RFC 15: Access Control Support¶
This RFC describes access control support for the EOxServer. The following figure gives an overview of the proposed access control implementation and its different components:
The access control implementation relies on the Shibboleth framework and parts of the CHARON framework, namely the CHARON Authorisation Service. The components are all released as Open Source. Shibboleth is used for the authentication of users; the CHARON Authentication Service is responsible for making authorisation decisions if a certain request may be performed.
Authentication is not handled directly by the EOxServer components, but uses the Shibboleth federated identity management system. In order to do this, two requirements must be met:
- A Shibboleth Identity Provider (IdP) must be available for authentication
- A Shibboleth Service Provider must be installed and configured in an Apache HTTP Server to protect the EOxServer resource.
A user has to authenticate at an IdP in order to perform requests to an EOxServer with access control enabled. The IdP issues a SAML token which will be validated by the SP.
Is the user valid, the SP adds the user attributes by the IdP to the HTTP Header of the original service requests and conveys it to the protected EOxServer instance. The whole process ensures, that only authenticated users can access the EOxServer.
EOxServer Security Component¶
The EOxServer security component is located in the package
eoxserver.services.auth.base in the EOxServer source code directory. The
implementation of the
PolicyDecisionPointInterface for the proposed setup
is included in
eoxserver.services.auth.charonpdp.py, which is a wrapper for
the CHARON Authorisation Service client. Every request for authorisation is
encoded into a XACML Authorization Query and sent to the Authorisation Service.
The decision (permit, deny) of the service is then enforced by the EOxServer.
|Motion:||Adopted on 2011-02-09 with +1 from Arndt Bonitz, Fabian Schindler, Stephan Meißl and +0 from Milan Novacek, Martin Paces|