
WSS Configuration

Before the WSS is ready to work, you have to perform the following steps:

  1. General configuration (pesConfig.xml)
  2. Permission repository configuration

General Configuration

The WSS is configured by the entries of the WEB-INF/classes/pes/pesConfig.xml file of the web application.

Below you see the pesConfig.xml file as delivered.

<EnforcementPointConfig xmlns="http://www.52north.org/enforcementservice" xmlns:auth="http://www.52north.org/authentication" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.52north.org/enforcementservice ../pesConfig.xsd">
   <InterceptorChain>
      <Interceptor id="GetMap IC -- 1" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.FilterLayerFromCapabilitiesInterceptorFactory">
         <ParameterList>
            <Parameter name="insufficientRightsMessage">Insufficient rights.</Parameter>
         </ParameterList>
         <PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
            <ParameterList>
               <Parameter name="fileLocation">/conf/pes/rights.xml</Parameter>
            </ParameterList>
         </PDP>
      </Interceptor>
      <Interceptor id="GetMap IC -- 2" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.DefaultWMSGetMapInterceptorFactory">
         <ParameterList>
            <Parameter name="insufficientRightsMessage">Insufficient rights.</Parameter>
         </ParameterList>
         <PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
            <ParameterList>
               <Parameter name="fileLocation">/conf/pes/rights.xml</Parameter>
            </ParameterList>
         </PDP>
      </Interceptor>
      <Interceptor id="GetMap IC -- 3" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.DefaultWMSGetFeatureInfoInterceptorFactory">
         <ParameterList>
            <Parameter name="insufficientRightsMessage">Insufficient rights.</Parameter>
            <Parameter name="catchbox.delta.x">2</Parameter>
            <Parameter name="catchbox.delta.y">2</Parameter>
         </ParameterList>
         <PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
            <ParameterList>
               <Parameter name="fileLocation">/conf/pes/rights.xml</Parameter>
            </ParameterList>
         </PDP>
      </Interceptor>
      <Interceptor id="GetMap IC -- 4" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.DefaultGetCapabilitiesInterceptorFactory">      
      </Interceptor>
      <Interceptor id="Log IC -- 5" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.AccessLogInterceptorFactory">      
         <ParameterList>
            <Parameter name="request.log.enabled">true</Parameter>
            <Parameter name="request.log.get.enabled">true</Parameter>
            <Parameter name="request.log.post.enabled">false</Parameter>
            <Parameter name="request.logfile.path">c:/access_req.log</Parameter>
            <Parameter name="request.logfile.maxKBytes">40</Parameter>
            <Parameter name="response.log.enabled">true</Parameter>
            <Parameter name="response.log.mimetypes">text/xml text/html application/vnd.ogc.wms_xml</Parameter>
            <Parameter name="response.logfile.path">c:/access_res.log</Parameter>
            <Parameter name="response.logfile.maxKBytes">40</Parameter>
         </ParameterList>
      </Interceptor>
   </InterceptorChain>
   <ExceptionHandler factoryClass="org.n52.security.extensions.service.enforcement.basic.exception.DefaultWMSExceptionHandlerFactory"/>
   <auth:AuthenticationMethodList>
      <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SAMLTicketLoginModule" id="WASBernModule">
         <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:wauthns</auth:URI>
         <auth:ParameterList>
            <auth:Parameter name="was.url">https://localhost:8443/was/WAS</auth:Parameter>
            <auth:Parameter name="was.name">Local WAS</auth:Parameter>
            <auth:Parameter name="was.version">1.1</auth:Parameter>
            <auth:Parameter name="was.methods">urn:opengeospatial:authNMethod:OWS:1.0:password</auth:Parameter>
            <auth:Parameter name="was.cert.keystore.path">file:///c:/Tomcat4.1/conf/.keystore</auth:Parameter>
            <auth:Parameter name="was.cert.keystore.password">changeit</auth:Parameter>
            <auth:Parameter name="was.cert.alias">tomcat</auth:Parameter>
            <auth:Parameter name="was.ticket.timeout.tolerance.notbefore">120</auth:Parameter>
         </auth:ParameterList>
      </auth:AuthenticationMethod>
      <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SessionLoginModule" id="SessionModule">
         <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:session</auth:URI>
         <auth:ParameterList>
            <auth:Parameter name="session.timeout">6000</auth:Parameter>
         </auth:ParameterList>
      </auth:AuthenticationMethod>
      <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.FileLoginModule" id="DefaultFileModule">
         <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:password</auth:URI>
         <auth:ParameterList>
            <auth:Parameter name="users.file.path">file:///c:/users.xml</auth:Parameter>
            <auth:Parameter name="users.cache">false</auth:Parameter>
            <auth:Parameter name="credential.isBase64Encoded">false</auth:Parameter>
         </auth:ParameterList>
      </auth:AuthenticationMethod>
   </auth:AuthenticationMethodList>
   <SecuredService serviceType="WMS">
      <ServiceEndpoint>http://intergeo.sdisuite.de:80/wmsconnector/gdi/brd</ServiceEndpoint>
   </SecuredService>
   <Binding>
      <ParameterList>
         <Parameter name="wss.url">https://localhost:8443/wss/WSS</Parameter>
      </ParameterList>
   </Binding>
</EnforcementPointConfig>

The configuration is divided into the sections <InterceptorChain>, <AuthenticationMethodList>, <SecuredService>, and <Binding>.

InterceptorChain

This element contains an ordered list of <Interceptor> elements, each describing one element of the "authorization processing chain". A client request and the service response are processed by each interceptor in the order defined in the InterceptorChain.

<Interceptor> element

  • factoryClass: specifies an implementation of org.n52.security.service.enforcement.interceptor.InterceptorFactory which instantiates an interceptor
  • id: unique identifier (for internal usage)
  • ParameterList: list of parameters that is passed to the Interceptor implementation; values depend on the actual Interceptor implementation
  • PDP: defines the PDP implementation that is used to obtain policy decisions (permit/deny), see below

An Interceptor uses a Policy Decision Point (PDP) to obtain a decision whether a user (e.g. a user with role "guest") is allowed to access a resource (e.g. "Layer A") in a certain mode (e.g. "GetMap"). The PDP has access to some kind of policy repository (an XML file, a database, a web service etc.) and returns the policy decision (permit/deny).

<PDP> element

  • factoryClass: specifies an implementation of org.n52.security.service.enforcement.pdp.PDPProxyFactory which instantiates a PDP
  • id: unique identifier (for internal usage)
  • ParameterList: list of parameters that is passed to the PDP implementation; values depend on the actual PDP implementation
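To make the chain/PDP interaction described above concrete, here is a small model in Python. It is an added illustration, not 52°North code: the real InterceptorFactory, PDPProxyFactory and rights.xml handling are not reproduced. It keeps the notions from the text (an ordered chain, a PDP answering permit/deny for a role, a resource and a mode, and the insufficientRightsMessage parameter) and uses a constructed in-memory permission collection in place of /conf/pes/rights.xml; the roles and layer names are made up.

```python
"""Simplified model of how an InterceptorChain consults a PDP.

Added illustration, not 52°North code. The permission collection below is
constructed and stands in for the rights.xml file referenced by the
fileLocation parameter; the layer and role names are invented.
"""
from dataclasses import dataclass

INSUFFICIENT_RIGHTS = "Insufficient rights."   # insufficientRightsMessage in pesConfig.xml


@dataclass(frozen=True)
class Permission:
    role: str       # e.g. "guest"
    resource: str   # e.g. a WMS layer name
    mode: str       # e.g. "GetMap" or "GetFeatureInfo"


class PermissionCollectionPDP:
    """Policy Decision Point over a fixed permission collection, deny by default."""

    def __init__(self, permissions):
        self._permissions = frozenset(permissions)

    def decide(self, role, resource, mode):
        # Only an explicit (role, resource, mode) entry yields "permit";
        # anything not listed is denied.
        return "permit" if Permission(role, resource, mode) in self._permissions else "deny"


@dataclass
class Request:
    role: str
    mode: str
    layers: tuple


class ModeInterceptor:
    """Interceptor responsible for one request mode; asks the PDP per layer."""

    def __init__(self, interceptor_id, mode, pdp):
        self.id = interceptor_id
        self.mode = mode
        self.pdp = pdp

    def intercept(self, request):
        if request.mode != self.mode:
            return None  # not this interceptor's concern, pass the request on
        denied = [layer for layer in request.layers
                  if self.pdp.decide(request.role, layer, request.mode) == "deny"]
        if denied:
            return f"{INSUFFICIENT_RIGHTS} ({self.id}: {', '.join(denied)})"
        return None


def run_chain(chain, request):
    """Pass the request through the interceptors in order; stop at the first denial."""
    for interceptor in chain:
        verdict = interceptor.intercept(request)
        if verdict is not None:
            return ("deny", interceptor.id, verdict)
    return ("permit", None, None)


# Constructed permission collection standing in for /conf/pes/rights.xml.
RIGHTS = PermissionCollectionPDP([
    Permission("guest", "roads", "GetMap"),
    Permission("editor", "roads", "GetMap"),
    Permission("editor", "parcels", "GetMap"),
    Permission("editor", "parcels", "GetFeatureInfo"),
])

# Chain order and ids follow pesConfig.xml; the GetCapabilities and access
# log interceptors of the delivered file consult no PDP and are left out.
CHAIN = [
    ModeInterceptor("GetMap IC -- 2", "GetMap", RIGHTS),
    ModeInterceptor("GetMap IC -- 3", "GetFeatureInfo", RIGHTS),
]

if __name__ == "__main__":
    for req in (Request("guest", "GetMap", ("roads",)),
                Request("guest", "GetMap", ("roads", "parcels")),
                Request("editor", "GetFeatureInfo", ("roads",))):
        print(req, "->", run_chain(CHAIN, req))
```

The point to take from the model is the deny-by-default PDP: a request naming one permitted and one unlisted layer is rejected by the first interceptor responsible for that mode, and the interceptors later in the chain never see it.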

AuthenticationMethodList

This element contains the description of authentication methods supported by this WSS instance. Every <AuthenticationMethod> element represents a combination of a LoginModule implementation that has access to some kind of user repository and an authentication method identifier that specifies the authentication method (password, signature, ...) that is used by the LoginModule. Every entry in the AuthenticationMethodList will be converted into an entry of the SupportedAuthenticationMethodList of the WSS capabilities as soon as the WSS is started.

<AuthenticationMethod> element

  • class: specifies a subclass of javax.security.auth.LoginModule which performs the authentication (see the list of available Login Modules)
  • id: unique identifier (for internal usage)
  • URI: URN of the authentication method to be used
  • ParameterList: list of parameters that is passed to the LoginModule implementation; values depend on the actual LoginModule implementation

A WSS instance should always provide the method designated by urn:opengeospatial:authNMethod:OWS:1.0:session, which allows clients to use a session identifier and so avoid repeated transmission of user credentials. You should therefore never need to remove the corresponding <AuthenticationMethod> element. To allow users to actually log in and perform requests, the WSS must support at least one other authentication method. Besides session authentication, the WSS specification defines URNs for two further authentication methods:

  • urn:opengeospatial:authNMethod:OWS:1.0:password (username/password authentication)
  • urn:opengeospatial:authNMethod:OWS:1.0:wauthns (SAML/WAS authentication)

SecuredService

The <SecuredService> element specifies the protected service.

<SecuredService> element

  • serviceType: type of service to protect. The type is published in the capabilities document
  • ServiceEndpoint: URL of the service to protect

Binding

The <Binding> element contains, by means of a <ParameterList>, information that is passed to the WSS servlet. The parameter named wss.url is needed for the capabilities document the WSS provides. As clients may rely on the URL information inside the capabilities, you must enter the URL of the WSS as seen by clients.
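Because the four sections above each have a requirement that is easy to get wrong when editing pesConfig.xml by hand (a PDP without a fileLocation, the session method removed, no second login method, a missing wss.url), a small lint script is useful before deploying. The following is an added example and not part of the 52°North distribution; it uses only the Python standard library, and the embedded configuration is a constructed, shortened copy of the delivered file. The checks for the JDK default keystore password "changeit" and for non-HTTPS URLs are this example's own heuristics, not rules the page states.

```python
"""Lint a 52°North WSS pesConfig.xml for the structural requirements the
documentation describes. Added example, not project code."""
import xml.etree.ElementTree as ET

PES = "http://www.52north.org/enforcementservice"
AUTH = "http://www.52north.org/authentication"
NS = {"pes": PES, "auth": AUTH}
SESSION_URN = "urn:opengeospatial:authNMethod:OWS:1.0:session"

# Constructed, shortened copy of the delivered pesConfig.xml (sample input).
SAMPLE_CONFIG = f"""<EnforcementPointConfig xmlns="{PES}" xmlns:auth="{AUTH}">
   <InterceptorChain>
      <Interceptor id="GetMap IC -- 2" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.DefaultWMSGetMapInterceptorFactory">
         <PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
            <ParameterList><Parameter name="fileLocation">/conf/pes/rights.xml</Parameter></ParameterList>
         </PDP>
      </Interceptor>
      <Interceptor id="Log IC -- 5" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.AccessLogInterceptorFactory"/>
   </InterceptorChain>
   <auth:AuthenticationMethodList>
      <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SAMLTicketLoginModule" id="WASBernModule">
         <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:wauthns</auth:URI>
         <auth:ParameterList><auth:Parameter name="was.cert.keystore.password">changeit</auth:Parameter></auth:ParameterList>
      </auth:AuthenticationMethod>
      <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SessionLoginModule" id="SessionModule">
         <auth:URI>{SESSION_URN}</auth:URI>
      </auth:AuthenticationMethod>
   </auth:AuthenticationMethodList>
   <SecuredService serviceType="WMS">
      <ServiceEndpoint>http://intergeo.sdisuite.de:80/wmsconnector/gdi/brd</ServiceEndpoint>
   </SecuredService>
   <Binding>
      <ParameterList><Parameter name="wss.url">https://localhost:8443/wss/WSS</Parameter></ParameterList>
   </Binding>
</EnforcementPointConfig>"""


def find_param(elem, name, uri):
    """Text of the <Parameter name=...> (in namespace uri) below elem, or None."""
    for p in elem.iter(f"{{{uri}}}Parameter"):
        if p.get("name") == name:
            return (p.text or "").strip()
    return None


def lint_config(xml_text):
    """Return a list of 'ERROR: ...', 'WARN: ...' and 'INFO: ...' findings."""
    root = ET.fromstring(xml_text)
    findings = []

    # InterceptorChain: must exist, and every PDP needs its repository location.
    chain = root.find("pes:InterceptorChain", NS)
    interceptors = [] if chain is None else chain.findall("pes:Interceptor", NS)
    if not interceptors:
        findings.append("ERROR: InterceptorChain has no Interceptor elements")
    for ic in interceptors:
        for pdp in ic.findall("pes:PDP", NS):
            if not find_param(pdp, "fileLocation", PES):
                findings.append(f"ERROR: PDP '{pdp.get('id')}' in interceptor "
                                f"'{ic.get('id')}' has no fileLocation parameter")

    # AuthenticationMethodList: session method plus at least one login method.
    methods = root.findall("auth:AuthenticationMethodList/auth:AuthenticationMethod", NS)
    uris = {(m.findtext("auth:URI", default="", namespaces=NS) or "").strip() for m in methods}
    if SESSION_URN not in uris:
        findings.append(f"ERROR: session authentication method {SESSION_URN} is missing; "
                        "clients would have to resend credentials with every request")
    if not (uris - {SESSION_URN}):
        findings.append("ERROR: no authentication method besides session; users cannot log in")
    for m in methods:
        if find_param(m, "was.cert.keystore.password", AUTH) == "changeit":
            findings.append(f"WARN: method '{m.get('id')}' uses the JDK default keystore password")

    # SecuredService: an endpoint must be given.
    endpoint = (root.findtext("pes:SecuredService/pes:ServiceEndpoint", default="", namespaces=NS) or "").strip()
    if not endpoint:
        findings.append("ERROR: SecuredService has no ServiceEndpoint")
    elif not endpoint.startswith("https://"):
        findings.append("INFO: ServiceEndpoint is not https; WSS-to-service traffic is unencrypted")

    # Binding: wss.url is required for the capabilities document.
    binding = root.find("pes:Binding", NS)
    wss_url = None if binding is None else find_param(binding, "wss.url", PES)
    if not wss_url:
        findings.append("ERROR: Binding has no wss.url parameter; capabilities cannot be built")
    elif not wss_url.startswith("https://"):
        findings.append("WARN: wss.url is not https; credentials would travel in the clear")
    return findings


if __name__ == "__main__":
    for line in lint_config(SAMPLE_CONFIG):
        print(line)
```

Run against the delivered file (pass its text to lint_config) the script reports no ERROR lines but flags the keystore password and the plain-HTTP backend endpoint; removing the session <AuthenticationMethod> or the wss.url parameter turns those into ERROR findings.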

Permission repository configuration

The permission repository is the data source for the PDP implementations. How the permission repository is configured depends on the PDP implementation; check the list of all available PDP implementations provided by 52°North.