Wednesday, December 1, 2010
We presented the facade approach developed previously, demonstrating single sign-on from an unmodified desktop GIS client application (QGIS) to two separate OGC Web Map Services (WMS), with authentication taking place separately in a standard browser. These were unmodified services, with access controlled by IP address in one case and by a developer API key in the other. Two facades were put up for the event, additionally enabling federated access to these services.
It was interesting to see the range of other approaches that were presented. A number of commercial vendors demonstrated prototype versions of their desktop GIS client offerings, modified to forward authentication requests from web services (via the ECP protocol or otherwise) to an identity provider selected from those listed in a given federation's metadata by using a built-in graphical user interface. In several cases, the authentication forwarding was based on template open-source Java software developed by Andrew Seales and others in the EDINA geospatial team. One participant demonstrated access to federated web services from unmodified desktop clients by means of a facade application locally installed on the client system, which proxies federated services to plain HTTP localhost-only ports (a flexible approach we also considered earlier in WSTIERIA).
Many thanks to Chris Higgins of the EDINA geospatial team for inviting WSTIERIA to take part in this event. He is involved both in WSTIERIA and in the OGC Interoperability Experiment and EDSIN projects described in the press release.
Monday, June 14, 2010
During discussions with the SDSS team at EDINA, one possibility that came up was to think about trying to use the facade technique to make federated authentication work with WebDAV. For those not familiar with it, WebDAV allows a web server (such as Apache) to make a directory tree on the server's host system accessible to remote clients via an XML-based web protocol. One of the attractive properties of WebDAV is that clients for the protocol come built in to common desktop operating systems, including Linux and Windows. In both systems, the client presents a web directory using the same user interface as if it was a directory in the local file system. Also, WebDAV servers are available as plug-in components for both Apache and Windows IIS. The combination of standard servers and clients would allow anyone interested to experiment with adding federated access.
Additionally, such a facility might be of practical use. Consider a directory of shared files that are too large to e-mail conveniently but should not be made public. It might be possible using WebDAV plus federated authentication to make these available to selected users via their existing federated access credentials. A specific approach to this problem has been discussed on the JISC-SHIBBOLETH list in the past but we wanted to see if our general technique could tackle it.
We duly set off down the road of attempting to add a federated authorisation facade in front of a WebDAV server and have now published WSTIERIA Technical Note 2 describing our experiences.
The result was something of a mixed bag. On one hand, we did browbeat both Linux and Windows clients into accessing an Apache WebDAV server via a very simple federated authentication facade within the UK Federation. On the other hand, only partial client functionality was supported: opening, viewing, creating and deleting files in the web directory. Some peculiarities of the WebDAV protocol prevented the use of the general facade technique from Technical Note 1 unmodified for creating directories and some other operations involving renaming. A different implementation specific to the WebDAV protocol (such as the one linked to above) should be able to handle those issues, but we did not take that additional step as our main interest is in authorisation for web services in general.
Monday, April 26, 2010
If you're interested in this approach to supporting federated web services, there should be enough in the document to allow you to have a go yourself using nothing more than a stock installation of Apache and a little scripting (the examples in the document use perl).
I am hoping that by releasing working documents as we go along like this, it may be possible to generate engagement with others in the community with an interest in this area well before the final report appears and the project ends.
The focus is now shifting towards applying the method to real use cases. After presenting an overview of the project to an internal EDINA audience last week, a meeting with representatives from the different application groups within the organisation has been arranged for next week.
In terms of the project work packages, the release of this technical note constitutes completion of task 11 (milestone M1), prototype facade implementation based on standard Shibboleth SP software. Given that the implementation is much simpler (and therefore likely more robust) than originally envisaged, consisting mostly of configuration rather than code, and has now been written up for a general audience, it will probably also be treated as being at least the first version of task 13, released facade implementation.
Tuesday, April 13, 2010
In fact, we have been using "REST-style" simply as shorthand for "non-SOAP-based" web services. Although the authorisation facade can easily be seen as a connector component enforcing security policies within a RESTian layered system, its requirement for the presence of an explicit session id in URLs embeds state into those URLs. A particular session id may be valid at a given time but will soon expire, leaving the client with a broken link that cannot be used to access the resource in the longer term.
This isn't a complete show-stopper of course, because many simple web services are accessed by plain HTTP (without SOAP) but don't require the full panoply of REST architectural features. Nevertheless, we should endeavour to be more accurate in the terminology used in future.
Incidentally, this is one reason for being interested in OAuth WRAP (the current specification, 0.9.7.2, is available in the files area of its Google groups site). WRAP has some conceptual similarities to the SEE-GEO/WSTIERIA method but uses the HTTP Authorization: header to carry a token, exploiting the extensibility built into that part of the HTTP standard, rather than using the URL. Others have used cookies. In either case, the session id or token is taken out of the URL. WRAP additionally provides a mechanism for the client to renew expired tokens. The drawbacks are that, although it has been submitted to IETF for standardisation, WRAP is not yet widely deployed (but implementations are starting to appear, notably from Facebook and Microsoft). The client must also support the protocol. Working with completely unmodified clients, which do not support WRAP (or even cookies) therefore remains one of the strengths of the SEE-GEO/WSTIERIA approach, justifying placement of the session id in the URL.
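To make the trade-off in the two paragraphs above concrete, here is a small Python model of an authorisation facade that accepts the session id either embedded in the URL path (the SEE-GEO/WSTIERIA placement, usable by clients that send neither cookies nor custom headers) or in a WRAP-style Authorization header. This is an added example for this post, not the project's facade (which is Apache plus Shibboleth SP configuration, not Python) and not any WRAP implementation. The back-end API key, its header name, the `/s/<session id>/` URL prefix, the session lifetime and the identity header forwarded to the back-end are all assumptions for illustration. The test at the end shows the expiry behaviour discussed above: the same URL works until the session expires and then becomes a broken link.

```python
import secrets
import time
from dataclasses import dataclass

SESSION_TTL = 3600                 # seconds a session id stays valid (assumed)
BACKEND_API_KEY = "dev-key-0001"   # constructed back-end secret, known only to the facade


def backend(path, headers):
    """Stand-in for an unmodified back-end web service (e.g. a WMS) that is
    protected only by a developer API key sent in a request header.
    The header name is an assumption for this example."""
    if headers.get("X-Api-Key") != BACKEND_API_KEY:
        return 403, "forbidden: missing or bad API key"
    return 200, f"backend served {path}"


@dataclass
class Session:
    user: str
    expires: float


class Facade:
    """Authorisation facade in front of `backend`.

    After the user has authenticated (the browser/Shibboleth step is not
    modelled here) the facade hands out a session id. Requests may carry it
    in the URL path, /s/<sid>/<back-end path>, which even an unmodified client
    can do because it only sees an ordinary URL, or in an Authorization header
    for clients able to set one (the WRAP-style form is assumed here)."""

    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be exercised
        self.sessions = {}

    def login(self, user):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = Session(user, self.now() + SESSION_TTL)
        return sid

    def _session(self, sid):
        s = self.sessions.get(sid)
        if s is None or s.expires <= self.now():
            self.sessions.pop(sid, None)   # an expired id is forgotten; the URL is now dead
            return None
        return s

    def handle(self, path, headers=None):
        """Return (status, body) for one client request."""
        headers = headers or {}
        sid, backend_path = None, path

        # Form 1: session id embedded in the URL path.
        parts = path.split("/", 3)
        if len(parts) == 4 and parts[1] == "s":
            sid, backend_path = parts[2], "/" + parts[3]

        # Form 2: Authorization: WRAP access_token="<sid>" (format assumed).
        auth = headers.get("Authorization", "")
        if sid is None and auth.startswith("WRAP access_token="):
            sid = auth[len("WRAP access_token="):].strip('"')

        session = self._session(sid) if sid else None
        if session is None:
            return 401, "no valid session: authenticate in the browser first"

        # The client never learns the back-end credential; the facade adds it
        # and strips the client's own Authorization header before forwarding.
        fwd = {k: v for k, v in headers.items() if k != "Authorization"}
        fwd["X-Api-Key"] = BACKEND_API_KEY
        fwd["X-Federated-User"] = session.user   # hypothetical identity hint
        return backend(backend_path, fwd)


if __name__ == "__main__":
    clock = [0.0]
    facade = Facade(now=lambda: clock[0])
    sid = facade.login("alice")
    url = f"/s/{sid}/wms?REQUEST=GetCapabilities"
    print(facade.handle(url))                     # served while the session lives
    clock[0] += SESSION_TTL + 1
    print(facade.handle(url))                     # same URL, now a broken link
```

The point the model makes is that putting the session id in the URL costs nothing on the client side but ties the URL's validity to the session's lifetime, whereas the header form keeps URLs stable and leaves renewal to a client that understands the protocol.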
Monday, March 15, 2010
My presentation (PDF, PPT) about WSTIERIA to the Security working group got a fair number of questions, which is usually a good sign, and the chairman reckoned it had hit the right level for the audience (though after he had asked for an earlier draft to be made less detailed, with fewer slides!)
This was the first OGC meeting I have attended, so other than giving the talk I had two days to meet and greet new people, ably introduced by my colleague Chris Higgins, and become attuned to the feel of the event and the interests of those attending.
The OGC seems to be trying to enhance as much as possible of the web with geospatial information and queries, covering as many services and protocols as possible. This is of course a very large task, touching on most areas of current interest in web development, up to and including the Semantic Web, and so the scope is extremely wide. It is a formal standards organisation with well defined processes, strongly influenced by the ISO example. My colleagues Sandy Shaw and Ed Dee, who have both served on big standards committees, would be right at home here. Formal motions are put. I witnessed one proposal being politely but brutally ambushed and shot down but most others got "assumed unanimous consent", which appears to be an accepted idea. This is interestingly combined with free-flowing, detailed technical discussion of proposals. It's been years since I've been even tangentially involved with standards work (last time I think was an occam language binding for MPI, really...) but it all came flooding back. There was the cut and thrust of good ideas presented by clever people. My favourite here was a proposal for a one-dimensional co-ordinate system to be available in addition to the 2 and 3-D co-ordinates usually used for geographic location, to accommodate "2 miles past Junction 12 on the M6" and so on (the railway anorak in me wanted to ask about offsets in miles and chains, but I resisted).
Of course, there is also the grinding of corporate and personal axes, the impossibly annoying hair-splitting and the "wow, I didn't think of that!" My favourite in this last category was a question from the floor to a presenter looking to define a geospatial query extension to the OpenSearch interface to search engines, as used by the built-in search boxes in modern browsers. The presenter's main ambition was to keep it simple and enable mass-market adoption. The question: why does your proposed interface assume that the location is on the Earth? Apparently, the existing specialised interfaces for searching OGC service catalogues already allow for places on the Moon, Mars and Beyond!
Thursday, March 11, 2010
It didn’t make much sense to travel back from London to Edinburgh on Thursday evening only to fly out on Tuesday to Italy to give a talk at the Open Geospatial Consortium (OGC) Technical Committee meeting in Frascati. Instead, I decided to meet up with friends in London on Thursday evening, do tourist things in London on Friday and fly out to Rome on Saturday morning.
I stayed on for an extra day at the Devonport House hotel in a personal capacity, and since I was starting at Greenwich went for a wander through Greenwich Market and into the Royal Park. One of the culinary highlights of the trip was an excellent Ethiopian veggie carry-out lunch in a plastic box from one of the market stalls: chick peas, potatoes, carrots that I could see, with chilli, lime pickle and other less identifiable spices. I ate that walking through the park going up the hill to the Royal Observatory.
After that I went hunting locally for a travel keyboard and mouse. My venerable HP TC1100 convertible tablet was always destined to have keyboard trouble given the complicated converting hinge mechanism, but it and its predecessor almost-identical Compaq model had in fact survived quite happily since 2003 until recently. On this trip the keyboard died completely. Unfortunately nothing was available locally, so I ended up going to the huge shopping centre that lies beneath Canary Wharf to try and find something suitable. Since I was in tourist mode anyway, this was combined with lots of rubber-necking up at One Canada Place and the other bombastic 80s towers about there, which was all quite fun since it was a beautiful sunny day. It took forever to find Curry’s Digital, since the maps show the three stacked shopping levels as if they were adjacent streets in the same plane rather than on top of each other. The nearest thing they had was a smallish Logitech desktop keyboard that fits in my backpack and has done the job. (Handwriting recognition is fine for short phrases but tedious on long text).
Off then to Gatwick airport. I had asked Julie, who does EDINA’s travel organising, for an airport hotel, and she had booked me into the Yotel, which turns out to be physically inside the South Terminal (down in the lift beside the Costa coffee shop), which is great. The compromise is that they offer “cabins” rather than rooms, with just enough space for a single bunk bed, a drop-down table, a folding camp stool hung on the door, a shower and basin, with eerie low-level purple lighting, and booked by the hour! The effect being aimed at is a luxurious, super-first class, flat-bed aircraft seat plus shower (A380-style) or a ship’s cabin, rather than a hotel room, and it works quite well. Breakfast is bookable from the “galley”.
The upshot was just a short walk to my 0650 flight and away. Easyjet go to Rome Fiumicino so in to Termini station on the Leonardo Express (about 30 minutes) then change for Frascati, avoiding the various pickpockets, con artists and other dodgy characters who hang around Termini waiting to pounce on tourists. It’s only another 30 minutes on the train to Frascati and a taxi to the hotel. Because this part of the trip was non-work I splashed out for a very nice converted palazzo out of town, built by a Cardinal in the 1580s, where you can sit around reading a magazine in the great hall looking at the original frescos. Occasionally a guided tour party wanders past! Dinner there on Sunday was matchingly excellent, then off down-market on Monday to a cheaper, motel-style place I had chosen for the OGC conference! My colleague Chris Higgins arrived on Monday evening so we had a beer in the hotel bar before turning in.
Thursday 4 March was an all-day start-up meeting for the JISC Access and Identity Management (AIM) Programme at Devonport House in Greenwich. Chris Brown ran us through how projects are expected to interact with the programme as a whole, project reporting and so on. Later in the day, Andy McGregor from JISC introduced the new JISCPM project management forum, complete with its own #jiscpm twitter hashtag.
The rest of the day was mainly a short presentation from each project in the programme. These ran in alphabetical order, so WSTIERIA was up last (didn't think of that one when choosing the acronym, maybe A1 Web Service Plumbers would have been better...)
The GRAND project at Newcastle also has an N-tier element, but based on Kerberos so targeted at back-end tiers within a single administrative domain. The example use cases mentioned were federated login to something like a student portal, with the portal getting a Kerberos ticket allowing it to invoke back-end services such as an enterprise e-mail system (to show the student that they have pending mail), or a file system.
The most unexpected potential commonality was with the Student-Managed Access to online Resources (SMART) project, also at Newcastle. Maciej Machulak described the work they are doing as contributors to the new User-Managed Access (UMA) standard within the Kantara initiative. I mentioned I had taken a look at OAuth WRAP because of its conceptual similarities to the web service access-control façade idea from the previous JISC/EDINA SEE-GEO project on which WSTIERIA is based. Maciej says that UMA has some similar features. Both he and Aad van Moorsel from SMART suggested a visit to Newcastle, which sounds well worth while.
Wednesday, March 10, 2010
I got a taxi from the meeting with MIMAS to Piccadilly Station. I cut it a bit fine though. The 13.55 to London Euston pulled out just a couple of minutes after I got sat down. The train was quite quiet and we had a mostly unimpeded run down the West Coast main line in about two hours. The plan was to take the Northern Line to London Bridge and change there to get to Greenwich main line station for the JISC AIM Programme’s get-together dinner that evening in Greenwich. Luckily I saw the whiteboard with the notice about a line-side fire at London Bridge that was causing major disruption, so switched horses and took the Docklands Light Railway from Bank out to Cutty Sark via Canary Wharf instead. I got the benefit of a front seat, the driverless DLR being one of the few trains where you can see out the front as if you were the driver, adding to the tourist experience.
We all met up at the Admiral’s Bar in the Devonport House hotel to walk to the nearby restaurant (everything in Maritime Greenwich has a nautical flavour). It was a good choice of place and there were few enough of us (about a dozen) for people to be able to talk to each other. I was sat next to a trio from the University of Kent: Bonnie Ferguson, George Inman and Matthew Slowe. Bonnie corresponded with me previously when I was doing SDSS technical support for the UK federation but we had never met; George had corresponded with me when we were both working on the JISC Review of OpenID but we had only previously met once (at the AIM Programme Briefing Day in Birmingham in September 2009); Matthew and I were meeting for the first time. Chris Brown, the JISC Programme Manager, was also sitting next to us.
Other than just getting to know each other a bit better, I got to find out a bit more about the AIM project that Kent is working on, Logins for Life. This is a joint attempt by Kent’s information services directorate and David Chadwick’s information systems security research group in the school of computing to look properly at how individuals could access university services using whatever existing personal account(s) they might already have (e.g., an OpenID). The accounts used might also change over time. This is instead of the present approach of having to use a university-issued account to access university services. This was one of the possibilities we looked at in the OpenID review, which was a joint effort between Kent and EDINA. It always seemed quite appealing to me (I remember floating it in a blue-sky discussion with Nate Klingenstein) but we got a dose of cold water from the (few) actual IT support people we spoke to (“how would that benefit the institution?”) So it’s good to see Kent having a go.
Monday, March 8, 2010
The next morning (3 March) after finding the building where the people we were to meet are based (which is cunningly hidden, Man From U.N.C.L.E.-style, within a 1960s shopping centre on Oxford Rd.), Chris Higgins and I met with Keith Cole and Kamie Kitmitto of MIMAS. Keith is Director of MIMAS, EDINA's sister national data centre in Manchester; Kamie leads the MIMAS geospatial team; Chris is the EDINA geospatial team's liaison with the WSTIERIA project. We were later joined by Andrew Rawley from Manchester computing, who has been doing Shibboleth-related work for MIMAS.
I had originally envisaged possible co-operation with MIMAS on WSTIERIA by making some of EDINA's back-end geospatial web services available for authenticated access. These services would provide data for integration and display in a user-facing MIMAS service (such as Landmap). However, both Keith and Kamie felt that it would be better for MIMAS to make data which they hold available via authenticated web services instead. User-facing EDINA services such as Digimap could then display these data. This was suggested because they viewed EDINA as having stronger capabilities in presenting geographic data with good cartographic quality, while MIMAS' strength is more in back-end data management. Also the MIMAS geo team is a lot smaller (three people) and user-interface development is very resource-intensive.
In order to pursue this approach, and for EDINA to be able to provide as large a proportion as possible of the short-term development effort (from either WSTIERIA or Chris Higgins' related OGC Authentication Interoperability Experiment, AuthIE), it would be necessary for MIMAS to provide IP-address protected access to one or more of their back-end web services from EDINA development machines. This might be harder than it sounds, since currently everything is secured by JBoss mechanisms shared with the production systems, and therefore hard to change. There was agreement though that MIMAS should quantify the level of effort that would be required to create such a development "sandpit", which would be useful for both WSTIERIA and the AuthIE. Both Keith and Kamie were supportive of the idea, both to enable longer-term interoperability with EDINA and also to build up authentication expertise within the MIMAS geo team.
Doing this would open up the prospect of a WSTIERIA demonstrator that might, for example, be able to display aerial images from MIMAS Landmap data aligned with roads or administrative boundary data from EDINA, which could be used to assess the level of end-user interest in such integration before investing major effort in moving to production.
This was the first time I had met either Keith or Kamie, and I came away with a good sense of possible co-operation if resource constraints could be addressed. The meeting was definitely helped along by Kamie offering round some mahmoules (sp?), which seem to be a form of levantine shortbread, filled with dates or pistachio paste, very nice! (Chris says levantine is an archaic word but I disagree!)