Hi,

I will present myself: my name is Firas Al Khalil. I am a PhD
candidate in computer science at the university of French Polynesia,
Tahiti. I work on security, more specifically on geographic data
security.

In the course of my work, I plan to implement an access control model
for GIS. It is an extension of an access control model called OrBAC.
This extension has been developed here at our lab. (see references
below).

What I'm trying to do is an implementation of an architecture very
similar to GeoXACML's architecture presented here
[http://geoserver.org/display/GEOS/GeoXACML-Integration\]. The image
depicts a workflow with WMS. I intend to do the same for WMS and WFS.

I downloaded GeoServer's source code, and tried to figure out how I
can implement it but I was not successful (I am on the 2.4 branch). I
tried to look at the GeoXACML module and instructions but I
encountered several issues. It seems to be that they're talking about
things that doesn't exist in GeoServer anymore, AND they are
implementing deprecated classes.

I contacted Jody Garnett on IRC, and he redirected me to this mailing
list, and said that I can propose a community module, where I can get
help from the experts on the subject.

He also proposed that maybe I can help update GeoXACML's
implementation, and will gladly help doing it.

I contacted my advisor, since he's the main author of the OrBAC
geographical extension, and he was OK to develop the open source
module with the community, on a condition that "he get contacted by
whoever is responsible" before the actual development takes place, so
it could be somehow a "formal" collaboration.

So here, I emptied my bag. I hope this can move forward.

Thank you.

*References*
[1] Capolsini, P., Gabillon, A.: Security policies for the
Visualization of Geo Data. Proceedings of the 2nd SIGSPATIAL ACM GIS
2009 International Workshop on Security and Privacy in GIS and LBS.
(2009).
[2] Gabillon, A., Capolsini, P.: Rule-based Policy Enforcement Point
for Map Services. Proceedings of the 3rd ACM SIGSPATIAL International
Workshop on Security and Privacy in GIS and LBS. (2010).
[3] Gabillon, A., Capolsini, P.: Dynamic Security Rules for Geo Data.
Data Privacy
Management and Autonomous Spontaneous Security, Springer. (2010).
[4] Gabillon, A., Capolsini, P.: Enforcing protection mechanisms for
geographic data. In Proceedings of the 11th international conference
on Web and Wireless Geographical Information Systems (W2GIS'12).
Springer-Verlag, Berlin, Heidelberg, 185-202. (2012).

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

Hi Firas

GeoServer tries to implement OGC standards, GeoXacml is such a standard, look here
http://www.opengeospatial.org/standards/geoxacml

The current GeoXacml module is not up to date.

Personally, I have no idea about OrBAC.

I like the idea of enhancing access control but this will need a broader discussion.

Concerning GeoXacml:
Quite powerful but complex. The problem is how to hide the complexity from the users.

Cheers
Christian

Hi Christian,

OrBAC and the extensions described in the references I mentioned are
not OGC standards, I am aware of that. I am trying to implement OrBAC
with the extensions. The initial goal was to make a prototype, a proof
of concept.

I have read this document
[http://demo.geo-solutions.it/share/securing_geoserver.pdf\] and I
tried to understand the work done on the GeoXACML community module
because what I'm trying to do is the same workflow. I failed for the
reasons I mentioned earlier.

I would like to know how to implement a custom access control model. I
am struggling with the code.

On Wed, Aug 21, 2013 at 3:47 AM, Christian Mueller
<christian.mueller@anonymised.com> wrote:

Hi Firas

GeoServer tries to implement OGC standards, GeoXacml is such a standard,
look here
http://www.opengeospatial.org/standards/geoxacml

The current GeoXacml module is not up to date.

Personally, I have no idea about OrBAC.

I like the idea of enhancing access control but this will need a broader
discussion.

Concerning GeoXacml:
Quite powerful but complex. The problem is how to hide the complexity from
the users.

Cheers
Christian

On Wed, Aug 21, 2013 at 1:56 AM, Firas Al Khalil <firasalkhalil@anonymised.com>
wrote:

Hi,

I will present myself: my name is Firas Al Khalil. I am a PhD
candidate in computer science at the university of French Polynesia,
Tahiti. I work on security, more specifically on geographic data
security.

In the course of my work, I plan to implement an access control model
for GIS. It is an extension of an access control model called OrBAC.
This extension has been developed here at our lab. (see references
below).

