Copyright © 2013 Open Geospatial Consortium
5.4.1 GEOAxIS PEP – con terra PDP communication protocol
The con terra PDP accepts XACML 2.0 compliant Authorization Decision Requests (ADR) using HTTP POST. The ADR may be wrapped in a SOAP message or sent as a plain HTTP request body. The PDP returns an XACML 2.0 compliant Authorization Decision, either wrapped in a SOAP message or as a plain HTTP response body, matching the encoding used for the request. For this testbed, the con terra PDP is only available to dedicated source IP addresses.
5.4.2 GEOAxIS con terra PEP – Secure Dimensions PDP communication protocol
The Secure Dimensions PDP accepts XACML 2.0 compliant Authorization Decision Requests (ADR) using HTTP POST. After processing the ADR, it returns an XACML 2.0 compliant Authorization Decision (AD). The structure of the ADR is defined by the XACML 2.0 schema element RequestType and the structure of the AD is defined by the ResponseType, both defined in the namespace URI urn:oasis:names:tc:xacml:2.0:context:schema:os. In terms of protection, each PDP provided by Secure Dimensions can only be accessed via a cleared IP address. A request from any other IP address will receive an HTTP 403 "Forbidden" status. So in order for GEOAxIS and con terra to leverage the provided PDP, the PEP's outbound IP address must be known.
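The following sketch is an added example, not code from the testbed or from any of the participating vendors. It shows the PEP side of the exchange described above for the plain HTTP body encoding (no SOAP wrapper): building an ADR in the XACML 2.0 context namespace, and evaluating the returned AD so that anything other than a single well-formed Permit (including the HTTP 403 sent to a non-cleared IP address) results in denial. The function names, the subject/resource/action values and the sample responses are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"  # namespace named in the text
NS = {"x": CTX}
STRING = "http://www.w3.org/2001/XMLSchema#string"
# Standard XACML identifiers for the three request categories.
ATTR_IDS = {
    "Subject": "urn:oasis:names:tc:xacml:1.0:subject:subject-id",
    "Resource": "urn:oasis:names:tc:xacml:1.0:resource:resource-id",
    "Action": "urn:oasis:names:tc:xacml:1.0:action:action-id",
}

def build_adr(subject, resource, action):
    """Serialize an XACML 2.0 Request (RequestType) for use as the POST body."""
    ET.register_namespace("", CTX)
    req = ET.Element(f"{{{CTX}}}Request")
    for category, value in zip(ATTR_IDS, (subject, resource, action)):
        holder = ET.SubElement(req, f"{{{CTX}}}{category}")
        attr = ET.SubElement(holder, f"{{{CTX}}}Attribute",
                             AttributeId=ATTR_IDS[category], DataType=STRING)
        ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value
    ET.SubElement(req, f"{{{CTX}}}Environment")  # mandatory element, may be empty
    return ET.tostring(req, encoding="utf-8")

def enforce(http_status, body):
    """Deny-biased PEP decision: only one well-formed Permit grants access."""
    if http_status != 200 or b"<!DOCTYPE" in body:  # 403 = PEP IP not cleared
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    if root.tag != f"{{{CTX}}}Response":
        return False
    decisions = [(d.text or "").strip() for d in root.findall("x:Result/x:Decision", NS)]
    return decisions == ["Permit"]

def sample_response(decision):
    # Constructed sample AD (ResponseType); not captured from a real PDP.
    return (f'<Response xmlns="{CTX}"><Result><Decision>{decision}</Decision>'
            '<Status><StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>'
            '</Status></Result></Response>').encode()

if __name__ == "__main__":
    print(build_adr("alice", "http://example.org/wfs", "GetFeature").decode())
    for status, body in ((200, sample_response("Permit")), (200, sample_response("Indeterminate")),
                         (403, b"Forbidden"), (200, b"<html>proxy error</html>")):
        print(status, enforce(status, body))
```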
5.4.3 PAP communication protocol
According to the flow of communication, all PDPs load the policy from the Policy Administration Point. The PAP is therefore required to provide a web-service-like interface in addition to the policy creation and maintenance GUI, which can be accessed using login username ows9 and password ogcows9.
The PAP service interface for obtaining a policy is not protected. The following service endpoint URL is available:
http://ows9.secure-dimensions.org/cgi-bin/PAP
The Web Service interface can be executed via HTTP GET using Key-Value-Pair encoding to shape the request. Currently, this interface can be executed using the following parameter keys:
PolicySetId=value tasks the PAP to return the policy where the attribute "PolicySetId" equals value. The root element of the returned policy is a PolicySet element.
PolicyId=value tasks the PAP to return the policy where the attribute "PolicyId" equals value. The root element of the returned policy is a Policy element.
Figure 5 — Interaction with the PAP’s Web Service Interface
5.5 Communication between components