Zum Inhalt
Zum Navigation

Networked Information Systems - Security AreaHome of Networked Information Systems
Home > Projects > XML Security Services > Demonstrator (deutsche Version)

Demonstrator of XMLSecurity Services for BioCASE

Primarily for test purposes, we developed an example scenario covering all essential functionality of the XML Security Services. An enhanced version of this scenario was developed in conjunction with the software components and is now online for demonstration.
The demonstrator consists of a BioCASE provider offering data from the test databases (training and pontaurus) of the original BioCASE software distribution, and the main component of the XML Security Services, the Policy Enforcement Point (PEP). The PEP may be used with a web browser as well as with the Client-API classes. For comparison, the original BioCASE provider may be reached without the PEP also. 

Access Control Policies

The role based XACML access control policies correspond to those described in the example scenario of the software documentation. There, the following roles and users were specified:
User Role(s)
Nobody,not authenticated user Guest
Client Client, TrustedClient
Expert Expert

The roles described in the subsequent sections have been generated executing the script provider-setup, which uses the RoleManager component.

The Role Guest

The role Guestdescribes the default role with minimal access rights. This role has only access to those elements elements marked as obligatory in the XML-schema of the ABCD-standards V1.20 and V2.06:

ABCD V1.20
ABCD V2.06 Furthermore, the role Guest may request no more than five query results.

The Role Client

The role Clienthas access to all elements of a content document, except the following elements and their subelements of the ABCD standards V1.20 bzw. V2.06:
ABCD V1.20
ABCD V2.06
 These elements contain information regarding geographic locations and images of biodiversity objects.
Furthermore, the role Guest may request no more than 100 query results.

The Role TrustedClient

The role TrustedClientrepresents a predefined system role, which may be assigned by the provider to users appearing trustworthy enough to the provider to proceed user authenticatication on behalf of the provider. This way, the client may send the certificate of the authenticated user to the provider's PEP additionally. This role can be used with the Client-API only to realise some kind of Single-Sign-On (SSO) authentication.

The Role Expert

The role Expert has no constraints and has access to all elements. In addition, the PEP signs all subsequently listed elements and their subelements of the returned content document on behalf of the provider keinerlei Einschränkungen. 
ABCD V1.20
ABCD V2.06

Authentication

The user authentication is processed using X.509 certifcates. Therefore relating key and certificate files should be installed in the web browser or must be configured with the Client-API according to the description in the software documentation. The following PKCS#12-files contain the private key and the certificate of the corresponding user. The passwords of the private keys equal to the corresponding user name.
Key File Password
Nobody nobody
Client client
Expert expert

To verify the certificate chain of the provider's certificate the certificates of the provider,  the root certificate of the issuing, fictitious Certification Authority (CA)  and its Server Registration Authority (Server CA) may be installed in the web browser or stored in the trust store of the Client-API.

Installation of Certificates

We provide installation description for the following browsers:
Firefox
Internet Explorer

Also, you can install all available key files within your web browser. During the installation process opens a dialog, where you can configure the related behaviour of the web browser. You should select, that you want to be select the certificate to use during the browser session. So, you can experiment the effects of all available roles. 

The Demonstrator

After having successfully installed the key and certificates, we can start to experiment with the demonstrator's example scenario. The demonstrator should be connectable using the following URIs:
Demonstrator with XML Security Services
Provider without XML Security Services

For the beginning, the most interesting way to start would be the usage of the Query-Tool. Select the database training and enter on the following page the pattern  ger* into the Country field.  Then, you may choose any of the three results on the following page. They all contain locality information as well as images. Both information type should be accessible when you authenticated as expert, but not if you were authenticated as client.
Note:
If you omit to install a certicate or if you authenticated as user nobody, you should select the entry UnitID on the page's Start>QueryTool>QueryForm selection box Group result by in order to get results. This is required, because with minmal access rights defined in the access control policies for the role guest, you have only access the UnitID of any entry.

For advanced users the page Utilities » PyWrapper QueryFormsoffers the possibility to enter BioCASE requests directly. Beside the usage of the Client-API, this is the only to see signed provider responses if you are authenticated as Expert .

In the End

If you have any problems, questions, discussions or suggestions concerning the example scenario or our implementation of the XML Security Services, or if you discover any error or simply would like to compliment for the work, please contact me immediately by mail: suhrbier@inf.fu-berlin.de

Have fun,
Lutz Suhrbier

News

XML Security Services : Demonstrator online.

2006-08-21
© 2006 Freie Universität Berlin | Feedback |
Last update: 2006-08-30