Please take a look at
http://geoserver.org/display/GEOS/GeoXACML-Integration
Feedback is welcomed
Christian Müller ha scritto:
Please take a look at
http://geoserver.org/display/GEOS/GeoXACML-Integration
Feedback is welcomed
Doh, sorry I did not see this mail before answering the
one about the committed geoxacml module.
So the wiki page is there and looks good, thanks a lot,
it's clear and concise.
I guess the point about "how to address the PEP
integration" is contained in point 3?
"GeoServer should be able to handle spatial access control for its own requests. This step needs involvement from the core developers to achieve the expected functionallity and avoid performance bottlenecks."
That is, there is not a defined plan still, but we'll look
into it. Right?
Cheers
Andrea
--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.
Christian Müller ha scritto:
Please take a look at
Ah, about the XACML policy file editor, have you
tried to contact the research group that makes the
xacml editor you pointed at (http://xacml.dif.um.es/)?
They might be interested in some sort of collaboration,
it would be a source of research articles for them I guess.
I'm also wondering how hard it would be to have a
Wicket, web-based editor.
Cheers
Andrea
--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.
Renamed the tests, anything works fine.
Btw, I included also the offical XACML test set, but disabled the tests. I will only need them if have to fix something in suns xacml implementation.
-----------
Of course I looked at gt-xsd module, but I decided to do an own implementation, studying the code from Justin to avoid errors. The reasons are
1) I only need a subset of gml2 and gml3 (only geometries)
2) The GeoXACML specifications says that within a policy, one SHOULD decide between GML2 or GML2.
I implemented an approach looking into the GML DOM and decide on the fly which GML version to use.
3) I solved the LAT/LON problem of the CRS definitions with CRS.decode("..",true) for any needed CRS
(I asked today on the mailing list). At the moment, all GML coords within a policy have to be LON/LAT,
perhaps I think about a possibility to allow LAT/LON, which should be possible. The "crs" Method of the GML2Util class uses CRS.decode("...").
----------
Yes, point 3 on the wiki page is about the PEPs, and I left it open where and how to integrate them into GeoServer.
That is a decision for the core geoserver developers.
The java code is easy as you can see here http://sunxacml.sourceforge.net/guide.html#using-pep
---------------------------------------
I took a quick look at the policy editor. This is an universal editor which is driven bei the xml schema.
But you have to fill in the attribute Values for yourself and that is a challenge.
The data type attribute for a geometry is "urn:ogc:def:dataType:geoxacml:1.0:geometry", the functionid attribute for the "area" is "urn:ogc:def:function:geoxacml:1.0:geometry-area". No user will do that.
XACML functions are typed like in java, so the starting point of a Condition element can only be a function which returns a boolean. Based on the type system, the names of possible functions and the xml schema, one could build a comfortable wizzard. A Web based editor in geoserver would be the best, but that is a not a small project.
I am not really good in designing web pages, I simple do not like it. But I could implement the base functionality.
----------------------------------------
The next logical step would be
1) Implement a PolicFinderModule for GeoServer. I need some place in the GEOSERVER_DATA_DIR. Give me a directory.
I will open a second module "web-geoxacml", the geoxacml module should be moved to geotools
2) Trying to have the same functionality as http://geoserver.org/display/GEOSDOC/2.6+Security+subsystem
I have to implement the XACML RBAC to support roles (including hierarchies), and we must implement a PEP.
------------------------------------------
So far, I invested 4 weeks. At the moment I am working on my master thesis "Securing spatial data with GeoXACML in a J2ee container" and I want to get finished with my study. That is the reason for the GeoXACML boost.
christian