Research and development activities in SOA security have produced a large number of specifications as well as free and commercial tools for equipping SOA-based applications with security. In commercial SOA-based applications, security measures are taken on a case-by-case and usually requirement-driven basis, mirroring the way the individual services and messages themselves are specified and implemented. OASIS has undertaken major efforts to standardise web service security at the message level; these standards support the design and implementation of each individual solution but leave an abundance of choices to the developer.
In environmental information systems the situation is slightly different and in a way less complex, because SOA-based solutions in the environmental sector need to rely on generic standard services, in many cases OGC services. The existence of such standard services in the geospatial sector drives the requirement for security approaches that are equally interoperable, that work in conjunction with all standard services, and that do not rely on individual design decisions that could nullify the measures taken to overcome system heterogeneity. Since security is in most cases orthogonal to the geospatial context, OGC's activities are mostly restricted to geospatial extensions of existing solutions. What is missing is a general architectural approach for security-enabling OGC and related web services in a non-proprietary way. The work presented here covers the access control aspects of this problem in the context of spatial data infrastructures (SDIs).
The volume of existing security- and access control-related specifications, approaches and architectural patterns is immense. In terms of standards, both OASIS and W3C need to be mentioned. In OASIS, WS-Security (OASIS 2006), WS-Trust (OASIS 2007), SAML (OASIS 2003) and XACML (OASIS 2005) are prominent. In W3C, the Web Services Policy Framework (WS-Policy 2006) provides a general-purpose model and syntax to describe and communicate the policies of a Web service. The WS-I Basic Security Profile (BSP), backed by a number of major companies, is a guide for building secure, interoperable Web services. In OGC, GeoXACML (OGC 2007) defines spatial data types and spatial authorization decision functions that can be used to express additional spatial constraints in XACML-based policies, and GEO-RM (OGC 2006) aims at digital rights enforcement for spatial resources. Many of the sources mentioned above include proposals for architectural patterns, such as the Gatekeeper metaphor (GEO-RM), the abstract interaction pattern of XACML (OASIS 2005), which is the basis of the presented work, the GDI-NRW pattern for securing OGC-based services (GDI NRW 2002) or the ORCHESTRA UAA services (ORCHESTRA). Most solutions share an architectural pattern similar to the following figure.

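As an added illustration (not code from the original paper nor from any of the cited specifications), the following Python sketch shows the interaction pattern the cited standards share: a policy enforcement point (PEP) in front of an OGC service turns an incoming WFS GetFeature request into a decision request, a policy decision point (PDP) evaluates XACML-style rules with the deny-overrides combining algorithm, and one of the rules carries a GeoXACML-style spatial condition. The rule model, the axis-aligned bounding-box geometries, the two spatial functions, the roles `public` and `staff`, and all URLs and coordinates are constructed for this example; real GeoXACML policies use the XACML XML encoding and GML geometries with OGC topological predicates, which this simplified model does not reproduce.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Axis-aligned bounding box (minx, miny, maxx, maxy). Assumption for this example:
# every box is expressed in the same CRS, so no reprojection is needed.
BBox = Tuple[float, float, float, float]


def bbox_within(inner: BBox, outer: BBox) -> bool:
    """Spatial decision function: True if `inner` lies entirely inside `outer`."""
    return (inner[0] >= outer[0] and inner[1] >= outer[1]
            and inner[2] <= outer[2] and inner[3] <= outer[3])


def bbox_intersects(a: BBox, b: BBox) -> bool:
    """Spatial decision function: True if the two boxes share any area."""
    return not (a[2] < b[0] or b[2] < a[0] or a[3] < b[1] or b[3] < a[1])


@dataclass
class Rule:
    """One XACML-style rule: a target on subject/resource/action attributes,
    an optional spatial condition on the request's bbox, and an effect."""
    effect: str                      # "Permit" or "Deny"
    role: Optional[str] = None       # subject attribute; None matches any role
    service: Optional[str] = None    # resource attribute (OGC service type)
    action: Optional[str] = None     # action attribute (OGC request name)
    condition: Optional[Tuple[Callable[[BBox, BBox], bool], BBox]] = None

    def evaluate(self, ctx: dict) -> str:
        for attr in ("role", "service", "action"):
            wanted = getattr(self, attr)
            if wanted is not None and ctx.get(attr) != wanted:
                return "NotApplicable"
        if self.condition is not None:
            func, geometry = self.condition
            # A request without a spatial attribute cannot satisfy a spatial condition.
            if "bbox" not in ctx or not func(ctx["bbox"], geometry):
                return "NotApplicable"
        return self.effect


class PDP:
    """Policy Decision Point using XACML's deny-overrides combining algorithm."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, ctx: dict) -> str:
        results = [rule.evaluate(ctx) for rule in self.rules]
        if "Deny" in results:
            return "Deny"
        return "Permit" if "Permit" in results else "NotApplicable"


def parse_bbox(value: str) -> BBox:
    """Parse a KVP BBOX parameter; a fifth token (a CRS name in some OGC request
    encodings) is accepted and ignored under the single-CRS assumption above."""
    tokens = value.split(",")
    if len(tokens) not in (4, 5):
        raise ValueError("malformed BBOX")
    minx, miny, maxx, maxy = (float(t) for t in tokens[:4])
    if minx > maxx or miny > maxy:
        raise ValueError("malformed BBOX")
    return (minx, miny, maxx, maxy)


class PEP:
    """Policy Enforcement Point in front of an OGC service: maps the KVP request to a
    decision context, asks the PDP and fails closed on anything but an explicit Permit."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def authorize(self, role: str, url: str) -> str:
        params = {k.upper(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        ctx = {"role": role,
               "service": params.get("SERVICE", "").upper(),
               "action": params.get("REQUEST", "")}
        if "BBOX" in params:
            try:
                ctx["bbox"] = parse_bbox(params["BBOX"])
            except ValueError:
                return "Deny"   # a malformed spatial attribute must not bypass the constraint
        return "Permit" if self.pdp.decide(ctx) == "Permit" else "Deny"


# Constructed sample geometries and policy (not taken from any real SDI).
PUBLIC_AREA: BBox = (5.0, 47.0, 15.0, 55.0)      # public users may only query inside this box
RESTRICTED_AREA: BBox = (8.0, 50.0, 9.0, 51.0)   # nobody may query data overlapping this box


def build_pep() -> PEP:
    return PEP(PDP([
        Rule("Permit", role="public", service="WFS", action="GetFeature",
             condition=(bbox_within, PUBLIC_AREA)),
        Rule("Permit", role="staff", service="WFS", action="GetFeature"),
        Rule("Deny", condition=(bbox_intersects, RESTRICTED_AREA)),
    ]))


def authorize(role: str, url: str) -> str:
    """Decision for one role and one WFS request URL."""
    return build_pep().authorize(role, url)


if __name__ == "__main__":
    base = "http://example.org/wfs?SERVICE=WFS&REQUEST=GetFeature&TYPENAME=rivers"
    for role, bbox in (("public", "6,48,7,49"), ("public", "2,48,7,49"),
                       ("staff", "7.5,49.5,8.5,50.5"), ("public", None)):
        print(role, bbox, "->", authorize(role, base + (f"&BBOX={bbox}" if bbox else "")))
```

Two design points matter for an SDI deployment. The PEP fails closed: a missing or malformed BBOX, a NotApplicable decision or an unknown request type all end in Deny, so a public client cannot escape the spatial constraint by simply omitting the spatial attribute. And the deny-overrides combining algorithm lets the restricted-zone rule win over the unconditional Permit for staff, which is how a spatial constraint is added on top of an existing attribute-based policy without rewriting its other rules.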
The current state of the art with respect to SDIs is that there is no general specification of SAC at the service level. There are numerous specifications and standards for individual pieces of the problem, in particular for the encoding of messages, policies and rights, but no standard specification of SAC services exists. As a consequence, SAC is implemented for each individual case in an individual fashion or, even worse, through proprietary extensions, which contradicts the notion of a standard. This situation is not acceptable in the context of large SDIs such as INSPIRE.
Therefore, the aim of the work presented here was to close this gap and to develop a generic and flexible access control architecture for service networks in the context of SDIs. It provides a solution that can serve as the foundation for most other security concepts and adjacent topics such as protection against malicious system interaction, licensing and digital rights management. It tries to overcome the deficiencies of existing solutions and, where necessary, fills gaps by fulfilling a set of additional requirements.