Ticket #1004 (closed task: fixed)

Opened 11 years ago

Last modified 10 years ago

[S] OWS Server Security Filter

Reported by: pjkersha Owned by: pjkersha
Priority: blocker Milestone: NDG3
Component: security Version:
Keywords: security Cc:

Description

This component filters requests to a COWS server that it's protect and grants or denies access based on security constraints.

  • The filter is a PEP (Policy Enforcement Point) aka Gatekeeper in that enforces security but it doesn't actually make the access control decision. This is made by a PDP (Policy Decision Point)
  • The filter will be based on the Python WSGI.
  • It should be possible with PasteDeploy pipelines to add the filter via a Paste config file rather the need to modify the COWS code.
  • A critical requirement is to make this work with existing OWS clients such as OpenLayers. e.g. Do OpenLayers clients support cookies for holding a security context?

Change History

comment:1 Changed 11 years ago by spascoe

This is connected to #975. I suggest we document the OpenLayers? cookie issue there.

comment:2 Changed 11 years ago by pjkersha

  • Status changed from new to assigned

comment:3 Changed 11 years ago by pjkersha

Investigate deployment of PEP WSGI via mod_wsgi instead of deployment with Paste + Apache ProxyPass. Deployed in mod_wsgi the PEP should be able to access SSL environment variables and so perform SSL client authentication where necessary.

Can still use paste.deploy.load_app incorporated into a parent mod_wsgi app to enable use of ini config for a WSGI pipeline and/or other config options.

comment:4 Changed 10 years ago by pjkersha

  1. Working test with mod_wsgi and SSL Client authntication middleware
  2. Successfully tested a filter chain containing a basic implementation of this together with OpenID Relying Party and basic PDP middleware. The chain acts based on HTTP response codes set:
    • The filter intercepts based on a simple list of URIs set in a config file. If a match is found a 403 status is set.
    • The PDP middleware intercepts these 403 status messages and any others and makes an access control decision.
    • The OpenID Relying Party intercepts 401 Unauthorized messages invoking the UI for the user to input their OpenID.

comment:5 Changed 10 years ago by pjkersha

  • Status changed from assigned to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.