GeoXACML based Access Control Systems for Geo Web Services

People: Jan Herrmann, Dr. Andreas Matheus (UniBW)

Currently, OGC Web Services are a priori unprotected. No specifications exist that describe how to establish protection for OGC Web Services through an access control mechanism. Nevertheless, policy languages such as XACML or GeoXACML exist that support the declaration and enforcement of fine-grained, content- and context-dependent access control rules. In a nutshell, GeoXACML describes a policy language that uses XML encoding to express spatial access rights. GeoXACML allows the interoperable processing, exchange and collaborative creation of policies independently of the underlying service-based architecture.
In reality, several problems arise from the fact that GeoXACML, or rather its base specification XACML, gives too much freedom in expressing access rights and in deriving the information upon which an access control decision is based. The flexibility that (Geo)XACML provides and the different supported bindings of OGC Services (currently GET/POST, in the future also SOAP and REST) can cause a loss of interoperability between protected services and GeoXACML-based access control systems.
Hence the focus of this project is to evaluate and demonstrate methods for providing interoperable, spatial access control for OGC Web Services using GeoXACML. This research project is conducted in cooperation with the Universität der Bundeswehr München and as part of the OGC Web Services, Phase 6 (OWS-6) Interoperability Initiative, a testbed to advance OGC's open interoperability framework for geospatial capabilities. Various test cases, derived from the OWS-6 sponsors' requirements, will demonstrate the results and assist the analyses. Additionally, it is intended to advance and harmonize existing OGC specifications and the access control related OASIS specifications.
Clear and consistent recommendations will be derived that show how to declare access rights for OGC Web Services in a GeoXACML policy, and how to obtain information from an OGC Web Service request/response, the environment, etc. to create a uniform authorization decision request that fits the given rules of the policy. Thanks to those recommendations, users will have a comprehensive guideline on how to use GeoXACML to define policies for OGC Web Services in an interoperable way and how to generate the corresponding access control decision requests.
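The two steps described above, extracting a uniform authorization decision request from an OGC Web Service request and evaluating a spatial rule against it, as an added illustration that is not part of this project or of the GeoXACML specification. Geometries are simplified to axis-aligned boxes and the policy, user names, roles, feature type and region are constructed for the example; a real deployment would use GML geometries, OGC spatial functions and XACML-encoded policies.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass(frozen=True)
class BBox:
    """Axis-aligned box; stands in for a GML geometry in this toy."""
    minx: float
    miny: float
    maxx: float
    maxy: float

    def within(self, other: "BBox") -> bool:
        """True if this box lies completely inside `other`."""
        return (self.minx >= other.minx and self.miny >= other.miny
                and self.maxx <= other.maxx and self.maxy <= other.maxy)

def build_decision_request(user: str, role: str, url: str) -> dict:
    """PEP step: pull subject, resource, action and the requested area out
    of a WFS GetFeature KVP request into one uniform decision request."""
    q = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if q.get("request", "").lower() != "getfeature":
        raise ValueError("only GetFeature requests are handled in this toy")
    # BBOX=minx,miny,maxx,maxy; an optional trailing CRS token is ignored
    coords = [float(x) for x in q["bbox"].split(",")[:4]]
    return {
        "subject": {"id": user, "role": role},
        "resource": {"service": "WFS", "typename": q["typename"]},
        "action": "GetFeature",
        "area": BBox(*coords),
    }

# Constructed sample policy (hypothetical): analysts may read 'roads'
# only when the requested area lies inside this region.
PERMITTED_REGION = BBox(10.0, 48.0, 12.0, 50.0)

def decide(req: dict) -> str:
    """PDP step: rule target = role + feature type + action; spatial
    condition = requested area within the region. Everything else: Deny."""
    if (req["subject"]["role"] == "analyst"
            and req["resource"]["typename"] == "roads"
            and req["action"] == "GetFeature"
            and req["area"].within(PERMITTED_REGION)):
        return "Permit"
    return "Deny"

if __name__ == "__main__":
    url = "http://wfs.example/ows?SERVICE=WFS&REQUEST=GetFeature&TYPENAME=roads&BBOX=10.5,48.5,11,49"
    print(decide(build_decision_request("alice", "analyst", url)))  # Permit
```

Because the rule is deny-by-default, a request whose bounding box extends even partly outside the permitted region is refused as a whole rather than silently clipped.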