Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
<Insert Picture Here>
Building a Secure Web Service using Oracle Spatial
and JDeveloper
2
Overview
•Backgro
und
•Spatial W
eb S
erv
ices
•W
FS 1
.0
•W
eb S
erv
ice S
ecurity
•D
em
o: Build
ing a
Secure
Web s
erv
ice
•Serv
er sid
e m
anagem
ent (u
sin
g P
LSQ
L/J
ava/E
M)
•Build
ing a
Secure
Clie
nt (u
sin
g J
Develo
per)
•O
penLS 1
.1
•C
SW
2.0
.0
•W
MS 1
.1
•Sum
mary
3
Background
•O
pen G
IS C
onsortiu
m (O
GC
) Sta
ndard
s
•W
eb F
eatu
re S
erv
ice
•Access/s
earc
h/u
pdate
/dele
te g
eo-s
patial fe
atu
re insta
nces
based o
n s
patial/non-s
patial searc
h c
rite
ria u
sin
g a
sta
ndard
inte
rface o
ver th
e w
eb
•Location S
erv
ices
•R
outing
•M
appin
g
•G
eocodin
g
•D
irecto
ry S
erv
ices
4
Background (Contd)
•C
ata
logue S
erv
ice for W
eb
•D
efines a
com
mon inte
rface that enable
s d
ivers
e b
ut
confo
rmant applic
ations to p
erform
dis
covery
, bro
wse a
nd
query
opera
tions a
gain
st cata
log s
erv
ers
.
•W
eb M
ap S
erv
ice
•R
equest/Pro
vid
e m
aps
•R
equest/Pro
vid
e info
rmation a
bout conte
nt of a m
ap
•M
ake s
erv
ices s
ecure
•Auth
entication
•Auth
orization
•Tra
nsport-level security
5
Spatial Web Services
6
Web F
eatu
re S
erv
ice (W
FS
)
7
Requirements
•Access/s
earc
h/u
pdate
/dele
te g
eo-s
patial fe
atu
re
insta
nces b
ased o
n s
patial/non-s
patial searc
h c
rite
ria
usin
g a
sta
ndard
inte
rface o
ver th
e w
eb
•Access/U
pdate
in a
secure
way w
ith p
roper
auth
entication a
nd a
uth
orization.
•M
anage featu
re p
rivile
ges a
t an insta
nce level
•R
eal-tim
e transfe
r of fe
atu
re in
sta
nces in a
pla
tform
/pro
gra
mm
ing language independent w
ay.
8
Approach
•U
se
•SO
AP for R
equest/R
esponse
•XM
L o
ver H
TTP P
ost M
eth
od for R
equest/R
esponse
•O
racle
Spatial fo
r Featu
re insta
nce S
tora
ge/R
etrie
val.
•Im
ple
ment O
GC
filt
er specific
ation for fe
atu
re s
earc
h
•U
se W
SS/L
DAP for auth
entication, R
ow
level security
for in
sta
nce-level privile
ge m
gm
t and W
SS for secure
transfe
r of fe
atu
re d
ata
.
9
Approach (Contd)
•Support p
ublis
hin
g featu
re types fro
m d
ata
base d
ata
sourc
es(table
s, vie
ws)
•C
om
ple
x T
ype c
olu
mns
•N
este
d T
able
/VAR
RAY c
olu
mns
•XM
LType C
olu
mns
•Support p
ublis
hin
g featu
re types fro
m e
xte
rnal data
sourc
es (exte
rnal XS
Ds).
•Im
ple
ment to
ken-b
ased lockin
g o
f fe
atu
re insta
nces to
support W
FS lockin
g p
roto
col.
•Im
ple
ment fe
atu
re c
ache in m
iddle
-tie
r to
reduce
volu
me o
f spatial data
tra
nsfe
r from
DB to m
iddle
-tie
r,
and m
ake W
FS request pro
cessin
g m
ore
effic
ient.
10
WFS Operations
•Basic
•G
et C
apabilities –
get th
e m
eta
data
about th
e types /
opera
tions that a featu
re serv
er supports
•D
escribeFeatu
re -get th
e s
tructu
ral in
form
ation a
bout a
featu
re type
•G
etF
eatu
re –
query
diffe
rent parts o
f fe
atu
re insta
nces
11
WFS Operations (Contd.)
•Tra
nsactional W
FS
•G
etF
eatu
reW
ithLock –
get a s
et of fe
atu
res a
nd lock them
•LockFeatu
re –
lock a
set of fe
atu
re insta
nces, and lock
som
e/a
ll of th
em
for a c
ertain
period o
f tim
e.
