Securing a Sensor Observation Service
Overview
This page describes how to secure a transactional SOS with the 52°North WSS. It does not describe how to install a SOS; it requires an existing installation (see SensorObservationService for help with installing one).
Installing the WSS
Download the WSS, unzip it and deploy the web application wss.war to your application server.
Configuring the WSS
Open the web application directory of your application server with your file manager and enter the directory wss/WEB-INF/classes.
Creating Users
Open the file users.xml. Its content should look like the following:
<?xml version="1.0" encoding="UTF-8"?>
<UserRepository xmlns="http://www.52north.org/users" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.52north.org/users http://incubator.52north.org/maven/schemas/users/1.0/users.xsd">
<User username="alice" password="alice" realname="Alice">
<Role name="alice"/>
<Role name="admin"/>
</User>
<User username="bob" password="bob" realname="Bob">
<Role name="bob"/>
<Role name="main"/>
</User>
<User username="guest" password="guest" realname="Guest">
<Role name="guest"/>
</User>
</UserRepository>
Now remove the users alice and bob and create a new user called t-sos instead. This user has to carry the role t-sos. The file should then look like this:
<?xml version="1.0" encoding="UTF-8"?>
<UserRepository xmlns="http://www.52north.org/users" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.52north.org/users http://incubator.52north.org/maven/schemas/users/1.0/users.xsd">
<User username="guest" password="guest" realname="Guest">
<Role name="guest"/>
</User>
<User username="t-sos" password="t-sos" realname="transactional_sos_user">
<Role name="t-sos"/>
</User>
</UserRepository>
You may create more users who should have access to the transactional profile; they simply must have the role t-sos attached to them.
Creating appropriate permissions
Open the file permissions.xml and replace its contents with the following XML. Replace all occurrences of $WSS_URL with the WSS base URL (e.g. http://localhost:8080/wss).
<SimplePermissions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://www.52north.org/security/simple-permission/1.0">
<PermissionSet name="sos">
<ResourceDomain value="$WSS_URL/service/sos/*"/>
<ActionDomain value="$WSS_URL/service/sos/*"/>
<SubjectDomain value="urn:n52:security:subject:role"/>
<Permission name="full_access">
<Resource value="offerings/*"/>
<Resource value="procedures/*"/>
<Resource value="observedProperties/*"/>
<Resource value="featureOfInterests/*"/>
<Resource value="allowedOperations/*"/>
<Action value="operations/*"/>
<Subject value="t-sos"/>
</Permission>
<Permission name="read_only_access">
<Resource value="offerings/*"/>
<Resource value="procedures/*"/>
<Resource value="observedProperties/*"/>
<Resource value="featureOfInterests/*"/>
<Resource value="allowedOperations/GetCapabilities"/>
<Resource value="allowedOperations/GetResult"/>
<Resource value="allowedOperations/GetObservation"/>
<Resource value="allowedOperations/GetFeatureOfInterest"/>
<Resource value="allowedOperations/GetFeatureOfInterestTime"/>
<Resource value="allowedOperations/DescribeSensor"/>
<Resource value="allowedOperations/DescribeFeatureType"/>
<Action value="operations/GetCapabilities"/>
<Action value="operations/GetResult"/>
<Action value="operations/GetObservation"/>
<Action value="operations/GetFeatureOfInterest"/>
<Action value="operations/GetFeatureOfInterestTime"/>
<Action value="operations/DescribeSensor"/>
<Action value="operations/DescribeFeatureType"/>
<Subject value="guest" />
</Permission>
</PermissionSet>
</SimplePermissions>
These permissions allow members of the role t-sos to use the transactional profile, while all other users can only use the non-transactional operations.
Configuring the SOS
The WSS web application is restricted to Tomcat users with the role manager. If you do not have such a role/user, create it by adding the following XML snippet to your tomcat-users.xml file. Note that changes to this file require a Tomcat restart.
<tomcat-users>
<role rolename="manager" />
<user username="wss" password="wss" roles="manager" />
</tomcat-users>
Navigate your browser to $WSS_URL/site/manage.html (where $WSS_URL is the base URL of the WSS installation, e.g. http://localhost:8080/wss) and log in with the Tomcat user you just created. Remove all Enforcement Points by clicking Delete in each row. Now click on the Create tab. Enter sos as ID and enter the URL of the SOS as the Protected Service URL. Select SOS as Type and enable the HTTP Basic and "noauth" Authentication Schemes. Click Create and leave the website.
Authorize the WSS against the SOS
If your SOS is globally accessible but itself protected by HTTP Basic authentication, go to the directory enforcement_points and open the file ep_SOS…. It should look similar to this:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_07" class="java.beans.XMLDecoder">
<object class="org.n52.security.service.enforcement.mgmt.EnforcementPoint">
<void id="HashSet0" property="authenticationSchemes">
<void method="add">
<string>httpauth</string>
</void>
<void method="add">
<string>noauth</string>
</void>
</void>
<void property="authenticationSchemes">
<object idref="HashSet0"/>
</void>
<void property="changedAt">
<object class="java.util.Date">
<long>1349879889254</long>
</object>
</void>
<void property="createdAt">
<object class="java.util.Date">
<long>1349879889254</long>
</object>
</void>
<void property="endpoint">
<string>http://localhost:8080/sos/sos</string>
</void>
<void property="id">
<string>sos</string>
</void>
<void property="module">
<string>SOS</string>
</void>
<void id="HashMap0" property="properties">
<void method="put">
<string>redirectionAuthenticationScheme</string>
<string>noauth</string>
</void>
</void>
<void property="properties">
<object idref="HashMap0"/>
</void>
</object>
</java>
Add the following two put entries inside the properties map (the void element with id="HashMap0", next to the existing redirectionAuthenticationScheme entry) and replace $USERNAME and $PASSWORD with the credentials the WSS should use to access the SOS:
<void method="put">
<string>basicAuthUser</string>
<string>$USERNAME</string>
</void>
<void method="put">
<string>basicAuthPassword</string>
<string>$PASSWORD</string>
</void>
The file should now look similar to this:
<?xml version="1.0" encoding="UTF-8"?>
<java version="1.7.0_07" class="java.beans.XMLDecoder">
<object class="org.n52.security.service.enforcement.mgmt.EnforcementPoint">
<void id="HashSet0" property="authenticationSchemes">
<void method="add">
<string>httpauth</string>
</void>
<void method="add">
<string>noauth</string>
</void>
</void>
<void property="authenticationSchemes">
<object idref="HashSet0"/>
</void>
<void property="changedAt">
<object class="java.util.Date">
<long>1349879889254</long>
</object>
</void>
<void property="createdAt">
<object class="java.util.Date">
<long>1349879889254</long>
</object>
</void>
<void property="endpoint">
<string>http://localhost:8080/sos/sos</string>
</void>
<void property="id">
<string>sos</string>
</void>
<void property="module">
<string>SOS</string>
</void>
<void id="HashMap0" property="properties">
<void method="put">
<string>redirectionAuthenticationScheme</string>
<string>noauth</string>
</void>
<void method="put">
<string>basicAuthUser</string>
<string>$USERNAME</string>
</void>
<void method="put">
<string>basicAuthPassword</string>
<string>$PASSWORD</string>
</void>
</void>
<void property="properties">
<object idref="HashMap0"/>
</void>
</object>
</java>
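The edit above is easy to get wrong by hand (the entries must land inside the map that carries the id, not inside the void that only references it). The following added Python example, which is not part of the WSS or of this page's original content, performs that edit with the standard library and can be re-run without duplicating entries. The trimmed enforcement point document is constructed from the page's example; the function and property names other than basicAuthUser, basicAuthPassword and redirectionAuthenticationScheme are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed enforcement point file, trimmed from the page's ep_SOS example.
EP_XML = """<java version="1.7.0_07" class="java.beans.XMLDecoder">
 <object class="org.n52.security.service.enforcement.mgmt.EnforcementPoint">
  <void property="endpoint"><string>http://localhost:8080/sos/sos</string></void>
  <void property="id"><string>sos</string></void>
  <void id="HashMap0" property="properties">
   <void method="put">
    <string>redirectionAuthenticationScheme</string>
    <string>noauth</string>
   </void>
  </void>
  <void property="properties"><object idref="HashMap0"/></void>
 </object>
</java>"""


def _properties_map(root):
    """The void element that defines the properties map: it has an id,
    unlike the second 'properties' void that only holds an idref."""
    for v in root.iter("void"):
        if v.get("property") == "properties" and v.get("id"):
            return v
    raise ValueError("no properties map found in enforcement point file")


def read_properties(xml_text):
    """Return the key/value pairs stored in the enforcement point properties map."""
    root = ET.fromstring(xml_text)
    props = {}
    for put in _properties_map(root).findall("void[@method='put']"):
        key, value = [s.text for s in put.findall("string")]
        props[key] = value
    return props


def put_count(xml_text):
    """Number of put entries in the map (used to verify the edit is idempotent)."""
    root = ET.fromstring(xml_text)
    return len(_properties_map(root).findall("void[@method='put']"))


def set_property(map_elem, key, value):
    """Update an existing put entry for key, or append a new one."""
    for put in map_elem.findall("void[@method='put']"):
        strings = put.findall("string")
        if strings[0].text == key:
            strings[1].text = value
            return
    put = ET.SubElement(map_elem, "void", method="put")
    ET.SubElement(put, "string").text = key
    ET.SubElement(put, "string").text = value


def add_basic_auth(xml_text, username, password):
    """Return the document with basicAuthUser/basicAuthPassword set in the properties map."""
    root = ET.fromstring(xml_text)
    map_elem = _properties_map(root)
    set_property(map_elem, "basicAuthUser", username)
    set_property(map_elem, "basicAuthPassword", password)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_basic_auth(EP_XML, "$USERNAME", "$PASSWORD"))
```

After the edit the file holds the SOS credential in clear text, so keep its filesystem permissions limited to the account the application server runs under.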
Accessing the SOS
After reloading the WSS application the SOS is accessible under two URLs, where $WSS_URL is the base URL of the WSS (e.g. http://localhost:8080/wss):
- $WSS_URL/service/sos/httpauth
- $WSS_URL/service/sos/noauth
The first URL allows access to the transactional profile and needs authorization (more specifically a user with the t-sos role). The latter requires no authorization and prohibits access to the transactional profile.
You can test it by entering some of the following URLs in the browser:
- $WSS_URL/service/sos/noauth?service=SOS&request=GetCapabilities&acceptVersions=1.0.0 should give you the Capabilities document.
- $WSS_URL/service/sos/noauth?service=SOS&request=InsertObservation&version=1.0.0 should give you a WSS exception report, because you are not allowed to access this resource.
- $WSS_URL/service/sos/httpauth?service=SOS&request=GetCapabilities&acceptVersions=1.0.0 should ask for username/password (try t-sos:t-sos) and give you the SOS Capabilities document.
- $WSS_URL/service/sos/httpauth?service=SOS&request=InsertObservation&version=1.0.0 should ask you for credentials (t-sos:t-sos) and give you a SOS exception report saying that GET is not supported.
Use Cases
This section describes different use cases for securing a SOS instance.
Restrict on operation level only
If the requirement is to restrict access to the SOS instance on the operation level only, a single interceptor needs to be activated in SOS-module.xml: org.n52.security.enforcement.interceptors.sos.simplepermission.SOSAllowedOperationInterceptor. In addition, the permissions then only need to narrow the operation names, not other resources such as features or properties; filtering those is covered by the other use cases. The resulting SOS-module.xml:
<?xml version="1.0" encoding="utf-8"?>
<!-- This is a SOS enforcement point template file,
     responsible to assemble valid SOS EnforcementPoints.
     You can reference all ids defined in the parent security-config.xml and
     all enforcement point properties via ${enforcementpoint.<propname>}.
-->
<SecurityConfig xmlns="http://www.52north.org/security/config/1.1">
  <Services>
    <Service id="Enforcement-Point-SOS-Template">
      <EnforcementPoints>
        <EnforcementPoint id="${enforcementpoint.id}" endpoint="${enforcementpoint.endpoint}"
                          endpointType="SOS"
                          class="org.n52.security.service.wss.PolicyEnforcementServiceImpl">
          <Property name="endpointPolicyId" value="${enforcementpoint.endpointPolicyId}" />
          <Property name="redirectionAuthenticationScheme" value="${enforcementpoint.properties.redirectionAuthenticationScheme}" />
          <Property name="endpointHttpBasicUsername" value="${enforcementpoint.properties.basicAuthUser}" />
          <Property name="endpointHttpBasicPassword" value="${enforcementpoint.properties.basicAuthPassword}" />
          <Interceptor
              class="org.n52.security.enforcement.interceptors.sos.simplepermission.SOSAllowedOperationInterceptor">
            <Property name="decisionService" idRef="defaultDecisionPoint" />
            <Property name="insufficientRightsMessage" idRef="insufficientRightsMessage" />
          </Interceptor>
          <Interceptor class="org.n52.security.enforcement.interceptors.DefaultGetCapabilitiesInterceptor" />
          <ExceptionHandler class="org.n52.security.enforcement.interceptors.DefaultWMSErrorHandler" />
        </EnforcementPoint>
      </EnforcementPoints>
    </Service>
  </Services>
</SecurityConfig>
- permissions.xml with the additional roles data-provider and sensor-manager (each Subject value must match a Role name in users.xml exactly, since the SubjectDomain is urn:n52:security:subject:role):
<?xml version="1.0" encoding="UTF-8"?>
<SimplePermissions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns="http://www.52north.org/security/simple-permission/1.0">
  <PermissionSet name="sos">
    <ResourceDomain value="http://localhost:8080/52n-security-wss-webapp/service/sos_kvp/*"/>
    <ActionDomain value="http://localhost:8080/52n-security-wss-webapp/service/sos_kvp/*"/>
    <SubjectDomain value="urn:n52:security:subject:role"/>
    <Permission name="full_access">
      <Resource value="offerings/*"/>
      <Resource value="procedures/*"/>
      <Resource value="observedProperties/*"/>
      <Resource value="featureOfInterests/*"/>
      <Resource value="allowedOperations/*"/>
      <Action value="operations/*"/>
      <Subject value="t-sos"/>
    </Permission>
    <Permission name="insert_observation">
      <Resource value="offerings/*"/>
      <Resource value="procedures/*"/>
      <Resource value="observedProperties/*"/>
      <Resource value="featureOfInterests/*"/>
      <Resource value="allowedOperations/InsertObservation"/>
      <Action value="operations/InsertObservation"/>
      <Subject value="data-provider"/>
    </Permission>
    <Permission name="sensor-management">
      <Resource value="offerings/*"/>
      <Resource value="procedures/*"/>
      <Resource value="observedProperties/*"/>
      <Resource value="featureOfInterests/*"/>
      <Resource value="allowedOperations/InsertSensor"/>
      <Resource value="allowedOperations/DeleteSensor"/>
      <Resource value="allowedOperations/UpdateSensorDescription"/>
      <Action value="operations/InsertSensor"/>
      <Action value="operations/DeleteSensor"/>
      <Action value="operations/UpdateSensorDescription"/>
      <!-- must equal the Role name given in users.xml (sensor-manager), not the username -->
      <Subject value="sensor-manager"/>
    </Permission>
    <Permission name="read_only_access">
      <Resource value="offerings/*"/>
      <Resource value="procedures/*"/>
      <Resource value="observedProperties/*"/>
      <Resource value="featureOfInterests/*"/>
      <Resource value="allowedOperations/GetCapabilities"/>
      <Resource value="allowedOperations/GetResult"/>
      <Resource value="allowedOperations/GetObservation"/>
      <Resource value="allowedOperations/GetFeatureOfInterest"/>
      <Resource value="allowedOperations/GetFeatureOfInterestTime"/>
      <Resource value="allowedOperations/DescribeSensor"/>
      <Resource value="allowedOperations/DescribeFeatureType"/>
      <Action value="operations/GetCapabilities"/>
      <Action value="operations/GetResult"/>
      <Action value="operations/GetObservation"/>
      <Action value="operations/GetFeatureOfInterest"/>
      <Action value="operations/GetFeatureOfInterestTime"/>
      <Action value="operations/DescribeSensor"/>
      <Action value="operations/DescribeFeatureType"/>
      <Subject value="guest" />
    </Permission>
  </PermissionSet>
</SimplePermissions>
- users.xml when using the LoginModule org.n52.security.authentication.loginmodule.FileLoginModule:
<?xml version="1.0" encoding="UTF-8"?>
<UserRepository xmlns="http://www.52north.org/users" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.52north.org/users http://incubator.52north.org/maven/schemas/users/1.0/users.xsd">
  <User username="guest" password="guest" realname="Guest">
    <Role name="guest"/>
  </User>
  <User username="t-sos" password="t-sos" realname="transactional_sos_user">
    <Role name="t-sos"/>
  </User>
  <User username="dataProvider" password="dataProvider" realname="IHaveTheData">
    <Role name="data-provider"/>
  </User>
  <User username="sensorManager" password="sensorManager" realname="IHaveTheData">
    <Role name="sensor-manager"/>
  </User>
</UserRepository>
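A permissions.xml/users.xml pair such as the one above, or the one in "Creating appropriate permissions", is easiest to check before deployment by replaying the page's test requests against it. The following added Python example (not 52°North code and not part of the original page) reproduces the matching rule the page implies: a Subject is a role name because the SubjectDomain is urn:n52:security:subject:role, an Action is operations/<name>, and "*" is a wildcard. The two sample documents are constructed and trimmed from the page's examples; they deliberately contain a Subject "sensorManager" that no Role provides, which the unmatched_subjects check reports. Treating the noauth endpoint as the guest user, and denying when no permission matches, are assumptions of this example.

```python
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

NS_PERM = "{http://www.52north.org/security/simple-permission/1.0}"
NS_USER = "{http://www.52north.org/users}"

# Constructed sample permissions, trimmed from the page's examples.
PERMISSIONS_XML = """<SimplePermissions xmlns="http://www.52north.org/security/simple-permission/1.0">
  <PermissionSet name="sos">
    <SubjectDomain value="urn:n52:security:subject:role"/>
    <Permission name="full_access">
      <Resource value="allowedOperations/*"/>
      <Action value="operations/*"/>
      <Subject value="t-sos"/>
    </Permission>
    <Permission name="sensor-management">
      <Resource value="allowedOperations/InsertSensor"/>
      <Action value="operations/InsertSensor"/>
      <Subject value="sensorManager"/>
    </Permission>
    <Permission name="read_only_access">
      <Resource value="allowedOperations/GetCapabilities"/>
      <Resource value="allowedOperations/GetObservation"/>
      <Action value="operations/GetCapabilities"/>
      <Action value="operations/GetObservation"/>
      <Subject value="guest"/>
    </Permission>
  </PermissionSet>
</SimplePermissions>"""

# Constructed sample users; note the role is sensor-manager, not sensorManager.
USERS_XML = """<UserRepository xmlns="http://www.52north.org/users">
  <User username="guest" password="guest" realname="Guest"><Role name="guest"/></User>
  <User username="t-sos" password="t-sos" realname="t"><Role name="t-sos"/></User>
  <User username="sensorManager" password="x" realname="s"><Role name="sensor-manager"/></User>
</UserRepository>"""


def load_permissions(xml_text):
    """Return a list of (permission name, action patterns, subjects) tuples."""
    root = ET.fromstring(xml_text)
    perms = []
    for p in root.iter(NS_PERM + "Permission"):
        actions = [a.get("value") for a in p.findall(NS_PERM + "Action")]
        subjects = [s.get("value") for s in p.findall(NS_PERM + "Subject")]
        perms.append((p.get("name"), actions, subjects))
    return perms


def load_roles(xml_text):
    """Return {username: set of role names} from a UserRepository document."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): {r.get("name") for r in u.findall(NS_USER + "Role")}
            for u in root.iter(NS_USER + "User")}


def is_allowed(perms, roles, username, operation):
    """True if some permission grants operations/<operation> to one of the user's roles.
    Unknown users have no roles and are therefore denied (assumption: default deny)."""
    user_roles = roles.get(username, set())
    target = "operations/" + operation
    for _name, actions, subjects in perms:
        if user_roles.intersection(subjects) and any(fnmatchcase(target, a) for a in actions):
            return True
    return False


def unmatched_subjects(perms, roles):
    """Subject values that no user carries as a role: such a permission can never apply."""
    known = set().union(*roles.values())
    return sorted({s for _n, _a, subjects in perms for s in subjects} - known)


if __name__ == "__main__":
    perms, roles = load_permissions(PERMISSIONS_XML), load_roles(USERS_XML)
    # The noauth endpoint is treated as the guest user here (assumption).
    for user, op in [("guest", "GetCapabilities"), ("guest", "InsertObservation"),
                     ("t-sos", "InsertObservation"), ("sensorManager", "InsertSensor")]:
        print(f"{user:14s} {op:18s} {'allowed' if is_allowed(perms, roles, user, op) else 'denied'}")
    print("subjects without a matching role:", unmatched_subjects(perms, roles))
```

Run it against your real files by reading them in place of the two constructed strings; any entry reported by unmatched_subjects is a permission that silently grants nothing.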
SOS Interceptors
This section describes the available interceptors.
AllowedOperationInterceptor
This interceptor decides if the user is allowed to perform the
requested operation with the protected SOS instance.
SOSFilterCapabilitiesInterceptor
This interceptor filters the GetCapabilities response of the protected service and removes not allowed
- procedures,
- observed properties,
- features of interest,
- offerings and
- temporal and spatial bounding boxes.
The resources are removed from the respective section of the capabilities document and from the offerings. Offerings might be removed because of not allowed procedures, observed properties, or spatial or temporal constraints.
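To make the filtering rule concrete, here is an added Python example (not the interceptor's code and not part of the original page) that applies it to a constructed, simplified SOS 1.0 capabilities fragment: references to not allowed procedures and observed properties are removed from each offering, and an offering that has no visible procedure or observed property left is dropped entirely. The allowed-resource patterns use the page's Resource value notation (procedures/…, observedProperties/…); features of interest and bounding boxes are left out of this example.

```python
from fnmatch import fnmatchcase
import xml.etree.ElementTree as ET

SOS = "{http://www.opengis.net/sos/1.0}"
XLINK = "{http://www.w3.org/1999/xlink}"

# Constructed, simplified capabilities document (not a real service response).
CAPABILITIES = """<Capabilities xmlns="http://www.opengis.net/sos/1.0"
              xmlns:xlink="http://www.w3.org/1999/xlink">
  <Contents>
    <ObservationOfferingList>
      <ObservationOffering>
        <name>public-weather</name>
        <procedure xlink:href="urn:example:proc:weather-1"/>
        <observedProperty xlink:href="urn:example:prop:temperature"/>
      </ObservationOffering>
      <ObservationOffering>
        <name>internal-lab</name>
        <procedure xlink:href="urn:example:proc:lab-7"/>
        <observedProperty xlink:href="urn:example:prop:temperature"/>
      </ObservationOffering>
      <ObservationOffering>
        <name>mixed</name>
        <procedure xlink:href="urn:example:proc:weather-1"/>
        <procedure xlink:href="urn:example:proc:lab-7"/>
        <observedProperty xlink:href="urn:example:prop:pressure"/>
      </ObservationOffering>
    </ObservationOfferingList>
  </Contents>
</Capabilities>"""

# Constructed allowed resources for the requesting subject, in Resource-value notation.
ALLOWED = ["procedures/urn:example:proc:weather-*", "observedProperties/*"]


def allowed(kind, identifier, rules=ALLOWED):
    """True if kind/identifier matches one of the allowed resource patterns."""
    return any(fnmatchcase(kind + "/" + identifier, r) for r in rules)


def filter_capabilities(xml_text, rules=ALLOWED):
    """Return (filtered XML string, names of offerings removed entirely)."""
    root = ET.fromstring(xml_text)
    removed = []
    for offering_list in root.iter(SOS + "ObservationOfferingList"):
        for offering in list(offering_list):
            # Strip references the subject may not see.
            for tag, kind in ((SOS + "procedure", "procedures"),
                              (SOS + "observedProperty", "observedProperties")):
                for ref in offering.findall(tag):
                    if not allowed(kind, ref.get(XLINK + "href"), rules):
                        offering.remove(ref)
            # Nothing visible left: drop the whole offering.
            if not offering.findall(SOS + "procedure") or not offering.findall(SOS + "observedProperty"):
                removed.append(offering.findtext(SOS + "name"))
                offering_list.remove(offering)
    return ET.tostring(root, encoding="unicode"), removed


def remaining_offerings(xml_text):
    """Names of the offerings still present in a (filtered) capabilities document."""
    return [o.findtext(SOS + "name") for o in ET.fromstring(xml_text).iter(SOS + "ObservationOffering")]


if __name__ == "__main__":
    filtered, dropped = filter_capabilities(CAPABILITIES)
    print("dropped offerings:", dropped)
    print("remaining offerings:", remaining_offerings(filtered))
```

The check worth keeping from this is the last step: filtering individual references is not enough, because an offering that advertises no procedure or property at all would still leak its name, so the interceptor removes such offerings as a whole.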
SOSDescribeSensorInterceptor
This interceptor filters the DescribeSensor request for not allowed procedure identifiers. If temporal obligations are set for the user, an element is added before sending the request to the protected service. The response is not touched.
SOSGetObservationInterceptor
This interceptor does not support the KVP encoding, only XML-based encodings such as POX and SOAP.
Regarding SOS 2.0, this interceptor expects a minimum of
- one feature of interest,
- one observed property,
- one procedure and
- one offering
parameter. If one group of parameters is empty or contains only not allowed entries, then the request is denied by the service. In addition, spatial and temporal obligations are applied if available. Existing matching filters (temporal or spatial) are updated.
SOSGetFeatureOfInterestInterceptor
This interceptor filters the GetFeatureOfInterest request for not allowed resources. In addition, spatial obligations are applied to existing spatial filters. If none is present, a new spatial filter is added.
In addition, in the SOS 2.0 context the response is filtered, too. The response is checked for gml:identifier elements containing not allowed feature ids, and each not allowed element is removed.
SOSGetDataAvailabilityInterceptor
This interceptor filters the GetDataAvailability request and response. The interceptor considers the following resources and obligations:
- procedures,
- features of interest,
- observed property and
- temporal obligations.