
WSS Quick Start Guide

Intro

This Quick Start Guide shows how to configure a standard installation of a WSS, version 2.0. Following this guide you will

  • enable WAS-based authentication
  • protect layers of a WMS service

Steps

  1. Install the WAS web application as described in the WAS Quick Start Guide.

    The WAS will be used to authenticate users who want to access the protected service through the WSS.

  2. Install the WSS web application as described here

    Within the scope of this guide, the WSS should be installed on the same machine as the WAS.

  3. Make sure your Tomcat is stopped
  4. Open the <WSS_INSTALL_DIR>/WEB-INF/classes/security-config.xml file with a text or XML editor
  5. Configure the trusted WAS that issues accepted authentication tickets (i.e. SAML assertions)

    Find the lines

        <AuthenticationMethod class="org.n52.security.authentication.WASAuthenticationMethod">
            <Property name="url" value="http://localhost:9090/was/WAS"/>
        </AuthenticationMethod>

    and enter the WAS URL of the previously installed WAS.

  6. Enter the URL of the protected service

    Find the line

        <EnforcementPoint id="demis"
            endpoint="http://www2.demis.nl/mapserver/wms.asp"
            endpointType="WMS"
            class="org.n52.security.service.wss.PolicyEnforcementServiceImpl">

    and replace the existing URL with the URL of a WMS you want to protect. Also replace the id attribute with an appropriate identifier. Caution: The identifier will be part of the WSS URL!

    Alternatively you can also use the new WSS configuration tool, available under http://<host>:<port>/<context>/WSS

  7. Restart your Tomcat

    Unfortunately, there is no simple client to check the success of the installation. To be able to access the protected service with standard WMS clients and requests, you can install the 52n WSC.Web application.

  8. The missing step...

    Of course, installing a WSS does not by itself stop clients from requesting your protected service directly and bypassing the WSS security measures. It is your responsibility to make sure that only the WSS can access the protected service. This can be achieved with IP filtering mechanisms, which depend on the system environment, application container etc.

When you have finished the last step, your WSS should be ready to operate under the following URL:

http://<host>:<port>/<context>/WSS/<endpoint_id> e.g. http://localhost:8080/wss/WSS/demis
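
Before restarting Tomcat in step 7, the edits from steps 5 and 6 can be checked offline. The script below is an added example, not part of the WSS distribution: it reads a security-config.xml, lists the trusted WAS URL, derives the resulting WSS URL for each enforcement point, and names the backend host that step 8 requires you to restrict to the WSS. Assumptions: the elements carry no XML namespace (as in the fragments above), the `<Config>` root in the sample is a placeholder, the second enforcement point is constructed, and the URL-safe character set for ids is a conservative choice of this example rather than a documented WSS rule.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the fragments from steps 5 and 6 plus one made-up
# enforcement point, wrapped in a placeholder root element.
SAMPLE = """<Config>
  <AuthenticationMethod class="org.n52.security.authentication.WASAuthenticationMethod">
    <Property name="url" value="http://localhost:9090/was/WAS"/>
  </AuthenticationMethod>
  <EnforcementPoint id="demis"
      endpoint="http://www2.demis.nl/mapserver/wms.asp"
      endpointType="WMS"
      class="org.n52.security.service.wss.PolicyEnforcementServiceImpl"/>
  <EnforcementPoint id="my wms" endpoint="http://gis.example.org/wms" endpointType="WMS"/>
</Config>"""

DEFAULT_ENDPOINT = "http://www2.demis.nl/mapserver/wms.asp"  # value shown in step 6
SAFE_ID = re.compile(r"[A-Za-z0-9._~-]+")  # RFC 3986 unreserved characters


def audit(xml_text, wss_base="http://localhost:8080/wss/WSS"):
    """Return (was_urls, endpoints, warnings) for a security-config.xml text."""
    root = ET.fromstring(xml_text)
    was_urls = [p.get("value")
                for m in root.iter("AuthenticationMethod")
                if (m.get("class") or "").endswith("WASAuthenticationMethod")
                for p in m.iter("Property") if p.get("name") == "url"]
    warnings = [] if was_urls else ["no trusted WAS url configured (step 5)"]
    endpoints, seen = [], set()
    for ep in root.iter("EnforcementPoint"):
        ep_id, target = ep.get("id", ""), ep.get("endpoint", "")
        if not SAFE_ID.fullmatch(ep_id):
            warnings.append(f"id {ep_id!r} is not URL-safe but becomes part of the WSS URL")
        if ep_id in seen:
            warnings.append(f"duplicate id {ep_id!r}")
        seen.add(ep_id)
        if target == DEFAULT_ENDPOINT:
            warnings.append(f"{ep_id!r} still uses the default endpoint from step 6")
        endpoints.append({"id": ep_id, "wss_url": f"{wss_base}/{ep_id}",
                          # Step 8: this host should accept requests only from the WSS.
                          "restrict_host": urlsplit(target).hostname})
    return was_urls, endpoints, warnings


if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```

To check a real installation, pass the contents of <WSS_INSTALL_DIR>/WEB-INF/classes/security-config.xml to `audit()` together with your own `http://<host>:<port>/<context>/WSS` base.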

Setting up Permissions

The user permissions are defined in the file <WSS_INSTALL_DIR>/WEB-INF/classes/rights.xml. The default permissions are:

  • User "Alice" (username/password for WAS: alice/alice) is allowed to view/access all layers.
  • User "Bob" (bob/bob) is allowed to view only a subset of layers; GetFeatureInfo is only allowed on the "Countries" layer.
  • User "Guest" (guest/guest) has the same permissions as "Bob", except that Guest can only query GetFeatureInfo on the "Countries" layer in the area of the Americas.