The SOS Interceptor

Function mode of the SOS-interceptors:

SOSAllowedOperationInterceptor

  • Interceptor for any SOS requests
  • Decides whether the operation (in general) is allowed for a user or not
  • Resource: /allowedOperations/NameOfAllowedOperation
  • Action: /operations/* (Interceptor should be called for every request)
  • If the operation is not allowed an EnforcementServiceException is thrown "Operation is not permitted!"

SOSFilterCapabilitiesInterceptor

  • Interceptor for SOS GetCapabilities request
  • Filters unauthorized content from the capabilities (offerings, procedures, observed properties, fois, time restriction, bounding box restriction)
  • Resources:
    • /offerings/AllowedOffering
    • /procedures/AllowedProcedure
    • /observedProperties/AllowedObservedProperty
    • /featureOfInterests/AllowedFOI
  • Action: /operations/GetCapabilities
  • For time restriction an obligation can be added which defines the time period in which an offering can be requested for observations (example beneath)
    • Parameters: beginTime, endTime (e.g. 2009-08-30T07:00:00+02:00)
  • For bounding box restriction an obligation can be added which defines the bounding box in which an offering can be requested for observations (example beneath)
    • Parameters: srs (e.g. urn:ogc:def:crs:EPSG:4326); lowerCorner, upperCorner (e.g. 6.24560488374974 50.3587094784933)
  • If the user has no rights for to request any offering, an InterceptorException is thrown "You are not allowed to access at least one offering!"

SOSGetFeatureOfInterestInterceptor

  • Interceptor for SOS GetFeatureOfInterest requests
  • Requests the rights for every requested feature
  • Only if the user has the permission, the feature is added to the service request
  • If a spatial obligation (bounding box) exists, it will be applied to the request, so that the "GetFeatureOfInterestId"-tag is replaced with a "location"-tag involving the envelope defined in the obligation
  • Resource: /featureOfInterests/AllowedFOI
  • Action: /operations/GetFeatureOfInterest
  • If the user has no rights for the requested Feature an EnforcementServiceException is thrown "Feature of interest(s) denied!"

SOSDescribeSensorInterceptor

  • Interceptor for SOS DescribeSensor requests
  • Requests the rights the for requested sensor
  • Resource: /procedures/AllowedProcedure(Sensor)
  • Action: /operations/DescribeSensor
  • If the user has no rights for the requested Sensor an EnforcementServiceException is thrown "Sensor denied!"

SOSGetObservationInterceptor

  • Interceptor for SOS GetObservation requests
  • Requests the rights for all parameters (offerings, eventTime, procedure, opservedProperty, featureOfInterest)
  • 5 Steps:
    • Checks if offering is allowed, else EnforcementServiceException is thrown "Offering denied!"
    • Checks/restricts procedures, else EnforcementServiceException is thrown "Procedure(s) denied!"
    • Checks/restricts fois and applies spatial obligation (if necessary). If all requested features were denied an EnforcementServiceException is thrown "Feature(s) of interest denied!"
    • Checks/restricts observed properties. If all requested properties were denied an EnforcementServiceException is thrown "All requested observed properties denied!"
    • Checks/restricts event time if a temporal obligation exists. Several cases have to be considered:
      • (request-begin-time before obligation-begin-time) && (request-end-time before obligation-end-time): returned time series goes from obligation-begin-time till request-end-time
      • (request-begin-time after obligation-begin-time) && (request-end-time before obligation-end-time): returned time series is as requested
      • (request-begin-time after obligation-begin-time) && (request-end-time after obligation-end-time): returned time series goes from request-begin-time till obligation-end-time
      • (request-begin-time before obligation-begin-time) && (request-end-time after obligation-end-time): returned time series goes from obligation-begin-time till obligation-end-time
      • In all other cases, no data is returned
  • Resources:
    • /offerings/AllowedOffering
    • /procedures/AllowedProcedure
    • /observedProperties/AllowedObservedProperty
    • /featureOfInterests/AllowedFOI
  • Action: /operations/GetObservation

Example Permissions

A.
<Permission name="alice_all">
   <Resource value="/offerings/*" /> <!-- Any offerings -->
   <Resource value="/procedures/*" /> <!-- Any procedures -->
   <Resource value="/observedProperties/*" /> <!-- Any observed properties -->
   <Resource value="/featureOfInterests/*" /> <!-- Any features of interest -->
   <Resource value="/allowedOperations/*" /> <!-- Any operations allowed -->
   <Action value="/operations/*" /> <!-- Any operations -->
   <Subject value="alice" />
</Permission>

B.
<Permission name="bob_rheinpegel_waterlevel_emmer_wesel">
   <Resource value="/offerings/Rheinpegel"/>
   <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-emmer"/>
   <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-wesel"/>
   <Resource value="/observedProperties/urn:ogc:def:phenomenon:OGC:1.0.30:waterlevel"/>
   <Resource value="/featureOfInterests/foi_emmer"/>
   <Resource value="/featureOfInterests/foi_wesel"/>
   <Resource value="/allowedOperations/*"/>
   <Action value="/operations/GetCapabilities"/>
   <Action value="/operations/DescribeSensor"/>
   <Action value="/operations/GetFeatureOfInterest"/>
   <Action value="/operations/GetObservation"/>
   <Subject value="bob"/>
</Permission>

C.
 <Permission name="guest_rheinpegel_waterlevel_emmer_wesel_obliged">
   <Resource value="/offerings/Rheinpegel"/>
   <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-emmer"/>
   <Resource value="/procedures/urn:ogc:object:sensor:BFG:bfg-sensor-wesel"/>
   <Resource value="/observedProperties/urn:ogc:def:phenomenon:OGC:1.0.30:waterlevel"/>
   <Resource value="/featureOfInterests/foi_emmer"/>
   <Resource value="/featureOfInterests/foi_wesel"/>
   <Resource value="/allowedOperations/*"/>
   <Action value="/operations/GetCapabilities"/>
   <Action value="/operations/DescribeSensor"/>
   <Action value="/operations/GetFeatureOfInterest"/>
   <Action value="/operations/GetObservation"/>
   <Subject value="guest"/>
   <Obligation name="obligation:sos:extent:boundingbox">
      <Attribute name="srs">urn:ogc:def:crs:EPSG:4326</Attribute>
      <Attribute name="lowerCorner">6.24560488374974 50.3587094784933</Attribute>
      <Attribute name="upperCorner">7.60722652854772 51.8292137232477</Attribute>
   </Obligation>
   <Obligation name="obligation:sos:time">
      <Attribute name="beginTime">2009-08-30T07:00:00+02:00</Attribute>
      <Attribute name="endTime">2009-09-13T19:00:00+02:00</Attribute>
   </Obligation>
</Permission>

This topic: Security > WebHome > SecurityDocs > SOSInterceptor
Topic revision: 05 Oct 2009, JanDrewnak
Legal Notice | Privacy Statement


This site is powered by FoswikiCopyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding Wiki? Send feedback