Introduction to the Mapbender OWS Security Proxy



Similar documents
FreeGIS.net, INSPIRE, Open Source Software and OGC standards

UK Location Programme

Secure your GIS. Protecting GIS applications suites. camptocamp / 9. septembre 2010 / / info@camptocamp.com

OSGeo Web Mapping Typification: GeoMajas, Mapbender, MapFish and OpenLayers. Christoph Baudson Arnulf Christl FOSS4G 2010 Barcelona

Introduction to OSGeo and QGIS

DISMAR implementing an OpenGIS compliant Marine Information Management System

GeoNetwork, The Open Source Solution for the interoperable management of geospatial metadata

Cloud application for water resources modeling. Faculty of Computer Science, University Goce Delcev Shtip, Republic of Macedonia

Enabling embedded maps

Standardized data sharing through an open-source Spatial Data Infrastructure: the Afromaison project

Cloud-based Infrastructures. Serving INSPIRE needs

GeoMedia Product Update. Title of Presentation. Lorilie Barteski October 15, 2008 Edmonton, AB

Introduction to Spatial Data Management with Postgis. Spatial Data Management

The OSGeo Foundation. FOSS4G Korea 2011 Seoul. Professionally leveraging Open Source Geospatial. Arnulf Christl President

Data interchange between Web client based task controllers and management information systems using ISO and OGC standards

GeoNetwork, The Open Source Solution for the interoperable management of geospatial metadata

Chaining Façades: Higher Efficiency in evolution-enabled Spatial Data Infrastructures (SDI)

From Geoportal to Spatial Data Service Platform. Jani Kylmäaho National Land Survey of Finland Development Centre

Analysis of the Free GIS Software Applications in respect to INSPIRE services and OGC standards

Authentication Methods

This module provides an overview of service and cloud technologies using the Microsoft.NET Framework and the Windows Azure cloud.

Combining Drupal Content Management System with OGC Web Services

Institute of Computational Modeling SB RAS

Centre for EcologicalNoosphere Studies NAS RA CENS

GeoMedia & Geostandaarden. Frank Langelaan

CentropeSTATISTICS a Tool for Cross-Border Data Presentation Manfred Schrenk, Clemens Beyer, Norbert Ströbinger

Web-based spatio-temporal visualization and analysis of the Siberian Earth System Science Cluster (SIB-ESS-C)

DESIGN SECURITY AND GEO-RIGHTS MANAGEMENT SERVICES IN SPATIAL DATA INFRASTRUCTURE

Quality Assessment for Geographic Web Services. Pedro Medeiros (1)

WP6. e-soter Web Services: Status and Way Ahead to a Global Soil Information Service Yusuf YIGINI EU Joint Research Centre

Developing of A GIS Based Enviromental Monitoring System with Open Source Softwares

EasySDI Publish. Software requirements & specifications

Correspondence can be sent to: GeoConnections Natural Resources Canada 615 Booth Street Ottawa, Ontario K1A 0E9

Secure Web Appliance. Reverse Proxy

Introduction to Geospatial Web Services

WEB MAPPING WITH DRUPAL Ranel O. Padon

Secure Web Appliance. SSL Intercept

Open Source Software and Open Interoperability Standards at EDINA National Datacentre

An architecture for open and scalable WebGIS

Microsoft Exam MB2-702 Microsoft Dynamics CRM 2013 Deployment Version: 6.1 [ Total Questions: 90 ]

MOC DEVELOPING WINDOWS AZURE AND WEB SERVICES

EXPLORING AND SHARING GEOSPATIAL INFORMATION THROUGH MYGDI EXPLORER

Neues vom QGIS Server und QGIS-Webclient

Implementation Guide SAP NetWeaver Identity Management Identity Provider

Web Mapping in Archaeology

Caching techniques for high-performance Web Map Services

Data Visualization Using Web GIS Software

From centralized to single sign on

GIS AS A DECISION SUPPORT FOR SUPPLY CHAIN MANAGEMENT

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

What s new in Carmenta Server 4.2

Geodata-Management in the Thünen- Institute. Till Kirchner Thünen-Institute for Forest Ecosystems, Eberswalde

