Service-oriented Security Architecture Initiation of the Access Control Process
Copyright © 2011 Open Geospatial Consortium,
Inc. All Rights Reserved.
49
Figure 17 – Candidate components for the initialization of the access control process No assumptions on the client side software configuration
In OWS based architectures one cannot assume that subjects interact with OWS instances through client programs with specific built-in security functionalities. It can e.g. be the
case that subjects interact with services through ordinary web browsers. The consequence of this situation is that the access control process cannot be initiated and enforced in
components labeled 1 and 2.
Access rights cannot be controlled “behind” services
Enforcing access rights in the components 6 to 12 implies that the access control process operates on the sub-requests andor the corresponding responses. This is problematic in
cases where the required authorization semantics can only be enforced based on the messages exchanged between the interacting subject and the service e.g. GetCapabilities
or WPS Execute operation requests. Next to this problem the post-service access control
Proxy Client
ServiceClient- Implementation
ACS
ACS ACS
Service- Implementation
ACS
ACS ACS
ACS
Server
1
2 3
4 5
6
7
Proxy
ACS
8
Service- Implementation
ACS
ACS ACS
Server
10 11
12
ACS
9
50 Copyright © 2011 Open Geospatial Consortium,
Inc. All Rights Reserved.
approach is not realizable if the components 8 to 12 belong to other, independent administrative domains.
Independency of enforceable rights of the used service implementations
OWS implementations used in SOAs are usually proprietary, from different vendors and have no or variably powerful built-in access control capabilities. It cannot be assumed
that all service implementations provide sufficiently expressive access control functionalities. Hence the access control process cannot be realized in the components 5
and 10.
The requirements listed above clearly reduce the number of suitable components and imply that the access control process can only be enforced in the components 3 or 4. This
implies that an appropriate rights model must support the definition of rights that next to others refer to the intercepted messages. Whether component 3 i.e. a dedicated proxy
server or component 4 i.e. a server-side proxy component is more suitable is dependent on the characteristics and requirements of the given use case. Component 4 could e.g. be
in favor as it allows local calls of the access control system and thus implies certain performance advantages. In contrast, the initialization of the access control process in
component 3 can result in scalability and availability advantages.