
Version 1 (modified by pjkersha, 13 years ago)


Use Case: BMT SeaInfo access to GADS-WCS

Description

The steps required for SeaInfo to access GADS-WCS data.

Actors

  • BMT SeaInfo application client
  • Marine Stream Geoserver (GADS-WCS) Gatekeeper
  • Marine Stream Geoserver (GADS-WCS)
  • Marine Stream Attribute Authority - MarineAA (deployed at ESSC)

Assumptions

  • Gatekeeper port is exposed outside host site firewall.
  • Geoserver port is protected within host site firewall.
  • Incoming SOAP messages from the client are secured with WS-Security digital signature.

Triggers

A client makes a request to the Gatekeeper for data.

Outcome

Client is granted access to secured Geoserver data.

Normal Course

  1. SeaInfo makes a getAttCert call to the MarineAA Web Service to request an Attribute Certificate. It signs the SOAP message with WS-Security, using a private key it holds.
  2. MarineAA receives the request from SeaInfo and verifies the signature of the SOAP message.
  3. MarineAA extracts the Distinguished Name of the SeaInfo certificate associated with the signature and looks up this user in its list of registered users.
  4. Retrieve roles contained in the Attribute Certificate.
  5. Parse Geoserver request and call getCapabilities to get the role name for the resource associated with the request.
  6. Make access control decision matching the role of the Geoserver resource against the roles available in the Attribute Certificate. If a match is found, access is granted.
  7. Call the audit/logging web service for the Gatekeeper and record:
    • timestamp
    • user ID (contained in Attribute Certificate holder element)
    • organisation (Attribute Certificate issuer or issuerName element)
    • request
    • response size
    • response time.
  8. Forward the Geoserver request to Geoserver.
  9. Receive the response from Geoserver and put into a SOAP response.
  10. Sign the SOAP response before dispatch if required or practicable.
  11. Dispatch SOAP response back to the client.
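
The role match in step 6 and the audit record in step 7 can be sketched as follows. This is an added example, not code from the project: the XML layout of the Attribute Certificate, the role names and the function names are assumptions (only the holder, issuer and issuerName elements are named on this page), and the certificate's signature is assumed to have been verified before parsing.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample Attribute Certificate. The layout is an assumption;
# only holder, issuer and issuerName are element names taken from the page.
SAMPLE_AC = """<attCert>
  <acInfo>
    <holder>/O=BMT/CN=SeaInfo</holder>
    <issuer>/O=ESSC/CN=MarineAA</issuer>
    <issuerName>MarineAA</issuerName>
    <attributes><roleSet>
      <role><name>gads-wcs-user</name></role>
      <role><name>marine-staff</name></role>
    </roleSet></attributes>
  </acInfo>
</attCert>"""


def roles_from_ac(ac_xml):
    """Step 4: return (holder, organisation, role names) from a verified AC."""
    root = ET.fromstring(ac_xml)
    holder = (root.findtext("acInfo/holder") or "").strip()
    org = (root.findtext("acInfo/issuerName") or root.findtext("acInfo/issuer") or "").strip()
    roles = {n.text.strip() for n in root.iterfind(".//role/name") if n.text and n.text.strip()}
    return holder, org, roles


def decide(ac_xml, resource_role, request):
    """Step 6: grant only if the resource's role is in the AC; deny by default."""
    try:
        holder, org, roles = roles_from_ac(ac_xml)
    except ET.ParseError:
        holder, org, roles = "", "", set()  # unparseable AC: no identity, no roles
    granted = bool(holder) and bool(resource_role) and resource_role in roles
    # Step 7 audit fields. "granted" is an extra field added in this example;
    # response size and time are filled in once the Geoserver response is known.
    audit = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user_id": holder,
        "organisation": org,
        "request": request,
        "granted": granted,
        "response_size": None,
        "response_time": None,
    }
    return granted, audit
```

An empty resource role, a certificate with no holder, or a malformed certificate all result in denial, so a failure in the getCapabilities lookup of step 5 cannot turn into an accidental grant.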