Binonymizer A Two-Way Web-Browsing Anonymizer

Developing Windows Azure and Web Services

CentropeMAP - Information Infrastructure for a dynamic cross-border region in the heart of Europe Manfred Schrenk, Clemens Beyer, Walter Pozarek

BlackBerry Enterprise Service 10. Version: Configuration Guide

Web Map Service Architecture for Topographic Data in Finland

The use of Semantic Web Technologies in Spatial Decision Support Systems

Performance Characteristics of Data Security. Fabasoft Cloud

13 th EC GI & GIS Workshop WIN: A new OGC compliant SOA. for risk management. GMV, 2007 Property of GMV All rights reserved

Documentation of open source GIS/RS software projects

ishare in the Cloud Service Definition v5.0

Design Requirements for an AJAX and Web-Service Based Generic Internet GIS Client

Location Based Asset Management Application for Railway: AMS-R

CubeWerx USA. Role-based Access Control. Best Practices for Geospatial SOA NSDI CAP Project. 2007, CubeWerx USA

Oklahoma s Open Source Spatial Data Clearinghouse: OKMaps

Astaro Mail Archiving Getting Started Guide

Chapter 6: Data Acquisition Methods, Procedures, and Issues

SAML 2.0 Configurations at SAP NetWeaver AS ABAP and Microsoft ADFS

MS 20487A Developing Windows Azure and Web Services

County of Los Angeles. Chief Information Office Preferred Technologies for Geographic Information Systems (GIS) September 2014

Spectrum Technology Platform. Version 9.0. Administration Guide

Kentico CMS security facts

ArcGIS. Server. A Complete and Integrated Server GIS

Load Balancing Microsoft Sharepoint 2010 Load Balancing Microsoft Sharepoint Deployment Guide

COSTE: a Web-Services Infrastructure Enabling Interoperability and Integration of Spatial and Traffic e-contents for European Regions

SSL VPN Portal Options

ARCHITECTURE OF INTEGRATED GIS AND GPS FOR VEHICLE MONITORING

Geospatially Enabling the World: The Convergence of Geospatial and Architectural and Engineering Design

Smart Cities require Geospatial Data Providing services to citizens, enterprises, visitors...

XML Signatures in an Enterprise Service Bus Environment

White Paper DocuWare Cloud. Version 2.0

Citrix NetScaler and Microsoft SharePoint 2013 Hybrid Deployment Guide

Hybrid for SharePoint Server Search Reference Architecture

African European Georesources Observation System

PowerLink for Blackboard Vista and Campus Edition Install Guide

RoomWizard Synchronization Software Manual Installation Instructions

Configuring Load Balancing

Free and Open Source GIS Software for Building a Spatial Data Infrastructure

Avatier Identity Management Suite

Why a Reverse Proxy with My Instant Communicator for mobiles??

itop: the open-source ITSM solution

Content. What is Metadata Design and Thing Catalogs INSPIRE and digital Geo Data New Requirement: Pragmatics...and the w holy REST.


4. SSL-VPN Connection


SIMCom_3G_SSL_Application Note_V1.10

Open Source GIS. Open Source GIS. Agenda. Open Source. Typische GIS Funktionen. LOTS Bern

LDAP Authentication and Authorization

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

Transcription:

Introduction to the Mapbender OWS Security Proxy Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 1/16

Agenda 1 Introduction to the Architecture OWS from Bottom Up with the OSGeo SDI Software Stack Mapbender Application Framework, User Management and Orchestration 2 Proxy Technology as OWS Service Facade Basic Security IT: Authentication, Authorization, Encryption Basic Web IT: Proxy, Sessions and Caching Technology 3 Mapbender Implementation Authentication and Session Management Apache URL Rewrite Ticketing Web Based User Authorization with OWS Service Containers 3 Individual Development Personalized Object-based WFS-T Access Planned OGC Standards adoption Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 2/16

Introduction to the Architecture OSGeo SDI Software Stack: FreeBSD Operating System Apache http Web Server UMN MapServer OGC WMS, WFS GeoServer Transactional OGC WFS PostgreSQL object relational SQL database PostGIS spatial database extension SFS, WKT Mapbender Portal OGC OWS Management Standards: Open Geospatial Consortium and ISO TC 211 ISO meta data standards Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 3/16

