UK Ministry of Defence
The Geospatial Intelligence Integrated Reference Architecture (GI2RA) project implements an SDI framework for the sharing and exchange of geospatially related data encoded as GML.
GI2RA Data Sharing
In Phase I, a Pull replication model was implemented. Changes at data sources are pulled automatically from the data sources as GML messages, executed as defined by the subscription, and subsequently delivered to the subscriber's target data store. A Controller node acts as a Pub/Sub manager and as a message broker between publisher and subscriber data stores. Publications and subscriptions can be created at runtime via a web application user interface that is provided as an administration interface to users and administrators. Access to the interface is subject to authentication and access control policies.
One major focus of this project was the implementation of a web service security layer to protect OGC web services such as Web Feature Service (WFS) and Web Registry Service (WRS) from unauthorized access and to protect messages from unauthorized manipulation and inspection while traveling through different physical nodes and across the internet. This required the implementation of a security framework that covered various security aspects such as:
- Identity Management and Authentication
- Authorization and Access Control
- Confidentiality and Encryption
- Data Integrity and Authenticity
- Message Level Security (MLS).
The security framework implementation was based on standard specifications from OASIS and other standard bodies. This guaranteed interoperability with other external systems and environments that are also using XML for interoperability via web services.
The standards that support the security aspects mentioned above are:
- WS-Security and WS-SecurityPolicy
- WS-Trust and WS-Federation
- XML Canonicalization, XML Signature, and XML Encryption
- SAML and XACML
GI2RA Security Service Architecture
Authentication was based on the implementation of a Security Token Service that used SAML tokens to authenticate, sign, and encrypt the messages before sending them to the relying party web service.
The relying party web service acted as a Policy Enforcement Point, which used a Policy Decision Point to request an access control decision based on the subject, content, and target of the message. The Policy Decision Point evaluated the access request using XACML policies retrieved from a Policy Administration Point that used the Galdos registry web service INdicio to manage the XACML policies.
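The PEP/PDP/PAP flow described above, as an added example that is not code from the GI2RA project or Galdos: an in-memory Policy Administration Point stands in for the INdicio registry, the Policy Decision Point evaluates a request's subject (role), message content (the WFS operation) and target against simplified XACML-style rules with deny-overrides combining, and the Policy Enforcement Point only lets the service operation run on an explicit Permit. The rule format, attribute names, roles and operation names are assumptions made for this example.

```python
"""Added example (not GI2RA or Galdos code): a miniature PEP -> PDP -> PAP
access control flow in the shape the page describes. Rule attributes, role
names and targets are constructed for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """Simplified XACML-style rule: every non-None attribute must match."""
    effect: str                        # "Permit" or "Deny"
    role: Optional[str] = None         # subject attribute; None = any role
    operation: Optional[str] = None    # taken from message content; None = any
    target: Optional[str] = None       # service addressed by the message; None = any

    def applies_to(self, request: Dict[str, str]) -> bool:
        return all(
            wanted is None or request.get(attr) == wanted
            for attr, wanted in (("role", self.role),
                                 ("operation", self.operation),
                                 ("target", self.target))
        )


class PolicyAdministrationPoint:
    """Stores policies; the page used a registry service, a dict is used here."""
    def __init__(self) -> None:
        self._policies: Dict[str, List[Rule]] = {}

    def publish(self, policy_id: str, rules: List[Rule]) -> None:
        self._policies[policy_id] = list(rules)

    def retrieve(self) -> List[Rule]:
        return [r for rules in self._policies.values() for r in rules]


class PolicyDecisionPoint:
    """Evaluates a request against all applicable rules, deny-overrides."""
    def __init__(self, pap: PolicyAdministrationPoint) -> None:
        self.pap = pap

    def decide(self, request: Dict[str, str]) -> str:
        applicable = [r for r in self.pap.retrieve() if r.applies_to(request)]
        if not applicable:
            return "NotApplicable"
        if any(r.effect == "Deny" for r in applicable):
            return "Deny"
        return "Permit"


class PolicyEnforcementPoint:
    """Fronts the relying-party web service; anything but Permit is refused."""
    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def handle(self, request: Dict[str, str], operation: Callable[[], str]) -> Dict[str, object]:
        decision = self.pdp.decide(request)
        if decision != "Permit":            # default-deny: NotApplicable is also refused
            return {"status": 403, "decision": decision}
        return {"status": 200, "decision": decision, "body": operation()}


def build_demo() -> PolicyEnforcementPoint:
    # Constructed policies: analysts read, editors read and write, and a
    # separate policy embargoes contractors even though a Permit rule exists.
    pap = PolicyAdministrationPoint()
    pap.publish("wfs-read", [Rule("Permit", role="analyst", operation="GetFeature", target="wfs")])
    pap.publish("wfs-write", [Rule("Permit", role="editor", operation="GetFeature", target="wfs"),
                              Rule("Permit", role="editor", operation="Transaction", target="wfs")])
    pap.publish("contractor-read", [Rule("Permit", role="contractor", operation="GetFeature", target="wfs")])
    pap.publish("contractor-embargo", [Rule("Deny", role="contractor", target="wfs")])
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap))


def run_demo() -> Dict[str, tuple]:
    pep = build_demo()
    wfs_operation = lambda: "<wfs:FeatureCollection/>"   # stands in for the protected service
    cases = {
        "analyst-read":    {"role": "analyst",    "operation": "GetFeature",  "target": "wfs"},
        "analyst-write":   {"role": "analyst",    "operation": "Transaction", "target": "wfs"},
        "editor-write":    {"role": "editor",     "operation": "Transaction", "target": "wfs"},
        "contractor-read": {"role": "contractor", "operation": "GetFeature",  "target": "wfs"},
        "guest-read":      {"role": "guest",      "operation": "GetFeature",  "target": "wfs"},
    }
    return {name: (pep.handle(req, wfs_operation)["status"], pep.decide_for_log(req))
            if False else (pep.handle(req, wfs_operation)["status"], pep.pdp.decide(req))
            for name, req in cases.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:16} -> {result}")
```

The point to keep from this sketch is the enforcement rule in `PolicyEnforcementPoint.handle`: a PEP must treat NotApplicable (no matching policy) exactly like Deny, and deny-overrides means a single Deny rule from a separate policy wins over an existing Permit, which is what makes a later embargo policy effective without editing every Permit.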
GI2RA Phase II implemented a data sharing and incremental updating infrastructure, incorporated as an SDI based on an Event Driven Service Oriented Architecture framework. The system comprises loosely coupled services that communicate via JMS and are orchestrated via a Java Business Integration environment. The environment supports the composition of services that are decoupled from their implementations by creating Service Assemblies as EJB3 components running in an Enterprise Application Container.
The SDI framework implemented by Galdos decouples data providers from data consumers via a Peer-to-Peer network of publisher and subscriber nodes that are used to broker the geospatial data as XML (GML) messages.
Phase II implemented a Push model for replicating changes from data sources to data targets. The XML messages are triggered automatically by changes at the provider data sources and are sent (pushed) to the nearest neighbour broker service for subscription matching and subsequent transformation and propagation to subscribers. Users subscribing to publications can constrain their subscriptions by selecting specific data entities and can also provide further constraints based on the content of the XML messages via filters such as bounding boxes and property values.
If the data source and the subscriber's data target have a different format and different data encodings, the data are automatically transformed and mapped to the consumer's data target format.
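The subscription matching step described for Phase II, as an added example that is not code from the GI2RA project or Galdos: a broker node receives a GML change message and routes each feature to the subscriptions whose feature type, bounding box and property-value filters it satisfies. The message, the application namespace, the feature types and the subscription format are constructed for this example; only the `gml:id` and `gml:pos` conventions are real GML.

```python
"""Added example (not GI2RA or Galdos code): matching a constructed GML change
message against subscriptions constrained by feature type, bounding box and
property values, as a broker node would do before propagating to subscribers."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

GML = "http://www.opengis.net/gml"
APP = "http://example.org/app"        # constructed application namespace

# Constructed change message pushed from a publisher node (three inserted features)
SAMPLE_MESSAGE = """<?xml version="1.0" encoding="UTF-8"?>
<Transaction xmlns="http://example.org/app" xmlns:gml="http://www.opengis.net/gml">
  <Insert>
    <Road gml:id="road.1">
      <status>open</status>
      <gml:location><gml:Point srsName="EPSG:4326"><gml:pos>51.50 -0.12</gml:pos></gml:Point></gml:location>
    </Road>
    <Road gml:id="road.2">
      <status>closed</status>
      <gml:location><gml:Point srsName="EPSG:4326"><gml:pos>55.95 -3.19</gml:pos></gml:Point></gml:location>
    </Road>
    <Bridge gml:id="bridge.1">
      <status>open</status>
      <gml:location><gml:Point srsName="EPSG:4326"><gml:pos>51.51 -0.10</gml:pos></gml:Point></gml:location>
    </Bridge>
  </Insert>
</Transaction>
"""

BBox = Tuple[float, float, float, float]   # (min_lat, min_lon, max_lat, max_lon)


def extract_features(xml_text: str) -> List[dict]:
    """Pull every gml:id-bearing element out as (id, type, simple props, position)."""
    root = ET.fromstring(xml_text)
    features = []
    for elem in root.iter():
        fid = elem.get(f"{{{GML}}}id")
        if fid is None:
            continue
        ftype = elem.tag.split("}", 1)[1]
        # Leaf children in the application namespace become filterable properties
        props = {c.tag.split("}", 1)[1]: (c.text or "").strip()
                 for c in elem if c.tag.startswith(f"{{{APP}}}") and len(c) == 0}
        pos_el = elem.find(f".//{{{GML}}}pos")
        pos = None
        if pos_el is not None and pos_el.text:
            lat, lon = (float(v) for v in pos_el.text.split())
            pos = (lat, lon)
        features.append({"id": fid, "type": ftype, "props": props, "pos": pos})
    return features


class Subscription:
    def __init__(self, sub_id: str, feature_type: str,
                 bbox: Optional[BBox] = None, properties: Optional[Dict[str, str]] = None):
        self.sub_id = sub_id
        self.feature_type = feature_type
        self.bbox = bbox
        self.properties = properties or {}

    def matches(self, feature: dict) -> bool:
        if feature["type"] != self.feature_type:
            return False
        if self.bbox is not None:
            if feature["pos"] is None:          # no geometry: a spatial filter cannot pass
                return False
            lat, lon = feature["pos"]
            min_lat, min_lon, max_lat, max_lon = self.bbox
            if not (min_lat <= lat <= max_lat and min_lon <= lon <= max_lon):
                return False
        return all(feature["props"].get(k) == v for k, v in self.properties.items())


def match_subscriptions(xml_text: str, subscriptions: List[Subscription]) -> Dict[str, List[str]]:
    """Return {subscription id: [feature ids to propagate]} for one change message."""
    features = extract_features(xml_text)
    routed: Dict[str, List[str]] = {}
    for sub in subscriptions:
        hits = [f["id"] for f in features if sub.matches(f)]
        if hits:
            routed[sub.sub_id] = hits
    return routed


def run_demo() -> Dict[str, List[str]]:
    subs = [
        Subscription("london-roads", "Road", bbox=(51.0, -1.0, 52.0, 1.0)),
        Subscription("closed-roads", "Road", properties={"status": "closed"}),
        Subscription("all-bridges", "Bridge"),
        Subscription("scotland-bridges", "Bridge", bbox=(55.0, -6.0, 59.0, -1.0)),
    ]
    return match_subscriptions(SAMPLE_MESSAGE, subs)


if __name__ == "__main__":
    for sub_id, ids in run_demo().items():
        print(f"{sub_id:18} <- {ids}")
```

Two practical notes: the filters here are applied at the broker, so a subscriber only ever receives the features its subscription permits, which is the place to enforce data-level constraints rather than trusting the target store to discard extras; and because the broker parses XML arriving from other nodes, a production broker should parse with entity expansion and external entities disabled (for example via the `defusedxml` package) rather than the stdlib parser used for brevity here.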