
Protecting OGC Web Services with the 52°North Security System

Note
This tutorial was held at the FOSS4G 2009.

The slides presented at FOSS4G before this hands-on tutorial are available here.

Summary

This tutorial guides you through setting up and configuring the access control service needed to protect an OGC Web Map Service, and through loading the protected service into an OGC WMS client.

You will install the 52°North WSS. For demonstration purposes, the "protected" WMS will be the famous Demis WMS. The uDig client will be used to visualize the results.

Security issues
For the sake of simplicity this tutorial omits the configuration of some important security-relevant features, such as:
  • using HTTPS instead of plain HTTP for service communication (without it, the HTTP Basic Authentication credentials used below cross the network as cleartext, since Basic Authentication only base64-encodes them)
  • sealing off the protected service, so that only the WSS has access to it (otherwise a client can bypass the WSS and request the WMS directly, and the permissions configured below are never enforced)

Architecture Overview

Overview of the Security System Architecture

Requirements

  1. General
    • Internet connection
  2. Software

    The following software has to be installed on your system to walk through this tutorial:

Basic Installation of the 52°North Application

WSS

The WSS web application is part of the Jetty Web Server bundle and is configured as follows:

  • It is pre-configured to protect the Demis WMS.
  • It comes with a basic permission data file specifying that users with role "alice" are allowed to access the Demis WMS with no restrictions.
  • It exposes the protected service via HTTP Basic Authentication (endpoint URL: http://localhost:8080/wss/httpauth/demiswms).

Task 0: Check Installation: Access protected service with uDig

  • Start the Jetty Web Server
    • In a command shell, change to the server directory: cd [SERVER_HOME].
    • Run java -jar start.jar (press Ctrl-C to shut down the server when necessary)
  • Start uDig and create an empty map

    File > New > New Map

  • Rename map to "Alice's Map" or alike
  • Add the protected WMS to the map

    > [right-click "Alice's Map"] > Add... > Web Map Server

    > [paste URL http://localhost:8080/wss/httpauth/demiswms/] > Next > [log in as alice/alice]

    > [select all layers] > Finish

  • Rearrange the layers until you get a reasonable map :-).

    You should at least be able to see country borders and airports (large scale!)

  • Zoom in on Sydney, Australia (somewhere in the lower right corner of the world....), click the info button (i), and query the Countries layer to see which country you are in. You might need to authenticate again. Try to identify Sydney's international airport.

As you can see, for Alice everything works as if she had loaded the WMS directly.

Task 1: Add another user with less permissions

Summary
Within this task we will create a new user "Bob" who only has access to a selection of layers. Bob shall only be allowed to query feature information on the Countries layer.
  • Create the new user "Bob"
    • Open the file [SERVER_HOME]/webapps/wss/WEB-INF/classes/users.xml with a text editor.
    • Add the following XML element to the <UserRepository> element
        <User  username="bob" password="bob" realname="Bob">
              <Role name="bob"/>
              <Role name="main"/>
        </User>
    • Save the file
  • Create permissions for Bob
    • Open the file [SERVER_HOME]/webapps/wss/WEB-INF/classes/permissions.xml with a text editor
    • Add the following XML elements to the <PermissionSet name="Demis WMS Permissions"> element, right below the existing <Permission> element.
      <!--  Users of role 'bob' can view Cities, Builtup areas, Hillshading, Borders, Countries, Airports;
              GetFeatureInfo only on Countries  -->
      <Permission name="most_GetMap_GetCaps">
          <Resource value="layers/Cities" />
          <Resource value="layers/Builtup%20areas" />
          <Resource value="layers/Hillshading" />
          <Resource value="layers/Borders" />
          <Resource value="layers/Countries" />
          <Resource value="layers/Airports" />
          <Action value="operations/GetCapabilities" />
          <Action value="operations/GetMap" />
          <Subject value="bob" />
      </Permission>
      <Permission name="bob_Countries_GetFeatureInfo">
          <Resource value="layers/Countries" />
          <Action value="operations/GetFeatureInfo" />
          <Subject value="bob" />
      </Permission>
    • Save the file and reload the WSS (stop-start Jetty Web Server)
  • Delete Alice's map in uDig and restart uDig (otherwise you cannot access the protected service as another user).
  • Add a new map named "Bob's Map" to the uDig project and add the WMS http://localhost:8080/wss/httpauth/demiswms/.
  • This time log in as bob/bob
  • Again, rearrange the layers to get a fancy map with airports and borders
  • When you try to identify Sydney Intl. Airport, you should not get any information but the message "No rights".

Task 2: Add guest user with spatial constraints

Summary
Within this task we will create a new user "Guest" who only has access to a selection of layers. Guest shall only be allowed to query feature information on the Countries layer within the Americas.
  • Create a new user "Guest" with username/password/role guest/guest/guest in the users.xml file of the WSS.
  • In the permissions.xml file, add a second <Subject> element to the Permission with name="most_GetMap_GetCaps" to allow users with role guest to view the same layers as role bob:
        <Subject value="guest" />
  • In the permissions.xml file, add the following XML elements to the <PermissionSet name="Demis WMS Permissions"> element, right below the last <Permission> element.
    <!--  users with role guest can request GetFeatureInfo on Countries only within the American continent -->
    <Permission name="guest_countries_GetFeatureInfo_obliged">
        <Resource value="layers/Countries" />
        <Action value="operations/GetFeatureInfo" />
        <Subject value="guest" />
        <Obligation name="obligation:wms:extent:boundingbox">
            <Attribute name="srs">EPSG:4326</Attribute>
            <Attribute name="box">-170,-56,-36,83</Attribute>
        </Obligation>
    </Permission>
  • Save the file and reload the WSS (stop-start Jetty Web Server)
  • Delete Bob's map in uDig and restart uDig (otherwise you cannot access the protected service as another user).
  • Add a new map named "Guest's Map" to the uDig project and add the WMS http://localhost:8080/wss/httpauth/demiswms/.
  • Again, rearrange the layers to get a fancy map
  • Try to identify Countries inside and outside the Americas. Outside the Americas you should get no information, only the message "No rights".
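To check the three permission rules from Tasks 1 and 2 without a running Jetty and uDig, here is an added example (not part of the tutorial and not 52°North code) that parses the users.xml and permissions.xml fragments shown above and models the access decision. The matching rules it applies (a request is granted when a permission matches one of the user's roles, the operation and every requested layer; a bounding-box obligation is satisfied only if the request's bbox lies inside the obligation box in the same SRS), the omission of Alice (her <User> entry and pre-configured permission are not shown on this page) and the sample boxes around Sydney and New York are assumptions made for the example; the WSS's real evaluation logic is not described here.

```python
"""Offline model of the WSS permission check from Tasks 1 and 2 (added example,
not 52°North code; the matching rules below are assumptions, not the WSS's)."""
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample: users.xml after Tasks 1 and 2 (alice's entry is not shown in
# the tutorial, so she is left out). Note that passwords are stored in clear.
USERS_XML = """<UserRepository>
  <User username="bob" password="bob" realname="Bob">
    <Role name="bob"/>
    <Role name="main"/>
  </User>
  <User username="guest" password="guest" realname="Guest">
    <Role name="guest"/>
  </User>
</UserRepository>"""

# Constructed sample: the three Permission elements added in Tasks 1 and 2.
PERMISSIONS_XML = """<PermissionSet name="Demis WMS Permissions">
  <Permission name="most_GetMap_GetCaps">
    <Resource value="layers/Cities" />
    <Resource value="layers/Builtup%20areas" />
    <Resource value="layers/Hillshading" />
    <Resource value="layers/Borders" />
    <Resource value="layers/Countries" />
    <Resource value="layers/Airports" />
    <Action value="operations/GetCapabilities" />
    <Action value="operations/GetMap" />
    <Subject value="bob" />
    <Subject value="guest" />
  </Permission>
  <Permission name="bob_Countries_GetFeatureInfo">
    <Resource value="layers/Countries" />
    <Action value="operations/GetFeatureInfo" />
    <Subject value="bob" />
  </Permission>
  <Permission name="guest_countries_GetFeatureInfo_obliged">
    <Resource value="layers/Countries" />
    <Action value="operations/GetFeatureInfo" />
    <Subject value="guest" />
    <Obligation name="obligation:wms:extent:boundingbox">
      <Attribute name="srs">EPSG:4326</Attribute>
      <Attribute name="box">-170,-56,-36,83</Attribute>
    </Obligation>
  </Permission>
</PermissionSet>"""

def load_users(xml_text):
    """username -> (password, set of role names)."""
    return {u.get("username"): (u.get("password"), {r.get("name") for r in u.findall("Role")})
            for u in ET.fromstring(xml_text).findall("User")}

def _values(elem, tag, prefix):
    # "layers/Builtup%20areas" -> "Builtup areas": values are URL-encoded in the file
    return {unquote(e.get("value"))[len(prefix):] for e in elem.findall(tag)}

def load_permissions(xml_text):
    """List of permission dicts; 'box' is (srs, (minx, miny, maxx, maxy)) or None."""
    perms = []
    for p in ET.fromstring(xml_text).iter("Permission"):
        box = None
        ob = p.find("Obligation[@name='obligation:wms:extent:boundingbox']")
        if ob is not None:
            attr = {a.get("name"): a.text.strip() for a in ob.findall("Attribute")}
            box = (attr["srs"], tuple(float(v) for v in attr["box"].split(",")))
        perms.append({"name": p.get("name"), "box": box,
                      "layers": _values(p, "Resource", "layers/"),
                      "actions": _values(p, "Action", "operations/"),
                      "subjects": {s.get("value") for s in p.findall("Subject")}})
    return perms

def decide(users, perms, username, password, operation, layers, bbox=None, srs="EPSG:4326"):
    """Return (allowed, reason). Assumed semantics: each requested layer needs a permission
    matching one of the caller's roles; an obliged permission only counts when the request
    bbox lies inside the obligation box in the same SRS."""
    stored = users.get(username)
    if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
        return False, "authentication failed"
    roles, granted = stored[1], set()
    for layer in layers:
        for p in perms:
            if not roles & p["subjects"] or operation not in p["actions"] or layer not in p["layers"]:
                continue
            box = p["box"]
            if box is None or (bbox is not None and srs == box[0] and box[1][0] <= bbox[0]
                               and box[1][1] <= bbox[1] and bbox[2] <= box[1][2] and bbox[3] <= box[1][3]):
                granted.add(p["name"])
                break
        else:
            return False, "No rights"  # the message uDig shows in Tasks 1 and 2
    return True, ", ".join(sorted(granted))

if __name__ == "__main__":
    users, perms = load_users(USERS_XML), load_permissions(PERMISSIONS_XML)
    sydney, new_york = (150.5, -34.5, 152.0, -33.0), (-75.0, 40.0, -73.0, 41.5)  # constructed boxes
    cases = [("bob", ["Airports"], sydney), ("bob", ["Countries"], sydney),
             ("guest", ["Countries"], new_york), ("guest", ["Countries"], sydney)]
    for who, lyrs, box in cases:
        print(who, "GetFeatureInfo", lyrs, decide(users, perms, who, who, "GetFeatureInfo", lyrs, box))
```

Run directly, it shows Bob denied on Airports but allowed on Countries anywhere, and Guest allowed on Countries near New York but denied near Sydney, matching what uDig displays in Tasks 1 and 2. Two things the configuration data itself makes visible: users.xml keeps passwords in clear text, and the obligation box -170,-56,-36,83 in EPSG:4326 is longitude-first (minx, miny, maxx, maxy); the example treats an SRS mismatch as a denial rather than comparing coordinates from different reference systems.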

Advanced: Create new Enforcement Point for a local GeoServer WMS

Go to the advanced Tutorial...