GeoServer : GeoXACML-Integration
This page last changed on Mar 19, 2009 by firstname.lastname@example.org.
Security and access control is a very complex theme. Many systems have their own, non standard implementations to handle this requirement.
Access control for spatial data causes an additional requirement, protecting data and services based on geometries.
Supporting spatial authorization decisions in a standard, yet powerful manner is the target of this component.
Look at the following picture taken from the GeoXACML specification
The challenge is:
Allow a user (call her Alice) access to spatial data within the green polygon, but deny access to the rest of the world.
Additionally to spatial access decisions, authorization based on a feature type (allow or deny access to the cities) or on a feature itself (allow/deny access to London) should be possible.
GeoXACML is an extension to the OASIS XACML specification. If you follow this link you will see that we are not talking about a trivial component. XACML handles access control for common services and allows extensions.
Components used for the implementation
The following picture (again taken from the GeoXACML specification) shows a very simplified architecture.
The PDP looks for a proper XACML policy, computes an access decision and sends back a XACML response. If the response is DENY, the PEP sends back the negative answer to Alice. If the response is PERMIT, the PEP forwards the WMS request to the WMS Server, doing business as usual.
The XML schema files can be found at the OASIS XACML page.
If PEP and PDP are within the same virtual machine , the xml encoding is not needed.
There is another component in XACML, called PAP (Policy Administration Point).In my opinion, it would not make much sense to succeed with points 1,2 and 3 without having a tool to manage GeoXACML policies.
These policies are powerfull, but quite complex. There exist some XACML policy editors (e.g http://xacml.dif.um.es/ ), but remember, we need a tool also supporting the spatial extensions. Some investigation is necessary.
Doing an own implementation for managing policies is heavy stuff, perhaps there are some volunteers.
|Document generated by Confluence on May 14, 2014 23:00|