Mapping incoming request to a protected services

Learn about how incoming requests are assigned to protected services.

security.manager for OGC acts as a proxy between clients and the server to be secured. When requests are made to security.manager for OGC, the request path is compared with the configured services. The path is compared with the path property of each service in the server-config.json. The comparison is done as a prefix match. This means the request path must start with the path property of the service. The comparison ignores the case of the paths. If a match is found, the request is forwarded to the target service. If no match is found, the request is rejected with a 404 Not Found response.

Examples

Let’s assume we want to protect a WMS service that is hosted on a geodata server at https://gisserver.example.com/nature/wms. The service is configured like this in the server-config.json:

{
  "host": "https://gisserver.example.com",
  "services": [
    {
      "path": "/nature/wms",
      "type": "WMS",
      "policy-ref": "..."
    }
  ]
}

How are incoming requests mapped to this service, depending on the context path under which security.manager for OGC is deployed?

The following examples show how incoming requests are forwarded to the protected service.

Deployed as "/secman-ogc"

In this example we assume that security.manager for OGC is deployed with context path /secman-ogc and is accessible under http://secman.example.com:8080/secman-ogc/.

Incoming request to http://secman.example.com:8080 Forwarded request to https://gisserver.example.com Notes

Incoming request to `http://secman.example.com:8080`		Forwarded request to `https://gisserver.example.com`	Notes
`/secman-ogc/nature/wms`	→	`/nature/wms`	Direct path match
`/secman-ogc/Nature/WMS`	→	`/nature/wms`	Case insensitive match, uses configured path case
`/secman-ogc/Nature/WMS/schemas/wms.xml`	→	`/nature/wms/schemas/wms.xml`	Additional path segments are appended to target
`/secman-ogc/nature/wfs`	→	no forwarding	security.manager for OGC responds with HTTP status `404 Not Found` because no path match was found

/secman-ogc/nature/wms

→

/nature/wms

Direct path match

/secman-ogc/Nature/WMS

→

/nature/wms

Case insensitive match, uses configured path case

/secman-ogc/Nature/WMS/schemas/wms.xml

→

/nature/wms/schemas/wms.xml

Additional path segments are appended to target

/secman-ogc/nature/wfs

→

no forwarding

security.manager for OGC responds with HTTP status 404 Not Found because no path match was found

Deployed as "/"

In this example we assume that security.manager for OGC is deployed with context path / and is accessible under http://secman.example.com:8080/.

Incoming request to http://secman.example.com:8080 Forwarded request to https://gisserver.example.com Notes

Incoming request to `http://secman.example.com:8080`		Forwarded request to `https://gisserver.example.com`	Notes
`/nature/wms`	→	`/nature/wms`	Direct path match
`/Nature/WMS`	→	`/nature/wms`	Case insensitive match, uses configured path case for forwarding
`/Nature/WMS/schemas/wms.xml`	→	`/nature/wms/schemas/wms.xml`	Additional path segments are appended to target
`/nature/wfs`	→	no forwarding	security.manager for OGC responds with HTTP status `404 Not Found` because no path match was found

/nature/wms

→

/nature/wms

Direct path match

/Nature/WMS

→

/nature/wms

Case insensitive match, uses configured path case for forwarding

/Nature/WMS/schemas/wms.xml

→

/nature/wms/schemas/wms.xml

Additional path segments are appended to target

/nature/wfs

→

no forwarding

security.manager for OGC responds with HTTP status 404 Not Found because no path match was found