What I'm trying to do is an implementation of an architecture very
similar to GeoXACML's architecture presented here
[http://geoserver.org/display/GEOS/GeoXACML-Integration\]. The image
depicts a workflow with WMS. I intend to do the same for WMS and WFS.

I downloaded GeoServer's source code, and tried to figure out how I
can implement it but I was not successful (I am on the 2.4 branch). I
tried to look at the GeoXACML module and instructions but I
encountered several issues. It seems to be that they're talking about
things that doesn't exist in GeoServer anymore, AND they are
implementing deprecated classes.

I contacted Jody Garnett on IRC, and he redirected me to this mailing
list, and said that I can propose a community module, where I can get
help from the experts on the subject.

He also proposed that maybe I can help update GeoXACML's
implementation, and will gladly help doing it.

I contacted my advisor, since he's the main author of the OrBAC
geographical extension, and he was OK to develop the open source
module with the community, on a condition that "he get contacted by
whoever is responsible" before the actual development takes place, so
it could be somehow a "formal" collaboration.

So here, I emptied my bag. I hope this can move forward.

Thank you.

*References*
[1] Capolsini, P., Gabillon, A.: Security policies for the
Visualization of Geo Data. Proceedings of the 2nd SIGSPATIAL ACM GIS
2009 International Workshop on Security and Privacy in GIS and LBS.
(2009).
[2] Gabillon, A., Capolsini, P.: Rule-based Policy Enforcement Point
for Map Services. Proceedings of the 3rd ACM SIGSPATIAL International
Workshop on Security and Privacy in GIS and LBS. (2010).
[3] Gabillon, A., Capolsini, P.: Dynamic Security Rules for Geo Data.
Data Privacy
Management and Autonomous Spontaneous Security, Springer. (2010).
[4] Gabillon, A., Capolsini, P.: Enforcing protection mechanisms for
geographic data. In Proceedings of the 11th international conference
on Web and Wireless Geographical Information Systems (W2GIS'12).
Springer-Verlag, Berlin, Heidelberg, 185-202. (2012).

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and
AppDynamics. Performance Central is your source for news, insights,
analysis and resources for efficient Application Performance Management.
Visit us today!

http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

By the way, I do have a prototype of the extension based on the
reference OrBAC implementation [http://motorbac.sourceforge.net/\] (It
has been a year since I last worked on it, and it's not anything near
production quality, as always we were doing prototypes).

Now all I need to do is to "plug it" in GeoServer.

On Wed, Aug 21, 2013 at 9:31 AM, Firas Al Khalil
<firasalkhalil@anonymised.com> wrote:

Hi Christian,

OrBAC and the extensions described in the references I mentioned are
not OGC standards, I am aware of that. I am trying to implement OrBAC
with the extensions. The initial goal was to make a prototype, a proof
of concept.

I have read this document
[http://demo.geo-solutions.it/share/securing_geoserver.pdf\] and I
tried to understand the work done on the GeoXACML community module
because what I'm trying to do is the same workflow. I failed for the
reasons I mentioned earlier.

I would like to know how to implement a custom access control model. I
am struggling with the code.

On Wed, Aug 21, 2013 at 3:47 AM, Christian Mueller
<christian.mueller@anonymised.com> wrote:

Hi Firas

GeoServer tries to implement OGC standards, GeoXacml is such a standard,
look here
http://www.opengeospatial.org/standards/geoxacml

The current GeoXacml module is not up to date.

Personally, I have no idea about OrBAC.

I like the idea of enhancing access control but this will need a broader
discussion.

Concerning GeoXacml:
Quite powerful but complex. The problem is how to hide the complexity from
the users.

Cheers
Christian

On Wed, Aug 21, 2013 at 1:56 AM, Firas Al Khalil <firasalkhalil@anonymised.com>
wrote:

Hi,

I will present myself: my name is Firas Al Khalil. I am a PhD
candidate in computer science at the university of French Polynesia,
Tahiti. I work on security, more specifically on geographic data
security.

In the course of my work, I plan to implement an access control model
for GIS. It is an extension of an access control model called OrBAC.
This extension has been developed here at our lab. (see references
below).

