Demonstrator of XML Security Services for BioCASE
Primarily for test purposes, we developed an example scenario covering all essential functionality of the XML Security Services. An enhanced version of this scenario was developed in conjunction with the software components and is now online for demonstration.
The demonstrator consists of a BioCASE provider offering data from the test databases (training and pontaurus) of the original BioCASE software distribution, and the main component of the XML Security Services, the Policy Enforcement Point (PEP). The PEP may be used with a web browser as well as with the Client-API classes. For comparison, the original BioCASE provider can also be reached without the PEP.
Access Control Policies
The role-based XACML access control policies correspond to those described in the example scenario of the software documentation. There, the following roles and users were specified:
| User | Role(s) |
|---|---|
| Nobody, not authenticated user | Guest |
| Client | Client, TrustedClient |
| Expert | Expert |
The roles described in the subsequent sections were generated by executing the script provider-setup, which uses the RoleManager component.
The Role Guest
The role Guest describes the default role with minimal access rights. This role has access only to those elements marked as obligatory in the XML schema of the ABCD standards V1.20 and V2.06:
ABCD V1.20
- /DataSets
- /DataSets/DataSet
- /DataSets/DataSet/OriginalSource
- /DataSets/DataSet/OriginalSource/SourceInstitutionCode
- /DataSets/DataSet/OriginalSource/SourceName
- /DataSets/DataSet/OriginalSource/SourceLastUpdatedDate
- /DataSets/DataSet/DatasetDerivations
- /DataSets/DataSet/DatasetDerivations/DatasetDerivation
- /DataSets/DataSet/DatasetDerivations/DatasetDerivation/DateSupplied
- /DataSets/DataSet/DatasetDerivations/DatasetDerivation/Supplier
- /DataSets/DataSet/Units
- /DataSets/DataSet/Units/Unit
- /DataSets/DataSet/Units/Unit/UnitID
ABCD V2.06
- /DataSets
- /DataSets/DataSet
- /DataSets/DataSet/TechnicalContacts
- /DataSets/DataSet/TechnicalContacts/TechnicalContact/
- /DataSets/DataSet/TechnicalContacts/TechnicalContact/Name
- /DataSets/DataSet/ContentContacts
- /DataSets/DataSet/ContentContacts/ContentContact/
- /DataSets/DataSet/ContentContacts/ContentContact/Name
- /DataSets/DataSet/MetaData
- /DataSets/DataSet/MetaData/Description/
- /DataSets/DataSet/MetaData/Description/Representation/
- /DataSets/DataSet/MetaData/Description/Representation/Title
- /DataSets/DataSet/MetaData/RevisionData/
- /DataSets/DataSet/MetaData/RevisionData/DateModified
- /DataSets/DataSet/Units
- /DataSets/DataSet/Units/Unit/
- /DataSets/DataSet/Units/Unit/SourceInstitutionID
- /DataSets/DataSet/Units/Unit/SourceID
- /DataSets/DataSet/Units/Unit/UnitID
Furthermore, the role Guest may request no more than five query results.
The Role Client
The role Client has access to all elements of a content document, except the following elements and their subelements of the ABCD standards V1.20 and V2.06, respectively:
ABCD V1.20
- DataSets/DataSet/Units/Unit/UnitDigitalImages
- DataSets/DataSet/Units/Unit/Gathering/GatheringSite
ABCD V2.06
- /DataSets/DataSet/Units/Unit/MultiMediaObjects
- /DataSets/DataSet/Units/Unit/Gathering/SiteCoordinateSets
- /DataSets/DataSet/Units/Unit/Gathering/SiteImages
These elements contain information regarding geographic locations and images of biodiversity objects.
Furthermore, the role Guest may request no more than 100 query results.
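The effect of the Guest and Client rules on a response can be sketched as follows. This is an added illustration, not code from the XML Security Services, whose PEP evaluates XACML policies; it assumes elements are matched by their namespace-free path and runs on a constructed, simplified document.

```python
import xml.etree.ElementTree as ET

D = "/DataSets/DataSet"
# Guest: allow-list of the obligatory ABCD V2.06 elements listed above.
GUEST_ALLOW = {"/DataSets", D} | {D + s for s in """
/TechnicalContacts /TechnicalContacts/TechnicalContact /TechnicalContacts/TechnicalContact/Name
/ContentContacts /ContentContacts/ContentContact /ContentContacts/ContentContact/Name
/MetaData /MetaData/Description /MetaData/Description/Representation
/MetaData/Description/Representation/Title /MetaData/RevisionData /MetaData/RevisionData/DateModified
/Units /Units/Unit /Units/Unit/SourceInstitutionID /Units/Unit/SourceID /Units/Unit/UnitID
""".split()}
# Client: everything except these ABCD V2.06 subtrees.
CLIENT_DENY = {D + "/Units/Unit" + s for s in (
    "/MultiMediaObjects", "/Gathering/SiteCoordinateSets", "/Gathering/SiteImages")}

def local(tag):  # strip the '{namespace}' prefix ElementTree puts on tags
    return tag.rsplit("}", 1)[-1]

def keep_rule(role):
    """Predicate path -> bool; any role other than Expert or Client gets Guest."""
    rules = {"Expert": lambda p: True, "Client": lambda p: p not in CLIENT_DENY}
    return rules.get(role, lambda p: p in GUEST_ALLOW)

def prune(elem, path, keep, kept):
    """Remove forbidden children with their subtrees; record surviving paths."""
    kept.append(path)
    for child in list(elem):
        child_path = f"{path}/{local(child.tag)}"
        if keep(child_path):
            prune(child, child_path, keep, kept)
        else:
            elem.remove(child)

def filter_for_role(xml_text, role):
    """Return (filtered root element, list of element paths left in it)."""
    root = ET.fromstring(xml_text)  # constructed input; harden the parser for untrusted XML
    root_path, keep, kept = "/" + local(root.tag), keep_rule(role), []
    if not keep(root_path):
        return None, kept
    prune(root, root_path, keep, kept)
    return root, kept

# Constructed, simplified sample: not schema-valid ABCD, placeholder namespace.
SAMPLE = """<a:DataSets xmlns:a="urn:example:abcd"><a:DataSet><a:Units><a:Unit>
<a:UnitID>T-1</a:UnitID><a:MultiMediaObjects>sheet-1.jpg</a:MultiMediaObjects>
<a:Gathering><a:LocalityText>Berlin</a:LocalityText>
<a:SiteCoordinateSets>52.45 13.29</a:SiteCoordinateSets></a:Gathering>
</a:Unit></a:Units></a:DataSet></a:DataSets>"""
```

Because the Guest rule is an allow-list and the fallback for unrecognised roles, an element missing from the policy or a misspelled role name yields less data, never more.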
The Role TrustedClient
The role TrustedClient represents a predefined system role, which the provider may assign to users it considers trustworthy enough to perform user authentication on its behalf. This way, the client may additionally send the certificate of the authenticated user to the provider's PEP. This role can be used with the Client-API only, to realise some kind of Single-Sign-On (SSO) authentication.
The Role Expert
The role Expert has no constraints and has access to all elements. In addition, the PEP signs all subsequently listed elements and their subelements of the returned content document on behalf of the provider:
ABCD V1.20
- /DataSets/DataSet/OriginalSource/Source
- /DataSets/DataSet/DatasetDerivations/DatasetDerivation/DateSupplied
- /DataSets/DataSet/DatasetDerivations/DatasetDerivation/Supplier
- /DataSets/DataSet/Units/Unit/UnitID
ABCD V2.06
- /DataSets/DataSet/Metadata
- /DataSets/DataSet/Units
Authentication
The user authentication is processed using X.509 certificates. Therefore, the corresponding key and certificate files should be installed in the web browser or must be configured with the Client-API according to the description in the software documentation.
The following PKCS#12 files contain the private key and the certificate of the corresponding user. The password of each private key equals the corresponding user name.
To verify the certificate chain of the provider's certificate, the certificates of the provider, the root certificate of the issuing, fictitious Certification Authority (CA) and its Server Registration Authority (Server CA) may be installed in the web browser or stored in the trust store of the Client-API.
Installation of Certificates
We provide installation descriptions for the following browsers:
- Firefox
- Internet Explorer
You can also install all available key files in your web browser. During the installation process, a dialog opens in which you can configure the related behaviour of the web browser. You should choose to be asked which certificate to use during the browser session. This way, you can experiment with the effects of all available roles.
The Demonstrator
After having successfully installed the key and certificates, we can start to experiment with the demonstrator's example scenario. The demonstrator should be reachable using the following URIs:
- Demonstrator with XML Security Services
- Provider without XML Security Services
To begin with, the most interesting way to start is to use the Query-Tool. Select the database training and, on the following page, enter the pattern ger* into the Country field. Then, you may choose any of the three results on the following page. They all contain locality information as well as images. Both types of information should be accessible when you are authenticated as expert, but not when you are authenticated as client.
Note: If you did not install a certificate or if you are authenticated as user nobody, you should select the entry UnitID in the selection box Group result by on the page Start>QueryTool>QueryForm in order to get results. This is required because, with the minimal access rights defined in the access control policies for the role guest, you only have access to the UnitID of any entry.
For advanced users, the page Utilities » PyWrapper QueryForms offers the possibility to enter BioCASE requests directly. Besides the usage of the Client-API, this is the only way to see signed provider responses if you are authenticated as Expert.
In the End
If you have any problems, questions, discussions or suggestions concerning the example scenario or our implementation of the XML Security Services, or if you discover any error or simply would like to compliment the work, please contact me immediately by mail: suhrbier@inf.fu-berlin.de
Have fun,
Lutz Suhrbier