Control access to layers

In this tutorial you will learn how to restrict access to the WMS https://services.conterra.de/arcgis/services/common/grenzen/MapServer/WMSServer to the layers World and Bundeslaender using security.manager for OGC.

Prerequisite

This tutorial builds on the files you created in the tutorial Allow access to WMS.

Identify layer names

To restrict access to the layers World and Bundeslaender, open the capabilities of the service: https://services.conterra.de/arcgis/services/common/grenzen/MapServer/WMSServer?request=GetCapabilities&service=WMS

The capabilities contain a <Layer> section in which all layers are listed with their names:

Excerpt from the capabilities
<Layer>
    <Title>
      <![CDATA[ Layers ]]>
    </Title>
    <!-- ... -->
    <Layer queryable="1">
        <Name>0</Name>
        <Title>
          <![CDATA[ World ]]>
        </Title>
        <!-- ... -->
    </Layer>
    <Layer queryable="1">
        <Name>1</Name>
        <Title>
          <![CDATA[ Bundeslaender ]]>
        </Title>
        <!-- ... -->
    </Layer>
    <Layer queryable="1">
        <Name>2</Name>
        <Title>
          <![CDATA[ Kreise ]]>
        </Title>
        <!-- ... -->
    </Layer>
    <Layer queryable="1">
        <Name>3</Name>
        <Title>
          <![CDATA[ Gemeinden ]]>
        </Title>
        <!-- ... -->
    </Layer>
</Layer>

In this tutorial you need the names 0 (World) and 1 (Bundeslaender).

Configure policy

Open the file policies-grenzen-wms.json from the tutorial Allow access to WMS. Change the layers entry of the policy to restrict access to the layers World and Bundeslaender:

${user.home}/.secman-ogc/policies/policies-grenzen-wms.json
{
  "policies": [{
    "layers": ["0", "1"],
    "roles": ["enhancedSecurity_any"]
  }]
}

Restart Tomcat

Save and close the file, then restart Tomcat to apply the changes.

Check configuration

To check the configuration, request the capabilities of the protected service: http://localhost:8080/secman-ogc/arcgis/services/common/grenzen/MapServer/WMSServer?request=GetCapabilities&service=WMS

Excerpt from the capabilities
<Layer>
    <Title>
      <![CDATA[ Layers ]]>
    </Title>
    <!-- ... -->
    <Layer queryable="1">
        <Name>0</Name>
        <Title>
          <![CDATA[ World ]]>
        </Title>
        <!-- ... -->
    </Layer>
    <Layer queryable="1">
        <Name>1</Name>
        <Title>
          <![CDATA[ Bundeslaender ]]>
        </Title>
        <!-- ... -->
    </Layer>
</Layer>

Under <Layer>, you will see only the permitted layers World and Bundeslaender. The layers Kreise and Gemeinden can no longer be accessed.
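
The manual check above can be repeated automatically after every policy change. The following Python script is an added example and not part of security.manager for OGC: it compares the layer names advertised in a capabilities document with the layers entries of the policy file. The sample documents are constructed from the excerpts in this tutorial, the function names are hypothetical, and the script assumes that layers entries are literal layer names.

```python
import json
import xml.etree.ElementTree as ET

# Constructed samples, modelled on the excerpts in this tutorial.
POLICY_JSON = '{"policies": [{"layers": ["0", "1"], "roles": ["enhancedSecurity_any"]}]}'
CAPS_PROTECTED = """<WMS_Capabilities xmlns="http://www.opengis.net/wms"><Capability>
<Layer><Title><![CDATA[ Layers ]]></Title>
  <Layer queryable="1"><Name>0</Name><Title><![CDATA[ World ]]></Title></Layer>
  <Layer queryable="1"><Name>1</Name><Title><![CDATA[ Bundeslaender ]]></Title></Layer>
</Layer></Capability></WMS_Capabilities>"""
# Same document with the two layers the policy does not list still present.
CAPS_UNFILTERED = CAPS_PROTECTED.replace("</Layer></Capability>", """
  <Layer queryable="1"><Name>2</Name><Title><![CDATA[ Kreise ]]></Title></Layer>
  <Layer queryable="1"><Name>3</Name><Title><![CDATA[ Gemeinden ]]></Title></Layer>
</Layer></Capability>""")

def local(tag):
    """Strip an XML namespace so WMS 1.1.1 and 1.3.0 documents parse alike."""
    return tag.rsplit("}", 1)[-1]

def advertised_layers(caps_xml):
    """Return {name: title} for every <Layer> that carries a <Name>, at any depth."""
    layers = {}
    for el in ET.fromstring(caps_xml).iter():
        if local(el.tag) != "Layer":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if "Name" in fields:  # the unnamed root <Layer> is only a container
            layers[fields["Name"]] = fields.get("Title", "")
    return layers

def permitted_layers(policy_json):
    """Union of all layers entries (assumed to be literal layer names)."""
    policies = json.loads(policy_json)["policies"]
    return {name for p in policies for name in p.get("layers", [])}

def audit(caps_xml, policy_json):
    """Return (leaked, missing): advertised but not permitted, permitted but absent."""
    advertised = advertised_layers(caps_xml)
    allowed = permitted_layers(policy_json)
    leaked = {n: t for n, t in advertised.items() if n not in allowed}
    return leaked, sorted(allowed - advertised.keys())

if __name__ == "__main__":
    for label, caps in (("protected", CAPS_PROTECTED), ("unfiltered", CAPS_UNFILTERED)):
        leaked, missing = audit(caps, POLICY_JSON)
        print(f"{label}: leaked={leaked} missing={missing}")
```

To check a live deployment, pass the response body of the GetCapabilities request above as caps_xml. An empty leaked result covers only what the capabilities advertise.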