Allow access to WFS
In this tutorial, you will learn how to use security.manager for OGC to allow access to the WFS https://services.conterra.de/arcgis/services/common/grenzen/MapServer/WFSServer for everyone.
Further restrictions on access to services will be explained in the following tutorials.
Configure the service
In the server-config.json, all services whose access is to be secured by security.manager for OGC are listed.
During installation, you created this file in the directory ${user.home}/.secman-ogc.
To allow access to the WFS, open the server-config.json.
Add the following entry to the services section:
{
  "server": {
    "host": "https://services.conterra.de",
    "services": [
      {
        "path": "/arcgis/services/common/grenzen/MapServer/WFSServer",
        "type": "WFS"
      }
    ]
  }
}
This access must now be defined in more detail.
To do this, create a file policies-grenzen-wfs.json in the folder ${user.home}/.secman-ogc/policies.
Reference this file in the server-config.json by extending the entry for the WFS as follows:
{
  "server": {
    "host": "https://services.conterra.de",
    "services": [
      {
        "path": "/arcgis/services/common/grenzen/MapServer/WFSServer",
        "type": "WFS",
        "policy-ref": "policies-grenzen-wfs"
      }
    ]
  }
}
Define policies
In the policies-grenzen-wfs.json you just created, all policies for the WFS are defined.
In this tutorial, the service should be accessible to everyone.
Open the policies-grenzen-wfs.json and enter the following:
{
  "policies": [{
    "layers": ["*"],
    "roles": ["enhancedSecurity_any"]
  }]
}
In this policy:
- "roles": ["enhancedSecurity_any"] defines access for everyone, and
- "layers": ["*"] defines access to all layers.
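A check of which configured services are open to everyone, as an added example that is not part of the original tutorial or of security.manager for OGC: it reads server-config.json, resolves each policy-ref to <policy-ref>.json in the policies folder as described above, and reports every policy that grants enhancedSecurity_any. The function names, the finding texts and the /example/WFSServer entry are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

ANY_ROLE = "enhancedSecurity_any"  # role the tutorial uses for "everyone"

def audit(config_dir):
    """Return (service path, finding) pairs for server-config.json in config_dir."""
    root = Path(config_dir)
    server = json.loads((root / "server-config.json").read_text())["server"]
    findings = []
    for svc in server.get("services", []):
        ref = svc.get("policy-ref")
        if ref is None:
            findings.append((svc["path"], "no policy-ref"))
            continue
        # The tutorial stores <policy-ref>.json in the policies subfolder.
        policy_file = root / "policies" / f"{ref}.json"
        if not policy_file.is_file():
            findings.append((svc["path"], f"missing policy file {policy_file.name}"))
            continue
        for policy in json.loads(policy_file.read_text()).get("policies", []):
            if ANY_ROLE in policy.get("roles", []):
                layers = policy.get("layers", [])
                scope = "all layers" if "*" in layers else ", ".join(layers)
                findings.append((svc["path"], f"open to everyone: {scope}"))
    return findings

def demo():
    """Audit a constructed copy of the tutorial's files in a temp directory."""
    wfs = "/arcgis/services/common/grenzen/MapServer/WFSServer"
    config = {"server": {"host": "https://services.conterra.de", "services": [
        {"path": wfs, "type": "WFS", "policy-ref": "policies-grenzen-wfs"},
        # Constructed entry: its policy file is deliberately not created.
        {"path": "/example/WFSServer", "type": "WFS", "policy-ref": "policies-example"},
    ]}}
    policy = {"policies": [{"layers": ["*"], "roles": [ANY_ROLE]}]}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        (root / "server-config.json").write_text(json.dumps(config))
        (root / "policies" / "policies-grenzen-wfs.json").write_text(json.dumps(policy))
        return audit(root)

if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

To audit a real installation, call audit() with the .secman-ogc directory in the home directory of the user running Tomcat.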
Restart Tomcat
To apply the changes, security.manager for OGC must be restarted. Restart Tomcat to do this.
Verify configuration
In accordance with the policy, the WFS is now available to everyone at http://localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WFSServer.
Compare the capabilities of the two services:
- the target service: https://services.conterra.de/arcgis/services/common/grenzen/MapServer/WFSServer?request=GetCapabilities&service=WFS
- the protected service: http://localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WFSServer?request=GetCapabilities&service=WFS
You can see that the capabilities of both services are almost identical, except that links to services.conterra.de have been replaced with localhost:8080/secman-ogc.