•Tra
nsaction
•In
sert new
featu
re insta
nces
•U
pdate
exis
ting featu
re insta
nces b
ased o
n filt
er crite
ria
•D
ele
te e
xis
ting featu
re insta
nces b
ased o
n filt
er crite
ria
12
Architecture
Feature Cache Manager
Feature Metadata/Lock Metadata
JDBC
WFS Processor (Web Service)
Feature Instances
Oracle DB
WFS Clients
WFS Request (SOAP/XML)
WFS Response (SOAP/XML)
Authentication+Secure transport [WSS/LDAP]
OC4J/
J2EE Container
DB Handler
Input Processor
Response Generator
13
Caching
•Pro
vid
e m
ain
-mem
ory
sto
rage o
f spatial obje
cts
•H
elp
s reduce fre
quent transfe
r of spatial obje
ct from
data
base to m
em
ory
•In
-mem
ory
locks for update
cache e
ntrie
s
consis
tently.
14
Locking
•D
B L
ockin
g
•Lock d
ura
tion in m
inute
s. Spans d
b tra
nsaction
boundary
•Token-b
ased lockin
g s
em
antics
•U
nlo
ck row
s w
hen lock e
xpires
15
Locking Approach
•D
efine triggers
on featu
re table
s/v
iew
s to m
ake s
ure
that th
e u
ser in
the c
urr
ent sessio
n h
as s
how
n a
non-
expired lock token, w
hic
h w
as o
bta
ined p
revio
usly
for
updating/d
ele
ting the c
oncern
ed row
s.
•Lockin
g logic
will b
e e
nfo
rced u
niform
ly for Java o
r
PLSQ
L inte
rfaces.
16
WFS Metadata
•Featu
re T
ypes
•Featu
re T
ype T
ags
•Featu
re T
ype A
ttribute
s
•C
om
ple
x T
ypes
•Spatial O
pera
tors
supported
•Functions s
upported
•Serv
ice M
eta
data
17
WFS Metadata (Contd.)
•Type M
eta
data
popula
ted a
uto
matically
during type
public
ation
•Type M
eta
data
used to s
erv
e D
escribeFeatu
reType
response
•C
apabili
ties m
eta
data
used to s
erv
e G
etC
apabilities
response
18
Publish Feature Types
•R
ela
tional data
sourc
e (e.g
. ta
ble
)
•PLSQ
L A
PI w
hic
h w
ill:-
•Publis
h the c
onte
nt of a table
with S
patial C
olu
mn(s
) to
a
featu
re type w
hic
h is a
subty
pe o
f gm
l:_Featu
re s
uch that
•C
olu
mns M
ap to F
eatu
re T
ype T
ags
•C
olu
mn T
ypes M
ap to T
ag T
ypes in X
ML
•U
ser-defined o
bje
ct m
ap to C
om
ple
xTypes in X
ML
•Type n
am
ing in c
hosen b
y d
efa
ult
19
Publish Types (Contd.)
•XSD
Docum
ent based d
ata
sourc
e
•Java A
PI w
hic
h w
ill:-
•R
egis
ter fe
atu
re type X
SD
s and featu
re type m
eta
data
•R
egis
ter spatial path
s o
n w
hic
h s
patial in
dex w
ill b
e
built
•R
egis
ter non-s
patial path
s o
n w
hic
h X
DB index w
ill b
e
built
•Featu
re T
ype R
egis
tration X
SD
, captu
res a
ll fe
atu
re
type m
eta
data
para
mete
rs
•Java/P
LSQ
L A
PIs
to:-
•G
rant W
FS M
eta
data
access to W
FS U
sers
•G
rant W
FS F
eatu
re type a
ccess to W
FS U
sers
20
Use Case (Type Suppliers)
•Publis
h T
ypes
•D
efine type a
ccess c
ontrol privile
ges
21
Use Case (Type Consumers)
•G
et Serv
er C
apabili
ties
•D
escribe F
eatu
re T
ype
•G
etF
eatu
res (w
ith p
roper filter)
•G
etF
eatu
reW
ithLock
•LockFeatu
re
•Tra
nsaction
•In
sert/U
pdate
/Dele
te
22
Summary
•W
FS s
upport b
ased o
n O
racle
Spatial data
base
•Support for W
FS b
asic
/tra
nsaction inte
rfaces
•Support for Spatial and X
DB b
ased indexin
g o
n
featu
re insta
nces.
