Logo of 52°North
Home Communities Security Policy Formats

52°North Policy Formats

Policies for the WSS can be defined in various ways. 52°North directly provides support for the following policy formats/sources

  • Policies stored in files using the 52n-proprietary Simple Permissions XML format. This is the format that is used by a default WSS installation.
  • Policies stored in XACML files using the XACML 1.0/1.1 format.
  • Policies stored in a dedicated Policy Decision Service (PDP) that supports the XACML 1.0/1.1 Context "protocol" over SOAP.

Independent from the format used to express policies, 52°North defines a general policy model. According to this model, the fundamental information of every policy is:

  • the resource(s) governed by this policy, e.g. a layer,
  • the operation(s), also called "action", a policy applies to, e.g. the GetMap operation, and
  • the subject(s) to which the policy applies, e.g. the role "anonymous".

    Thus every policy is a triple of resource/action/subject. The actual encoding of resources, actions, and roles may be different, but in 52°North we mainly use REST-style identifiers to specify an instance of a resource or an action. Thus, a layer might be identified by http://localhost:8080/wss/httpauth/mywms/layers/countries, an action may be http://localhost:8080/wss/httpauth/mywms/operations/GetMap, and the subject may be anonymous.

Simple Permissions

Format

Let's see, how policies are defined using the Simple Permissions file format.

By default, the policies are defined in <WSS_DIR>/WEB-INF/classes/permissions.xml.

This is the permissions.xml file delivered by the standard WSS application.

<?xml version="1.0" encoding="UTF-8"?>
<SimplePermissions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://www.52north.org/security/simple-permission/1.0">
    <PermissionSet name="WMS1 Permission">
        <ResourceDomain value="http://localhost:8080/wss/*/demiswms/" />
        <ActionDomain value="http://localhost:8080/wss/*/demiswms/" />
        <SubjectDomain value="urn:n52:security:subject:role" />
        <Permission name="alice_all">
            <Resource value="layers/*" />     <!-- Any layers -->
            <Action value="operations/*" />   <!-- Any operations -->
            <Subject value="alice" />
        </Permission>
        <Permission name="bobAndGuest_most_GetMap_GetCaps">
            <Resource value="layers/Cities" />
            <Resource value="layers/Builtup%20areas" />
            <Resource value="layers/Hillshading" />
            <Resource value="layers/Borders" />
            <Resource value="layers/Countries" />
            <Action value="operations/GetCapabilities" />
            <Action value="operations/GetMap" />
            <Subject value="bob" />
            <Subject value="guest" />
        </Permission>
        <Permission name="bob_Countries_GetFeatureInfo">
            <Resource value="layers/Countries" />
            <Action value="operations/GetFeatureInfo" />
            <Subject value="bob" />
        </Permission>
        <Permission name="guest_countries_GetFeatureInfo_obliged">
            <Resource value="layers/Countries" />
            <Action value="operations/GetFeatureInfo" />
            <Subject value="guest" />
            <Obligation name="obligation:wms:extent:boundingbox">
                <Attribute name="srs">EPSG:4326</Attribute>
                <Attribute name="box">-170,-56,-36,83</Attribute>
            </Obligation>
        </Permission>
    </PermissionSet>
</SimplePermissions>

Every file using the Simple Permissions format contains a list of PermissionsSet elements, one for each protected service. In each PermissionSet you have to define at least one ResourceDomain, ActionDomain, and SubjectDomain. These are used as prefixes that are prepended to every actual identifier in the following Permission elements. Regarding ResourceDomain and ActionDomain these prefixes are the base URL of the protected service, or more precisely the "Enforcement Point" of a protected service. These domain identifiers as well as the Resource and Action identifiers may contain the wild card character '*' as part of the URL path. This, for example, allows you to bundle the ResourceDomains http://localhost:8080/wss/WSS/mywms and http://localhost:8080/wss/httpauth/mywms in the single entry http://localhost:8080/wss/*/mywms.

XACML Policy Files

[to be done]