52°North - exploring horizons - logo

52°North WSS Quickstart

The 52°North WSS is a web service that allows policy-based access to OGC Web Services acting as a proxy.

This Quick Start describes how to:

  • start the WSS management interface
  • protect a local WMS instance
  • register new users
  • asign permissions to existent users
  • load protected services

Getting Started

For this OSGeo-Live distribution, the 52°North WSS is already set up to protect an instance of each supported OGC service: WMS, WFS, WPS, and SOS.

To get a list of protected services follow these steps:

  1. Go to Geospatial ‣ Web Services ‣ 52North ‣ Start 52North WSS to start the 52°North WSS or use this direct link.

  2. The 52°North WSS management interface will open in a browser window. Click Manage WSS (1) to get a list of those services, that can be connected using the WSS.



If it’s requested, authenticate as user/user

WSS manager

For each protected service, called Enforcement Point, the table contains the base links to the service by authentication method (httpauth, saml, WSS, ...). The table has the following columns:

  • Enforcement Point Identifier
  • Protected OGC Service base URL
  • OGC Service Type
  • Available authentication methods
  • Available actions

Secure a WMS

In this section we’re going to protect a local WMS instance.

Create a new enforcement point

  1. Start the GeoServer WMS included in the OSGeo-Live DVD by selecting Geospatial ‣ Web Services ‣ GeoServer ‣ Start GeoServer. GeoServer takes up to a minute to start, and will open a browser window once finished.

  2. Press the Create link (1) in the manager main window

  3. Fill the new protected server properties

  4. Press the Create button to create the new Enforcement Point. A new row will appear in the manager main window


Create a new user

  1. Open a new terminal emulator by selecting the menu option Applications ‣ Accessories ‣ Terminal Emulator

  2. Edit the file users.xml present at the directory /var/lib/tomcat6/webapps/wss/WEB-INF/classes/:

    $ cd /var/lib/tomcat6/webapps/wss/WEB-INF/classes/
    $ sudo medit users.xml
  3. Add a new user called livedvd by adding the next text as a new entry at <UserRepository> level (1):

    <User  username="livedvd" password="livedvd" realname="LiveDVD">
      <Role name="livedvd"/>
  4. Save the changes and exit medit


The users.xml file is only available to users with access to root privileges, which is achieved when using the “sudo” command. You will need to use the password “user” if prompted.

Adjust new user policies

Now we will set up the following access policies for the newly protected WMS:

  • User livedvd -> Full access to all the layers from the WMS
  • Users bob and guest -> Access only to the layer tasmania
  • Other users -> Access not authorized to the WMS
  1. Return to the terminal emulator window.

  2. Edit the file permissions.xml present at the directory /var/lib/tomcat6/webapps/wss/WEB-INF/classes/:

    $ sudo medit permissions.xml
  3. Add a new permission set called Geoserver localhost by adding the following text as a new entry at <SimplePermissions> level (1):

    <PermissionSet name="Geoserver localhost">
      <ResourceDomain value="http://localhost:8080/wss/service/geoserver_localhost/*"/>
      <ActionDomain value="http://localhost:8080/wss/service/geoserver_localhost/*"/>
      <SubjectDomain value="urn:n52:security:subject:role"/>
      <Permission name="livedvd_all_geoserver">
        <Resource value="layers/*"/>
        <!-- Any layers -->
        <Action value="operations/*"/>
        <!-- Any operations -->
        <Subject value="livedvd"/>
      <Permission name="bobAndGuest_most_GetMap_GetCaps_geoserver">
        <Resource value="layers/tasmania"/>
        <Action value="operations/GetCapabilities"/>
        <Action value="operations/GetMap"/>
        <Subject value="bob"/>
        <Subject value="guest"/>
  4. Save the changes and exit medit

Restart Tomcat

In order to load the users and permissions changes, it’s necessary to restart the Tomcat service:

  1. Return to the terminal emulator window.

  2. Restart the tomcat service:

    $ sudo service tomcat6 restart

Load a protected OGC Service

In order to request the capabilities of the protected Geoserver WMS, follow the next steps:

  1. Type http://localhost:8080/wss/service/geoserver_localhost/httpauth?SERVICE=WMS&REQUEST=GetCapabilities in a browser

  2. Authenticate as livedvd/livedvd to get access with full permissions or authenticate as bob/bob to access the service under limited permissions (only tasmania layer will be available)



If you’d like to request the capabilities with a different user account you have to restart the browser in order to invalidate current user cached credentials

To further test the protected service, load http://localhost:8080/wss/service/geoserver_localhost/httpauth as WMS into any desktop mapping client that supports HTTP Basic Authentication. Follow the next steps for QGis:

  1. From the start menu, select Geospatial ‣ Desktop GIS ‣ Quantum GIS

  2. The application will take a few seconds to start (a splash screen is shown while loading)

  3. Press the Add WMS Layer button from the main toolbar (1)

  4. Press the New button (1) in order to create a new WMS connection

  5. Set the connection properties and press Ok button (5) to create the connection

  6. Press the Connect button (1) to load the WMS layers. The full list of layers will be available for the user livedvd

  7. Press the Edit button (1) to edit the connection properties

  8. Set the connection properties again and press Ok button (3) to edit the connection

    • User name : bob (1)
    • Password : bob (2)
  9. Press the Connect button (1) to reload the WMS layers. Only tasmania layer will be available for the user bob


Things to try

Here are some additional challenges for you to try:

  1. Protect a WFS from the local Geoserver instance
  2. Add more users to a protected OGC service
  3. Modify the access policies to any of the other protected services for the user livedvd

What Next?

Visit the 52°North User Guide

Copyright & Disclaimer