•Support for re
gis
tering R
ela
tional and D
ocum
ent
based F
eatu
re T
ype
•Support for to
ken-b
ased W
FS lockin
g
23
Web S
erv
ices S
ecurity
24
Issues addressed
•Auth
entication (W
SS)
•Auth
orization
•Tra
nsport S
ecurity
(W
SS)
25
Authentication (WSS)
<env:Envelope ... >
<env:Header>
<wsse:Security ... >
...
<dsig:Signature ... >
...
</dsig:Signature>
<wsse:UsernameToken ... >
<wsse:Username>SpatialWsUser0</wsse:Username>
<wsse:Password ... >MzSmymXK7mIiH4NU6h4lvS+IVb8=</wsse:Password>
...
</wsse:UsernameToken>
...
</wsse:Security>
</env:Header>
<env:Body ... >
<ns0:makeSpatialRequestElement>
<XLS ...> ...
</XLS>
</ns0:makeSpatialRequestElement>
</env:Body>
</env:Envelope>
26
Authorization
Clie
ntoc
4jD
BP
roxy
Aut
hent
icat
ion
App
Use
r M
gmt
Sin
gle
App
Use
r
SO
AP
/WS
S
Propagation Of User ID
27
Authorization (Contd)
•U
ser vie
ws
•VPD
•Enfo
rced in the D
B
28
Transport Security
•M
essage Inte
grity
(Sig
nin
g/S
ignatu
re v
erification)
•M
essage P
rivacy (Encry
ption/D
ecry
ption)
29
Dem
o: B
uild
ing a
Secure
Web S
erv
ice
30
Server-side management
•D
eplo
y a
nd c
onfigure
spatial w
eb s
erv
ice (sdow
s.e
ar)
•Publis
h a
featu
re type in W
FS (D
ocum
ent-based)
usin
g J
ava A
PI pro
vid
ed b
y O
racle
Spatial
•This
function c
an b
e p
erform
ed b
y a
WFS A
dm
in u
ser
•Specify featu
re type X
SD
•Specify the X
path
s o
n w
hic
h to b
uild
spatial in
dex
•Specify the X
path
s o
n w
hic
h to b
uild
XM
LTable
index
•Specify o
ther fe
atu
re type m
eta
data
•Pro
vid
e the a
bove a
s X
ML/J
ava p
ara
mete
rs to J
ava A
PI
•G
rant privile
ges to W
FS U
ser (w
ho w
ill p
erform
WFS q
uery
and tra
nsaction o
pera
tions)
31
Building a Secure Client
•G
enera
te a
Clie
nt pro
xy fro
m S
patialW
S.w
sdl (u
sin
g
Ora
cle
Jdevelo
per)
•Secure
the C
lient pro
xy (usin
g O
racle
Jdevelo
per)
•C
usto
miz
e c
lient to
invoke the S
patial W
eb s
erv
ice
(WFS in this
case) m
ultip
le tim
es w
ith d
iffe
rent W
FS
opera
tions in a
certain
sequence.
•G
enera
te s
erv
ice o
utp
ut in
log file
s
32
Open L
ocation S
erv
ices
(OpenLS)
33
Functionality
•Location U
tilit
y S
erv
ice
(uses O
racle
Geocoder)
•Pre
senta
tion S
erv
ice
(uses O
racle
MapVie
wer)
•R
oute
Serv
ice
(uses O
racle
Route
Serv
er)
•D
irecto
ry S
erv
ice
34
Location Utility Service
Sample Request
<XLS …>
… <Request …methodName="GeocodeRequest" … >
<GeocodeRequest>
<Address countryCode="US">
<StreetAddress>
<Building number="400"/>
<Street>Post Street</Street>
</StreetAddress>
<Place type="CountrySubdivision">CA</Place>
<Place type="Municipality">San Francisco</Place>
<PostalCode>94102</PostalCode>
</Address>
<Address countryCode="US">
<StreetAddress>
<Building number="233"/>
<Street>Winston Drive</Street>
</StreetAddress>
<Place type="CountrySubdivision">CA</Place>
<Place type="Municipality">San Francisco</Place>
<PostalCode>94132</PostalCode>
</Address>
</GeocodeRequest>
</Request>
</XLS>
35
Location Utility Service
Sample Response
<xls:XLS … >
… <xls:Response … >
<xls:GeocodeResponse … >
<xls:GeocodeResponseList … >
<xls:GeocodedAddress>
<gml:Point … >
<gml:pos dimension="2" srsName="4326">-122.4083257 37.788208</gml:pos>
</gml:Point>
<xls:Address countryCode="US">
<xls:StreetAddress>
<xls:Building number="400"/>
<xls:Street>POST ST</xls:Street>
