Existing PDP Implementations
- Permission Collection PDP: file-based access
- Default PDP Proxy: database access
Permission Collection PDP
General Information
- Factory class: org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory
- Implementation class: org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDP
Parameters
| Parameter | Description |
| fileLocation | classpath-relative path to the XML file that stores the permissions. Default value is /conf/pes/rights.xml |
Permission Repository
The permission repository is an XML file that contains one <PermissionCollection> element for every type of resource to protect. Every <Permission> element inside this collection is specified as a combination of
- <Resource>: protectable object covered by this permission
- <Action>: the access mode covered by this permission
- <Subject>: the user covered by this permission. Subjects carry a type identifier, because a subject can be identified by role, username, email address and so on. Currently the only possible type is urn:n52:authentication:subject:principal:role.
Example:
<Rights version="1.2" xmlns="http://www.52north.org/rights" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.52north.org/rights ../rights.xsd ">
<PermissionCollection type="target:wms:service">
<Permission>
<Resource>http://intergeo.sdisuite.de/wmsconnector/gdi/brd</Resource>
<Action>*</Action>
<Subject type="urn:n52:authentication:subject:principal:role">*</Subject>
</Permission>
</PermissionCollection>
<PermissionCollection type="target:wms:layer">
<Permission>
<Resource>*</Resource>
<Action>GetCapabilities</Action>
<Subject type="urn:n52:authentication:subject:principal:role">Alice</Subject>
</Permission>
</PermissionCollection>
</Rights>
Note: Everything that is not explicitly expressed as a Permission is a denial.
An asterisk ("*") as the value of <Resource>, <Action>, or <Subject> has the meaning of "any".
The meaning of resource and action depends on the type of PermissionCollection. The available types are defined by the PDP/Interceptor implementation.
Currently available PermissionCollection types are:
- target:wms:service: Denotes the service as a whole.
  - Resource: service URL that must exactly match the SecuredService defined in the pesConfig.xml file of the WSS
  - Action: No special action; use "*"
- target:wms:layer: The layer of a WMS
  - Resource: Name of a named layer as defined in the capabilities document of the WMS
  - Action: GetCapabilities, GetMap, GetFeatureInfo
    - an absent permission to access a layer with GetCapabilities means that the layer will not appear in the capabilities document.
    - an absent permission for GetMap means that the requested layer will be removed from the incoming GetMap request.
    - an absent permission to access a layer with GetFeatureInfo will result in a denial of a GetFeatureInfo request and in switching off the queryable attribute in the protected service's capabilities document.
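The rules above (default deny, "*" meaning "any", and layers without a GetMap permission being dropped from the request) can be checked against a rights file with a short evaluator. This is an added example, not 52°North code: the exact-or-asterisk matching, the function names and the sample file (example.org URL, layer names) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
NS = {"r": "http://www.52north.org/rights"}
ROLE = "urn:n52:authentication:subject:principal:role"

# Constructed sample in the page's rights.xml format (not a real deployment).
RIGHTS_XML = """<Rights version="1.2" xmlns="http://www.52north.org/rights">
  <PermissionCollection type="target:wms:service">
    <Permission>
      <Resource>http://wms.example.org/service</Resource>
      <Action>*</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">*</Subject>
    </Permission>
  </PermissionCollection>
  <PermissionCollection type="target:wms:layer">
    <Permission>
      <Resource>roads</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">Alice</Subject>
    </Permission>
    <Permission>
      <Resource>*</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">Alice</Subject>
    </Permission>
  </PermissionCollection>
</Rights>"""

def load_permissions(xml_text):
    """Return (collection type, resource, action, subject type, subject) tuples; assumes a schema-valid file."""
    perms = []
    for coll in ET.fromstring(xml_text).findall("r:PermissionCollection", NS):
        for p in coll.findall("r:Permission", NS):
            subj = p.find("r:Subject", NS)
            perms.append((coll.get("type"), p.findtext("r:Resource", "", NS).strip(),
                          p.findtext("r:Action", "", NS).strip(),
                          subj.get("type"), (subj.text or "").strip()))
    return perms

def _match(pattern, value):
    return pattern == "*" or pattern == value   # "*" means "any"; otherwise exact match

def is_permitted(perms, ctype, resource, action, roles):
    """Default deny: True only if some Permission covers the request. Unknown subject types never match."""
    return any(t == ctype and _match(r, resource) and _match(a, action)
               and st == ROLE and (s == "*" or s in roles)
               for t, r, a, st, s in perms)

def filter_getmap_layers(perms, layers, roles):
    """Keep only the layers the roles may request with GetMap."""
    return [l for l in layers if is_permitted(perms, "target:wms:layer", l, "GetMap", roles)]
```

Because matching is exact, a service URL that differs only by a trailing slash is not covered and is therefore denied.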
<PDP> element
<PDP id="FilePDP" factoryClass="org.n52.security.extensions.service.enforcement.basic.pdp.PermissionCollectionPDPFactory">
<ParameterList>
<Parameter name="fileLocation">/conf/pes/rights.xml</Parameter>
</ParameterList>
</PDP>
Default PDP Proxy
[TBD]







