Logo of 52°North

WSS Configuration

Before the WSS is ready to work, you have to perform the following steps

  1. General configuration (security-config.xml)
  2. Permission repository configuration

General Configuration

The WSS is configured by the entries of the WEB-INF/classes/security-config.xml file of the web application.

Below you see the security-config.xml file as delivered.

<?xml version="1.0" encoding="utf-8"?>
<SecurityConfig xmlns="http://www.52north.org/security/config/1.1">
        <Property id="sessionService">
            <Object class="org.n52.security.service.session.DefaultSessionService">
                <Property name="sessionTimeOut" value="3600"/>
                <Property name="issuerName" value="www.52North.org"/>
                <Property name="issuerURL" value="www.52North.org"/>
        <Property id="interceptorInfoProvider">
            <Object class="org.n52.security.enforcement.chain.DefaultInterceptorInfoProvider"/>
        <Property id="interceptorSpecTemplateProvider">
            <Object class="org.n52.security.service.config.support.mgmt.spec.DefaultInterceptorSpecTemplateProvider"/>
        <Property id="enforcementPointSpecTemplateProvider">
            <Object class="org.n52.security.service.config.support.mgmt.spec.DefaultEnfPointSpecTemplateProvider"/>
        <Property id="exceptionHandlerInfoProvider">
            <Object class="org.n52.security.enforcement.exception.DefaultExceptionHandlerInfoProvider"/>
        <Property id="insufficientRightsMessage" value="no rights"/>
        <Provider id="jksProvider"
            <Property name="keystoreType" value="JKS"/>
            <Property name="fileName" value=".keystore"/>
            <Property name="password" value="52nwas"/>
        <PPKPair id="defaultKeyPair" alias="was" passwd="52nwas" providerRef="jksProvider"/>
        <Service id="WSS">
                <!-- Comment this in if you will see the session urn in the capabilities,
                     but this is not necessary because the GetSession and CloseSession methods are
                     part of the service interface.
                <AuthenticationMethod class="org.n52.security.authentication.SessionAuthenticationMethod"/>-->
                <!-- Says that username/password combinations are accepted
                     You have to define a login module wich are able to validate this.
                <AuthenticationMethod class="org.n52.security.authentication.PasswordAuthenticationMethod"/>
                <!-- Says that saml responses (tickets e.g from a was) are accepted.
                     You have to define a login module wich are able to validate this.
                     <AuthenticationMethod class="org.n52.security.authentication.SAMLResponseAuthenticationMethod"/>
                <!-- Says that saml responses (tickets e.g from a was) are accepted.
                     You have to define a login module wich are able to validate this.
                     The difference is, that this method carries the url of the authentication point (was)
                     // you can repeat it to support more methods
                <AuthenticationMethod class="org.n52.security.authentication.WASAuthenticationMethod">
                    <Property name="url" value="http://localhost:9090/was/WAS"/>
                <LoginModule class="org.n52.security.authentication.loginmodule.SingleUserLoginModule"
                    <Property name="allowedUsername" value="test"/>
                    <Property name="allowedPassword" value="testpw"/>
                    <Property name="pwdEncAlg" value="plain"/>
                    <Property name="userRoles" value="Alice"/>
                <LoginModule class="org.n52.security.authentication.loginmodule.SAMLTicketLoginModule"
                    <Property name="validationKeyPair" idRef="defaultKeyPair"/>
                    <Property name="noValidation" value="false"/>
                    <Property name="SAMLRoleAttributeName" value="urn:n52:authentication:subject:principal:role"/>
                <DecisionPoint id="defaultDecisionPoint"
                    <Property name="fileLocation" value="rights.xml"/>
                <EnforcementPoint id="demis"
                    <Property name="sessionService" idRef="sessionService"/>
                    <Property name="capabilitiesFileName" value="WSSv1_1_01Capabilities.xml"/>
                        <Property name="decisionService" idRef="defaultDecisionPoint"/>
                        <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
                    <Interceptor class="org.n52.security.enforcement.interceptors.DefaultWMSGetMapInterceptor">
                        <Property name="decisionService" idRef="defaultDecisionPoint"/>
                        <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
                    <Interceptor class="org.n52.security.enforcement.interceptors.DefaultWMSGetFeatureInfoInterceptor">
                        <Property name="decisionService" idRef="defaultDecisionPoint"/>
                        <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage"/>
                        <Property name="catchbox.delta.x" value="2"/>
                        <Property name="catchbox.delta.y" value="2"/>
                    <Interceptor class="org.n52.security.enforcement.interceptors.DefaultGetCapabilitiesInterceptor"/>
                    <ExceptionHandler class="org.n52.security.enforcement.interceptors.DefaultWMSErrorHandler"/>

The configuration in devided into the sections Environment, PrivatePublicKeys, and Services. They are described below.

