Copyright © 2013 Open Geospatial Consortium
20 response is going to be filtered, matching the user’s ability to not see restricted
service endpoints. Access Control in place for Web Feature Services in a fine grained fashion to
ensure that denied data sets, down to the location of a feature or characteristics of the feature, are not accessible.
6.1 Use Case
The full use case description – as a 100 copy from the OWS9 portal – can be found in the annex A to this document.
Regarding security, the following sub sequence of the use case is important: An actor of the Integrated Client undertakes a catalogue search for determining Web Feature Services
that provide data sets on Haiti and Monterey. The user leverages a Cataloge Service for the Web CSW interface. The result of the search is presented as an OWSContext
document where particular portions are filtered according to the need-to-know principle.
The user can leverage the received information to either have a client to execute a semantic mediator or execute the protected Web Feature Services WFSs directly.
6.2 Architecture and Deployment
A user is making a Catalogue search from a mobile application using the CSW 2.0.2 interface. The response retuned to the application is an OWSContext document
containing all service resource offerings matching the request for which the user has the clearance to see. In other word, the actual response is a subset of response the service
produces. All service resource offerings for which the user has no need-to-know get removed from the service response.
In order to achieve this, the following architecture is used:
Figure 13 —Architecture to filter CSW responses based on user clearance
Copyright © 2013 Open Geospatial Consortium
21 The sequence of interactions between the modules is described in the following sequence
diagram.
Figure 14 — Interactions between the security components and the CSW
The following are the details for the interactions 1. A client submits a “Get Records” operation. This request is not directly
executed at the CSW, instead it is intercepted by the PEP. 2. The PEP analyses the request and creates a XACML 2.0 compliant
Authorization Decision Request ADR. This ADR contains information about the user Role, all parameters of the CSW request and environment
information such as Date and Time. In addition, the ADR contains information about the HTTP method and the request context ‐ CSW request.
3. The PEP sends the ADR to the PDP. 4. The PDP analysis the ADR and applies the policy which matches the request
context CSW request plus user Role, CSW operation, etc. 5. The PDP finds a matching Policy and derives the Authorization Decision
AD. Because the ADR was a XACML 2.0 Core request, only one decision is included into the AD. However, the AD must be PERMIT but in order to task
the PEP to request authorization decisions based on the CSW response for
Copyright © 2013 Open Geospatial Consortium
22 the purpose of filtering, an Obligation must be included. For the Secure
Dimensions PEP, this Obligation must indicate the ObligationID=to‐do. 6. The PEP receives the AD and analysis it. Because the decision is PERMIT, it
will continue processing the AD and find the Obligation. Processing of the Obligation id has the side effect that a flag is set to construct a XACML 2.0
MRP ADR based on the CSW response. 7. The PEP forwards the intercepted request to the CSW and receives the CSW
response, e.g. a OWS Context document. 8. The further processing of the CSW response is under the flag for XACML 2.0
MRP. This requires that a ADR including MRP is constructed and that the two required parameters are copied from the Obligation, received in the AD for
the CSW request. Also, the PEP must include the received CSW response into the Resource Content element of the ADR and the request context must be
set to CSW response. 9. The ADR is send to the PDP.
10. The PDP analysis the ADR and understands, that XACML 2.0 MRP compliant processing is required. In order to do that, it must produce individual
authorization decisions for each XML element of the Resource Content that matches the provided xpath expression in the resource‐id attribute.
11. For each matching XML element, the PDP creates an individual authorization decision by analyzing the existing policy. A decision for each element
comprises the resulting AD. 12. The PEP receives the AD for the intercepted CSW response and removes all
those XML elements for which the authorization decision is Deny. After all authorization decisions are processed, the CSW response is filtered, meaning
that all XML elements got removed for which the user has no permission to see.
13. After error free processing, the PEP forwards the shrunk CSW response to the client. It is important to note that the security was applied in an opaque
fashion, so the user does not know. This processing implies that certain criteria are met when writing the policy.
6.3 Approach to Policy writing for CSW response filtering