What I'm trying to do is an implementation of an architecture very
similar to GeoXACML's architecture presented here
[http://geoserver.org/display/GEOS/GeoXACML-Integration\]. The image
depicts a workflow with WMS. I intend to do the same for WMS and WFS.

I downloaded GeoServer's source code, and tried to figure out how I
can implement it but I was not successful (I am on the 2.4 branch). I
tried to look at the GeoXACML module and instructions but I
encountered several issues. It seems to be that they're talking about
things that doesn't exist in GeoServer anymore, AND they are
implementing deprecated classes.

I contacted Jody Garnett on IRC, and he redirected me to this mailing
list, and said that I can propose a community module, where I can get
help from the experts on the subject.

He also proposed that maybe I can help update GeoXACML's
implementation, and will gladly help doing it.

I contacted my advisor, since he's the main author of the OrBAC
geographical extension, and he was OK to develop the open source
module with the community, on a condition that "he get contacted by
whoever is responsible" before the actual development takes place, so
it could be somehow a "formal" collaboration.

So here, I emptied my bag. I hope this can move forward.

Thank you.

*References*
[1] Capolsini, P., Gabillon, A.: Security policies for the
Visualization of Geo Data. Proceedings of the 2nd SIGSPATIAL ACM GIS
2009 International Workshop on Security and Privacy in GIS and LBS.
(2009).
[2] Gabillon, A., Capolsini, P.: Rule-based Policy Enforcement Point
for Map Services. Proceedings of the 3rd ACM SIGSPATIAL International
Workshop on Security and Privacy in GIS and LBS. (2010).
[3] Gabillon, A., Capolsini, P.: Dynamic Security Rules for Geo Data.
Data Privacy
Management and Autonomous Spontaneous Security, Springer. (2010).
[4] Gabillon, A., Capolsini, P.: Enforcing protection mechanisms for
geographic data. In Proceedings of the 11th international conference
on Web and Wireless Geographical Information Systems (W2GIS'12).
Springer-Verlag, Berlin, Heidelberg, 185-202. (2012).

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

------------------------------------------------------------------------------
Introducing Performance Central, a new site from SourceForge and
AppDynamics. Performance Central is your source for news, insights,
analysis and resources for efficient Application Performance Management.
Visit us today!

http://pubads.g.doubleclick.net/gampad/clk?id=48897511&iu=/4140/ostg.clktrk
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

On Wed, Aug 21, 2013 at 9:31 PM, Firas Al Khalil <firasalkhalil@anonymised.com>wrote:

Hi Christian,

OrBAC and the extensions described in the references I mentioned are
not OGC standards, I am aware of that. I am trying to implement OrBAC
with the extensions. The initial goal was to make a prototype, a proof
of concept.

I have read this document
[http://demo.geo-solutions.it/share/securing_geoserver.pdf\] and I
tried to understand the work done on the GeoXACML community module
because what I'm trying to do is the same workflow. I failed for the
reasons I mentioned earlier.

I would like to know how to implement a custom access control model. I
am struggling with the code.

Not sure how relevant it is, but you might also want to have a look at
GeoFence,
it plugs into the GeoServer authorization subsystem to apply security rules
that can limit attributes, filter features, cut rasters, based on the
current user,
request and layer, using an IPTables inspired approach (in terms of how the
security rules are evaluated):
https://github.com/geosolutions-it/geofence

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

On Wed, Aug 21, 2013 at 9:37 PM, Firas Al Khalil <firasalkhalil@anonymised.com>wrote:

By the way, I do have a prototype of the extension based on the
reference OrBAC implementation [http://motorbac.sourceforge.net/\] (It
has been a year since I last worked on it, and it's not anything near
production quality, as always we were doing prototypes).

Now all I need to do is to "plug it" in GeoServer.

Mind one thing, all the code implementing ResourceAccessManager (the
interface
that one needs to implement to talk to the geoserver own security subsystem)
is going to be GPL licensed, since that's the license of that interface

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

Ok, I will take a look at it now.

Thanks

On Wed, Aug 21, 2013 at 9:44 AM, Andrea Aime
<andrea.aime@anonymised.com> wrote:

On Wed, Aug 21, 2013 at 9:37 PM, Firas Al Khalil <firasalkhalil@anonymised.com>
wrote:

By the way, I do have a prototype of the extension based on the
reference OrBAC implementation [http://motorbac.sourceforge.net/\] (It
has been a year since I last worked on it, and it's not anything near
production quality, as always we were doing prototypes).

