Protecting OGC Web Services with the 52°North Security System
- Note
- This tutorial was held at FOSS4G 2007.
The slides shown in the FOSS4G lab in advance of this tutorial are available here.
Summary
This tutorial guides you through setting up and configuring the access control services needed to protect an OGC Web Map Service and through loading the protected service into an OGC WMS client.
You will install the 52°North WAS, WSS and WSC.Web. For demonstration purposes, the "protected" WMS will be the famous Demis WMS. The uDig client will be used to visualize the results.
- Security issues
- For the sake of simplicity this tutorial omits the configuration of some important security-relevant features such as:
- using HTTPS instead of plain HTTP for service communication
- sealing off the protected service so that only the WSS has access to it
Architecture Overview

Requirements
- General
- Internet connection
- Software
The following software has to be installed on your system, to walk through this tutorial:
- Java SDK 1.5+
- Tomcat 5.5.x
- listening on port 9090
- installed at c:\Program Files\Apache Software Foundation\Tomcat 5.5
- uDig 1.1 RC11
- Notepad++ text editor
- Internet Browser
Basic Installation of the 52°North Applications
Pre-Installation step
- Make sure the Tomcat 5.5 service is not running
Start > Control Panel > Administrative Tools > Services > Apache Tomcat [Stop the service]
- Install the endorsed libraries for Apache Xerces, Xalan and the JAXP 1.3 API. Download (Right-click and select Save link as... ) and save the following libraries to c:\Program Files\Apache Software Foundation\Tomcat 5.5\common\endorsed
WAS
- Download the WAS FOSS4G Edition and save it to c:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps
The WAS comes with a basic user data file defining a user "Alice" with username/password alice/alice, who has the role "alice" attached. Additionally, the WAS uses a demo keystore containing a private key and certificate so that it can sign the SAML ticket. A WAS in a production environment should be configured to use its own, really "private", key and a matching certificate.
WSS
- Download the WSS FOSS4G Edition and save it to c:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\wss.war
The WSS is pre-configured to protect the Demis WMS. The WSS comes with a basic permission data file specifying that users with role "alice" are allowed to access the Demis WMS without restrictions. Additionally, the WSS uses a demo keystore containing the WAS' certificate so that it can verify SAML tickets issued by the WAS.
WSC.Web
- Download the WSC.Web FOSS4G Edition and save it to c:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\wscweb.war
Task 0: Check Installation: Access protected service with uDig
- Start the Tomcat Server
- Create a facade for Alice
- In a browser open http://localhost:9090/wscweb
- Enter the Web Security Service URL http://localhost:9090/wss/WSS
- Enter Alice's Username and Password (alice/alice)
- Click Log in
- Copy the URL presented on the web page to the clipboard
- Start uDig and create an empty map
File > New > New Map
- Rename map to "Alice's Map" or alike
- Add the protected WMS to the map
[right-click "Alice's Map"] > Add... > Web Map Server > [paste URL from clipboard] > Next > [select all layers] > Finish
- Rearrange the layers to get a reasonable map until you are satisfied :-). You should at least be able to see country borders and airports (large scale!)
- Zoom down to Vancouver Island (somewhere in the upper left corner of the world....), click the info button (i), and query information about the Countries layer, to see in which country we are. Try to identify Victoria International Airport.
As you can see, for Alice everything works as if she had loaded the WMS directly.
Task 1: Add another user with less permissions
- Summary
- Within this task we will create a facade for a new user "Bob" who only has access to a selection of layers. Bob shall only be allowed to query feature information on the Countries layer.
- Create the new user "Bob"
- Open the file c:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\was\WEB-INF\classes\conf\as\users.xml with Notepad++
- Add the following XML element to the <UserRepository> element
    <User username="bob" password="bob" realname="Bob">
      <Role name="bob"/>
      <Role name="main"/>
    </User>
- Save the file
- Create permissions for Bob
- Open the file c:\Program Files\Apache Software Foundation\Tomcat 5.5\webapps\wss\WEB-INF\classes\conf\pes\rights.xml with Notepad++
- Add the following XML elements to the <PermissionCollection> element whose type attribute has the value target:wms:layer
    <!-- Bob can view Cities, Builtup areas, Hillshading, Borders, Countries, Airports; GetFeatureInfo only on Countries -->
    <!-- GetMap -->
    <Permission>
      <Resource>Cities</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <Permission>
      <Resource>Builtup areas</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <Permission>
      <Resource>Hillshading</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <Permission>
      <Resource>Borders</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <Permission>
      <Resource>Airports</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <!-- GetCaps -->
    <Permission>
      <Resource>Cities</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <Permission>
      <Resource>Builtup areas</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <Permission>
      <Resource>Hillshading</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <Permission>
      <Resource>Borders</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <Permission>
      <Resource>Airports</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
    <!-- GetFeatureInfo and anything else for Countries -->
    <Permission>
      <Resource>Countries</Resource>
      <Action>*</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">bob</Subject>
    </Permission>
- Save the file
- Reload the WSS web application to commit the new permissions by calling the following URL in a browser:
http://localhost:9090/manager/html/reload?path=/wss (username: admin, no password)
- Create a facade for Bob in the same way you did for Alice
- Add a new map named "Bob's Map" to the uDig project and load the facade created a moment ago.
- Again, rearrange the layers to get a fancy map with airports and borders
- When you try to identify Victoria Intl. Airport, you should not get any information but the message "Insufficient rights".
Task 2: Add guest user with spatial constraints
- Summary
- Within this task we will create a new user "Guest" who only has access to a selection of layers. Guest shall only be allowed to query feature information on the Countries layer within the area of the American continent.
- Create a new user "Guest" with username/password/role guest/guest/guest in the users.xml file of the WAS.
- In the rights.xml, add the following XML elements to the <PermissionCollection> element whose type attribute has the value target:wms:layer
    <!-- guest only has access to Cities, Builtup areas, Hillshading, Borders, and Countries; GetFeatureInfo only allowed on Countries within the American continent -->
    <Permission>
      <Resource>Cities</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <Permission>
      <Resource>Builtup areas</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <Permission>
      <Resource>Hillshading</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <Permission>
      <Resource>Borders</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <Permission>
      <Resource>Countries</Resource>
      <Action>GetMap</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <!-- GetCaps -->
    <Permission>
      <Resource>Cities</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <Permission>
      <Resource>Builtup areas</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <Permission>
      <Resource>Hillshading</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <Permission>
      <Resource>Borders</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <Permission>
      <Resource>Countries</Resource>
      <Action>GetCapabilities</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    </Permission>
    <!-- GetFeatureInfo -->
    <Permission>
      <Resource>Countries</Resource>
      <Action>GetFeatureInfo</Action>
      <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
      <Obligation type="obligation:wms:extent:boundingbox">
        <Attribute id="srs">EPSG:4326</Attribute>
        <Attribute id="box">-170,-56,-36,83</Attribute>
      </Obligation>
    </Permission>
- Save the file and reload the WSS (http://localhost:9090/manager/html/reload?path=/wss)
- For guest users, create a facade that does not expire automatically
- In a browser open http://localhost:9090/wscweb/admin/Admin.do (username: admin, no password)
- Click Create new facade
- Enter FacadeName : public
- Enter WebSecurityService : http://localhost:9090/wss/WSS
- Enter Username and Password : guest / guest
- Click OK
- In Authentication methods select the first one
- Click Create new Facade
- In the table of Existing Facades click on guest-public and copy the appearing URL to the clipboard
- Add a new map named "Guest's Map" to the uDig project and load the facade created a moment ago.
- Again, rearrange the layers to get a fancy map
- Try to identify Countries inside and outside the Americas. You should not get information but the message "Insufficient rights" outside the Americas.
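The rights.xml rules of Task 1 and Task 2 share one decision model: a request is denied unless some Permission names the caller's role, the layer and the action, and every Obligation on that Permission (here the bounding-box extent) holds. The following deny-by-default evaluator is an added example, not the WSS's own PolicyEnforcementService code; the element and attribute names come from the tutorial, while the matching logic and the constructed sample rules are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ROLE_TYPE = "urn:n52:authentication:subject:principal:role"
BBOX_OBLIGATION = "obligation:wms:extent:boundingbox"

# Constructed sample: two of the guest rules from Task 2 (not the full file).
RIGHTS_XML = """<PermissionCollection type="target:wms:layer">
  <Permission>
    <Resource>Countries</Resource>
    <Action>GetMap</Action>
    <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
  </Permission>
  <Permission>
    <Resource>Countries</Resource>
    <Action>GetFeatureInfo</Action>
    <Subject type="urn:n52:authentication:subject:principal:role">guest</Subject>
    <Obligation type="obligation:wms:extent:boundingbox">
      <Attribute id="srs">EPSG:4326</Attribute>
      <Attribute id="box">-170,-56,-36,83</Attribute>
    </Obligation>
  </Permission>
</PermissionCollection>"""

def _in_box(box, lon, lat):
    # box is "minx,miny,maxx,maxy" in the obligation's srs (EPSG:4326 here)
    minx, miny, maxx, maxy = (float(v) for v in box.split(","))
    return minx <= lon <= maxx and miny <= lat <= maxy

def is_allowed(rights_xml, roles, layer, action, point=None):
    """Deny by default; allow only if a Permission names one of the caller's roles,
    matches layer and action ('*' matches any action) and all its Obligations hold.
    point is the (lon, lat) of a GetFeatureInfo query (assumed simplification)."""
    root = ET.fromstring(rights_xml)
    for perm in root.findall("Permission"):
        roles_here = {s.text for s in perm.findall("Subject") if s.get("type") == ROLE_TYPE}
        if not roles_here & set(roles) or perm.findtext("Resource") != layer:
            continue
        if perm.findtext("Action") not in ("*", action):
            continue
        satisfied = True
        for ob in perm.findall("Obligation"):
            if ob.get("type") == BBOX_OBLIGATION:
                box = next(a.text for a in ob.findall("Attribute") if a.get("id") == "box")
                satisfied = point is not None and _in_box(box, *point)
            else:
                satisfied = False  # unknown obligation type: fail closed
        if satisfied:
            return True
    return False  # the WSS answers "Insufficient rights"
```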
Task 3: Activate request logging
- Summary
- During this task you will enable the Logging Interceptor, which logs every request to and response from the protected service that the WSS handles.
- Open [wss_webapp_dir]/WEB-INF/classes/conf/pes/pesConfig.xml with the text editor
- Locate the <Interceptor> element with id="Log IC -- 5"
- To activate the Logging Interceptor, set the corresponding parameters to true
- Restart the WSS web application
- Switch to uDig and trigger some requests (zoom in/out, identify, ...)
- Open the request and response log files to see the result
Exercise A
Create a new user with custom permissions (probably containing some spatial constraints on the GetFeatureInfo operation). Create an according facade!
- Identifying layer resources
- References to layers in the Permissions inside a rights.xml file must use a layer's name, not its title, as specified in the capabilities document of the protected WMS.
Exercise B
Install a 2nd WSS to protect another WMS!
Hints
- Copy WSS to another directory outside webapps to be able to customize settings, before it gets deployed by the Tomcat
- Change the base URL of the WSS in the [wss_webapp_dir]/WEB-INF/classes/conf/pes/pesConfig.xml file
- Change the URL of the protected service in the [wss_webapp_dir]/WEB-INF/classes/conf/pes/pesConfig.xml file. Example: http://maps1.intergraph.com/wms/world/request.asp
- Customize permissions in the rights.xml file
- Copy the modified web application back to the Tomcat webapps directory
Exercise C
(If technically feasible) Use the WAS of your neighbor to authenticate users!
Hints
- Change the WAS URL in the [wss_webapp_dir]/WEB-INF/classes/conf/pes/pesConfig.xml file and replace it with a link to your neighbor's instance (using her IP address)