Tutorial for setting up and using the components from the OWS-6 testbed
This tutorial guides you through setting up the components developed during the OWS-6 testbed to protect an OGC Web Map Service (WMS) and load it into an OGC WMS client.
You will install the 52North WSC.Web, Gatekeeper and STS. For demonstration purposes, the "protected" WMS will be the ArcIMS 9.2.0 brd Web Map Service. The uDig client will be used to visualize the results.
- System requirements
The components are delivered as web archive files ("war") to be easily deployed in a servlet container.
- Apache Tomcat 6.x
- Java Development Kit (JDK) 1.4.x, 1.5., 1.6
- Installation
- Stop Tomcat
- Download the WSC.Web (Facade Webapp), Gatekeeper and STS
- Save the archive files to TOMCAT_HOME/webapps
- Start Tomcat
- Test the default Installation (with uDig)
- Create a facade for Alice
- In a browser open http://localhost:8080/52n-security-facade-webapp-2.1-M1-200905061400/Start.do
- Enter the Gatekeeper URL (WebSecurity Service URL) http://localhost:8080/52n-security-gatekeeper-webapp-0.1/services/gatekeeper

- Choose whether the facade access should be restricted to one IP
- Choose whether the created facade should be permanent or not
- Click Login
- Enter Alice's Username and Password (alice/alice)

- Click Login
- Copy the URL presented on the web page to the clipboard

- Start uDig and create an empty map
File > New > New Map
- Rename the map to "Alice's Map" or similar
- Add the protected service to the map
[right-click "Alice's Map"] > Add... > Web Map Server > [paste URL from clipboard] > Next > [select all layers] > Finish

- Restrict GetMap access
The user Alice should only be able to load the layer "Bundeslaender":
- Stop Tomcat
- Go to TOMCAT_HOME/webapps/52n-security-gatekeeper-webapp-0.1/WEB-INF/classes and open rights.xml with an editor of your choice
- Look for the XML element <PermissionCollection> with the type attribute value target:wms:layer
    <rights:PermissionCollection type="target:wms:layer">
      <rights:Permission>
        <rights:Resource>*</rights:Resource>
        <rights:Action>GetCapabilities</rights:Action>
        <rights:Subject type="urn:n52:authentication:subject:principal:role">alice</rights:Subject>
      </rights:Permission>
      <rights:Permission>
        <rights:Resource>*</rights:Resource>
        <rights:Action>GetMap</rights:Action>
        <rights:Subject type="urn:n52:authentication:subject:principal:role">alice</rights:Subject>
      </rights:Permission>
      <rights:Permission>
        <rights:Resource>Bundeslaender</rights:Resource>
        <rights:Action>GetFeatureInfo</rights:Action>
        <rights:Subject type="urn:n52:authentication:subject:principal:role">alice</rights:Subject>
        <rights:Obligation type="obligation:wms:extent:boundingbox">
          <rights:Attribute id="srs">EPSG:31467</rights:Attribute>
          <!-- Only North Rhine-Westfalia -->
          <rights:Attribute id="box">3276171,5573465,3534133,5821553</rights:Attribute>
        </rights:Obligation>
      </rights:Permission>
      <rights:Permission>
        <rights:Resource>*</rights:Resource>
        <rights:Action>GetCapabilities</rights:Action>
        <rights:Subject type="urn:n52:authentication:subject:principal:role">main</rights:Subject>
      </rights:Permission>
      <rights:Permission>
        <rights:Resource>*</rights:Resource>
        <rights:Action>GetMap</rights:Action>
        <rights:Subject type="urn:n52:authentication:subject:principal:role">main</rights:Subject>
      </rights:Permission>
      <rights:Permission>
        <rights:Resource>Bundeslaender</rights:Resource>
        <rights:Action>GetFeatureInfo</rights:Action>
        <rights:Subject type="urn:n52:authentication:subject:principal:role">main</rights:Subject>
        <rights:Obligation type="obligation:wms:extent:boundingbox">
          <rights:Attribute id="srs">EPSG:31467</rights:Attribute>
          <!-- Only North Rhine-Westfalia -->
          <rights:Attribute id="box">3276171,5573465,3534133,5821553</rights:Attribute>
        </rights:Obligation>
      </rights:Permission>
      <rights:Permission>
        <rights:Resource>Bundeslaender</rights:Resource>
        <rights:Action>GetMap</rights:Action>
        <rights:Subject type="urn:n52:authentication:subject:principal:role">guest</rights:Subject>
      </rights:Permission>
      <rights:Permission>
        <rights:Resource>Bundeslaender</rights:Resource>
        <rights:Action>GetCapabilities</rights:Action>
        <rights:Subject type="urn:n52:authentication:subject:principal:role">guest</rights:Subject>
      </rights:Permission>
    </rights:PermissionCollection>
- Look for the following <Permission>
    <rights:Permission>
      <rights:Resource>*</rights:Resource>
      <rights:Action>GetMap</rights:Action>
      <rights:Subject type="urn:n52:authentication:subject:principal:role">alice</rights:Subject>
    </rights:Permission>
- Change the value of the XML element <Resource> to Bundeslaender
    <rights:Permission>
      <rights:Resource>Bundeslaender</rights:Resource>
      <rights:Action>GetMap</rights:Action>
      <rights:Subject type="urn:n52:authentication:subject:principal:role">alice</rights:Subject>
    </rights:Permission>
- Start Tomcat and repeat Step 3
- You will only see the layer "Bundeslaender"
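The edit to rights.xml can be checked offline before restarting Tomcat. The following Python script is an added example, not part of the 52North components: it reads a layer permission collection, lists grants that still use the `*` resource, and computes which layers a role may request. The namespace URI, the second layer name "Staedte", and the rule that `*` matches every layer are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
# Constructed sample: alice's entries after the edit described above.
# The namespace URI is a placeholder; the page does not show the real one.
SAMPLE = """<rights:PermissionCollection xmlns:rights="urn:example:placeholder-rights-ns"
    type="target:wms:layer">
  <rights:Permission>
    <rights:Resource>*</rights:Resource>
    <rights:Action>GetCapabilities</rights:Action>
    <rights:Subject type="urn:n52:authentication:subject:principal:role">alice</rights:Subject>
  </rights:Permission>
  <rights:Permission>
    <rights:Resource>Bundeslaender</rights:Resource>
    <rights:Action>GetMap</rights:Action>
    <rights:Subject type="urn:n52:authentication:subject:principal:role">alice</rights:Subject>
  </rights:Permission>
</rights:PermissionCollection>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def load_permissions(xml_text):
    """Return (role, action, resource, has_obligation) for each layer permission."""
    root = ET.fromstring(xml_text)
    perms = []
    for coll in root.iter():
        if local(coll.tag) != "PermissionCollection" or coll.get("type") != "target:wms:layer":
            continue
        for perm in coll:
            if local(perm.tag) != "Permission":
                continue
            fields = {local(c.tag): (c.text or "").strip() for c in perm}
            perms.append((fields.get("Subject"), fields.get("Action"),
                          fields.get("Resource"), "Obligation" in fields))
    return perms

def wildcard_grants(perms):
    """Permissions whose Resource is '*', i.e. not limited to named layers."""
    return [p for p in perms if p[2] == "*"]

def allowed_layers(perms, role, action, layers):
    """Layers a role may use for an action, assuming '*' matches every layer."""
    granted = {res for r, a, res, _ in perms if r == role and a == action}
    return [name for name in layers if "*" in granted or name in granted]

if __name__ == "__main__":
    perms = load_permissions(SAMPLE)
    print("wildcard grants:", wildcard_grants(perms))
    # "Staedte" is a hypothetical second layer used only for this check.
    print(allowed_layers(perms, "alice", "GetMap", ["Bundeslaender", "Staedte"]))
```

To audit the deployed file, pass the contents of rights.xml to `load_permissions` instead of `SAMPLE`.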






