deegree3 Security Requirements

All requirements regarding the deegree security proxy (DSP) are collected and managed in the deegree-services issue tracker.

The following table lists the requirements for the deegree security system which have 'not yet' been transferred to the deegree issue tracker.

ID scheme is "sec-[auth|g|ows|u3r|ui]-##" where

  • "auth" is for authentication requirements,
  • "g" is for general requirements,
  • "ows" is for open web services-related requirements,
  • "u3r" is requirements regarding the users, roles and resources and
  • "ui" is for user interface-related requirements.

| ID | Feature | Minispec | Status | Priority (M-S-C-W)(*) | Discussion |
|---|---|---|---|---|---|
| sec-auth1 | support cascadable, configurable authentication mechanisms | supported authentication mechanisms are tested one after another; if none is successful, the request can be denied or the user can be treated as anonymous | not started | M | - |
| sec-auth2 | dynamic extension of authentication mechanisms | list of supported authentication mechanisms is extensible and can be edited during runtime | not started | C | might become mandatory if authentication options are realized client-specific |
| sec-auth3 | support username/password authentication | tbd | not started | M | - |
| sec-auth4 | support sessionID | tbd | not started | ? | mandatory if backwards compatibility to deegree2 is needed |
| sec-auth5 | support IP-pattern authentication | tbd | not started | S | - |
| sec-auth6 | support HTTP Basic authentication | tbd | not started | M | - |
| sec-auth7 | support Network ID | e.g. in a Microsoft network in combination with IIS | not started | S | - |
| sec-auth8 | support SSO authentication | forward authentication information to an external service | not started | M | token in HTTP header? |
| sec-auth9 | issue ticket | request ticket from a server | not started | M | deegree should only implement interfaces to external ticket servers. How can user information be requested from these servers? |
| sec-auth10 | validate ticket | forward ticket to the appropriate server | not started | M | - |
| sec-auth11 | request user information related to ticket | tbd | not started | M | - |
| sec-auth12 | define valid ticket time | tbd | not started | M | - |
| sec-auth13 | support SSO | authentication of users through an external authentication service or identity provider such as OpenID | not started | S | - |
| sec-auth14 | support SAML | exchange authentication data via SAML with other external services | not started | S | - |
| sec-g1 | support HTTPS | client-server communication encrypted by SSL | not started | M | - |
| sec-ows1 | support deegree webservices (java-based) | secure deegree webservices (WMS, WFS, CSW) | not started | M | - |
| sec-ows2 | support other webservices (java-based) | secure other java-based webservices | not started | M | - |
| sec-ows3 | support webservices (non java/deegree-based) | secure other OGC services | not started | M | - |
| sec-ows4 | support for server-side portal component | secure portal components | not started | M | implementation is portal-specific, hence we need a plugin concept in order to support different portals/clients |
| sec-ows5 | support preconditions | deny requests because of missing rights; restrictions regarding request methods as well as request parameters | not started | M | - |
| sec-ows6 | support postconditions | manipulation of the reply dependent on the assigned rights | not started | S | - |
| sec-u3r01 | support users, groups, roles, rights and resources | all users, groups and roles as well as the resources to be protected are stored in a db | not started | ? | possibly not necessary if we rely entirely on external solutions; if external alternatives exist, see sec-u3r03 |
| sec-u3r02 | support different db as backend | tbd | not started | conditional | depends on the solution for sec-u3r01 |
| sec-u3r03 | usage of external user, group and role definitions | bind e.g. ActiveDirectory, LDAP, Tomcat or DB | not started | C | use cases need to be defined (external/internal definition of users/groups/roles); evaluate the possibility to exclusively use existing solutions |
| sec-u3r04 | password expiration date | support 'final expiration' and 'pw needs renewal' | not started | M | - |
| sec-u3r05 | support password for one-time usage | pw needs to be changed after first login | not started | S | one-time login for a new user in order to change the user pw |
| sec-u3r06 | configurable rules for valid password creation | min/max length, allowed characters, no words from dictionary, no relation to user name etc. | not started | M | as regular expression: `(?=.*[A-Z])(?=.*[@#$%&+=])(?=.*[a-z])(?=.*[0-9]).{6,50}$` |
| sec-u3r07 | expiration date for user | no expiration, expiration date, pause period | not started | M | - |
| sec-u3r08 | number of logins per user | unlimited, limit per resource | not started | C | - |
| sec-u3r09 | groups are users | groups are logically treated as users | not started | M | - |
| sec-u3r10 | relate users to groups | each user is member of 1..n groups | not started | M | - |
| sec-u3r11 | expiration date for groups | allows for temporal groups | not started | M | - |
| sec-u3r12 | resources can be of any type | freely defined resource types | not started | M | - |
| sec-u3r13 | combine resources to resource groups | tbd | not started | M | - |
| sec-u3r14 | resource groups are resources | resource groups are treated as resources themselves | not started | M | - |
| sec-u3r15 | relate resource to resource group | each resource is member of 0..n resource groups | not started | M | - |
| sec-u3r16 | relate resources to data sources/services | resources can be linked to a resource source, e.g. a Layer to a WMS; sources are resources themselves | not started | M | as in the concept of namespaces |
| sec-u3r17 | define right type | rights can be freely defined actions, e.g. GetMap, GetFeature etc. | not started | M | - |
| sec-u3r18 | grant rights to user/group | rights are granted through an association of a resource with a user and a right type | not started | M | - |
| sec-u3r19 | define additional constraints on rights | restrict a right through e.g. a FilterEncoding expression | not started | M | several options for the filter language are possible, needs further evaluation; options would include FilterEncoding, SQL, Java objects etc. |
| sec-u3r20 | define expiration time of right | no expiration, expiration date, pause period | not started | S | - |
| sec-u3r21 | support for clients (Mandanten, i.e. tenants) within the rights database | several separated sections within the rights database | not started | M | - |
| sec-u3r22 | support user roles (on administration level) | admin, sub-admin (administration only for a subset of u3r), users and anonymous | not started | S | is this feasible with sec-u3r03? |
| sec-u3r23 | support encryption | within the system, information can be stored encrypted or as clear text | not started | M | pw encryption: http://www.heise.de/security/artikel/Passwoerter-unknackbar-speichern-1253931.html |
| sec-u3r25 | support synchronization deegree security <> other security systems | classes/tools for import/synchronization; other systems e.g. ActiveDirectory/LDAP, Oracle, Postgres | not started | S | - |
| sec-ui1 | administration: web-based (HTML) | as stand-alone UI | not started | M | - |
| sec-ui2 | administration: web-based (HTML) | as part of deegreePortal | not started | M | - |
| sec-ui3 | administration: swing-based | stand-alone or JWS | not started | S | - |
| sec-ui4 | administration: command line tool | script/batch tools for user/rights management | not started | M | - |

(*) M-S-C-W: Must have, Should have, Could have, Won't have
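The cascading scheme of sec-auth1 and sec-auth2 (mechanisms tried in order, runtime-editable list, deny-or-anonymous fallback), as an added illustration that is not deegree code; the request dict, the `USERS` store and the two sample mechanisms standing in for sec-auth6 and sec-auth5 are constructed for this example.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# An authenticator inspects a request (a plain dict here, not deegree's own
# request type) and returns the authenticated user name, or None if the request
# carries no usable credential for this mechanism or the credential is wrong.
Authenticator = Callable[[dict], Optional[str]]

@dataclass
class AuthChain:
    mechanisms: List[Authenticator] = field(default_factory=list)  # ordered; editable at runtime (sec-auth2)
    allow_anonymous: bool = False  # sec-auth1: fall back to "anonymous" instead of denying

    def authenticate(self, request: dict) -> Optional[str]:
        for mech in self.mechanisms:  # tried one after another
            user = mech(request)
            if user is not None:
                return user
        return "anonymous" if self.allow_anonymous else None  # None: deny the request

# Constructed sample mechanisms standing in for sec-auth6 (HTTP Basic) and
# sec-auth5 (IP pattern). USERS is a constructed placeholder store; sec-u3r23
# requires stored passwords to be protected, so a real store holds hashes.
USERS = {"alice": "s3cret"}

def basic_header(user: str, pw: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

def http_basic(request: dict) -> Optional[str]:
    header = request.get("headers", {}).get("Authorization", "")
    if not header.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    if user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode()):
        return user
    return None

def ip_pattern(request: dict) -> Optional[str]:
    return "intranet" if str(request.get("client_ip", "")).startswith("10.0.") else None

def build_chain(allow_anonymous: bool = False) -> AuthChain:
    """Credential-based mechanism first, network-based mechanism as fallback."""
    return AuthChain([http_basic, ip_pattern], allow_anonymous)
```

Note that, exactly as the minispec states, a failed HTTP Basic attempt falls through to the next mechanism; whether a network-based mechanism should be allowed to succeed after a wrong password is a policy decision the chain order has to reflect.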

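The password rules of sec-u3r06 (the table's regular expression plus the dictionary and user-name checks it lists), as an added example that is not deegree code; the word list is constructed, and the function names are this example's own.

```python
import re

# The pattern exactly as given for sec-u3r06 in the table above. It has no
# leading '^', so it only enforces the {6,50} length bound with an implicitly
# anchored matcher (e.g. Java's String.matches()). With a search-style matcher
# it accepts any over-long string whose last 50 characters satisfy the rules.
PAGE_PATTERN = r"(?=.*[A-Z])(?=.*[@#$%&+=])(?=.*[a-z])(?=.*[0-9]).{6,50}$"
ANCHORED = re.compile("^" + PAGE_PATTERN)

# Constructed sample word list; a deployment would load a real dictionary.
DICTIONARY = {"password", "welcome", "geodata", "deegree"}

def check_password(pw: str, username: str) -> list:
    """Return the names of the sec-u3r06 rules a candidate password violates.

    An empty list means the password is acceptable.
    """
    problems = []
    if not ANCHORED.match(pw):
        problems.append("pattern")       # length and character classes
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("dictionary")    # no words from dictionary
    if username and username.lower() in lowered:
        problems.append("username")      # no relation to user name
    return problems

def unanchored_accepts(pw: str) -> bool:
    """The pitfall: the page's pattern used with re.search() and no '^'."""
    return re.search(PAGE_PATTERN, pw) is not None
```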