WFS Rights with Filter Expressions
In security.manager you can link policies for Web Feature Services with filter expressions as defined by OpenGIS Filter Encoding Implementation Specification 1.1.0. This allows to defines policies that limit access to certain features by attribute-based rules.
A protected WFS publishes the feature type "cities" that offers an attribute "population". By means of filter encoding expression the set of returned features can be restricted to Only those cities that have more than 100,000 inhabitants, based on the role a user
Filter expressions are not supported for Web Feature Services with version 2.0. |
If the according policy applies, security.manager adds the defined filter expression to the incoming WFS request which is then forwarded to the protected service. This is why potential restrictions regarding filter expression evaluation imposed by the WFS implementor need to be taken into account.
Creating the obligation
-
Initial creation
Select Obligation → New → OGC Filter Expression inside a WFS policy. -
Specify the name of the obligation
Enter a short descriptive name of the obligation in Common data → Name. Example:only_major_cities
. -
Select feature type
In Parameter → Feature Type select the feature type for which the expression is defined. Example:cities
. -
Define filter expression
Use the text area Parameter → Filter Expression to enter a valid OGC filter expression.
Example:<ogc:PropertyIsGreaterThan xmlns:ogc="http://www.opengis.net/ogc"> <ogc:PropertyName>population</ogc:PropertyName> <ogc:Literal>100000</ogc:Literal> </ogc:PropertyIsGreaterThan>
-
Save Obligation
To link the obligation with the underlying policy, click Save obligation. The obligation becomes effective instantly.