities" />
   <Action value="operations/GetMap" />
   <Subject value="guest" />
</Permission>
...

As you can see, a permission consists of

  • The resources governed by this permission.
  • The operations ("actions") a policy applies to.
  • The roles ("subjects") to which a policy applies.

The above WMS permission allows users, who are assigned to the role guest, to access the layer Cities with the operation GetMap, thus to view that layer.

Using the Simple Permissions File

By default, the policies are defined in <WSS_DIR>/WEB-INF/classes/permissions.xml.

This is an extract of the permissions.xml file delivered by the standard WSS application.

<?xml version="1.0" encoding="UTF-8"?>
<SimplePermissions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.52north.org/security/simple-permission/1.0">
    <PermissionSet name="WMS1 Permission">
        <ResourceDomain value="http://localhost:8080/wss/service/wms_demis/*" />    <!-- Prefix for all resources -->
        <ActionDomain value="http://localhost:8080/wss/service/wms_demis/*" />      <!-- Prefix for all actions -->
        <SubjectDomain value="urn:n52:security:subject:role" />                     <!-- Qualifier for all subjects -->
        <Permission name="alice_all">
            <Resource value="layers/*" />     <!-- Any layers -->
            <Action value="operations/*" />   <!-- Any operations -->
            <Subject value="alice" />
        </Permission>
        <Permission name="bobAndGuest_most_GetMap_GetCaps">
            <Resource value="layers/Cities" />
            <Resource value="layers/Builtup%20areas" />
            <Resource value="layers/Hillshading" />
            <Resource value="layers/Borders" />
            <Resource value="layers/Countries" />
            <Action value="operations/GetCapabilities" />
            <Action value="operations/GetMap" />
            <Subject value="bob" />
            <Subject value="guest" />
        </Permission>
        <Permission name="bob_Countries_GetFeatureInfo">
            <Resource value="layers/Countries" />
            <Action value="operations/GetFeatureInfo" />
            <Subject value="bob" />
        </Permission>
        <Permission name="guest_countries_GetFeatureInfo_obliged">
            <Resource value="layers/Countries" />
            <Action value="operations/GetFeatureInfo" />
            <Subject value="guest" />
            <Obligation name="obligation:wms:extent:boundingbox">
                <Attribute name="srs">EPSG:4326</Attribute>
                <Attribute name="box">-170,-56,-36,83</Attribute>
            </Obligation>
        </Permission>
    </PermissionSet>
    ...
</SimplePermissions>

It is important to understand that every missing resource/action/role combination is equal to a denial.

Every file using the Simple Permissions format contains a list of PermissionsSet elements, one for each protected service.

An instance of a resource or an action is generally defined in a REST-style URL built of EnforcementPointURL+[resource_type]+[resource_id]. Thus, e.g. a layer is identified by its fully qualified ID http://localhost:8080/wss/service/mywms/httpauth/layers/countries.

With <ResourceDomain> or <ActionDomain> we can define default domain identifiers that are prepended to all <Resource> or <Action> identifiers of that single <PermissionSet>.

These domain identifiers as well as the Resource and Action identifiers may contain the wild card character '*' as part of the URL path. This, for example, allows you to bundle the ResourceDomains http://localhost:8080/wss/service/mywms/WSS and http://localhost:8080/wss/service/mywms/httpauth in the single entry http://localhost:8080/wss/service/mywms/*.

A permission may contain one or more Obligations, each in a separate Obligation element. Obligations are implemented and used to define additional tasks that have to be performed, if a policy applies. The above example defines an obligation of the type obligation:wms:extent:boundingbox that instructs the Enforcement Point to limit GetFeaureInfo access to the layer "Countries" to a certain spatial area.