Securing a Sensor Observation Service


Overview

This page describes how to secure a transactional SOS with the 52°North WSS. This tutorial does not describe how to install a SOS but requires an existing installation (see SensorObservationService for help with installing one).

Installing the WSS

Download the WSS, unzip it and deploy the web application wss.war to your application server.

Configuring the WSS

Open the web application directory of your application server with your file manager and enter the directory wss/WEB-INF/classes.

Creating Users

Open the file users.xml. The content should look like the following:
<?xml version="1.0" encoding="UTF-8"?>
<UserRepository xmlns="http://www.52north.org/users" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
   xsi:schemaLocation="http://www.52north.org/users http://incubator.52north.org/maven/schemas/users/1.0/users.xsd">
  <User  username="alice" password="alice" realname="Alice">
   <Role name="alice"/>
   <Role name="admin"/>
  </User>
  <User  username="bob" password="bob" realname="Bob">
   <Role name="bob"/>
   <Role name="main"/>
  </User>
  <User  username="guest" password="guest" realname="Guest">
   <Role name="guest"/>
  </User>
</UserRepository>

Now remove the users alice and bob and create a new user called t-sos instead. This user has to be in the group t-sos. The finished file should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<UserRepository xmlns="http://www.52north.org/users" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
   xsi:schemaLocation="http://www.52north.org/users http://incubator.52north.org/maven/schemas/users/1.0/users.xsd">
   <User  username="guest" password="guest" realname="Guest">
      <Role name="guest"/>
   </User>
   <User  username="t-sos" password="t-sos" realname="transactional_sos_user">
      <Role name="t-sos"/>
   </User>
</UserRepository>

You may create more users who should have access to the transactional profile; they simply must have the role t-sos attached to them.

Creating appropriate permissions

Open the file permissions.xml and replace its contents with the following XML. You have to replace all occurrences of $WSS_URL with the WSS base URL (e.g. http://localhost:8080/wss).
<SimplePermissions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
      xmlns="http://www.52north.org/security/simple-permission/1.0">
    <PermissionSet name="sos">
        <ResourceDomain value="$WSS_URL/service/sos/*"/>
        <ActionDomain value="$WSS_URL/service/sos/*"/>
        <SubjectDomain value="urn:n52:security:subject:role"/>
        <Permission name="full_access">
            <Resource value="offerings/*"/>
            <Resource value="procedures/*"/>
            <Resource value="observedProperties/*"/>
            <Resource value="featureOfInterests/*"/>
            <Resource value="allowedOperations/*"/>
            <Action value="operations/*"/>
            <Subject value="t-sos"/>
        </Permission>
        <Permission name="read_only_access">
            <Resource value="offerings/*"/>
            <Resource value="procedures/*"/>
            <Resource value="observedProperties/*"/>
            <Resource value="featureOfInterests/*"/>
            <Resource value="allowedOperations/GetCapabilities"/>
            <Resource value="allowedOperations/GetResult"/>
            <Resource value="allowedOperations/GetObservation"/>
            <Resource value="allowedOperations/GetFeatureOfInterest"/>
            <Resource value="allowedOperations/GetFeatureOfInterestTime"/>
            <Resource value="allowedOperations/DescribeSensor"/>
            <Resource value="allowedOperations/DescribeFeatureType"/>
            <Action value="operations/GetCapabilities"/>
            <Action value="operations/GetResult"/>
            <Action value="operations/GetObservation"/>
            <Action value="operations/GetFeatureOfInterest"/>
            <Action value="operations/GetFeatureOfInterestTime"/>
            <Action value="operations/DescribeSensor"/>
            <Action value="operations/DescribeFeatureType"/>
            <Subject value="guest" />
        </Permission>
    </PermissionSet>
</SimplePermissions>

These permissions allow members of the group t-sos to use the transactional profile while all other users can only use the non-transactional methods.

Configuring the SOS

The WSS webapp is restricted to Tomcat users with the role manager. If you do not have such a role/user, create it by adding the following XML snippet to your tomcat-users.xml file. Please note that changes to the file require a Tomcat restart.
<tomcat-users>
  <role rolename="manager" />
  <user username="wss" password="wss" roles="manager" />
</tomcat-users>

Navigate your browser to $WSS_URL/site/manage.html (where $WSS_URL is the base URL of the WSS installation, e.g. http://localhost:8080/wss) and log in with the Tomcat user you just created. Remove all Enforcement Points by clicking on Delete in each row. Now click on the Create tab. Enter sos as ID and enter the URL of the SOS as the Protected Service URL. Select SOS as Type and enable the HTTP Basic and "noauth" Authentication Schemes. Click on Create and leave the website.

Authorize the WSS against the SOS

If your SOS is globally accessible but secured by HTTP authorization, go to the directory enforcement_points and open the file ep_SOS….

It should look similar to this:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_07" class="java.beans.XMLDecoder">
 <object class="org.n52.security.service.enforcement.mgmt.EnforcementPoint">
  <void id="HashSet0" property="authenticationSchemes">
   <void method="add">
    <string>httpauth</string>
   </void>
   <void method="add">
    <string>noauth</string>
   </void>
  </void>
  <void property="authenticationSchemes">
   <object idref="HashSet0"/>
  </void>
  <void property="changedAt">
   <object class="java.util.Date">
    <long>1349879889254</long>
   </object>
  </void>
  <void property="createdAt">
   <object class="java.util.Date">
    <long>1349879889254</long>
   </object>
  </void>
  <void property="endpoint">
   <string>http://localhost:8080/sos/sos</string>
  </void>
  <void property="id">
   <string>sos</string>
  </void>
  <void property="module">
   <string>SOS</string>
  </void>
  <void id="HashMap0" property="properties">
   <void method="put">
    <string>redirectionAuthenticationScheme</string>
    <string>noauth</string>
   </void>
  </void>
  <void property="properties">
   <object idref="HashMap0"/>
  </void>
 </object>
</java>

Add this snippet to the file, inside the properties map (the void element with the id HashMap0), and replace $USERNAME and $PASSWORD to allow the WSS to access the SOS:
<void method="put">
   <string>basicAuthUser</string>
   <string>$USERNAME</string>
</void>
<void method="put">
   <string>basicAuthPassword</string>
   <string>$PASSWORD</string>
</void>

The file should now look similar to this:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_07" class="java.beans.XMLDecoder">
 <object class="org.n52.security.service.enforcement.mgmt.EnforcementPoint">
  <void id="HashSet0" property="authenticationSchemes">
   <void method="add">
    <string>httpauth</string>
   </void>
   <void method="add">
    <string>noauth</string>
   </void>
  </void>
  <void property="authenticationSchemes">
   <object idref="HashSet0"/>
  </void>
  <void property="changedAt">
   <object class="java.util.Date">
    <long>1349879889254</long>
   </object>
  </void>
  <void property="createdAt">
   <object class="java.util.Date">
    <long>1349879889254</long>
   </object>
  </void>
  <void property="endpoint">
   <string>http://localhost:8080/sos/sos</string>
  </void>
  <void property="id">
   <string>sos</string>
  </void>
  <void property="module">
   <string>SOS</string>
  </void>
  <void id="HashMap0" property="properties">
   <void method="put">
    <string>redirectionAuthenticationScheme</string>
    <string>noauth</string>
   </void>
   <void method="put">
    <string>basicAuthUser</string>
    <string>$USERNAME</string>
   </void>
   <void method="put">
    <string>basicAuthPassword</string>
    <string>$PASSWORD</string>
   </void>
  </void>
  <void property="properties">
   <object idref="HashMap0"/>
  </void>
 </object>
</java>
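
A pre-reload check for the edited enforcement point file, as an added example that is not part of the original page or of the WSS code base. The allowlists are assumptions derived from the file shown above and the function names are hypothetical; elements, classes and methods are checked because java.beans.XMLDecoder instantiates the classes and invokes the methods that a file names.

```python
import xml.etree.ElementTree as ET

# Allowlists taken from the enforcement point file shown above (assumption:
# a file written by the WSS manage page contains nothing else).
ALLOWED_TAGS = {"java", "object", "void", "string", "long"}
ALLOWED_CLASSES = {
    "org.n52.security.service.enforcement.mgmt.EnforcementPoint",
    "java.util.Date",
}
ALLOWED_METHODS = {"add", "put"}
REQUIRED_KEYS = ("basicAuthUser", "basicAuthPassword")

# Constructed sample: a shortened file in which the edit was left half done.
EP_XML = """<java version="1.7.0_07" class="java.beans.XMLDecoder">
 <object class="org.n52.security.service.enforcement.mgmt.EnforcementPoint">
  <void property="endpoint"><string>http://localhost:8080/sos/sos</string></void>
  <void id="HashMap0" property="properties">
   <void method="put"><string>basicAuthUser</string><string>$USERNAME</string></void>
  </void>
  <void property="properties"><object idref="HashMap0"/></void>
 </object>
</java>"""


def map_entries(root):
    """Collect the key/value pairs put into the 'properties' map."""
    entries = {}
    for holder in root.iter("void"):
        if holder.get("property") != "properties":
            continue
        for put in holder.findall("void[@method='put']"):
            strings = [s.text for s in put.findall("string")]
            if len(strings) == 2:
                entries[strings[0]] = strings[1]
    return entries


def check_enforcement_point(xml_text):
    """Return a list of problems; an empty list means the file passed."""
    root = ET.fromstring(xml_text)
    problems = []
    for el in root.iter():
        if el.tag not in ALLOWED_TAGS:
            problems.append(f"unexpected element <{el.tag}>")
        cls, method = el.get("class"), el.get("method")
        if el is not root and cls is not None and cls not in ALLOWED_CLASSES:
            problems.append(f"unexpected class {cls}")
        if method is not None and method not in ALLOWED_METHODS:
            problems.append(f"unexpected method {method}")
    entries = map_entries(root)
    for key in REQUIRED_KEYS:
        value = entries.get(key)
        if value is None:
            problems.append(f"missing {key}")
        elif value.startswith("$"):
            problems.append(f"placeholder left in {key}")
    return problems
```

The file holds the SOS credentials in clear text, so it should be readable only by the account that runs the application server.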

Accessing the SOS

After reloading the WSS application the SOS is accessible under two URLs, where $WSS_URL is the base URL of the WSS (e.g. http://localhost:8080/wss).
  • $WSS_URL/service/sos/httpauth
  • $WSS_URL/service/sos/noauth
The first URL allows access to the transactional profile and needs authorization (more specifically a user of the t-sos group). The latter requires no authorization and prohibits the access to the transactional profile.

You can test it by entering some of the following URLs in the browser:
  • $WSS_URL/service/sos/noauth?service=SOS&request=GetCapabilities&acceptVersions=1.0.0 should give you the Capabilities document.
  • $WSS_URL/service/sos/noauth?service=SOS&request=InsertObservation&version=1.0.0 should give you a WSS exception report, because you are not allowed to access this resource.
  • $WSS_URL/service/sos/httpauth?service=SOS&request=GetCapabilities&acceptVersions=1.0.0 should ask for username/password (try t-sos:t-sos) and give you the SOS Capabilities document.
  • $WSS_URL/service/sos/httpauth?service=SOS&request=InsertObservation&version=1.0.0 should ask you for credentials (t-sos:t-sos) and give you a SOS exception report stating that GET is not supported.

Use Cases

This section describes different use cases for securing a SOS instance.

Restrict on operation level only

To restrict access to the SOS instance at the operation level only, a single interceptor needs to be activated in SOS-module.xml: org.n52.security.enforcement.interceptors.sos.simplepermission.SOSAllowedOperationInterceptor. In addition, the permissions only need to narrow the operation names, not any other resources such as features or properties. Filtering these will be covered by different use cases.

  • SOS-module.xml:

    <?xml version="1.0" encoding="utf-8"?>
    <!-- This is a SOS enforcement point template file,
         responsible to assemble valid SOS EnforcementPoints.
         You can reference all ids defined in the parent security-config.xml and
         all enforcement point properties via ${enforcementpoint.<propname>}.
    -->
    <SecurityConfig xmlns="http://www.52north.org/security/config/1.1">
        <Services>
            <Service id="Enforcement-Point-SOS-Template">
                <EnforcementPoints>
                    <EnforcementPoint id="${enforcementpoint.id}" endpoint="${enforcementpoint.endpoint}"
                            endpointType="SOS"
                            class="org.n52.security.service.wss.PolicyEnforcementServiceImpl">
                        <Property name="endpointPolicyId" value="${enforcementpoint.endpointPolicyId}" />
                        <Property name="redirectionAuthenticationScheme" value="${enforcementpoint.properties.redirectionAuthenticationScheme}" />
                        <Property name="endpointHttpBasicUsername" value="${enforcementpoint.properties.basicAuthUser}" />
                        <Property name="endpointHttpBasicPassword" value="${enforcementpoint.properties.basicAuthPassword}" />
                        <Interceptor
                            class="org.n52.security.enforcement.interceptors.sos.simplepermission.SOSAllowedOperationInterceptor">
                            <Property name="decisionService" idRef="defaultDecisionPoint" />
                            <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage" />
                        </Interceptor>
                        <Interceptor class="org.n52.security.enforcement.interceptors.DefaultGetCapabilitiesInterceptor" />
                        <ExceptionHandler class="org.n52.security.enforcement.interceptors.DefaultWMSErrorHandler" />
                    </EnforcementPoint>
                </EnforcementPoints>
            </Service>
        </Services>
    </SecurityConfig>

  • permissions.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <SimplePermissions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
            xmlns="http://www.52north.org/security/simple-permission/1.0">
        <PermissionSet name="sos">
            <ResourceDomain value="http://localhost:8080/52n-security-wss-webapp/service/sos_kvp/*"/>
            <ActionDomain value="http://localhost:8080/52n-security-wss-webapp/service/sos_kvp/*"/>
            <SubjectDomain value="urn:n52:security:subject:role"/>
            <Permission name="full_access">
                <Resource value="offerings/*"/>
                <Resource value="procedures/*"/>
                <Resource value="observedProperties/*"/>
                <Resource value="featureOfInterests/*"/>
                <Resource value="allowedOperations/*"/>
                <Action value="operations/*"/>
                <Subject value="t-sos"/>
            </Permission>
            <Permission name="insert_observation">
                <Resource value="offerings/*"/>
                <Resource value="procedures/*"/>
                <Resource value="observedProperties/*"/>
                <Resource value="featureOfInterests/*"/>
                <Resource value="allowedOperations/InsertObservation"/>
                <Action value="operations/InsertObservation"/>
                <Subject value="data-provider"/>
            </Permission>
            <Permission name="sensor-management">
                <Resource value="offerings/*"/>
                <Resource value="procedures/*"/>
                <Resource value="observedProperties/*"/>
                <Resource value="featureOfInterests/*"/>
                <Resource value="allowedOperations/InsertSensor"/>
                <Resource value="allowedOperations/DeleteSensor"/>
                <Resource value="allowedOperations/UpdateSensorDescription"/>
                <Action value="operations/InsertSensor"/>
                <Action value="operations/DeleteSensor"/>
                <Action value="operations/UpdateSensorDescription"/>
                <!-- The subject is a role name (see SubjectDomain) and must match
                     the Role "sensor-manager" assigned in users.xml. -->
                <Subject value="sensor-manager"/>
            </Permission>
            <Permission name="read_only_access">
                <Resource value="offerings/*"/>
                <Resource value="procedures/*"/>
                <Resource value="observedProperties/*"/>
                <Resource value="featureOfInterests/*"/>
                <Resource value="allowedOperations/GetCapabilities"/>
                <Resource value="allowedOperations/GetResult"/>
                <Resource value="allowedOperations/GetObservation"/>
                <Resource value="allowedOperations/GetFeatureOfInterest"/>
                <Resource value="allowedOperations/GetFeatureOfInterestTime"/>
                <Resource value="allowedOperations/DescribeSensor"/>
                <Resource value="allowedOperations/DescribeFeatureType"/>
                <Action value="operations/GetCapabilities"/>
                <Action value="operations/GetResult"/>
                <Action value="operations/GetObservation"/>
                <Action value="operations/GetFeatureOfInterest"/>
                <Action value="operations/GetFeatureOfInterestTime"/>
                <Action value="operations/DescribeSensor"/>
                <Action value="operations/DescribeFeatureType"/>
                <Subject value="guest" />
            </Permission>
        </PermissionSet>
    </SimplePermissions>

  • users.xml while using LoginModule org.n52.security.authentication.loginmodule.FileLoginModule:

    <?xml version="1.0" encoding="UTF-8"?>
    <UserRepository xmlns="http://www.52north.org/users" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        xsi:schemaLocation="http://www.52north.org/users http://incubator.52north.org/maven/schemas/users/1.0/users.xsd">
        <User  username="guest" password="guest" realname="Guest">
            <Role name="guest"/>
        </User>
        <User  username="t-sos" password="t-sos" realname="transactional_sos_user">
            <Role name="t-sos"/>
        </User>
        <User  username="dataProvider" password="dataProvider" realname="IHaveTheData">
            <Role name="data-provider"/>
        </User>
        <User  username="sensorManager" password="sensorManager" realname="IHaveTheData">
            <Role name="sensor-manager"/>
        </User>
    </UserRepository>

SOS Interceptors

This section describes the available interceptors.

AllowedOperationInterceptor

This interceptor decides if the user is allowed to perform the requested operation with the protected SOS instance.

SOSFilterCapabilitiesInterceptor

This interceptor filters the GetCapabilities response of the protected services and removes not allowed
  • procedures,
  • observed properties,
  • features of interest,
  • offerings and,
  • temporal and spatial bounding boxes.
The resources are removed from the = section and offerings. Offerings might be removed because of not allowed procedures, observed properties, or spatial or temporal constraints.

SOSDescribeSensorInterceptor

This interceptor filters the DescribeSensor request for procedure identifiers that are not allowed. If temporal obligations are set for the user, an element is added before sending the request to the protected service. The response is not touched.

SOSGetObservationInterceptor

Note: This interceptor does not support the KVP encoding, only XML-based encodings like POX and SOAP.

Regarding SOS 2.0, this interceptor expects a minimum of
  • one feature of interest,
  • one observed property,
  • one procedure and
  • one offering
parameter. If one group of parameters is empty or contains only entries that are not allowed, then the request is denied by the service. In addition, spatial and temporal obligations are applied if available. Existing matching filters (temporal or spatial) are updated.

SOSGetFeatureOfInterestInterceptor

This interceptor filters the GetFeatureOfInterest request for not allowed resources. In addition, spatial obligations are applied to existing spatial filters. If none is present, a new spatial filter is added.

In addition, in the SOS 2.0 context the response is filtered, too. The response is checked for gml:identifier elements containing not allowed feature ids. Each not allowed element is removed.

SOSGetDataAvailabilityInterceptor

This interceptor filters the GetDataAvailability request and response. The interceptor considers the following resources and obligations:
  • procedures,
  • features of interest,
  • observed property and
  • temporal obligations.
Topic revision: r8 - 28 Jul 2014, EikeJuerrens