Now all I need to do is to "plug it" in GeoServer.

Mind one thing, all the code implementing ResourceAccessManager (the
interface
that one needs to implement to talk to the geoserver own security subsystem)
is going to be GPL licensed, since that's the license of that interface

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

I contacted my advisor, since he's the main author of the OrBAC
geographical extension, and he was OK to develop the open source
module with the community, on a condition that "he get contacted by
whoever is responsible" before the actual development takes place, so
it could be somehow a "formal" collaboration.

I think any project steering committee member can send that email. We do
have a formal process for you to set up a community module (as we also need
a record).

-
http://docs.geoserver.org/stable/en/developer/policies/community-modules.html

Hi Andrea,

I cloned geofence and I was trying to build (HEAD, using mvn 2) it but it fails

Missing:
----------
1) org.apache.maven.wagon:wagon-ftp:jar:1.0-beta-6
2) org.codehaus.plexus:plexus-utils:jar:1.1

I downloaded the Jars and installed them, but I the build always fail
for the same reason.

On Wed, Aug 21, 2013 at 9:50 AM, Firas Al Khalil
<firasalkhalil@anonymised.com> wrote:

Ok, I will take a look at it now.

Thanks

On Wed, Aug 21, 2013 at 9:44 AM, Andrea Aime
<andrea.aime@anonymised.com> wrote:

On Wed, Aug 21, 2013 at 9:37 PM, Firas Al Khalil <firasalkhalil@anonymised.com>
wrote:

By the way, I do have a prototype of the extension based on the
reference OrBAC implementation [http://motorbac.sourceforge.net/\] (It
has been a year since I last worked on it, and it's not anything near
production quality, as always we were doing prototypes).

Now all I need to do is to "plug it" in GeoServer.

Mind one thing, all the code implementing ResourceAccessManager (the
interface
that one needs to implement to talk to the geoserver own security subsystem)
is going to be GPL licensed, since that's the license of that interface

Cheers
Andrea

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com

On Thu, Aug 22, 2013 at 2:46 AM, Firas Al Khalil <firasalkhalil@anonymised.com>wrote:

Hi Andrea,

I cloned geofence and I was trying to build (HEAD, using mvn 2) it but it
fails

Missing:
----------
1) org.apache.maven.wagon:wagon-ftp:jar:1.0-beta-6
2) org.codehaus.plexus:plexus-utils:jar:1.1

I downloaded the Jars and installed them, but I the build always fail
for the same reason.

Not sure, but I believe we're building everything with Maven 3 these days.
I've cc'ed Emanuele, he might know more about this issue

Cheers
Andera

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

I tried with Maven 2 and 3 ... but the docs say that I should use Maven 2.

Anyway, I think I may be going with the Proxy solution
[http://demo.geo-solutions.it/share/securing_geoserver.pdf\] since the
initial objective
is to make a prototype.

I will try to understand the security mechanism of geoserver and if I
was able to come up with a solution I will contact you. Maybe I could
write a tutorial about it and ask for a community module.

I'll keep you posted.

On Thu, Aug 22, 2013 at 2:16 AM, Andrea Aime
<andrea.aime@anonymised.com> wrote:

On Thu, Aug 22, 2013 at 2:46 AM, Firas Al Khalil <firasalkhalil@anonymised.com>
wrote:

Hi Andrea,

I cloned geofence and I was trying to build (HEAD, using mvn 2) it but it
fails

Missing:
----------
1) org.apache.maven.wagon:wagon-ftp:jar:1.0-beta-6
2) org.codehaus.plexus:plexus-utils:jar:1.1

I downloaded the Jars and installed them, but I the build always fail
for the same reason.

Not sure, but I believe we're building everything with Maven 3 these days.
I've cc'ed Emanuele, he might know more about this issue

Cheers
Andera

--

Our support, Your Success! Visit http://opensdi.geo-solutions.it for more
information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------

--
Firas Al Khalil
Ph.D. Candidate in Computer Science
GePaSUD Laboratory
University of French Polynesia
Tahiti, French Polynesia
Tel: +689 836 532 (GMT -10)
Mobile: +689 273 196 (GMT -10)
email: firasalkhalil@anonymised.com