Version 8 (modified by pjkersha, 11 years ago)



These are the NDG3 security activities. More generic NDG security activities can be found here.


October 1, 2008

The issue is that we need to link NDG security to the OWS client and server stacks (and ideally PyDAP too).

All these actions to be carried out by Phil in the Nov-Jan time frame.

This can be achieved in the server by using WSGI middleware that can be configured using (for example) a regular expression which identifies the resource identifier in any HTTP GET URLs (and presumably POST), and then makes a call out to the rest of the NDG security infrastructure. This middleware will be a policy enforcement point and could redirect for authentication and authorisation.

We need an NDG gatekeeper piece of code which can respond to requests matching user credentials to resource URIs to make policy decisions.
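The policy enforcement point and gatekeeper call-out described above, as an added example (not NDG code): WSGI middleware that matches the request path against a configured regular expression, redirects unauthenticated requests, and denies access unless the gatekeeper explicitly permits it. The class name, the `gatekeeper` callable, the `/login` URL, the `return_to` parameter, the use of `REMOTE_USER` and the sample policy are assumptions made for illustration.

```python
import re
from urllib.parse import quote

def reply(start_response, status, headers=()):
    start_response(status, [("Content-Type", "text/plain"), *headers])
    return [status.encode("ascii") + b"\n"]

class PolicyEnforcementPoint:
    """WSGI middleware enforcing access decisions on URLs matching a pattern."""
    def __init__(self, app, resource_pattern, gatekeeper, login_url):
        self.app = app
        self.pattern = re.compile(resource_pattern)  # needs a 'resource' group
        self.gatekeeper = gatekeeper  # hypothetical: (user, resource) -> bool
        self.login_url = login_url    # hypothetical authentication endpoint

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        match = self.pattern.fullmatch(path)
        if match is None:
            return self.app(environ, start_response)  # not a secured resource
        user = environ.get("REMOTE_USER")  # set by authentication middleware
        if not user:  # unauthenticated: redirect, keeping only a local return path
            target = f"{self.login_url}?return_to={quote(path, safe='')}"
            return reply(start_response, "302 Found", [("Location", target)])
        try:
            permitted = self.gatekeeper(user, match.group("resource")) is True
        except Exception:
            permitted = False  # fail closed if the decision call errors
        if not permitted:
            return reply(start_response, "403 Forbidden")
        return self.app(environ, start_response)

def probe(app, path, user=None):
    """Send a constructed GET through a WSGI app; return (status, headers)."""
    seen = {}
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    if user:
        environ["REMOTE_USER"] = user
    b"".join(app(environ, lambda s, h: seen.update(status=s, headers=dict(h))))
    return seen["status"], seen["headers"]

# Constructed sample policy and stand-in OWS service, for illustration only.
POLICY = {("alice", "sst_2008")}

def ows_service(environ, start_response):
    return reply(start_response, "200 OK")

secured = PolicyEnforcementPoint(
    ows_service, r"/wms/(?P<resource>\w+)",
    lambda user, resource: (user, resource) in POLICY, "/login")
```

The pattern is applied with `fullmatch`, so a path that merely contains a protected prefix is not treated as the protected resource, and any path the pattern does not cover reaches the service unchecked.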

We need to address the client side. While using cookies for the browser would seem straightforward, how would the owslib client do the security? How would OpenLayers (or any embedded JavaScript) respect the browser cookie security environment?


The overall objective is to security-enable OWS services. We want to do this in a way that has minimal impact on the services they protect and on clients such as OpenLayers making requests.

  1. Write a security filter to filter requests to OWS services permitting access to a secured resource only to authenticated and authorized users. Test and make work with OpenLayers based clients.
    • Dependencies and ordering:
      • OMII-UK Commissioned Software Project needs to be completed first.
      • OWS Server development work is dependent on this. OWS Server can be tested without security but integration with security is an important step. The security filter should ideally be completed first.
    • Start Date: December 08
    • Duration: 20 days
    • Relevant tickets: #1004, #1005, #1006
  2. Apply the same or a similar filter to an OPeNDAP service. The OPeNDAP server would be based on the Python implementation of OPeNDAP, pyDAP. This task will require familiarisation with a new package, pyDAP. This task is of secondary importance to 1).
    • Dependencies and ordering: complete task 1) and 3) first.
    • Start Date: Jan
    • Duration: 10 days
    • Relevant Tickets: #1007
  3. Write security client code to enable a client application written in Python to access a secured OWS service. (Ticket #1008)
    • Dependencies and ordering: dependent on 1) and development of OWS Python client code.
    • Start Date: Mid January 09
    • Duration: 5 days
    • Relevant tickets: #1008

NDG3 Security Tickets

These break down the tasks into more detail:

[S] Python OWS Client Security
[S] Authkit cookie sets user's OpenID in plain text
