GeoShield Project @ Swiss Geoscience Meeting 2011

GeoShield is an Open Source solution for authentication and authorization management to OGC services

Published in: Technology, Education

  1. DACD / IST / Managing authentication and permissions to OGC services with GeoShield
     GeoShield project: Managing authentication and permissions to OGC services
     Presenting the new GeoServer Resource Access Manager plug-in and the Sensor Observation Service protection
     Milan P. Antonovic, Institute of Earth science - SUPSI
     Massimiliano Cannata, Institute of Earth science - SUPSI
     12 November 2011
  2. Presentation outline
       • Introduction to the Institute of earth science – SUPSI
           – OGC implementations used
           – The need of data protection
       • Presenting GeoShield
           – GeoShield’s protection strategies
           – Web administration interface
           – OGC Services covered by GeoShield
           – The Sensor Observation Service protection
           – The GeoServer Resource Access Manager plug-in
               • Access rule application process
               • Data access rule application
           – GeoServer Resource Access Manager plug-in demo
           – Next improvements
  3. Introduction to the Institute of earth science – SUPSI
     Fields of activity:
       • Land Planning
       • Hydrogeology
       • Hydrology
       • Geology
       • Geomatics
     Focused on:
       • Government mandates
           – Geo databases maintenance
           – Web applications for decision making
       • Natural hazard
       • Water protection
       • Wells / Springs / Boreholes
       • Hydrological monitoring network
       • Interregional projects (EU, World Bank)
       • Training courses
       • Research projects
  4. OGC implementations used
     [Figure labels: Geographical data serving; Monitoring data; Data processing service]
  5. The need of data protection
     How to protect all the services in a centralized way?
     [Diagram labels: Web application; Web; WMS; WFS; SOS; WPS; Sensitive data; Mixed data; Public data]
  6. Presenting GeoShield
       • GeoShield is an Open Source solution for authentication and authorization management to OGC services
       • Written in Java
       • Relies on:
           • Apache Commons
           • GeoTools
           • EclipseLink [Persistence API]
           • PostgreSQL
           • Flexjson (JSON parser)
       • Web administration interface
           • Desktop like user interface
           • Sencha - Ext JS
       • OGC standards protected
           • WMS
           • WFS
           • SOS
       • GeoServer plug-in:
           • Resource Access Manager
  7. GeoShield’s protection strategy
     [Diagram labels: HTTP basic authentication; HTTPS; Web; GeoShield Security Proxy; Web administration interface]
     Compatibility with:
       • Web browsers
       • Desktop applications
           • uDig, QGIS, ArcGIS
  8. GeoShield’s PRE-processing protection strategy
     [Sequence diagram: User, GeoShield, WFS service]
       • User to GeoShield: GetFeature
       • GeoShield: Loading CQL for each layer
       • GeoShield to WFS service: GetFeature + OGC Filter
       • WFS service to GeoShield: The data
       • GeoShield to User: Forwarding the data
  9. GeoShield’s POST-processing protection strategy
     [Sequence diagram: User, GeoShield, OGC service]
       • User to GeoShield: GetCapabilities
       • GeoShield to OGC service: GetCapabilities
       • OGC service to GeoShield: Capabilities document
       • GeoShield: 1. Parsing response 2. Adapt response according to user filter
       • GeoShield to User: Capabilities document
  10. Web graphical user interface
        • Password protected
        • User friendly (Desktop-like Graphical User Interface)
        • Managing authorization for:
            – Users
            – Groups
            – Services
            – Permissions
            – Permitted requests
  11. OGC Services covered by GeoShield
      Web Map Service 1.1.1: Standard protocol for serving georeferenced map images over the Internet
        • GeoServer (tested):
            – Filtering capability CQL (Common Query Language)
        • Others (not tested)
            – INCLUDE/EXCLUDE filters only
        • Requests:
            – GetCapabilities
            – GetMap
            – GetFeatureInfo
            – GetLegendGraphic
  12. OGC Services covered by GeoShield
      Web Feature Service 1.1.0: Standard protocol allowing requests for geographical raw data over the Internet
        • Permissions definition:
            – Filtering capability CQL (Common Query Language)
        • Requests (Basic profile):
            – GetCapabilities
            – DescribeFeatureType
            – GetFeature
        • OutPutFormat: GML
  13. OGC Services covered by GeoShield
      Sensor Observation Service 1.0.0: Standard protocol allowing requests for retrieving sensor observation data
        • Permissions definition:
            – Excluding / Including Offerings
        • Requests (Basic profile):
            – GetCapabilities
            – GetObservation
            – DescribeSensor
        • Response format:
            – text/xml;subtype=sensorML/1.0.0
  14. The Sensor Observation Service protection
        • This is the most recent GeoShield improvement
        • Handles the basic implementation (core profile)
        • Permissions are based on the sos:ObservationOffering grouping of the sos:Capabilities document; GeoShield can exclude access to:
            • Features
            • Procedures
            • ObservedProperties
        • Caching permissions in memory for better performance
  15. Example sos:Capabilities document:

      <sos:Capabilities>
        [...]
        <sos:Contents>
          <sos:ObservationOfferingList>
            <sos:ObservationOffering gml:id="aaaa">
              <gml:name>urn:x-ist::offering:aaaa</gml:name>
              <gml:boundedBy>[…]</gml:boundedBy>
              <sos:eventTime>[…]</sos:eventTime>
              <sos:procedure xlink:href="B_TRE" />
              <sos:procedure xlink:href="H_TRE" />
              <sos:procedure xlink:href="P_TRE" />
              <sos:procedure xlink:href="T_TRE" />
              <sos:observedProperty xlink:href="urn:ogc:def:property:x-ist::meteo:air:humidity"/>
              <sos:observedProperty xlink:href="urn:ogc:def:property:x-ist::meteo:air:pressure"/>
              <sos:observedProperty xlink:href="urn:ogc:def:property:x-ist::meteo:air:radiation"/>
              <sos:observedProperty xlink:href="urn:ogc:def:property:x-ist::meteo:air:rainfall"/>
              <sos:featureOfInterest xlink:href="urn:ogc:object:feature:x-ist::station:Trevano"/>
            </sos:ObservationOffering>
            <sos:ObservationOffering gml:id="bbbb">
              […]
            </sos:ObservationOffering>
            <sos:responseFormat>text/xml;subtype=sensorML/1.0.0</sos:responseFormat>
            <sos:responseMode>inline</sos:responseMode>
            <sos:resultModel>om:Observation</sos:resultModel>
          </sos:ObservationOfferingList>
        </sos:Contents>
      </sos:Capabilities>
  16. GeoShield’s Sensor Observation Service protection strategy
      ObservationOffering 1:
        • Sensor 1
        • Sensor 2
      ObservationOffering 2:
        • Sensor 3
        • Sensor 4 (private)
        • Sensor 5
      ObservationOffering 3:
        • Sensor 1
        • Sensor 2
        • Sensor 5
        • Sensor 6
      [Diagram labels: S1, S2, S3, S4, S5, S6; Group 1; Group 2]
  17. GeoServer Resource Access Manager plug-in
        • This year, GeoServer version 2.1 introduced support for data filtering with an improved security framework:
            – The main feature is the ability to extend the internal Resource Access Manager with a plug-in
        • Benefits:
            – No more limited permission (yes/no definition) for each layer
            – Extended capabilities to implement granular data access rules
                • Filters based on geographical functions (BBOX, INTERSECTS…)
                • Filters based on attributes
                • Include / Exclude filters
                • Workspace permissions
            – Integration with external users database
            – More reliable and stronger protection at data abstraction level
  18. Access rule application process
      [Sequence diagram: User, GeoServer, GeoShield]
        1. GetMap
        2. Authentication
        3. Authorization object
        4. User is authorized?
        5. Error 401 - Unauthorized
        5. Caching
        6. Get Access Rule
        7. Rule Object
        8. Apply rule / Caching rule
        9. Map
      [Login dialog: User: foo.bar; Password: xxxxxxx; Ok / Cancel]
  19. Benchmarking WMS GetMap
        • Tests are going to be run using JMeter on my Workstation:
            – Ubuntu 10.04, Intel Core Duo 2.4 GHz E4600, 4Gb RAM
        • Using a progression of 1, 2, 4, 8, 16 and 32 threads, each thread group doing 100, 200, 200, 400, 400, 800 requests respectively
        • Layer: topp:tasmania_water_bodies

      threads/requests      1/100   2/200   4/200   8/400   16/400
      GeoServer*               79      71      79     102      316
      GeoShield (PROXY)       291     315     653    3346     7837
      GeoServer (PLUGIN)      134     151     190     332     1320
      * without authentication
  20. Installing the plug-in
      When GeoServer and GeoShield are installed, adding the Resource Access Manager plug-in is quite simple:
        1. Copy the geoshield-1.0.jar file into the GeoServer’s WEB-INF/lib directory
        2. Modify the web.xml file adding a Filter definition
        3. Create the GEOSHIELD_USER
        4. Configure the permissions on GeoShield
  21. GeoServer Resource Access Manager plug-in Demo
  22. Next improvements
        • Extending security:
            – Web Processing Service
            – Web Applications
        • Web administration interface
            – Integration with GeoServer Web Interface
            – OpenLayers integration (Real Time Permission definition and test)
        • Release of the GeoShield stable version 1.0 (end of 2011)
            – Code refactoring
            – Better performance
  23. Thank you
      Institute of Earth science: http://www.ist.supsi.ch
      GeoShield project: http://sites.google.com/site/geoshieldproject
      Milan P. Antonovic, Institute of Earth science - SUPSI
      Massimiliano Cannata, Institute of Earth science - SUPSI
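
The pre-processing strategy of slide 8, as an added example that is not GeoShield's own code: the proxy rewrites a WFS 1.1.0 GetFeature POST body so the client's filter is wrapped in an `ogc:And` with the rule stored for that layer, and refuses layers that have no rule. It assumes the rule is already held as an OGC Filter predicate (the slide has GeoShield loading CQL); `RULES`, `Denied`, `elements`, `enforce_rules` and the `WATER_TYPE` predicate are hypothetical names and constructed values.

```python
from xml.dom import minidom

WFS = "http://www.opengis.net/wfs"
OGC = "http://www.opengis.net/ogc"
ID_FILTERS = ("FeatureId", "GmlObjectId")

# Constructed rule set for one user: layer -> OGC Filter predicate limiting what the
# user may read. A layer missing from the map is refused (fail closed).
RULES = {
    "topp:tasmania_water_bodies":
        f'<ogc:PropertyIsEqualTo xmlns:ogc="{OGC}"><ogc:PropertyName>WATER_TYPE'
        "</ogc:PropertyName><ogc:Literal>Lake</ogc:Literal></ogc:PropertyIsEqualTo>",
}

class Denied(Exception):
    """The request cannot be made safe and must not be forwarded."""

def elements(node):
    return [c for c in node.childNodes if c.nodeType == c.ELEMENT_NODE]

def enforce_rules(body: bytes, rules: dict) -> bytes:
    """Rewrite a WFS 1.1.0 GetFeature POST body so every Query carries the user's rule."""
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise Denied("DTDs are not accepted from clients")
    doc = minidom.parseString(body)
    root = doc.documentElement
    if (root.namespaceURI, root.localName) != (WFS, "GetFeature"):
        raise Denied("not a WFS GetFeature request")
    for query in doc.getElementsByTagNameNS(WFS, "Query"):
        layer = query.getAttribute("typeName")
        if layer not in rules:
            raise Denied(f"no permission on layer {layer!r}")
        rule = doc.importNode(minidom.parseString(rules[layer]).documentElement, True)
        kids = elements(query)
        filters = [k for k in kids if (k.namespaceURI, k.localName) == (OGC, "Filter")]
        if not filters:                       # no client filter: the rule becomes the filter
            target = doc.createElementNS(OGC, "ogc:Filter")
            sort_by = next((k for k in kids if k.localName == "SortBy"), None)
            query.insertBefore(target, sort_by)   # schema order: Filter precedes SortBy
        else:                                 # client filter: AND it with the rule
            inner = elements(filters[0])
            if len(filters) > 1 or len(inner) != 1 or inner[0].localName in ID_FILTERS:
                raise Denied("filter cannot be combined with the access rule")
            target = doc.createElementNS(OGC, "ogc:And")
            filters[0].replaceChild(target, inner[0])
            target.appendChild(inner[0])
        target.setAttribute("xmlns:ogc", OGC)
        target.insertBefore(rule, target.firstChild)
    return doc.toxml(encoding="utf-8")
```

Combining the two filters as parsed elements, rather than concatenating filter strings, keeps the client's predicate from changing the scope of the rule.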
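
The post-processing strategy of slide 9 applied to the SOS permissions of slides 14 to 16, as an added example that is not GeoShield's own code: the Capabilities response is parsed and every excluded offering, procedure, observedProperty or featureOfInterest is removed before the document is returned to the user. `filter_capabilities`, `visible_offerings` and the exclusion set are hypothetical, and `SAMPLE` is a constructed document modelled on the excerpt on slide 15.

```python
import xml.etree.ElementTree as ET

NS = {"sos": "http://www.opengis.net/sos/1.0", "gml": "http://www.opengis.net/gml",
      "xlink": "http://www.w3.org/1999/xlink"}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
HREF = "{%s}href" % NS["xlink"]

# Constructed sample modelled on the Capabilities excerpt on slide 15 (two offerings).
SAMPLE = """<sos:Capabilities xmlns:sos="http://www.opengis.net/sos/1.0"
 xmlns:gml="http://www.opengis.net/gml" xmlns:xlink="http://www.w3.org/1999/xlink">
 <sos:Contents><sos:ObservationOfferingList>
  <sos:ObservationOffering gml:id="aaaa"><gml:name>urn:x-ist::offering:aaaa</gml:name>
   <sos:procedure xlink:href="H_TRE"/><sos:procedure xlink:href="P_TRE"/>
   <sos:observedProperty xlink:href="urn:ogc:def:property:x-ist::meteo:air:humidity"/>
   <sos:observedProperty xlink:href="urn:ogc:def:property:x-ist::meteo:air:pressure"/>
  </sos:ObservationOffering>
  <sos:ObservationOffering gml:id="bbbb"><gml:name>urn:x-ist::offering:bbbb</gml:name>
   <sos:procedure xlink:href="T_TRE"/>
  </sos:ObservationOffering>
 </sos:ObservationOfferingList></sos:Contents></sos:Capabilities>"""

def filter_capabilities(xml_text, excluded):
    """Strip every offering, procedure, observedProperty or featureOfInterest whose
    gml:name / xlink:href is in `excluded`; drop offerings left with no procedure."""
    root = ET.fromstring(xml_text)
    for lst in root.iter("{%s}ObservationOfferingList" % NS["sos"]):
        for off in lst.findall("sos:ObservationOffering", NS):
            if off.findtext("gml:name", "", NS) in excluded:
                lst.remove(off)
                continue
            for tag in ("procedure", "observedProperty", "featureOfInterest"):
                for el in off.findall("sos:" + tag, NS):
                    if el.get(HREF) in excluded:
                        off.remove(el)
            if off.find("sos:procedure", NS) is None:
                lst.remove(off)   # nothing visible remains, so hide the offering too
    return ET.tostring(root, encoding="unicode")

def visible_offerings(xml_text):
    """Map offering name -> procedure hrefs, as a client reading the document sees them."""
    root = ET.fromstring(xml_text)
    return {o.findtext("gml:name", "", NS): [p.get(HREF) for p in o.findall("sos:procedure", NS)]
            for o in root.iter("{%s}ObservationOffering" % NS["sos"])}
```

Removing an entry from the Capabilities document does not by itself block a GetObservation or DescribeSensor request that names it, so the same exclusion set has to be checked on those requests as well.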
