Access control for geospatial information objects
using/extending the eXtensible Access Control Markup Language
Andreas Matheus, Technische Universität München, Munich, Germany
How does it fit into DRM?
DRM is about licensed use of an existing content:
- Content provider encrypts the content
- User can use the content on- or offline
- User requires the decryption key, whose distribution is controlled by the provider according to the user's license
Information based access control:
- Regulates the creation/use of a content in the first place
- Handles decryption key distribution, based on the information of an existing content
Motivation: Restrict the use of geospatial features
Based on the features accessed:
- For Write, Delete and Create access, constraints must be enforced for the service input
- For Read access, constraints must be enforced for the service output
Based on the spatial characteristics of the features (spatial features):
- Location (where is that feature)
- Geometry (which extent does the feature have)
XACML based infrastructure
[Figure: architecture diagram. Components: Client 1 / Subject 1 … Client m / Subject m, Internet, Web Service 1 (e.g. WFS, WMS), Policy Enforcement Point (PEP), Policy Decision Point (PDP), policy repository, repository of spatial features (accessed via SQL). Labels: SOAP communication, XML/GML encoded message, decision request, restricted access, unrestricted access.]
Functions of the PEP and PDP
Policy Enforcement Point:
- Provide Web Service interfaces
- Analyze the service request/response
- Isolate information from the request/response: User, Operation and Resource
- Form a decision request message, including the request content, to be sent to the PDP
- Accept or reject the service invocation request based on the response of the PDP
Policy Decision Point:
- Has access to the policies in the policy repository
- Accept decision requests from the PEP and return Deny, Permit, NotApplicable or Indeterminate
Associating access restrictions to features and feature types
- A type-based restriction is linked to a feature type; it is to be enforced for all instances of that type
- An instance-based restriction is linked to an individual feature; it is to be enforced for this feature only
Examples:
- Type-based restriction: Bob can read and write features of type BuildingType
- Instance-based restriction: Bob can not write the feature 'The White House'
The decision request message
- The decision request from the PEP to the PDP contains an XML encoding of the resources that the subject wants to access (ResourceContent element), the subject identity and the requested operation (R, W, C, D)
- The PDP returns the access decision based on the policies from the policy repository, the information from the decision request and optional environmental information
The ResourceContent element
- This element of the decision request is filled by the PEP
- It contains the resources the subject wants to access
- The information is critical, because mis-structuring can cause the PDP to return a wrong decision
- The XML encoded information held by the ResourceContent must be valid: the schema defines the feature types and the structure of the feature instances
An example result of a WFS
<?xml version="1.0" encoding="UTF-8"?>
<FeatureCollection fid="collection1" … >
  <gml:boundedBy>
    <gml:Box gid="box1" srsName="foo">
      <gml:coord><gml:X>0</gml:X><gml:Y>0</gml:Y></gml:coord>
      <gml:coord><gml:X>4</gml:X><gml:Y>4</gml:Y></gml:coord>
    </gml:Box>
  </gml:boundedBy>
  <gml:featureMember>
    <Building xsi:type="BuildingType" fid="B1">
      <Name>The White House</Name>
      <Location srsName="foo">
        <gml:coord><gml:X>1</gml:X><gml:Y>0</gml:Y></gml:coord>
      </Location>
    </Building>
  </gml:featureMember>
  <Name>An example feature collection</Name>
</FeatureCollection>
A decision request example
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:gml="http://www.opengis.org/gml"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context cs-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Bob</AttributeValue>
    </Attribute>
  </Subject>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
  …
  <Resource>
    <ResourceContent>
      <FeatureCollection fid="collection1" … >
        <gml:boundedBy>
          <gml:Box gid="box1" srsName="foo">
            <gml:coord><gml:X>0</gml:X><gml:Y>0</gml:Y></gml:coord>
            <gml:coord><gml:X>4</gml:X><gml:Y>4</gml:Y></gml:coord>
          </gml:Box>
        </gml:boundedBy>
        <gml:featureMember>
          <Building xsi:type="BuildingType" fid="B1">
            <Name>The White House</Name>
            <Location srsName="foo">
              <gml:coord><gml:X>1</gml:X><gml:Y>0</gml:Y></gml:coord>
            </Location>
          </Building>
        </gml:featureMember>
        <Name>An example city model</Name>
      </FeatureCollection>
    </ResourceContent>
    …
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://mySchema#CityModel</AttributeValue>
    </Attribute>
  </Resource>
</Request>
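The PEP step that produces the request above, as an added example (not the author's implementation): it isolates subject, operation and resource, embeds the service payload unchanged under ResourceContent, and rejects malformed payloads before they reach the PDP. The WFS response is a constructed, trimmed copy of the slide example.

```python
import xml.etree.ElementTree as ET

# Namespaces and attribute identifiers as they appear in the decision request on the slides.
CTX = "urn:oasis:names:tc:xacml:1.0:context"
GML = "http://www.opengis.org/gml"
XS = "http://www.w3.org/2001/XMLSchema"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
NS = {"ctx": CTX, "gml": GML}
ET.register_namespace("gml", GML)

# Constructed sample: the WFS response intercepted by the PEP (slide example, trimmed).
WFS_RESPONSE = f"""<FeatureCollection fid="collection1" xmlns:gml="{GML}">
  <gml:featureMember><Building fid="B1"><Name>The White House</Name>
    <Location srsName="foo"><gml:coord><gml:X>1</gml:X><gml:Y>0</gml:Y></gml:coord></Location>
  </Building></gml:featureMember></FeatureCollection>"""

def _attribute(parent, attr_id, datatype, value):
    """Append one XACML <Attribute> carrying a single <AttributeValue>."""
    attr = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=f"{XS}#{datatype}")
    ET.SubElement(attr, f"{{{CTX}}}AttributeValue").text = value

def build_decision_request(subject, operation, resource_id, service_xml):
    """PEP: isolate User, Operation and Resource from the service message and embed
    the message itself, unchanged, under ResourceContent.  Malformed XML raises
    ET.ParseError: the PEP must not hand the PDP a mis-structured ResourceContent."""
    content = ET.fromstring(service_xml)
    req = ET.Element(f"{{{CTX}}}Request")
    _attribute(ET.SubElement(req, f"{{{CTX}}}Subject"), SUBJECT_ID, "string", subject)
    res = ET.SubElement(req, f"{{{CTX}}}Resource")   # XACML 1.0 context order: Subject, Resource, Action
    ET.SubElement(res, f"{{{CTX}}}ResourceContent").append(content)
    _attribute(res, RESOURCE_ID, "anyURI", resource_id)
    _attribute(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, "string", operation)
    return req

def summarize(request):
    """PDP side: read back subject, operation, resource id and the fids of the
    features carried in ResourceContent."""
    def value(path):
        return request.find(path + "/ctx:AttributeValue", NS).text
    return {
        "subject": value("ctx:Subject/ctx:Attribute"),
        "operation": value("ctx:Action/ctx:Attribute"),
        "resource": value("ctx:Resource/ctx:Attribute"),
        "features": [b.get("fid") for b in request.findall(
            "ctx:Resource/ctx:ResourceContent/FeatureCollection/gml:featureMember/Building", NS)],
    }

def to_xml(request):
    return ET.tostring(request, encoding="unicode")
```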
Example policies based on XPath
Type-based example:
<Bob, Read +, //FeatureCollection/gml:featureMember/Building>
<Bob, Write +, //FeatureCollection/gml:featureMember/Building>
Instance-based example:
<Bob, Write -, //FeatureCollection/gml:featureMember/Building[Name/text()='The White House']>
Inconsistency
Two or more policies match for the same resources (features) but declare inverse access restrictions. For the previous example:
- Bob can write Building 'The White House' from the type-based policy
- Bob can not write the Building 'The White House' from the instance-based policy
Is it an inconsistency or an intended exceptional restriction?
- If these restrictions are declared in independent policies, it's probably an inconsistency
- If these restrictions are declared in a linked fashion, it's probably an intended situation: the type-based restriction represents the general case, the instance-based restriction represents the specific case
Quintessence: A mechanism must be in place that deals with this
How to deal with NotApplicable and Indeterminate decisions?
- Policies express explicit restrictions/allowances
- Requests not matching the explicit policies result in a PDP NotApplicable result
- How shall the PEP treat these decisions? Minimum allowed: Deny the request. Maximum allowed: Permit the request
- It must be certain that a NotApplicable decision is always meant to be Permit or Deny, but never both
- Indeterminate is always handled as a Deny; the PEP may return extra information to the user about what went wrong
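A minimal PDP/PEP pair covering the XPath policies and the linked type/instance case, and the NotApplicable/Indeterminate handling just described. This is an added example, not the author's implementation: the instance-based '-' rule is treated as the exception that overrides the type-based '+' rule, the XPath is written relative to FeatureCollection because Python's ElementTree evaluates only that subset, and the ResourceContent with its second building is constructed.

```python
import xml.etree.ElementTree as ET

GML = "http://www.opengis.org/gml"
NS = {"gml": GML}

# Constructed ResourceContent: the slide's feature collection plus a second building,
# so that the type-based and the instance-based write rules give different answers.
RESOURCE_CONTENT = f"""<FeatureCollection fid="collection1" xmlns:gml="{GML}">
  <gml:featureMember><Building fid="B1"><Name>The White House</Name></Building></gml:featureMember>
  <gml:featureMember><Building fid="B2"><Name>Town Hall</Name></Building></gml:featureMember>
</FeatureCollection>"""

# <Subject, Operation, effect, XPath> in the notation of the slides.  The third
# entry is the instance-based exception linked to the type-based write rule.
POLICIES = [
    ("Bob", "read",  "+", "gml:featureMember/Building"),
    ("Bob", "write", "+", "gml:featureMember/Building"),
    ("Bob", "write", "-", "gml:featureMember/Building[Name='The White House']"),
]

def decide(subject, operation, content_xml, policies=POLICIES):
    """PDP: evaluate the ResourceContent against the policies.  A matching '-'
    rule (the specific, instance-based case) overrides any matching '+' rule.
    Returns Permit, Deny, NotApplicable (no rule matched) or Indeterminate
    (ResourceContent could not be evaluated)."""
    try:
        collection = ET.fromstring(content_xml)
    except ET.ParseError:
        return "Indeterminate"
    matched = False
    for subj, op, effect, xpath in policies:
        if subj != subject or op != operation or not collection.findall(xpath, NS):
            continue
        matched = True
        if effect == "-":
            return "Deny"          # exception wins over the general case
    return "Permit" if matched else "NotApplicable"

def enforce(decision, not_applicable_means_permit=False):
    """PEP: map the PDP answer onto accept (True) / reject (False).  NotApplicable is
    mapped by one fixed deployment setting, never both ways; Indeterminate always rejects."""
    if decision == "Permit":
        return True
    if decision == "NotApplicable":
        return not_applicable_means_permit
    return False                   # Deny and Indeterminate
```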
Spatial access restrictions
Feature based restrictions give the ability
- Spatial access restrictions can be applied to an area, the restriction area: a primitive area with no holes or a complex area with holes
- Applicable to spatial features in the resource content, based on their location/geometry
- The policy must link an area with a spatial property
Extending the access control triplet
<Subject, Operation, Object, Condition>
- Subject, Operation as usual
- Object = XPath to the XML elements (spatial features)
- Condition = Boolean expression using spatial relation functions: Within, Intersects, Outside, Touches, Equals etc.
Spatial restriction example
Bob can read all spatial features of type BuildingType that reside inside the 'RestrictedArea':
<Bob, Read +, //FeatureCollection/gml:featureMember/Building, Within(//FeatureCollection/gml:featureMember/Building/Location, RestrictedArea)>
<Polygon gid="RestrictedArea" srsName="foo">
  <outerBoundaryIs>
    <LinearRing>
      <coordinates>0,0 0,2 2,2 2,0 0,0</coordinates>
    </LinearRing>
  </outerBoundaryIs>
</Polygon>
Spatial policies and XACML
XACML does not provide the required language constructs => GeoXACMLGeoXACML requirements geometry types based on
gml:Point gml:Polygon gml:Box
functions for checking spatial relation based on Java Topology Suite (JTS) Equals, Disjoint, Intersects, Touches, Crosses,
Within, Contains, Overlaps Combination algorithm that take care of
specific spatial situations
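The Within condition of the spatial restriction example, evaluated over GML with the JTS point/polygon semantics the GeoXACML requirements refer to, as an added example (not the author's GeoXACML code; the relation is implemented directly rather than by calling JTS). The RestrictedArea polygon and building B1 at (1,0) are taken from the slides; B2 and B3 are constructed.

```python
import xml.etree.ElementTree as ET

GML = "http://www.opengis.org/gml"
NS = {"gml": GML}

# Constructed inputs mirroring the slides: the RestrictedArea polygon and a city
# model with B1 at (1,0) as on the slides plus an added B2 at (1,1) and B3 at (3,3).
RESTRICTED_AREA = f"""<gml:Polygon gid="RestrictedArea" srsName="foo" xmlns:gml="{GML}">
  <gml:outerBoundaryIs><gml:LinearRing>
    <gml:coordinates>0,0 0,2 2,2 2,0 0,0</gml:coordinates>
  </gml:LinearRing></gml:outerBoundaryIs></gml:Polygon>"""

def building(fid, name, x, y):        # helper to keep the sample collection short
    return (f'<gml:featureMember><Building fid="{fid}"><Name>{name}</Name><Location srsName="foo">'
            f'<gml:coord><gml:X>{x}</gml:X><gml:Y>{y}</gml:Y></gml:coord></Location></Building></gml:featureMember>')

CITY_MODEL = (f'<FeatureCollection fid="collection1" xmlns:gml="{GML}">'
              + building("B1", "The White House", 1, 0) + building("B2", "Town Hall", 1, 1)
              + building("B3", "Depot", 3, 3) + "</FeatureCollection>")

def ring_from_gml(polygon_xml):
    """Outer ring of a GML 2 gml:Polygon as a list of (x, y) tuples."""
    text = ET.fromstring(polygon_xml).find(".//gml:coordinates", NS).text
    return [tuple(map(float, pair.split(","))) for pair in text.split()]

def locate(point, ring):
    """Classify a point against a simple closed ring as 'interior', 'boundary' or
    'exterior'.  Edges are tested explicitly: as in JTS, Within is false on the boundary."""
    (px, py), inside = point, False
    for (x1, y1), (x2, y2) in zip(ring, ring[1:]):
        cross = (x2 - x1) * (py - y1) - (y2 - y1) * (px - x1)
        if cross == 0 and min(x1, x2) <= px <= max(x1, x2) and min(y1, y2) <= py <= max(y1, y2):
            return "boundary"
        if (y1 > py) != (y2 > py) and px < x1 + (py - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside                 # ray-casting parity test
    return "interior" if inside else "exterior"

def within(point, ring):   # GeoXACML Within(point, polygon): interior points only
    return locate(point, ring) == "interior"

def readable_buildings(city_xml, area_xml):
    """Apply <Bob, Read +, Building, Within(Location, RestrictedArea)> to the
    service output: return the fids of the features the condition admits."""
    ring = ring_from_gml(area_xml)
    out = []
    for b in ET.fromstring(city_xml).findall("gml:featureMember/Building", NS):
        c = b.find("Location/gml:coord", NS)
        if within((float(c.find("gml:X", NS).text), float(c.find("gml:Y", NS).text)), ring):
            out.append(b.get("fid"))
    return out
```

With the slide's own coordinates, 'The White House' at (1,0) lies on the polygon's edge, so Within does not hold and the rule does not admit it; a policy author who means "inside or on the border" needs Intersects (or Within or Touches) instead.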
Spatial inconsistency
Spatial restriction examples:
- Bob can read and write spatial features located inside restricted area 1
- Bob can not write spatial features located inside restricted area 2
How to encode this? Meta information required:
- Two independent policies: inconsistency
- Two linked policies: intended situation
Quintessence: Deal with spatial inconsistencies
[Figure: restricted area 1 and restricted area 2; coordinate labels (0,0), (1,1), (2,2), (3,3)]
Upcoming work in this field of research
- Implement the GeoXACML extensions: geospatial attributes, spatial relation functions, combination algorithms
- Prepare a set of XACML policies: type-based policies, instance-based policies, spatial policies
- Run test requests on the set of policies; produce lessons learned; produce a guide
Conclusion
- Feature based restrictions give the ability to restrict access/use of a particular content
- Spatial based restrictions give the ability to restrict access/use of a particular content for a particular area
- XACML is a promising specification to be extended
- This type of restriction can be used for controlling the creation of a feature based content and the distribution of decryption keys for DRM
The final slide
Thank you very much for your attention
Any feedback is desirable, please mail to [email protected]
Questions, please