Version 23 (modified by pjkersha, 13 years ago) (diff)



Being the NDG3 security activities. More generic NDG security activities can be found here?.


October 1, 2008

The issue is that we need to link NDG security to the OWS client and server stacks (and ideally  PyDAP too).

All these actions to be carried out by Phil in the Nov-Jan time frame.

This can be achieved in the server by using WSGI middleware that can be configured using (for example) a regular expression which identifies the resource identifier in any HTTP GET URLS (and presumably POST), and then does a call out to the rest of the NDG security infrastructure. This middleware will be a policy enforcement point and could redirect for authentication and authorisation.

We need an NDG gatekeeper piece of code which can respond to requests matching user credentials to resource URIs to make policy decisions.

We need to address the client side. While using cookies for the browser would seem straightforward, how would the owslib client do the security? How would openlayers (or any embedded javascript) respect the browser cookie security environment.


The overall objective is security enable OWS services. We want to do this in a way that has minimal impact on the services they protect and on clients such as  OpenLayers making requests.

  1. Write a security filter to filter requests to OWS services permitting access to a secured resource only to authenticated and authorized users. Test and make work with OpenLayers based clients.
    • Dependencies and ordering:
      • Re-engineering of code stack (part of OMII-UK Commissioned Software Project) needs to be completed first.
      • OWS Server development work is dependent on this. OWS Server can be tested without security but integration with security is an important step. The security filter should ideally be completed first.
    • Start Date: December 08
    • Duration: 20 days
    • Relevant tickets: #1004, #1005, #1006
  2. Write security client code to enable a client application written in Python to access a secured OWS service. (Ticket #1008)
    • Dependencies and ordering: dependent on 1) and development of OWS Python client code.
    • Start Date: Mid January 09
    • Duration: 5 days
    • Relevant tickets: #1008
  3. Apply the same or a similar filter to an  OPeNDAP service. The OPeNDAP server would be based on the Python implementation of OPeNDAP,  pyDAP. This task will require familiarisation with a new package pyDAP. This task is of secondary importance to 1)
    • Dependencies and ordering: complete task 1) and 3) first.
    • Start Date: late Jan / early Feb 09
    • Duration: 10 days
    • Relevant Tickets: #1007
  4. Security Integration.
    • Duration:5 days
    • Relevant Ticket: #1010
    • Start Date: late Feb/early March
    • Software Integration
      • server-side
      • client-side
    • Deployment Integration
    • Aiding in ensuring that resources are appropriately listed in security uri -> role database.


  1. Completion of OMII-UK Commissioned Software Project work (likely to impact). The OMII-UK project finishes at the end of October but a no cost extension has been agreed up to the end of the year. This is in order to put together final deliverables. Work from this project required to be completed:
    • Re-engineering of security code stack to use filter based (WSGI) technology. This is a prerequisite for NDG3 security work.
    • integration of NDG Security with the BADC Data Browser
  2.  Earth System Grid interoperability for the IPCC Fifth Assessment Report (less likely to impact)
    • NDG Security components need to be made interoperable with security architecture agreed with the ESG team. This work involve agreeing interfaces, developing new security modules (Attribute Service) and testing. This work is not likely to start until Feb 09 at earliest.
  3. DMAG Workshop preparation (likely to be minimal impact)
  4. Leave late Oct/early to mid Nov 08. (approx. 15 days not including Christmas and New Year).

NDG3 Security Tickets

These break down the tasks into more detail:

[S] Python OWS Client Security
[S] Authkit cookie sets user's OpenID in plain text


Two weekly summaries for James:

  1. 20090109?
  2. 20090121?
  3. 20090130?
  4. 20090213?
  5. 20090227?

NDG3: Capability?, Discovery?, Vocab?, Software?, MOLES?, Security?, Community?, Roadmap?, Management?