TUM Access Control System

Copyright © 2011 Open Geospatial Consortium, Inc. All Rights Reserved. 47

understands to resolve “Missing Attributes” for “aixm:controllingAgency” and “aixm:usingAgency”. The GeoPDP is a Web Service that returns XACML Authorization Decisions in response to an XACML Authorization Decision Request. The GeoPDP used in OWS-8 is a GeoXACML v1.0 BASIC implementation including extensions A+B. Next to the access control system components, two demo clients have been implemented that show various access restrictions for the Snowflake and Comsoft Authoritative Data Stores (see also the OWS-8 Aviation Thread - Authoritative AIXM Data Source Engineering Report, OGC 11-086).

8 Access Control System within the OWS-8 Aviation Architecture

8.1 Service-oriented Security Architecture

Separating security aspects as far as possible from the implementation of OGC Web Services allows securing existing OWS instances without security-related code changes. This separation of concerns further enables leveraging available IT-security concepts and implementations. When externalizing security functionality, it is advantageous to provide the security capabilities through separate security services, e.g. authentication, authorization and audit services. Security services can be flexibly combined and used in different configurations for several geo-processing services [3]. Each of these security services can itself be composed of further services. Advantages of a modular security architecture approach include the following: splitting the security solution into separate functional components reduces the associated development and maintenance complexity; the solution is fully scalable and easy to upgrade; new security services can be easily inserted and existing services can be upgraded without affecting the others. Because of these advantages we use a service-oriented security architecture.

8.2 Initiation of the Access Control Process

During the design and development of an Access Control System (ACS) for an OWS based architecture, one needs to address the question of where to initiate the access control process in the overall system architecture. Figure 17 shows the components (see the ACS boxes) in which the access control process could be initiated.

[3] For further details, see: Service Oriented Security Architecture applied to Spatial Data Infrastructures. Cristian OPINCARU, Munich 2008.

Figure 17 – Candidate components for the initialization of the access control process

[Figure 17: Client, Service-Client-Implementation, Proxy, Service-Implementation and Server components, with the candidate ACS positions numbered 1 to 12]

No assumptions on the client side software configuration

In OWS based architectures one cannot assume that subjects interact with OWS instances through client programs with specific built-in security functionality. It can, for example, be the case that subjects interact with services through ordinary web browsers. The consequence of this situation is that the access control process cannot be initiated and enforced in the components labeled 1 and 2.

Access rights cannot be controlled “behind” services

Enforcing access rights in the components 6 to 12 implies that the access control process operates on the sub-requests and/or the corresponding responses. This is problematic in cases where the required authorization semantics can only be enforced based on the messages exchanged between the interacting subject and the service (e.g. GetCapabilities or WPS Execute operation requests). Next to this problem the post-service access control
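The decision exchange described in section 7 (a policy enforcement point asking the GeoPDP for an XACML decision and resolving the "Missing Attributes" reported for aixm:controllingAgency and aixm:usingAgency), carried out by an ACS that sits in front of the service and therefore sees the subject's own request, as an added example; this is not OWS-8 or TUM code. The stub PDP and its policy, the AIXM store contents, the KVP query and all function names are constructed assumptions.

```python
"""Added example, not OWS-8 code: a PEP in front of an OWS asks a constructed PDP for
an XACML decision and resolves missing-attribute status for AIXM agency attributes."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
# Constructed stand-in for the authoritative AIXM data store (feature id -> agencies).
AIXM_STORE = {"EDMM1": {"aixm:controllingAgency": "DFS", "aixm:usingAgency": "LUFTWAFFE"}}

def stub_pdp(attrs):
    """Constructed PDP with an assumed policy: it cannot evaluate without
    aixm:controllingAgency (reported as missing) and permits GetFeature only to
    users of the controlling agency."""
    if "aixm:controllingAgency" not in attrs:
        return (f'<Response xmlns="{CTX}"><Result><Decision>Indeterminate</Decision>'
                f'<Status><StatusCode Value="{MISSING}"/><StatusDetail>'
                f'<MissingAttributeDetail AttributeId="aixm:controllingAgency" '
                f'DataType="{XS_STRING}"/></StatusDetail></Status></Result></Response>')
    ok = (attrs.get("action") == "GetFeature"
          and attrs["aixm:controllingAgency"] == attrs.get("subject-org"))
    return (f'<Response xmlns="{CTX}"><Result><Decision>{"Permit" if ok else "Deny"}'
            '</Decision></Result></Response>')

def parse_response(xml):
    """Return (decision, [AttributeIds reported missing]) from an XACML 2.0 Response."""
    root, ns = ET.fromstring(xml), {"c": CTX}
    code = root.find("c:Result/c:Status/c:StatusCode", ns)
    missing = ([d.get("AttributeId") for d in root.findall(".//c:MissingAttributeDetail", ns)]
               if code is not None and code.get("Value") == MISSING else [])
    return root.find("c:Result/c:Decision", ns).text, missing

def pep_decide(query, subject_org, pdp=stub_pdp, max_rounds=3):
    """The PEP sits in front of the service, so it builds the request context from the
    subject's own OWS KVP request. Reported missing attributes are resolved from the
    data store and the PDP is asked again; anything other than Permit means Deny."""
    kvp = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    attrs = {"action": kvp.get("request"), "resource-id": kvp.get("featureid"),
             "subject-org": subject_org}
    for _ in range(max_rounds):
        decision, missing = parse_response(pdp(attrs))
        if not missing:
            return "Permit" if decision == "Permit" else "Deny"  # fail closed
        feature = AIXM_STORE.get(attrs["resource-id"], {})
        for attr_id in missing:
            if attr_id not in feature:
                return "Deny"  # attribute cannot be resolved: fail closed
            attrs[attr_id] = feature[attr_id]
    return "Deny"  # PDP keeps asking for attributes: fail closed
```

The loop bounds the number of PDP round trips and fails closed on every other outcome, which is the behaviour a PEP in front of the service needs when attribute resolution depends on a data store it does not control.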