Restrict access spatially

In this tutorial, you will learn how to restrict access to the service https://services.conterra.de/arcgis/services/common/grenzen/MapServer/WFSServer spatially to features within the bounding box of North Rhine-Westphalia.

Prerequisite

This tutorial builds on the files created in the tutorial Allow access to WFS.

Define geometry

To spatially restrict access to the WFS roughly to the area of North Rhine-Westphalia, first create the file nrw.geojson in the policies folder:

${user.home}/.secman-ogc/policies/nrw.geojson
{
  "type": "Polygon",
  "coordinates": [
    [
      [ 5.86725, 50.32375 ],
      [ 9.46245, 50.32375 ],
      [ 9.46245, 52.52860 ],
      [ 5.86725, 52.52860 ],
      [ 5.86725, 50.32375 ]
    ]
  ]
}

Geometries in this file must be of type Polygon or MultiPolygon. They describe the regions where access is allowed. A more detailed description of this file and its conditions can be found under Geometries for spatial restrictions.

Define spatial restriction

The spatial restriction must now be defined in the policy file. Open the file policies-grenzen-wfs.json from the previous tutorial.

Add the restrictions section to the file and include a spatial restriction as follows:

${user.home}/.secman-ogc/policies/policies-grenzen-wfs.json
{
  "policies": [{
    "layers": ["*"],
    "roles": ["enhancedSecurity_any"]
  }],
  "restrictions":{
    "nrw":{
      "type":"spatial",
      "source":"nrw.geojson"
    }
  }
}

By default, the spatial restriction uses the intersects spatial operation. That means features intersecting the defined geometry are returned. To ensure only features fully within the defined geometry are returned, extend the spatial restriction with the spatial operation within:

${user.home}/.secman-ogc/policies/policies-grenzen-wfs.json
{
  "policies": [{
    "layers": ["*"],
    "roles": ["enhancedSecurity_any"]
  }],
  "restrictions":{
    "nrw":{
      "type":"spatial",
      "source":"nrw.geojson",
      "spatialOperation": "within"
    }
  }
}

Reference restriction

After defining the geometry and the spatial restriction, you must reference the restriction in a policy. To do this, extend the policy in the policy file with a restrictions list and add the name of the restriction to this list:

${user.home}/.secman-ogc/policies/policies-grenzen-wfs.json
{
  "policies": [{
    "layers": ["*"],
    "roles": ["enhancedSecurity_any"],
    "restrictions":["nrw"]
  }],
  "restrictions":{
    "nrw":{
      "type":"spatial",
      "source":"nrw.geojson",
      "spatialOperation": "within"
    }
  }
}
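
The policy file and the geometry file from the steps above can be checked for consistency before the restart. The following Python script is an added example, not part of the product or of the original tutorial: it reports restrictions that are defined but not referenced by any policy (or referenced but not defined), spatial restrictions left on the default intersects operation, and geometry files that are not a closed Polygon or MultiPolygon. It assumes that source is resolved relative to the policies folder and that the file holds a single geometry object as in nrw.geojson; lint_policy, check_geometry and demo are names chosen for this example.

```python
import json, sys, tempfile
from pathlib import Path

def check_geometry(path):
    """Problems in a GeoJSON file holding one bare geometry, as in this tutorial."""
    if not path.is_file():
        return ["file not found"]
    geo = json.loads(path.read_text(encoding="utf-8"))
    if geo.get("type") not in ("Polygon", "MultiPolygon"):
        return [f"type {geo.get('type')!r} is not Polygon or MultiPolygon"]
    polygons = [geo["coordinates"]] if geo["type"] == "Polygon" else geo["coordinates"]
    return ["ring is not closed (RFC 7946 linear ring)" for rings in polygons
            for ring in rings if len(ring) < 4 or ring[0] != ring[-1]]

def lint_policy(policy_path):
    """Findings for one policy file and the geometry files it names."""
    policy_path = Path(policy_path)
    doc = json.loads(policy_path.read_text(encoding="utf-8"))
    defined = doc.get("restrictions", {})
    findings, used = [], set()
    for i, policy in enumerate(doc.get("policies", [])):
        for name in policy.get("restrictions", []):
            used.add(name)
            if name not in defined:
                findings.append(f"policies[{i}]: restriction '{name}' is not defined")
    for name, r in defined.items():
        if name not in used:
            findings.append(f"'{name}': defined but not referenced by any policy")
        if r.get("type") == "spatial":
            if r.get("spatialOperation", "intersects") == "intersects":
                findings.append(f"'{name}': intersects also returns features crossing the boundary")
            # Assumption: "source" is resolved relative to the policies folder
            src = policy_path.parent / r.get("source", "")
            findings += [f"{src.name}: {p}" for p in check_geometry(src)]
    return findings

def demo():
    """Constructed sample: the tutorial's policy before the restriction is referenced."""
    with tempfile.TemporaryDirectory() as d:
        w, s, e, n = 5.86725, 50.32375, 9.46245, 52.52860
        box = [[w, s], [e, s], [e, n], [w, n], [w, s]]
        Path(d, "nrw.geojson").write_text(json.dumps({"type": "Polygon", "coordinates": [box]}))
        policy = {"policies": [{"layers": ["*"], "roles": ["enhancedSecurity_any"]}],
                  "restrictions": {"nrw": {"type": "spatial", "source": "nrw.geojson"}}}
        Path(d, "policies-grenzen-wfs.json").write_text(json.dumps(policy))
        return lint_policy(Path(d, "policies-grenzen-wfs.json"))

if __name__ == "__main__":
    print("\n".join(lint_policy(sys.argv[1]) if len(sys.argv) > 1 else demo()))
```

Run it with the path to policies-grenzen-wfs.json as the only argument; no output means none of these checks found a problem.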

Restart Tomcat

Save the changes and restart Tomcat to apply them.

Verify configuration

To verify the configuration, call the protected service with the FeatureType Bundeslaender:

http://localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WFSServer?SERVICE=WFS&REQUEST=GetFeature&VERSION=2.0.0&TYPENAMES=common_grenzen%3ABundeslaender&SRSNAME=EPSG%3A3857

You will see that this query only returns the state North Rhine-Westphalia.