WSS Configuration
Before the WSS is ready to work, you have to perform the following steps:
- General configuration (pesConfig.xml)
- Permission repository configuration
General Configuration
The WSS is configured by the entries of the WEB-INF/classes/pes/pesConfig.xml file of the web application.
Below you see the pesConfig.xml file as delivered. Note that it contains installation-specific placeholder values (Windows paths such as c:/access_req.log and file:///c:/Tomcat4.1/conf/.keystore, and the keystore password changeit) that have to be adapted before deployment.
```xml
<EnforcementPointConfig xmlns="http://www.52north.org/enforcementservice" xmlns:auth="http://www.52north.org/authentication" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.52north.org/enforcementservice ../pesConfig.xsd">
  <InterceptorChain>
    <Interceptor id="GetMap IC -- 1" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.FilterLayerFromCapabilitiesInterceptorFactory">
      <ParameterList>
        <Parameter name="insufficientRightsMessage">Insufficient rights.</Parameter>
      </ParameterList>
      <PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
        <ParameterList>
          <Parameter name="fileLocation">/conf/pes/rights.xml</Parameter>
        </ParameterList>
      </PDP>
    </Interceptor>
    <Interceptor id="GetMap IC -- 2" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.DefaultWMSGetMapInterceptorFactory">
      <ParameterList>
        <Parameter name="insufficientRightsMessage">Insufficient rights.</Parameter>
      </ParameterList>
      <PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
        <ParameterList>
          <Parameter name="fileLocation">/conf/pes/rights.xml</Parameter>
        </ParameterList>
      </PDP>
    </Interceptor>
    <Interceptor id="GetMap IC -- 3" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.DefaultWMSGetFeatureInfoInterceptorFactory">
      <ParameterList>
        <Parameter name="insufficientRightsMessage">Insufficient rights.</Parameter>
        <Parameter name="catchbox.delta.x">2</Parameter>
        <Parameter name="catchbox.delta.y">2</Parameter>
      </ParameterList>
      <PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
        <ParameterList>
          <Parameter name="fileLocation">/conf/pes/rights.xml</Parameter>
        </ParameterList>
      </PDP>
    </Interceptor>
    <Interceptor id="GetMap IC -- 4" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.DefaultGetCapabilitiesInterceptorFactory">
    </Interceptor>
    <Interceptor id="Log IC -- 5" factoryClass="org.n52.security.extensions.service.enforcement.basic.interceptor.AccessLogInterceptorFactory">
      <ParameterList>
        <Parameter name="request.log.enabled">true</Parameter>
        <Parameter name="request.log.get.enabled">true</Parameter>
        <Parameter name="request.log.post.enabled">false</Parameter>
        <Parameter name="request.logfile.path">c:/access_req.log</Parameter>
        <Parameter name="request.logfile.maxKBytes">40</Parameter>
        <Parameter name="response.log.enabled">true</Parameter>
        <Parameter name="response.log.mimetypes">text/xml text/html application/vnd.ogc.wms_xml</Parameter>
        <Parameter name="response.logfile.path">c:/access_res.log</Parameter>
        <Parameter name="response.logfile.maxKBytes">40</Parameter>
      </ParameterList>
    </Interceptor>
  </InterceptorChain>
  <ExceptionHandler factoryClass="org.n52.security.extensions.service.enforcement.basic.exception.DefaultWMSExceptionHandlerFactory"/>
  <auth:AuthenticationMethodList>
    <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SAMLTicketLoginModule" id="WASBernModule">
      <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:wauthns</auth:URI>
      <auth:ParameterList>
        <auth:Parameter name="was.url">https://localhost:8443/was/WAS</auth:Parameter>
        <auth:Parameter name="was.name">Local WAS</auth:Parameter>
        <auth:Parameter name="was.version">1.1</auth:Parameter>
        <auth:Parameter name="was.methods">urn:opengeospatial:authNMethod:OWS:1.0:password</auth:Parameter>
        <auth:Parameter name="was.cert.keystore.path">file:///c:/Tomcat4.1/conf/.keystore</auth:Parameter>
        <auth:Parameter name="was.cert.keystore.password">changeit</auth:Parameter>
        <auth:Parameter name="was.cert.alias">tomcat</auth:Parameter>
      </auth:ParameterList>
    </auth:AuthenticationMethod>
    <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.SessionLoginModule" id="SessionModule">
      <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:session</auth:URI>
      <auth:ParameterList>
        <auth:Parameter name="session.timeout">6000</auth:Parameter>
      </auth:ParameterList>
    </auth:AuthenticationMethod>
    <auth:AuthenticationMethod class="org.n52.security.extensions.service.common.loginmodule.FileLoginModule" id="DefaultFileModule">
      <auth:URI>urn:opengeospatial:authNMethod:OWS:1.0:password</auth:URI>
      <auth:ParameterList>
        <auth:Parameter name="users.file.path">file:///c:/users.xml</auth:Parameter>
        <auth:Parameter name="users.cache">false</auth:Parameter>
        <auth:Parameter name="credential.isBase64Encoded">false</auth:Parameter>
      </auth:ParameterList>
    </auth:AuthenticationMethod>
  </auth:AuthenticationMethodList>
  <SecuredService serviceType="WMS">
    <ServiceEndpoint>http://intergeo.sdisuite.de:80/wmsconnector/gdi/brd</ServiceEndpoint>
  </SecuredService>
  <Binding>
    <ParameterList>
      <Parameter name="wss.url">https://localhost:8443/wss/WSS</Parameter>
    </ParameterList>
  </Binding>
</EnforcementPointConfig>
```
The configuration is divided into the sections <InterceptorChain>, <AuthenticationMethodList>, <SecuredService>, and <Binding>.
InterceptorChain
This element contains an ordered list of <Interceptor> elements, each describing an element of the "authorization processing chain". A client request and service response is processed by each interceptor in the order defined in the InterceptorChain.
| Node | Description |
| --- | --- |
| factoryClass | specifies an implementation of org.n52.security.service.enforcement.interceptor.InterceptorFactory which instantiates an interceptor |
| id | unique identifier (for internal usage) |
| ParameterList | list of parameters that is passed to the Interceptor implementation; values depend on the actual Interceptor implementation |
| PDP | defines the PDP implementation that is used to obtain policy decisions (permit/deny), see below |
An Interceptor uses a Policy Decision Point (PDP) to obtain a decision whether a user (e.g. a user with role "guest") is allowed to access a resource (e.g. "Layer A") in a certain mode (e.g. "GetMap"). The PDP has access to some kind of policy repository (an XML file, a database, a web service etc.) and returns the policy decision (permit/deny).
| Node | Description |
| --- | --- |
| factoryClass | specifies an implementation of org.n52.security.service.enforcement.pdp.PDPProxyFactory which instantiates a PDP |
| id | unique identifier (for internal usage) |
| ParameterList | list of parameters that is passed to the PDP implementation; values depend on the actual PDP implementation |
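To make the request/response flow through the chain and the PDP's permit/deny decision concrete, here is a small Python model. It is an added illustration, not 52°North code: the class names, the Request object, the (role, resource, mode) triples that stand in for rights.xml, and the list of layer names that stands in for a capabilities document are all assumptions. What it shows is that every interceptor consults the PDP in the configured order, that a deny stops the request with the insufficientRightsMessage text, and that the capabilities filter removes layers the caller has no permission for, with anything not listed in the repository denied by default.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    roles: frozenset   # roles of the authenticated user, e.g. {"guest"}
    operation: str     # WMS operation, e.g. "GetMap"
    layers: tuple      # layers the client asks for (empty for GetCapabilities)


class AccessDenied(Exception): """Raised when the PDP denies part of the request."""


class PermissionCollectionPDP:
    """Policy Decision Point over an in-memory permission collection.
    Assumed repository format: (role, resource, mode) triples standing in for
    the rights.xml file behind fileLocation. Anything not listed is denied."""
    def __init__(self, permissions):
        self._permissions = frozenset(permissions)

    def decide(self, roles, resource, mode):
        if any((role, resource, mode) in self._permissions for role in roles):
            return "permit"
        return "deny"


class OperationInterceptor:
    """Request-side check for one operation: every requested layer must be permitted."""
    def __init__(self, operation, pdp, insufficient_rights_message="Insufficient rights."):
        self.operation, self.pdp, self.message = operation, pdp, insufficient_rights_message

    def intercept_request(self, request):
        if request.operation == self.operation:
            for layer in request.layers:
                if self.pdp.decide(request.roles, layer, self.operation) == "deny":
                    raise AccessDenied(self.message)
        return request

    def intercept_response(self, request, response):
        return response


class FilterLayerFromCapabilitiesInterceptor:
    """Response-side filter: a GetCapabilities answer (modelled here as a list
    of layer names) keeps only the layers the caller is permitted to GetMap."""
    def __init__(self, pdp):
        self.pdp = pdp

    def intercept_request(self, request):
        return request

    def intercept_response(self, request, response):
        if request.operation != "GetCapabilities":
            return response
        return [l for l in response if self.pdp.decide(request.roles, l, "GetMap") == "permit"]


class InterceptorChain:
    """Passes request and response through the interceptors in configured order."""
    def __init__(self, interceptors):
        self.interceptors = list(interceptors)

    def process(self, request, backend):
        for ic in self.interceptors:
            request = ic.intercept_request(request)   # a deny aborts the request here
        response = backend(request)
        for ic in self.interceptors:
            response = ic.intercept_response(request, response)
        return response


# Constructed sample policy: guests may only GetMap "Layer A"; editors get both layers.
SAMPLE_PERMISSIONS = {
    ("guest", "Layer A", "GetMap"),
    ("editor", "Layer A", "GetMap"),
    ("editor", "Layer B", "GetMap"),
    ("editor", "Layer B", "GetFeatureInfo"),
}
ALL_LAYERS = ["Layer A", "Layer B"]   # what the protected WMS would advertise


def fake_wms(request):
    """Stands in for the protected WMS endpoint."""
    if request.operation == "GetCapabilities":
        return list(ALL_LAYERS)
    return "image for " + ",".join(request.layers)


def run(roles, operation, layers=()):
    """Send one request through the chain; returns the response, or the
    insufficientRightsMessage text when an interceptor denies the request."""
    pdp = PermissionCollectionPDP(SAMPLE_PERMISSIONS)
    chain = InterceptorChain([
        FilterLayerFromCapabilitiesInterceptor(pdp),   # like "GetMap IC -- 1"
        OperationInterceptor("GetMap", pdp),           # like "GetMap IC -- 2"
        OperationInterceptor("GetFeatureInfo", pdp),   # like "GetMap IC -- 3"
    ])
    try:
        return chain.process(Request(frozenset(roles), operation, tuple(layers)), fake_wms)
    except AccessDenied as exc:
        return str(exc)
```

Calling run({"guest"}, "GetCapabilities") yields only ['Layer A'], while run({"guest"}, "GetMap", ["Layer A", "Layer B"]) returns "Insufficient rights." because the second layer is not in the guest's permissions. The important design choice is that the PDP answers "deny" for every combination it has no entry for, so a layer or operation that was forgotten in the repository is closed rather than open.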
AuthenticationMethodList
This element contains the description of authentication methods supported by this WSS instance. Every <AuthenticationMethod> element represents a combination of a LoginModule implementation that has access to some kind of user repository and an authentication method identifier that specifies the authentication method (password, signature, ...) that is used by the LoginModule. Every entry in the AuthenticationMethodList will be converted into an entry of the SupportedAuthenticationMethodList of the WSS capabilities as soon as the WSS is started.
| Node | Description |
| --- | --- |
| class | specifies a subclass of javax.security.auth.LoginModule which performs the authentication (List of available Login Modules) |
| id | unique identifier (for internal usage) |
| URI | URN of the authentication method to be used |
| ParameterList | list of parameters that is passed to the LoginModule implementation; values depend on the actual LoginModule implementation |
A WSS instance should always provide the method designated by urn:opengeospatial:authNMethod:OWS:1.0:session, which allows clients to use a session identifier instead of transmitting user credentials repeatedly. So you should never need to remove the corresponding <AuthenticationMethod> element. To allow users to actually log in and perform requests, the WSS must support at least one other authentication method. Besides session authentication, the WSS specification defines URNs for two further authentication methods:
- urn:opengeospatial:authNMethod:OWS:1.0:password (username/password authentication)
- urn:opengeospatial:authNMethod:OWS:1.0:wauthns (SAML/WAS authentication)
SecuredService
The <SecuredService> element specifies the protected service.
| Node | Description |
| --- | --- |
| serviceType | Type of service to protect. The type is published in the capabilities document |
| ServiceEndpoint | URL of the service to protect. |
Binding
The <Binding> element in general contains information, by means of a <ParameterList>, that is passed to the WSS servlet. The parameter named wss.url is needed for the capabilities document the WSS provides. As clients may rely on the URL information inside the capabilities, it is necessary to enter the URL of the WSS as seen by clients.
Permission repository configuration
The permission repository is the data source for the PDP implementations. The actual configuration of the permission repository depends on the PDP implementation. Check the list of all available PDP implementations provided by 52°North.