Changes between Initial Version and Version 1 of TI12_Security/DEWS/SeaInfoAccess2GADS-WCSUseCase


Timestamp:
12/01/07 11:57:00 (13 years ago)
Author:
pjkersha
Comment:

--

  • TI12_Security/DEWS/SeaInfoAccess2GADS-WCSUseCase

    v1 v1  
     1== Use Case: BMT SeaInfo access to GADS-WCS == 
     2 
     3=== Description === 
     4The steps required for SeaInfo to access GADS-WCS data. 
     5 
     6=== Actors === 
     7 * BMT !SeaInfo application client 
     8 * Marine Stream Geoserver (GADS-WCS) Gatekeeper 
     9 * Marine Stream Geoserver (GADS-WCS) 
     10 * Marine Stream Attribute Authority - MarineAA (deployed at ESSC) 
     11 
     12=== Assumptions === 
     13 * Gatekeeper port is exposed outside host site firewall. 
     14 * Geoserver port is protected within host site firewall. 
     15 * Incoming SOAP messages from the client are secured with WS-Security digital signature. 
     16 
     17=== Triggers === 
     18A client makes a request to the Gatekeeper for data. 
     19 
     20=== Outcome === 
     21Client is granted access to secured Geoserver data. 
     22 
     23=== Normal Course === 
     24 1. !SeaInfo makes a `getAttCert` call to the MarineAA Web Service to request an Attribute Certificate.  It signs the SOAP message using WS-Security signing it with a private key it holds. 
     25 1. MarineAA receives the request from !SeaInfo and verifies the signature of the SOAP message. 
     26 1. MarineAA extracts the Distinguished Name of the !SeaInfo certificate associated with the signature and looks up this user in its list of registered users. 
     27 1. Retrieve roles contained in the Attribute Certificate. 
     28 1. Parse Geoserver request and call getCapabilities to get the role name for the resource associated with the request. 
     29 1. Make access control decision matching the role of the Geoserver resource against the roles available in the Attribute Certificate.  If a match is found, access is granted. 
     30 1. Call the audit/logging web service for the Gatekeeper and record:  
     31    * timestamp 
     32    * user ID (contained in Attribute Certificate ''holder'' element) 
     33    * organisation (Attribute Certificate ''issuer'' or ''issuerName'' element) 
     34    * request 
     35    * response size 
     36    * response time. 
     37 1. Forward the Geoserver request to Geoserver. 
     38 1. Receive the response from Geoserver and put into a SOAP response. 
     39 1. Sign SOAP repsonse before dispatch if required or is practicable. 
     40 1. Dispatch SOAP response back to the client.
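
Review bot: The Normal Course jumps from MarineAA looking up the user (wiki line 26) straight to "Retrieve roles contained in the Attribute Certificate" (line 27), so the steps that carry the trust decision are missing. Nothing says that MarineAA issues and returns the Attribute Certificate, that the client sends its request with the certificate to the Gatekeeper, or that the Gatekeeper verifies the WS-Security signature on that request and the signature and issuer of the Attribute Certificate before reading roles from it. The Assumptions section says incoming SOAP messages are signed, but only MarineAA is shown verifying a signature. Suggest adding those steps and naming the actor for lines 27 to 40, since from line 27 onward the actor is implied to be the Gatekeeper but never stated. Three smaller points: line 29 only covers the case where a match is found, so an alternative course for denial (and whether denials are audited) is needed; the audit call at lines 30 to 36 records response size and response time but is ordered before the request is forwarded to Geoserver at line 37, so it should move after line 38 or be split into a request record and a response record; and line 39 has the typo "repsonse", while "if required or is practicable" leaves it undefined when the response is signed.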