Introduction to the Architecture Implemented OGC Standards: WMS access for spatial objects in database via SFS (access restricted to dedicated and known host from same domain) Standard WMS 1.1.1 for map production in three security categories unprotected access from everywhere protected services for authorized access only (all data) protected services for personalized access (selected data) WFS for query and search interfaces (read only, unprotected) WFS-T for edit access (read/write, protected, personalized) Web Context Document to start client with personalized area of interest, service and layer selection (protected) Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 4/16

Introduction to the Architecture Mapbender: Application to build user interface and provide functionality View and Navigate: zoom, pan, search, find, activate, deactivate layers, etc. Services: add, reorder, remove, overlay, metadata (CS-W 2.0 services) Digitize: create, edit, delete, snap, break, unify, query, etc. User Management Create users, allow access to services via user interface and/or group Service Orchestration Upload, remove, edit, monitor WMS and WFS Bind WMS and WFS into user interface, allow functionality on services Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 5/16

Proxy Technology as OWS Service Facade Unprotected Open Access from Authorized Domain Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 6/16

Proxy Technology as OWS Service Facade The OpenGIS architecture needs to be protected and secured by an additional layer of security. Use standard IT solutions for standard requirements. Requirements: Only authenticated users are allowed to access the system Users can only see and edit their own (authorized) objects Data transport is encrypted on a lower level (SSL, TLS) Sessions have to expire after a timeout limit is reached Everything needs to be logged Integrity of the data and services have to be ensured Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 7/16

Mapbender Implementation User authenticates at OWS Security Proxy before accessing services. Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 8/16

Authentication and Session Management On unsuccessful authentication the request is rejected. Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 9/16

Apache URL Rewrite Ticketing Valid authentication creates a session ID which becomes part of a dynamic WMS OnlineResource (ticket) directly routing the client to the service. Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 10/16

Apache URL Manipulation with Ticket The OnlineResource parameter of the requests are manipulated by the proxy to identify the authenticated user and control the authorization for the requested service. Original request: http://localhost/wms/germany.xml?version=1.1.1& REQUEST=GetMap&SERVICE=WMS&LAYERS=my_polygons,... Modified request sent to Proxy: http://127.0.0.1/owsproxy/50b3c6d6237efaaa7603f35faab17c18 /63b3b2765758813b3a41265829ca5668?VERSION=1.1.1& REQUEST=GetMap&SERVICE=WMS&LAYERS=my_polygons,... The Security Proxy identifies the user (the red parameter is the hashed session ID) and checks permissions for the unique wms ID (blue parameter). The rest of the request is unchanged. Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 11/16

Mapbender Implementation Hands on demonstration: Configuration of the web server (Apache) with a regular expression and the alias module to extract user and requested service from OGC request URL parameters Configuration within Mapbender to use OWS Security Proxy Protected WMS service (directly accessible only from within secure domain) Web based interface to activate OWS Security Proxy for OGC WMS services in user interfaces Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 12/16

Web Based User Authorization Multi-client capability of the software allows providers to manage access security for their own users and services themselves. Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 13/16

Management with OWS Service Containers Service containers (Repository) allows for management, logging and monitoring of services stacks. Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 14/16

Personalized Object-based WFS-T Access Personalized Access Implemented as Application Module All requests are intercepted inside the secure domain User authorization for requested task is checked Request is logged and either rejected or executed Examples of productive environments The German federal states of Rhineland Palatinate and Baden Wurttemberg operate similar infrastructures in an application for the European agricultural subsidy grant program since spring of 2005. In the first two years of operation 650.000 secured GML edit-, modify- and delete requests were processed through this framework. http://www.mapbender.org/index.php/fiona Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 15/16

Discussion For further information contact: Arnulf Christl arnulf.christl@wheregroup.com Siemenstr. 8 53121 Bonn Germany This presentation is licensed and protected under the GNU FDL. http://www.gnu.org/licenses/fdl.txt Appendix: You are free to copy and redistribute this document, with or without modifying it, either commercially or noncommercially keeping this page and the author's name in place. Arnulf Christl, WhereGroup GmbH & Co. KG, Bonn, Germany 16/16

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information