Access control for geospatial information objects
using/extending the eXtensible Access Control Markup Language
Andreas Matheus, Technische Universität München
Munich, Germany

How does it fit into DRM?
- DRM is about licensed use of an existing content
  - Content provider encrypts the content
  - User can use the content on- or offline
  - User requires the decryption key, whose distribution is controlled by the provider according to the user's license
- Information based access control
  - Regulates the creation/use of a content in the first place
  - Handles decryption key distribution, based on the information of an existing content

Motivation: Restrict the use of geospatial features
- Based on the features accessed
  - For Write, Delete and Create access, constraints must be enforced for the service input
  - For Read access, constraints must be enforced for the service output
- Based on the spatial characteristics of the features (spatial features)
  - Location (where is that feature)
  - Geometry (which extent does the feature have)

XACML based infrastructure
[Figure: infrastructure diagram. Labels: Client 1 / Subject 1 … Client m / Subject m; Internet; SOAP communication, XML/GML encoded message; Web Service 1, e.g. WFS, WMS; Policy Enforcement Point (PEP); Policy Decision Point (PDP); decision; request; policy repository; repository of spatial features; SQL; restricted access; unrestricted access.]

Functions of the PEP and PDP
- Policy Enforcement Point
  - Provide Web Service interfaces
  - Analyze the service request/response
  - Isolate information from the request/response: User, Operation and Resource
  - Form a decision request message, including the request content, to be sent to the PDP
  - Accept or reject the service invocation request based on the response of the PDP
- Policy Decision Point
  - Has access to the policies in the policy repository
  - Accept decision requests from the PEP and return Deny, Permit, NotApplicable or Indeterminate

Associating access restrictions to features and feature types
- A type-based restriction is linked to a feature type; it is to be enforced for all instances of that type
- An instance-based restriction is linked to an individual feature; it is to be enforced for this feature only
- Examples
  - Type-based restriction: Bob can read and write features of type BuildingType
  - Instance-based restriction: Bob can not write the feature 'The White House'

The decision request message
- The decision request from the PEP to the PDP contains
  - an XML encoding of the resources that the subject wants to access (ResourceContent element) and
  - the subject identity, the requested operation (R, W, C, D)
- PDP returns access decision based on the policies from the policy repository, the information from the decision request and optional environmental information

The ResourceContent element
- This element of the decision request is filled by the PEP
- It contains the resources the subject wants to access
- The information is critical, because mis-structuring can cause the PDP to return a wrong decision
- The XML encoded information held by the ResourceContent must be valid
  - Schema defines the feature types and defines the structure of the feature instances

An example result of a WFS
```xml
<?xml version="1.0" encoding="UTF-8"?>
<FeatureCollection fid="collection1" … >
  <gml:boundedBy>
    <gml:Box gid="box1" srsName="foo">
      <gml:coord><gml:X>0</gml:X><gml:Y>0</gml:Y></gml:coord>
      <gml:coord><gml:X>4</gml:X><gml:Y>4</gml:Y></gml:coord>
    </gml:Box>
  </gml:boundedBy>
  <gml:featureMember>
    <Building xsi:type="BuildingType" fid="B1">
      <Name>The White House</Name>
      <Location srsName="foo">
        <gml:coord><gml:X>1</gml:X><gml:Y>0</gml:Y></gml:coord>
      </Location>
    </Building>
  </gml:featureMember>
  <Name>An example feature collection</Name>
</FeatureCollection>
```

A decision request example
```xml
<Request xmlns="urn:oasis:names:tc:xacml:1.0:context"
         xmlns:gml="http://www.opengis.org/gml"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:context
                             cs-xacml-schema-context-01.xsd">
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>Bob</AttributeValue>
    </Attribute>
  </Subject>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
…
```

A decision request example
```xml
…
  <Resource>
    <ResourceContent>
      <FeatureCollection fid="collection1" … >
        <gml:boundedBy>
          <gml:Box gid="box1" srsName="foo">
            <gml:coord><gml:X>0</gml:X><gml:Y>0</gml:Y></gml:coord>
            <gml:coord><gml:X>4</gml:X><gml:Y>4</gml:Y></gml:coord>
          </gml:Box>
        </gml:boundedBy>
        <gml:featureMember>
          <Building xsi:type="BuildingType" fid="B1">
            <Name>The White House</Name>
            <Location srsName="foo">
              <gml:coord><gml:X>1</gml:X><gml:Y>0</gml:Y></gml:coord>
            </Location>
          </Building>
        </gml:featureMember>
        <Name>An example city model</Name>
      </FeatureCollection>
    </ResourceContent>
…
```

A decision request example
```xml
…
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://mySchema#CityModel</AttributeValue>
    </Attribute>
  </Resource>
</Request>
```

Example policies based on XPath
- Type-based example
```
<Bob, Read +, //FeatureCollection/gml:featureMember/Building>
<Bob, Write +, //FeatureCollection/gml:featureMember/Building>
```
- Instance-based example
```
<Bob, Write -, //FeatureCollection/gml:featureMember/Building/Name/text()='The White House'>
```

Inconsistency
- Two or more policies match for the same resources (features) but declare inverse access restrictions
- For the previous example
  - Bob can write Building 'The White House' from the type-based policy
  - Bob can not write the Building 'The White House' from the instance-based policy
- Is it an inconsistency or intended exceptional restriction?

Inconsistency
- If these restrictions are declared in independent policies, it's probably an inconsistency
- If these restrictions are declared in a linked fashion, it's probably an intended situation
  - Type-based restriction represents the general case
  - Instance-based restriction represents the specific case
- Quintessence: A mechanism must be in place that deals with this

How to deal with NotApplicable and Indeterminate decisions?
- Policies express explicit restrictions/allowances
- Requests not matching the explicit policies result in a PDP NotApplicable result
- How shall the PEP treat these decisions?
  - Minimum allowed: Deny the request
  - Maximum allowed: Permit the request
- It must be certain that a NotApplicable decision is always meant to be Permit or Deny, but never both
- Indeterminate is always handled as a Deny
- The PEP may return extra information to the user about what went wrong
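
The type-based and instance-based tuples from the policy slides, evaluated by a small PDP and enforced by a PEP with the NotApplicable and Indeterminate handling listed above; this is an added example, not part of the original slides. It assumes deny-overrides as the mechanism for the linked general/specific case, a second building 'Town Hall' constructed for contrast, and the hypothetical names `pdp_decide`, `pep_enforce` and `not_applicable_means`.

```python
import xml.etree.ElementTree as ET

NS = {"gml": "http://www.opengis.org/gml"}

# Constructed ResourceContent, cut down from the slide's feature collection.
RESOURCE_CONTENT = """<FeatureCollection xmlns:gml="http://www.opengis.org/gml">
  <gml:featureMember><Building fid="B1"><Name>The White House</Name></Building></gml:featureMember>
  <gml:featureMember><Building fid="B2"><Name>Town Hall</Name></Building></gml:featureMember>
</FeatureCollection>"""

# (subject, operation, effect, path) tuples from the slides. Paths are relative
# to the FeatureCollection root; the instance-based one uses a predicate so
# that it selects the Building element itself.
POLICIES = [
    ("Bob", "read", "+", "gml:featureMember/Building"),
    ("Bob", "write", "+", "gml:featureMember/Building"),
    ("Bob", "write", "-", "gml:featureMember/Building[Name='The White House']"),
]

def pdp_decide(subject, operation, feature, root):
    """Combine every policy whose path selects this feature (deny-overrides)."""
    effects = set()
    try:
        for subj, op, effect, path in POLICIES:
            if (subj, op) != (subject, operation):
                continue
            if any(node is feature for node in root.findall(path, NS)):
                effects.add(effect)
    except SyntaxError:  # ElementTree rejects a malformed path
        return "Indeterminate"
    if "-" in effects:
        return "Deny"
    return "Permit" if "+" in effects else "NotApplicable"

def pep_enforce(subject, operation, xml_text, not_applicable_means="Deny"):
    """Return {fid: allowed} for each Building in the ResourceContent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}  # unparsable ResourceContent: nothing is released
    allowed = {}
    for feature in root.findall("gml:featureMember/Building", NS):
        decision = pdp_decide(subject, operation, feature, root)
        if decision == "NotApplicable":  # one fixed meaning per deployment
            decision = not_applicable_means
        allowed[feature.get("fid")] = decision == "Permit"  # Indeterminate -> False
    return allowed
```

With these policies Bob may write 'Town Hall' but not 'The White House', and a subject with no matching policy gets whatever the single `not_applicable_means` setting says for every feature.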

Spatial access restrictions
- Feature based restrictions give the ability
- Spatial access restrictions can be applied to an area, the restriction area
  - primitive area with no holes
  - complex area with holes
- Applicable to spatial features in the resource content, based on their location geometry
- Policy must link an area with spatial property

Extending the access control triplet
<Subject, Operation, Object, Condition>
- Subject, Operation as usual
- Object = XPath to the XML elements (spatial features)
- Condition = Boolean expression using spatial relation functions
  - Within
  - Intersects
  - Outside
  - Touches
  - Equals
  - etc.

Spatial restriction example
- Spatial example: Bob can read all spatial features of type BuildingType that reside inside the 'RestrictedArea'
```
<Bob, Read +, //FeatureCollection/gml:featureMember/Building,
 Within(//FeatureCollection/gml:featureMember/Building/Location, RestrictedArea)>
```
```xml
<Polygon gid="RestrictedArea" srsName="foo">
  <outerBoundaryIs><LinearRing>
    <coordinates>0,0 0,2 2,2 2,0 0,0</coordinates>
  </LinearRing></outerBoundaryIs>
</Polygon>
```
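
An added example (not from the original slides) of the Within condition evaluated against the slide's RestrictedArea polygon, using the interior/boundary/exterior distinction of the OGC spatial relations that JTS implements. It covers point locations and hole-free polygons only, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# The slide's restriction area and the Location of 'The White House'.
RESTRICTED_AREA = """<Polygon gid="RestrictedArea" srsName="foo">
  <outerBoundaryIs><LinearRing>
    <coordinates>0,0 0,2 2,2 2,0 0,0</coordinates>
  </LinearRing></outerBoundaryIs></Polygon>"""
WHITE_HOUSE = (1.0, 0.0)

def parse_ring(polygon_xml):
    """Return the outer ring of the polygon as a list of (x, y) floats."""
    root = ET.fromstring(polygon_xml)
    text = root.findtext("outerBoundaryIs/LinearRing/coordinates")
    ring = [tuple(float(v) for v in pair.split(",")) for pair in text.split()]
    if len(ring) < 4 or ring[0] != ring[-1]:
        raise ValueError("LinearRing must be closed with at least 4 coordinates")
    return ring

def locate(point, ring):
    """Classify a point as 'interior', 'boundary' or 'exterior' of the ring."""
    x, y = point
    inside = False
    for (x1, y1), (x2, y2) in zip(ring, ring[1:]):
        # Exact collinearity test; adequate for the slide's small coordinates.
        cross = (x2 - x1) * (y - y1) - (y2 - y1) * (x - x1)
        if (cross == 0 and min(x1, x2) <= x <= max(x1, x2)
                and min(y1, y2) <= y <= max(y1, y2)):
            return "boundary"
        # Ray casting: toggle for each edge crossed by a ray towards +x.
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return "interior" if inside else "exterior"

def within(point, ring):
    """True only if the point lies in the interior; the boundary is excluded."""
    return locate(point, ring) == "interior"

def touches(point, ring):
    return locate(point, ring) == "boundary"

def intersects(point, ring):
    return locate(point, ring) != "exterior"
```

The building at (1,0) from the WFS example lies on the polygon's boundary, so `within` is false for it while `touches` and `intersects` are true; a Read + policy written with Within therefore does not apply to it and the outcome falls to the NotApplicable handling.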

Spatial policies and XACML
- XACML does not provide the required language constructs => GeoXACML
- GeoXACML requirements
  - geometry types based on
    - gml:Point
    - gml:Polygon
    - gml:Box
  - functions for checking spatial relation based on Java Topology Suite (JTS)
    - Equals, Disjoint, Intersects, Touches, Crosses, Within, Contains, Overlaps
  - Combination algorithm that takes care of specific spatial situations

Spatial inconsistency
- Spatial restriction examples
  - Bob can read and write spatial features located inside restricted area 1
  - Bob can not write spatial features located inside restricted area 2
- How to encode this? Meta information required
  - Two independent policies: inconsistency
  - Two linked policies: intended situation
- Quintessence: Deal with spatial inconsistencies

[Figure: coordinate labels (0,0), (1,1), (3,3), (2,2)]

Upcoming work in this field of research
- Implement the GeoXACML extensions
  - Geospatial attributes
  - Spatial relation functions
  - Combination algorithms
- Prepare a set of XACML policies
  - Type-based policies
  - Instance-based policies
  - Spatial policies
- Run test requests on the set of policies
  - Produce lessons learned
  - Produce guide

Conclusion
- Feature based restrictions give the ability to restrict access/use of a particular content
- Spatial based restrictions give the ability to restrict access/use of a particular content for a particular area
- XACML is a promising specification to be extended
- This type of restriction can be used for controlling
  - the creation of a feature based content
  - the distribution of decryption keys for DRM
The final slide
Thank you very much for your attention
Any feedback is desirable, please mail to [email protected]
Questions, please