14
Copyright © 2009 Open Geospatial Consortium, Inc.
forwarded to the OWS. A ‘Permit’ decision can include obligations which have to be fulfilled by the PEP. Whenever the PEP is unable to fulfill an obligation it has to deny
access to the OWS, as it is required by a ‘Deny’ decision from the PDP.
A PDP may also respond with ‘Indeterminate’ or ‘NotApplicable’, both of them also resulting in a denial of access due to the denial biased characteristics of the PEPs used in
this testbed. .
9.3 Dynamic View: Security Workflows
Requesting a secured service typically requires one to get information about the service’s security requirements. Usually a service would at least require an authentication in order
to apply policies to a certain request. Figure 2 shows an initial request for the service’s preconditions. This step can be omitted if the client already knows the service’s security
requirements, or if the information was already received from a different source, e.g. a catalog.
Alternatively, the client could also try to access the service without any special preparation and try to derive the security requirements from the error message. This
strategy, however, may not lead to the desired result, since an error message not always indicates the real reason for the exception see discussion in section 15.2, or the service
handles a request without any security information as an anonymous request without producing an exception. In this case, the client would not be informed that a potentially
richer result would be available for an authenticated request.
In this testbed, the complexity of issues surrounding the exchange of security metadata for different types of services was discovered, without being able to resolve these issues
broadly. So further work on this problem seems to be necessary.
If the client is informed about the service’s preconditions it can try to prepare the required information e. g. an authentication, and submit this information together with
the request.
Figure 2 does not explicitly indicate a PEP nor a PDP or PAP, since from the client perspective there is only one service endpoint, which may be a separate PEP service, or a
security-enabled service with built-in policy decision and enforcement capabilities. In addition, this diagram also abstractly represents all pre- and post-processing that may be
performed by the PEP service. Such actions might include:
• Preparing an XACML authorization decision request • Processing of the XACML authorization decision response
• Preparing a native service request based on the authorization decision response • Processing of the native service response
• Forwarding of final result to the requestor
Cop
sd Abstract_Security_Interactions
Client Secured Service
RequestPreconditions ExposePreconditions
PrepareRequiredInformation AccessServiceRequiredInformation
ServiceResponse
Figure 2, Abstract Security Interactions 10
SOAP Binding
For OGC services, SOAP is one possible binding, which must be specified for every new service specification. Moreover, SOAP is the basis for most SOA infrastructures in the
mainstream IT world. OWS-6 testbed placed a strong focus on security for SOAP-based services.
10.1 Relevant Standards