AUTHENTICATION AND AUTHORIZATION MANAGEMENT TO OGC SERVICES WITH GEOSHIELD: IMPROVEMENTS FROM FOSS4G 2009
The use of OGC standards in public administration has to deal with the security of sensitive data. Today only a few options are available, and most of them are extremely complicated and not specific to geospatial services. Defining user authentication and privileges is essential when developing specific applications such as emergency response management systems.
For this reason we studied how OGC services could be secured and how filtered access for different groups and users could be realized. The result of these studies is the design and realization of GeoShield, a project born to offer a centralized way to define security access control for OGC services. Basically it acts like a proxy, intercepting all communication between clients and OGC-compliant services (WMS, WFS, WPS, SOS).
GeoShield is able to manage users and groups, and it handles authentication and privilege settings among groups and registered services. It is capable of analysing requests, applying the filters set for the user, and manipulating the response.
For example, when handling WMS security, with GeoShield we can:
define access privileges for each layer provided by the service,
specify whether a layer can be viewed or not,
define the geometrical extent of the view permission,
define permissions based on data attributes.
Currently all WMS and WFS privileges on single layers are based on Common Query Language (CQL) filters, which allow interesting combinations of permission definitions that operate in a way that is hidden from the end user.
Currently the GeoShield service is used in production environments to secure two applications for the Public Administration in Switzerland. The presentation will provide some considerations about current security issues in OGC standards and detailed information about the technical implementation, a performance report, and future enhancements of the GeoShield software.
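The CQL-based layer privileges described above can be sketched as follows. This is an added example, not GeoShield's code: it assumes an upstream WMS that honours a GeoServer-style CQL_FILTER vendor parameter, and the policy, group, layer and attribute names are constructed. It shows a proxy ANDing the group's rule into a GetMap request and rejecting client filters whose quotes or parentheses would break out of that wrapper.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed policy: group -> layer -> CQL rule; a layer missing from the map is denied.
POLICY = {
    "emergency": {"roads": "INCLUDE", "shelters": "INCLUDE"},
    "public": {"roads": "INCLUDE",
               "shelters": "status = 'open' AND BBOX(geom, 8.8, 45.8, 9.1, 46.1)"},
}

def split_filters(raw):
    """Split a client CQL_FILTER on ';' outside string literals, rejecting any
    part whose quotes or parentheses could escape the wrapper added later."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in raw + ";":
        if ch == "'":
            quoted = not quoted              # a doubled '' toggles twice
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' in client filter")
        elif not quoted and ch == ";":
            if depth:
                raise ValueError("unbalanced '(' in client filter")
            parts.append("".join(cur).strip() or "INCLUDE")
            cur = []
            continue
        cur.append(ch)
    if quoted:
        raise ValueError("unterminated string literal in client filter")
    return parts

def rewrite_getmap(query, group):
    """Return the query string to forward upstream, or raise on a denied request."""
    # Rebuilding from a dict also collapses duplicated parameters to one value.
    params = {k.upper(): v for k, v in parse_qsl(query, keep_blank_values=True)}
    if params.get("REQUEST", "").lower() != "getmap" or params.keys() & {"FILTER", "FEATUREID"}:
        raise PermissionError("request shape not handled by this sketch")
    layers = params.get("LAYERS", "").split(",")
    client = split_filters(params["CQL_FILTER"]) if "CQL_FILTER" in params else ["INCLUDE"] * len(layers)
    if len(client) != len(layers):
        raise ValueError("expected one client filter per layer")
    merged = []
    for layer, wanted in zip(layers, client):
        rule = POLICY.get(group, {}).get(layer)
        if rule is None:
            raise PermissionError(f"layer {layer!r} is not granted to group {group!r}")
        merged.append(f"({rule}) AND ({wanted})")   # policy is always ANDed in
    params["CQL_FILTER"] = ";".join(merged)
    return urlencode(params)
```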
Milan Antonovic - SUPSI
Massimiliano Cannata - SUPSI