OGC 11-086r1
Copyright © 2012 Open Geospatial Consortium
The insertion of entries into the repository containing the digital signatures and the assignment of their validity period can be realised either explicitly, by adding appropriate PIP-control-obligations to a deny rule element that carries rewrite-obligations, or implicitly, through an appropriately implemented Obligation Handler.
The augmentation of the ADRs with this information can happen by default, through the Context Handler, or can be controlled by the policy, either through the XACML missing-attribute mechanism or through PIP-control-obligations.
7.3.5 Indeterminate response with missing-attribute information and/or PIP-control-obligations
Figure 16 shows the consequences for the information flow in cases where the Context Handler receives an indeterminate response with missing-attribute information and/or PIP-control-obligations. A Context Handler receiving an XACML authorization decision response whose Decision element contains Indeterminate with a status code of urn:oasis:names:tc:xacml:1.0:status:missing-attribute will try to retrieve the missing information. There are two options for how this can be done.
In the case of missing XACML attributes, the Context Handler implementation can use built-in methods to resolve the values of the missing XACML attributes. The StatusDetail element lists the names and data-types of any attributes that are needed by the PDP to refine its decision. To support this approach in a specific application domain, one has to clearly define the expected behaviour of the Context Handler for the case that one of the XACML attributes used by the policy turns out to be missing from the ADR. Note that the PDP only reports the attributes it needed for the evaluation path it actually took, so a resubmitted ADR can again yield a missing-attribute response; the Context Handler therefore needs a bounded retry strategy and a defined outcome (normally a denial) for attributes it cannot resolve.
A more generic solution, which is also available if information under Content elements is missing, i.e. in the case of indeterminate responses that result from AttributeSelector elements that cannot be evaluated, can be realized by using PIP-control-obligations. These obligations contain instructions that tell the PIP from where to retrieve more data, how the corresponding PIP query should look and how the resulting response should be included in the original XACML ADR.
After extending the original ADR, the Context Handler can resubmit the extended ADR. Now the PDP has all the information whose absence caused the missing-attribute indeterminate response in the first run and can finally calculate the requested authorization decision.
[Figure 16 image: sequence diagram with lifelines for the Subject, the PEP, the PDP, the PIP and an information source. Recoverable message labels: XACML Authorisation Decision Request (ADR); XACML Authorisation Decision Response: Indeterminate, status missing-attribute, including the list of missing XACML attributes and/or PIP-control-obligations; process obligations / PIP control; get missing XACML attributes via sub-requests for additional data; extend ADR; extended XACML Authorisation Decision Request; XACML Authorisation Decision Response; WFS request.]
Figure 16: Information flow in case of an indeterminate response with missing-attribute information and/or PIP-control-obligations
8 Techniques to implement the required types of rights in GeoXACML
This section explains how to generate adequate XACML ADRs based on intercepted WFS messages and how to implement the required types of rights. For each type of right we present an XACML code fragment that demonstrates how to express authorization semantics of that kind.
All examples given in this section are not AIXM-specific and are intended to explain the concepts only. The application of these concepts to protect WFS instances that process AIXM data is shown in section 9.
Note that the interested reader is recommended to have detailed knowledge of the language constructs provided by the XACML v3.0 specification, the GeoXACML specification and the related profiles (cf. 6.3.6).
8.1 XACML based implementation of the SSME evaluation context model