Global Definitions: <Environment>

This section contains global definitions that may be referenced in other sections, especially the <Services> section. The defined properties (or beans) are referenced using the idref attribute in subsequent sections.

Properties you might want to change are:

defines the session parameters for session-based WSS communications as done by the WSC.Web for example. sessionTimmeout defines the time period of time a session is valid if not used in between. If a session is invalid the client has to re-authenticate, e.g. using a SAML ticket.
the value is used by most Interceptor to create a human-readable message, that is part of the "access denied" error in case of insufficient permissions.

Keystore Specification: <PrivatePublicKeys>

This section specifies the public keys (i.e. certificates) a WSS might use to verify the signature of SAML tickets issued by a trusted WAS.

Keys are retrieved using an instance implementing org.n52.security.common.crypto.KeyPairProvider. The Provider elements specifies an instance of org.n52.security.common.crypto.KeyPairProvider which is either created directly if the implemeting type is specified within a class attribute or returned by the factory class specified within a factoryClass and its respctive factory method specified within a factoryMethod attribute.

Known implementations (see their JavaDoc pages for parameter details):

The PPKKeyPair element is used to assign one public/private key pair to a unique id that can be referenced inside this configuration document, e.g. to specify which key should be used to sign the SAML Assertion issued by the WAS. The alias attribute specifies the key's name inside the keystore configured here and referenced by the providerRef attribute. The password element specifies the passwort that might be necessary to access the private key.

WSS Configuration: <Service(s)>

Until version 1.2 a single WSS installation was only capable of protecting a single service (e.g. a WMS), which made it necessary to have as many WSS installations as services you wanted to protect. Since version 1.3 a single WSS installation is able to protect any number of services. Each protected service is assigned to a so called "enforcement point" managed by the WSS. A WSS enforcement point is identified by the endpoint id, that is appended to the WSS base URL.

This section contains a <Service> element for each WSS configured by this file. This is typically exactly one element but not limited to it. In a web deployment scenario, the id attibute of a service must correspond to the WSS's servlet name, which is "WSS" by default.

A single Service section defines authentication methods, login modules, and enforcement points supported or provided by the WSS.

Declare imlpementation classes of the supported authentication methods. Classes must implement org.n52.security.authentication.AuthenticationMethod.
Define the JAAS compliant login modules that are available for authentication. A LoginModule element may contain a set of Property elements whose values are passed to the LoginModules initialize() method as a Map of properties. The controlFlag attribute is equivalent to the JAAS' control flag property as described here. For a list of login modules provided by 52North and their properties, please please go here.
Define the available instances of Policy Decision Points, which have to be implementations of org.n52.security.decision.DecisionService. Decision Points are components that answer permission questions ("Is user Alice allowed to access layer 'countries'?) and are part of the interceptor framework. For a list of available implemetations, please go here.
You need to define an Enforcement Point for every service you want to protect with a WSS instance. The id attribute defines the identifier of the Enforcement Point is part of the Enforcement Point URL. The endpoint attribute specifies the service that is protected by this instance and thus receives all (authorized) requests directed to this endpoint. The endpointType attribute defines the type of the protected service. This type is part of the capabilities document issued by the endpoint. Define an Interceptor element for each interceptor that should be invoked before and after the protected service is requested. The interceptors are processed in the order declared in this file. Most interceptors require a Decision Service instance to be asked for policy decisions. An instance defined in the DecisionPoints section is referenced using the idRef attribute.

Get a list of available interceptors and their properties here.

Permission repository configuration

The permission repository is the data source for the Decision Point (a.k.a PDP) implementations . The actual configuration of the permission repository is depending on the Decision Point implementation. Check the list of all available Decision Point implementations provided by 52�North