</xls:StreetAddress>
<xls:Place type="CountrySubdivision">CA</xls:Place>
<xls:Place type="Municipality">SAN FRANCISCO</xls:Place>
<xls:PostalCode>94102</xls:PostalCode>
</xls:Address>
</xls:GeocodedAddress>
</xls:GeocodeResponseList>
…
</xls:GeocodeResponse>
</xls:Response>
</xls:XLS>
36
Directory Service
Sample Request
<XLS … >
… <Request …
methodName="DirectoryRequest">
<DirectoryRequest>
<POILocation>
<WithinBoundary>
<AOI>
<gml:CircleByCenterPoint
… >
<gml:pos>-122.405 37.785</gml:pos>
<gml:radius uom="9001">500</gml:radius>
</gml:CircleByCenterPoint>
</AOI>
</WithinBoundary>
</POILocation>
<POIProperties>
<POIProperty name="SIC_code" value="1234567890"/>
</POIProperties>
</DirectoryRequest>
</Request>
</XLS>
37
Directory Service
Sample Response
<xls:XLS … >
… <xls:Response … >
<DirectoryResponse … >
<xls:POIContext … >
<xls:POI ID="2" POIName="Borders Books & More" phoneNumber="415-399-1633" description="Books & more">
<POIAttributeList … >
<ReferenceSystem … >
<xls:NAICS …category="Books" … />
<xls:SIC …category="Book stores" code="1234567890" … />
<xls:SIC …category="Cafes & Cafeterias" code="1234567891" … />
</ReferenceSystem>
</POIAttributeList>
<gml:Point … >
<gml:pos dimension="2" srsName="4326">-122.4083257 37.788208</gml:pos>
</gml:Point>
<xls:Address countryCode="US">
<xls:StreetIntersection>
<xls:Street>Post St</xls:Street>
<xls:IntersectingStreet>Powell St</xls:IntersectingStreet>
</xls:StreetIntersection>
<xls:Place type="CountrySubdivision">CA</xls:Place>
… <xls:Place type="Municipality">San Francisco</xls:Place>
… <xls:PostalCode>94102</xls:PostalCode>
</xls:Address>
</xls:POI>
…
38
Cata
log S
erv
ice W
eb (C
SW
)
39
Overview Catalogue Application Client
Catalogue Service
Metadata Repository
Resource/Service
describes
Search
CSW Request/Response
OGC Service Interfaces
Application Interaction with Catalogue Server
40
Requirements
•Access/s
earc
h/u
pdate
/dele
te g
eo-s
patial cata
log
record
s b
ased o
n s
patial/non-s
patial searc
h c
rite
ria
usin
g a
sta
ndard
inte
rface o
ver th
e w
eb
•Access/U
pdate
in a
secure
way w
ith p
roper
auth
entication a
nd a
uth
orization.
•M
anage c
ata
log record
privile
ges a
t an insta
nce level
•R
eal-tim
e transfe
r of cata
log in
sta
nces in a
pla
tform
/pro
gra
mm
ing language independent w
ay.
41
Our Approach
•U
se
•SO
AP for R
equest/R
esponse
•XM
L o
ver H
TTP P
ost M
eth
od for R
equest/R
esponse
•O
racle
Spatial fo
r R
ecord
insta
nce S
tora
ge/R
etrie
val.
•Im
ple
ment O
GC
filt
er specific
ation for re
cord
searc
h
•U
se W
SS/L
DAP for auth
entication, R
ow
level security
for in
sta
nce-level privile
ge m
gm
t, a
nd W
SS for secure
transfe
r of re
cord
data
.
•R
esultSet cachin
g w
ill b
e s
upported, to
retrie
ve
record
s fro
m a
sin
gle
query
acro
ss d
iffe
rent w
eb
requests
.
42
CSW Operations
•D
iscovery
•G
et C
apabilities –
get th
e m
eta
data
about th
e types /
opera
tions that a c
ata
log serv
er supports
•D
escribeR
ecord
-get th
e s
tructu
ral in
form
ation a
bout a
cata
log record
type
•G
etR
ecord
s–
query
diffe
rent parts o
f re
cord
insta
nces
•G
etR
ecord
ById
–query
a record
insta
nce b
y identifier
•G
etD
om
ain
–query
about ra
nge o
f valu
es for C
SW
request
type p
ara
mete
rs
43
CSW Operations (Contd.)
