Secure SDI - a client perspective
Over the last few months we've been demonstrating Secure SDI a lot. What's Secure SDI? It's role-based access control and feature-level security for an OGC (Open Geospatial Consortium) Spatial Data Infrastructure. Secure SDI answers one of the primary challenges in deploying real-world systems based on OGC standards - making sure critical geospatial information goes to the people who are supposed to have it, and only to them. But folks have asked - how does this work on the client side?
From the client perspective there are two key steps. First, logging in to an authentication service (like the CubeWerx one shown above) to obtain the credentials the user is entitled to; second, sending those credentials with each request to an OGC service such as WFS, which then answers the query with only the information the user's rights and access rules allow.
To support Secure SDI The Carbon Project uses CarbonTools PRO to alter the HTTP request at the communications layer, and adds new functionality to Gaia (through an Extender plug-in) and to the CarbonArc PRO products. For example, to get user credentials Gaia needs to log in to a Secure SDI authentication service. To achieve that functionality we added a tool in the form of a dialog box that allows people to type in a username and password. Users can also set the authentication service URL and add an optional jurisdiction parameter. Once the information is set, clicking on a ‘Get User Credentials’ button fetches the list of credentials from the authentication service. This is done through an HTTPS GET request, so all communication between client and server is SSL/TLS encrypted. Because the service URL is user-configurable, a client should accept only https:// URLs here; otherwise the password would travel in clear text.
CarbonTools PRO provides the distinct ability to control the HTTPS requests sent to OGC Web Services. This level of control over the communication layer is crucial for Secure SDI. Since the credentials are attached at the communication layer, every request carries them, whether it is a GetCapabilities, a GetFeature, or a Transaction against a WFS-T, without any per-operation handling in the application.
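To make the two client-side steps concrete, here is an added example in Python that is not CarbonTools PRO, Gaia or CarbonArc PRO code. It models the flow described above offline: build the HTTPS GET that fetches the credential list (refusing a plain http:// service URL), parse a constructed response, and then route every OGC request (GetCapabilities, GetFeature and a WFS-T Transaction) through one communication-layer hook that attaches the credentials. The auth-service parameter names, the JSON response format, the X-SecureSDI-Credentials header and the example hostnames are assumptions; the page does not document the real wire format.

```python
# Added example, not Carbon Project code: an offline model of the Secure SDI
# client flow. Parameter names, response format and header name are assumed.
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Constructed sample response from the authentication service. The real
# service's format is not shown on the page; JSON is an assumption.
SAMPLE_AUTH_RESPONSE = '{"credentials": ["role:analyst", "jurisdiction:CA", ""]}'


def build_auth_request(auth_url, username, password, jurisdiction=None):
    """Build the HTTPS GET that asks the authentication service for the
    user's credential list. The service URL is user-configurable, so the
    client refuses anything that is not https://, otherwise the password
    would leave the machine in clear text. Parameter names are assumed."""
    parts = urlsplit(auth_url)
    if parts.scheme.lower() != "https":
        raise ValueError("authentication service URL must use https://")
    params = {"username": username, "password": password}
    if jurisdiction:
        params["jurisdiction"] = jurisdiction
    # Caveat: even under TLS a query string is routinely written to server
    # and proxy logs; the page describes a GET, so that is what is modelled.
    url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))
    return Request(url, method="GET")


def parse_credentials(body):
    """Extract the credential strings from the (assumed JSON) response."""
    creds = [c for c in json.loads(body).get("credentials", [])
             if isinstance(c, str) and c]
    if not creds:
        raise ValueError("authentication service returned no credentials")
    return creds


class SecureSdiSession:
    """Communication-layer hook: every OGC request passes through prepare(),
    which attaches the credentials, so GetCapabilities, GetFeature and WFS-T
    Transaction are all covered without per-operation code."""

    HEADER = "X-SecureSDI-Credentials"  # assumed header name

    def __init__(self, credentials):
        self.credentials = list(credentials)

    def prepare(self, request):
        scheme = urlsplit(request.full_url).scheme.lower()
        if scheme != "https":
            raise ValueError("refusing to send credentials over " + scheme)
        request.add_header(self.HEADER, ",".join(self.credentials))
        return request

    def get_capabilities(self, wfs_url):
        query = urlencode({"service": "WFS", "request": "GetCapabilities"})
        return self.prepare(Request(wfs_url + "?" + query, method="GET"))

    def get_feature(self, wfs_url, type_name):
        query = urlencode({"service": "WFS", "version": "1.1.0",
                           "request": "GetFeature", "typeName": type_name})
        return self.prepare(Request(wfs_url + "?" + query, method="GET"))

    def transaction(self, wfs_url, transaction_xml):
        req = Request(wfs_url, data=transaction_xml.encode("utf-8"), method="POST")
        req.add_header("Content-Type", "text/xml")
        return self.prepare(req)


def query_params(request):
    """Query string of a prepared request as a dict (inspection helper)."""
    return dict(parse_qsl(urlsplit(request.full_url).query))


def attached_credentials(request):
    """Credentials carried by a prepared request. urllib stores header names
    via str.capitalize(), hence the lookup form."""
    value = request.get_header(SecureSdiSession.HEADER.capitalize())
    return value.split(",") if value else []


def demo():
    """Run the whole client flow offline on the constructed response."""
    login = build_auth_request("https://auth.example.net/login", "alice", "s3cret", "CA")
    creds = parse_credentials(SAMPLE_AUTH_RESPONSE)  # stands in for the HTTPS GET
    session = SecureSdiSession(creds)
    wfs = "https://wfs.example.net/wfs"
    reqs = [session.get_capabilities(wfs),
            session.get_feature(wfs, "roads"),
            session.transaction(wfs, "<wfs:Transaction/>")]
    return login, creds, reqs
```

The point of routing everything through `prepare()` is the same one the post makes about the communication layer: an operation added later (a new WFS request type, a WMS GetMap) is protected automatically, and the https-only check in `prepare()` means the credentials can never be leaked by a misconfigured plain-HTTP service URL.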
On the client, then, Secure SDI comes down to a credential fetch plus a communication-layer hook. Together they address one of the primary challenges in deploying real-world systems based on OGC standards - making sure critical geospatial information goes to the people who are supposed to have it.