L-11: Protecting OGC Web Services with the 52°North Security System
The Open Source Software Initiative 52°North provides services and applications that enable OGC Web Service providers to protect their services from unrestricted access. The building blocks of this security system are the Web Authentication Service (WAS) and the Web Security Service (WSS). On successful authentication by username and password, a WAS issues an identity token compliant with the OASIS Security Assertion Markup Language (SAML). The WSS acts as a gateway to the protected OGC Web Service and receives the initial service request (e.g. GetMap) together with the SAML token. Based on this information the WSS performs access control by looking up the user's rights and reacting accordingly: if the user has sufficient rights, it forwards the request to the protected service; otherwise the service request is rejected or modified to fit the user's permissions.
Because the WSS defines a new protocol, standard OGC Web Service clients are not able to interact with the protected service via the WSS. To overcome this issue, we introduced a proxy component, the Web Security Client (WSC), that exposes the interface of the protected service and additionally lets the user enter authentication information (e.g. username and password) as well as the desired WSS gateway URL. With this information the WSC handles the security communication with WAS and WSS transparently for the client, which simply uses a WSC-provided proxy URL.
After a brief introduction to the basic concepts of the 52°North security system, the participants will set up a scenario installation of the system to restrict access to an example Web Map Service.
Setting up the scenario implies:
- Deployment and configuration of the WAS web application on an Apache Tomcat server
- Deployment and configuration of the WSS web application on an Apache Tomcat server
- Installation and configuration of the WSC desktop application
As part of the service configuration the participants will add users to the user repository for the WAS as well as define access policies for layers and/or operations of the protected WMS for the WSS.
After successful deployment and installation the protected service will be loaded into a web map client using different user profiles to visualize the effect of policy enforcement.
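The WAS/WSS split described above, and the layer- and operation-level policies the participants configure for the WSS, as an added worked example. This is a constructed Python model written for this page, not 52°North code: the real system uses SAML assertions and its own WSS protocol, whereas here the WAS issues an HMAC-signed token over a constructed shared key, the user repository and the role policies are made-up sample data, and the WMS request is modelled as a plain query string. What it demonstrates is the three WSS outcomes the text names (forward, modify, reject) for different user profiles.

```python
"""Model of the WAS / WSS gateway logic (constructed example, not 52°North code)."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs

# Assumption: WAS and WSS share a key so the WSS can check token integrity.
# This stands in for the signature on the real system's SAML assertion.
SHARED_KEY = b"constructed-was-wss-key"
TOKEN_TTL = 300  # seconds a token stays valid


def _hash_pw(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user repository (salted hashes, no plaintext passwords).
USERS = {
    "alice": {"salt": "s1", "pw": _hash_pw("alice-pass", "s1"), "role": "analyst"},
    "bob": {"salt": "s2", "pw": _hash_pw("bob-pass", "s2"), "role": "public"},
}

# Constructed WSS policy: permitted WMS operations and layers per role.
POLICY = {
    "analyst": {"operations": {"GetCapabilities", "GetMap", "GetFeatureInfo"},
                "layers": {"roads", "buildings", "cadastre"}},
    "public": {"operations": {"GetCapabilities", "GetMap"},
               "layers": {"roads"}},
}


def was_issue_token(subject: str, ttl: int = TOKEN_TTL) -> str:
    """WAS: mint a signed token carrying subject and expiry (hypothetical format)."""
    body = json.dumps({"sub": subject, "exp": int(time.time()) + ttl}, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig


def was_authenticate(username: str, password: str) -> Optional[str]:
    """WAS: verify username/password against the repository; token or None."""
    user = USERS.get(username)
    if user is None:
        return None
    if not hmac.compare_digest(user["pw"], _hash_pw(password, user["salt"])):
        return None
    return was_issue_token(username)


def wss_verify_token(token: str) -> Optional[str]:
    """WSS: check signature and expiry; return the subject, or None if invalid."""
    try:
        body_b64, sig = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(body_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(body)
    if claims["exp"] < time.time():
        return None
    return claims["sub"]


@dataclass
class Decision:
    action: str                # "forward", "modify" or "reject"
    request: Optional[dict]    # parameters passed on to the WMS, if any
    reason: str


def wss_enforce(token: Optional[str], query: str) -> Decision:
    """WSS: decide what happens to a WMS request arriving with a token."""
    subject = wss_verify_token(token) if token else None
    if subject is None:
        return Decision("reject", None, "missing, tampered or expired token")
    policy = POLICY[USERS[subject]["role"]]
    # WMS parameter names are case-insensitive; normalise to upper case.
    params = {k.upper(): v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    op = params.get("REQUEST", "")
    if op not in policy["operations"]:
        return Decision("reject", None, f"operation {op!r} not permitted")
    if "LAYERS" in params:
        requested = [l for l in params["LAYERS"].split(",") if l]
        allowed = [l for l in requested if l in policy["layers"]]
        if not allowed:
            return Decision("reject", None, "none of the requested layers is permitted")
        if allowed != requested:
            # Trim the request to what the policy allows instead of refusing it.
            params["LAYERS"] = ",".join(allowed)
            return Decision("modify", params, "removed layers: " + ",".join(set(requested) - set(allowed)))
    return Decision("forward", params, "request fully permitted")
```

Run against the two constructed profiles, a GetMap for `roads,cadastre` is forwarded unchanged for the analyst, trimmed to `roads` for the public user, and rejected outright when no permitted layer remains, when the operation is outside the role's set, or when the token is absent, tampered with or expired. The token check uses `hmac.compare_digest` so that signature and password comparisons do not leak timing information.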
From March 2003 until October 2005 Jan Drewnak worked as a research associate at the Institute for Geoinformatics, Muenster, Germany. He is engaged in the German regional initiative "Spatial Data Infrastructure North Rhine-Westphalia" (GDI NRW) as a security architect and engineer. Since May 2005 he has worked as a software consultant and engineer for con terra GmbH, Muenster, with a focus on security in spatial data infrastructures. He also heads the 52°North Open Source Initiative's "Security Community".