WFS Rights with Filter Expressions

In security.manager you can link policies for Web Feature Services with filter expressions as defined by the OpenGIS Filter Encoding Implementation Specification 1.1.0. This allows you to define policies that limit access to certain features by attribute-based rules.

Example

A protected WFS publishes the feature type "cities" that offers an attribute "population". By means of a filter encoding expression, the set of returned features can be restricted to only those cities that have more than 100,000 inhabitants, based on the role a user

Filter expressions are not supported for Web Feature Services with version 2.0.

If the corresponding policy applies, security.manager adds the defined filter expression to the incoming WFS request, which is then forwarded to the protected service. The filter is therefore evaluated by the protected WFS itself, so any restrictions on filter expression evaluation imposed by the WFS implementation need to be taken into account.

Creating the obligation

  1. Initial creation
    Select Obligation > New > OGC Filter Expression inside a WFS policy.

  2. Specify the name of the obligation
    Enter a short descriptive name of the obligation in Common data > Name. Example: only_major_cities.

  3. Select feature type
    In Parameter > Feature Type select the feature type for which the expression is defined. Example: cities.

  4. Define filter expression
    Use the text area Parameter > Filter Expression to enter a valid OGC filter expression.
    Example:

    <ogc:PropertyIsGreaterThan xmlns:ogc="http://www.opengis.net/ogc">
      <ogc:PropertyName>population</ogc:PropertyName>
      <ogc:Literal>100000</ogc:Literal>
    </ogc:PropertyIsGreaterThan>

  5. Save Obligation
    To link the obligation with the underlying policy, click Save obligation. The obligation becomes effective instantly.
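
The following added example (not security.manager code and not taken from its documentation) sketches what adding an obligation filter to an incoming WFS 1.1.0 GetFeature request can look like before the request is forwarded. It assumes the obligation is combined with any client-supplied filter through ogc:And so the client can only narrow the result further; the function name apply_obligation and the sample request are constructed for illustration.

```python
import xml.etree.ElementTree as ET

OGC = "http://www.opengis.net/ogc"
WFS = "http://www.opengis.net/wfs"
ET.register_namespace("ogc", OGC)
ET.register_namespace("wfs", WFS)

# Obligation filter from the page (only_major_cities, feature type "cities").
OBLIGATION = (
    '<ogc:PropertyIsGreaterThan xmlns:ogc="http://www.opengis.net/ogc">'
    "<ogc:PropertyName>population</ogc:PropertyName>"
    "<ogc:Literal>100000</ogc:Literal>"
    "</ogc:PropertyIsGreaterThan>"
)

# Constructed sample request: one filtered query on "cities", one on "rivers".
REQUEST = (
    '<wfs:GetFeature xmlns:wfs="http://www.opengis.net/wfs" '
    'xmlns:ogc="http://www.opengis.net/ogc" service="WFS" version="1.1.0">'
    '<wfs:Query typeName="cities"><ogc:Filter><ogc:PropertyIsEqualTo>'
    "<ogc:PropertyName>country</ogc:PropertyName><ogc:Literal>DE</ogc:Literal>"
    "</ogc:PropertyIsEqualTo></ogc:Filter></wfs:Query>"
    '<wfs:Query typeName="rivers"/>'
    "</wfs:GetFeature>"
)


def apply_obligation(request_xml, feature_type, obligation_xml):
    """Return the request with the obligation applied to matching queries."""
    root = ET.fromstring(request_xml)
    for query in root.iter(f"{{{WFS}}}Query"):
        # Compare the local name so a prefixed typeName ("app:cities") matches.
        if query.get("typeName", "").split(":")[-1] != feature_type:
            continue
        obligation = ET.fromstring(obligation_xml)
        flt = query.find(f"{{{OGC}}}Filter")
        if flt is None:
            # No client filter: add one, placed before an optional ogc:SortBy.
            flt = ET.Element(f"{{{OGC}}}Filter")
            flt.append(obligation)
            sort = query.find(f"{{{OGC}}}SortBy")
            query.insert(len(query) if sort is None else list(query).index(sort), flt)
        else:
            # Client filter present: wrap it so it cannot replace the obligation.
            conj = ET.Element(f"{{{OGC}}}And")
            conj.append(obligation)
            conj.extend(list(flt))
            flt[:] = [conj]
    return ET.tostring(root, encoding="unicode")
```

Because the rewritten filter is evaluated by the protected service, a request produced this way is a convenient test input for checking that the backend WFS actually supports the operators used in the obligation.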