14 Copyright © 2009 Open Geospatial Consortium, Inc. forwarded to the OWS. A ‘Permit’ decision can include obligations which have to be fulfilled by the PEP. Whenever the PEP is unable to fulfill an obligation it has to deny access to the OWS, as it is required by a ‘Deny’ decision from the PDP. A PDP may also respond with ‘Indeterminate’ or ‘NotApplicable’, both of them also resulting in a denial of access due to the denial biased characteristics of the PEPs used in this testbed. .

9.3 Dynamic View: Security Workflows

Requesting a secured service typically requires one to get information about the service’s security requirements. Usually a service would at least require an authentication in order to apply policies to a certain request. Figure 2 shows an initial request for the service’s preconditions. This step can be omitted if the client already knows the service’s security requirements, or if the information was already received from a different source, e.g. a catalog. Alternatively, the client could also try to access the service without any special preparation and try to derive the security requirements from the error message. This strategy, however, may not lead to the desired result, since an error message not always indicates the real reason for the exception see discussion in section 15.2, or the service handles a request without any security information as an anonymous request without producing an exception. In this case, the client would not be informed that a potentially richer result would be available for an authenticated request. In this testbed, the complexity of issues surrounding the exchange of security metadata for different types of services was discovered, without being able to resolve these issues broadly. So further work on this problem seems to be necessary. If the client is informed about the service’s preconditions it can try to prepare the required information e. g. an authentication, and submit this information together with the request. Figure 2 does not explicitly indicate a PEP nor a PDP or PAP, since from the client perspective there is only one service endpoint, which may be a separate PEP service, or a security-enabled service with built-in policy decision and enforcement capabilities. In addition, this diagram also abstractly represents all pre- and post-processing that may be performed by the PEP service. Such actions might include: • Preparing an XACML authorization decision request • Processing of the XACML authorization decision response • Preparing a native service request based on the authorization decision response • Processing of the native service response • Forwarding of final result to the requestor Cop sd Abstract_Security_Interactions Client Secured Service RequestPreconditions ExposePreconditions PrepareRequiredInformation AccessServiceRequiredInformation ServiceResponse Figure 2, Abstract Security Interactions 10 SOAP Binding For OGC services, SOAP is one possible binding, which must be specified for every new service specification. Moreover, SOAP is the basis for most SOA infrastructures in the mainstream IT world. OWS-6 testbed placed a strong focus on security for SOAP-based services.

10.1 Relevant Standards