Copyright © 2009 Open Geospatial Consortium, Inc.

[Figure 2: sequence diagram "Abstract_Security_Interactions" between Client and Secured Service, with the messages RequestPreconditions, ExposePreconditions, PrepareRequiredInformation, AccessServiceRequiredInformation and ServiceResponse]

Figure 2, Abstract Security Interactions

10 SOAP Binding
For OGC services, SOAP is one possible binding, which must be specified for every new service specification. Moreover, SOAP is the basis for most SOA infrastructures in the mainstream IT world. The OWS-6 testbed therefore placed a strong focus on security for SOAP-based services.
10.1 Relevant Standards
For SOAP there are several existing security-related standards which can be applied to OWS infrastructures.
The starting point when binding to a secured service is to request the service's security requirements. This security-related metadata can be described with WS-SecurityPolicy [18] as part of a WS-Policy [16] description.
A standardized way to access the WS-Policy description of a service is defined by WS-MetadataExchange [15]. WS-MetadataExchange makes typical service-related metadata accessible, including WSDL as well as WS-Policy.
The security metadata may define requirements for communication with a secured service, such as encrypted communication either at message level or at transport level, required signatures on messages or message parts, and required security information.
An example of required security information would be authentication information. WS-SecurityPolicy is able to require certain token formats and can also refer to trusted issuers for those tokens by using WS-Addressing [14].
Security tokens can be issued by a Security Token Service (STS) as defined by WS-Trust [19]. An STS is primarily designed to issue tokens. It can be used either to convert a token from one format into a different format, or to convert tokens from one security domain into tokens of another security domain.
Within OWS-6, an STS is used as the authentication service. This STS provides Identity Assertions expressed in the Security Assertion Markup Language (SAML) [12], which can be used to authenticate at a PEP. The STS also expresses its security requirements via WS-SecurityPolicy and can thus require a username token including credentials, which can be used for authentication purposes.
Whenever communication has to be secured, WS-Security [17] can be applied to provide encryption at message level, using XML Encryption [20], and to provide signatures on messages or message parts following XML Signature [21]. WS-Security furthermore defines several profiles describing how to attach security tokens to SOAP messages in order to transmit them along with a request to a service.
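The policy-discovery step described above, as an added example that is not part of the OWS-6 report: a small Python parser that reduces a WS-SecurityPolicy document to the preconditions a client must satisfy before calling the service, namely transport protection, the SOAP parts that must be signed or encrypted, and the issued token it must first obtain from an STS. The policy is a constructed sample; the STS address and the SAML 2.0 token type URI in it are illustrative assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces of WS-Policy 1.5, WS-SecurityPolicy 1.2, WS-Addressing 1.0 and WS-Trust 1.3.
NS = {
    "wsp": "http://www.w3.org/ns/ws-policy",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}

# Constructed sample (not from the report): HTTPS transport, signed Body, SAML token from a hypothetical STS.
SAMPLE_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
 <wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
   <sp:HttpsToken/></wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
  <sp:SignedSupportingTokens><wsp:Policy><sp:IssuedToken>
   <sp:Issuer><wsa:Address>https://sts.example.invalid/trust</wsa:Address></sp:Issuer>
   <sp:RequestSecurityTokenTemplate><wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType></sp:RequestSecurityTokenTemplate>
  </sp:IssuedToken></wsp:Policy></sp:SignedSupportingTokens>
  <sp:SignedParts><sp:Body/></sp:SignedParts>
 </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def security_requirements(policy_xml):
    """Reduce a WS-SecurityPolicy document to the preconditions a client must meet."""
    root = ET.fromstring(policy_xml)
    req = {
        # Transport-layer protection: the policy demands an HttpsToken (only valid inside a TransportBinding).
        "https_required": root.find(".//sp:HttpsToken", NS) is not None,
        # Message-layer protection: which SOAP parts must be signed or encrypted (namespace stripped from tags).
        "signed_parts": [e.tag.rsplit("}", 1)[-1] for e in root.findall(".//sp:SignedParts/*", NS)],
        "encrypted_parts": [e.tag.rsplit("}", 1)[-1] for e in root.findall(".//sp:EncryptedParts/*", NS)],
        # Tokens the client must first request from an STS (WS-Trust) at the WS-Addressing issuer address.
        "issued_tokens": [],
    }
    for tok in root.findall(".//sp:IssuedToken", NS):
        issuer = tok.find("sp:Issuer/wsa:Address", NS)
        ttype = tok.find("sp:RequestSecurityTokenTemplate/wst:TokenType", NS)
        req["issued_tokens"].append({
            "issuer": None if issuer is None else issuer.text.strip(),
            "token_type": None if ttype is None else ttype.text.strip(),
        })
    return req
```

A client would run this over the policy returned by WS-MetadataExchange, contact the listed issuer with a WS-Trust request, and only then build the WS-Security header for the actual service call.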
10.2 Protocol