•Public
ation
•Tra
nsaction
•In
sert new
record
insta
nces
•U
pdate
exis
ting record
insta
nces b
ased o
n filt
er crite
ria
•D
ele
te e
xis
ting record
insta
nces b
ased o
n filt
er crite
ria
44
Architecture
Catalog Cache Manager
Record MetadataJDBC
CSW Processor (Web Service)
Record Instances
Oracle DB
CSW Clients
CSW Request (SOAP/XML)
CSW Response (SOAP/XML)
Authentication+Secure transport [WSS/LDAP]
OC4J/
J2EE Container
DB Handler
Input Processor
Response Generator
45
Caching
•Pro
vid
e m
ain
-mem
ory
sto
rage o
f spatial obje
cts
•H
elp
s reduce fre
quent transfe
r of spatial obje
ct from
data
base to m
em
ory
•In
-mem
ory
locks for update
cache e
ntrie
s
consis
tently.
46
CSW Metadata
•R
ecord
Types M
eta
data
•D
om
ain
Rela
ted M
eta
data
•C
apabilities R
ela
ted M
eta
data
•R
ecord
s M
eta
data
•Type m
eta
data
popula
ted d
uring p
ublis
hin
g record
type
•Type m
eta
data
used to s
erv
e D
escribeR
ecord
Type response
•C
apabilities m
eta
data
used to s
erv
e G
etC
apabilities response
47
Publish Record Types
•D
efa
ult (C
SW
Record
Type).
•C
usto
m R
ecord
Types, confo
rmin
g to
csw
:AbstractR
ecord
48
Use Case (Type Suppliers)
•Publis
h R
ecord
Types
•Java A
PI w
hic
h w
ill:-
•R
egis
ter re
cord
type X
SD
s and record
type m
eta
data
•R
egis
ter spatial path
s o
n w
hic
h s
patial in
dex w
ill b
e
built
•R
egis
ter non-s
patial path
s o
n w
hic
h X
DB index w
ill b
e
built
•R
ecord
Type R
egis
tration X
SD
, captu
res a
ll re
cord
type
meta
data
para
mete
rs
•Java A
PIs
to:-
•G
rant C
SW
Meta
data
access to C
SW
Users
•G
rant C
SW
Record
type a
ccess to C
SW
Users
49
Use Case (Type Consumers)
•G
et C
SW
Serv
er C
apabilities
•D
escribe R
ecord
Type
•G
etR
ecord
s (w
ith p
roper filter)
[C
urr
ent support is for
OG
C F
ilter specific
ation]
•G
etR
ecord
ById
•G
etD
om
ain
•D
o T
ransaction o
n R
ecord
s
•In
sert/U
pdate
/Dele
te
50
Web M
ap S
erv
ice (W
MS
)
51
Operations
•G
etC
apabilities
•G
etM
ap
•G
etF
eatu
reIn
fo
52
Summary
•W
FS s
upport b
ased o
n O
racle
Spatial fe
atu
re repository
. It
pro
vid
es O
GC
sta
ndard
s b
ased a
ccess to O
racle
Spatial ta
ble
data
for query
and m
anip
ula
tion
•Location S
erv
ice p
rovid
es O
GC
sta
ndard
s b
ased a
ccess to
Mappin
g, R
outing, G
eocodin
g a
nd D
irecto
ry S
erv
ice functionalit
y
of O
racle
Spatial, w
hic
h p
rom
ote
s inte
ropera
bility
•C
SW
support im
ple
ments
OG
C C
ata
logue S
erv
ice s
pecific
ation
based o
n O
racle
Spatial C
ata
logue repository
•W
MS pro
vid
es O
GC
sta
ndard
s b
ased a
ccess to m
aps a
nd
info
rmation a
bout conte
nt of a m
ap
•U
se W
SS/L
DAP for auth
entication, R
ow
level security
for
insta
nce-level privile
ge m
gm
t and W
SS for secure
tra
nsfe
r of
featu
re d
ata
.
•Build
a s
ecure
web s
erv
ice c
lient usin
g O
racle
Jdevelo
per
53
Geo Services
54
For More Information
searc
h.o
racle
.com
or
www.oracle.com/database/spatial.html
Spatial
55