I. Abstract
The OGC Geospatial eXtensible Access Control Markup Language (GeoXACML) 3.0 JSON Profile v1.0 (GeoXACML 3.0 JSON Profile) Standard defines an extension to the JSON Profile of XACML 3.0 Version 1.1 for supporting GeoXACML Authorization Decision Requests and Authorization Decision encoded in JSON. This ensures an easy uptake in environments where JSON is the preferred encoding.
To support Geometry as defined by the GeoXACML 3.0 Core conformance class, this profile extends the Attribute DataType definition from JSON Profile of XACML 3.0 Version 1.1 with the geometry data-type urn:ogc:def:geoxacml:3.0:data-type:geometry.
The GeoXACML 3.0 JSON Profile Standard allows the Attribute value to use Well-Known-Text (WKT), Well-Known-Binary (WKB) hex-encoding or GeoJSON as alternative encodings for the geometry data-type defined in GeoXACML 3.0.
To support the use of the GeoXACML 3.0 specific attributes SRID, Precision, Encoding, and AllowTransformation, this profile extends the default JSON schema definition from JSON Profile of XACML 3.0 Version 1.1 accordingly.
II. Keywords
The following are keywords to be used by search engines and document catalogues.
ogcdoc, OGC document, XACML, GeoXACML, JSON, Profile
III. Security Considerations
The GeoXACML 3.0 JSON Profile does not introduce attack vectors beyond those typically considered when parsing and validating a JSON encoded service request / response. When the origin of the data is unknown, great care should be taken when parsing the data. The EdwardHuang post lists five common denial of service attack scenarios when parsing JSON data.
Mitigating attacks against the GeoXACML 3.0 JSON Profile is no different from the mitigations that can be found on the Internet. To mitigate parsing attacks, the use of a tight JSON schema in combination with meaningful limits for payload size, object size, nesting depth, etc. should be considered.
JWS (JSON Web Signature) may be used in addition to this profile to establish trust in the origin of the request / response.
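The limits recommended in this section can be enforced before an ADR reaches the decision engine. The following Python sketch is an added example, not part of the Standard: the limit values, the function names and the sample AttributeId are assumptions, and the Attribute member list is taken from the common schema in Figure 2.

```python
import json

# Limits are assumptions for this example; size them for the deployment.
MAX_BYTES, MAX_DEPTH, MAX_MEMBERS = 64 * 1024, 16, 256
MEDIA_TYPE = "application/geoxacml+json"
# Attribute members permitted by common-std-with-geometry.schema.json
ATTRIBUTE_KEYS = {"AttributeId", "Issuer", "IncludeInResult", "DataType", "Value",
                  "SRID", "AllowTransformation", "Precision", "Encoding"}

class RejectedRequest(ValueError):
    """Raised before the ADR reaches the decision engine."""

def max_nesting(raw):
    """Deepest [ / { nesting outside string literals, found without parsing."""
    depth = deepest = 0
    in_string = escaped = False
    for byte in raw:
        if in_string:
            if escaped:
                escaped = False
            elif byte == 0x5C:      # backslash escapes the next byte
                escaped = True
            elif byte == 0x22:      # closing quote
                in_string = False
        elif byte == 0x22:
            in_string = True
        elif byte in b"[{":
            depth += 1
            deepest = max(deepest, depth)
        elif byte in b"]}":
            depth -= 1
    return deepest

def check_sizes(node):
    """Bound members per object and items per array (depth is already bounded)."""
    if isinstance(node, (list, dict)):
        if len(node) > MAX_MEMBERS:
            raise RejectedRequest("too many members")
        for item in (node.values() if isinstance(node, dict) else node):
            check_sizes(item)

def check_attribute(attr):
    """Mirror the schema's additionalProperties=false, required and enum rules."""
    if not isinstance(attr, dict) or not {"AttributeId", "Value"} <= set(attr):
        raise RejectedRequest("Attribute needs AttributeId and Value")
    if set(attr) - ATTRIBUTE_KEYS:
        raise RejectedRequest("unexpected Attribute member")
    if attr.get("Encoding", "WKT") not in ("WKT", "WKB"):
        raise RejectedRequest("Encoding must be WKT or WKB")
    for name in ("SRID", "Precision"):
        value = attr.get(name, 0)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise RejectedRequest(name + " must be a number")

def parse_adr(raw, content_type):
    """Apply the cheap checks first, parse second, validate structure last."""
    if content_type.split(";")[0].strip().lower() != MEDIA_TYPE:
        raise RejectedRequest("unsupported media type")
    if len(raw) > MAX_BYTES:
        raise RejectedRequest("payload too large")
    if max_nesting(raw) > MAX_DEPTH:
        raise RejectedRequest("nesting too deep")
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise RejectedRequest("malformed JSON") from exc
    check_sizes(doc)
    if not isinstance(doc, dict) or set(doc) != {"Request"}:
        raise RejectedRequest("top level must hold only Request")
    request = doc["Request"]
    categories = request.get("Category") if isinstance(request, dict) else None
    if not isinstance(categories, list) or not categories:
        raise RejectedRequest("Request needs a non-empty Category array")
    for category in categories:
        attrs = category.get("Attribute", []) if isinstance(category, dict) else None
        if not isinstance(attrs, list):
            raise RejectedRequest("malformed Category")
        for attr in attrs:
            check_attribute(attr)
    return doc

def rejection_reason(raw, content_type=MEDIA_TYPE):
    """Return the rejection message, or None when the ADR is accepted."""
    try:
        parse_adr(raw, content_type)
    except RejectedRequest as exc:
        return str(exc)
    return None

# Constructed sample ADR; the AttributeId is a made-up identifier.
SAMPLE_ADR = json.dumps({"Request": {"Category": [{
    "CategoryId": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
    "Attribute": [{"AttributeId": "urn:example:location",
                   "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
                   "Value": "POINT(8.5 47.4)", "Encoding": "WKT"}]}]}}).encode()
```

The depth scan runs over the raw bytes, so a deeply nested body is refused before the JSON parser allocates anything for it.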
IV. Submitting Organizations
The following organizations submitted this Document to the Open Geospatial Consortium (OGC):
- Secure Dimensions GmbH
- Natural Resources Canada (NRCAN)
- Defense Information Systems Agency (DISA)
V. Acknowledgements
Thanks to the members of the GeoXACML Standards Working Group of the OGC as well as all contributors, in particular Greg Buehler of OGC and Michael Leedahl of Maxar.
OGC Geospatial eXtensible Access Control Markup Language (GeoXACML) 3.0 JSON Profile v1.0
1. Scope
This Standard defines an extension to JSON Profile of XACML 3.0 Version 1.1 for supporting the encoding of a GeoXACML Authorization Decision Request and Authorization Decision in JSON.
This profile defines the encoding options for a Geometry instance as defined in GeoXACML 3.0 based on Well-Known-Text, Well-Known-Binary and GeoJSON.
2. Conformance
This Standard defines two Conformance Classes.
Conformance with this Standard shall be checked using all the relevant tests specified in Annex A (normative) of this document. The framework, concepts, and methodology for testing, and the criteria to be achieved to claim conformance are specified in the OGC Compliance Testing Policies and Procedures and the OGC Compliance Testing web site.
To conform to this OGC® Standard, a software implementation shall pass all tests defined in Annex A.
All requirements-classes and conformance-classes described in this document are owned by the standard(s) identified.
2.1. Conformance Class Data Model
2.2. Conformance Class Core
3. Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
OGC Geospatial eXtensible Markup Language (GeoXACML) 3.0, Draft OGC 22-049, OGC, 2023
eXtensible Access Control Markup Language (XACML) Version 3.0, OASIS, 2013, http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html
eXtensible Access Control Markup Language (XACML) Version 3.0 Errata 01, OASIS, 2017, http://docs.oasis-open.org/xacml/3.0/errata01/os/xacml-3.0-core-spec-errata01-os.html
JSON Profile of XACML 3.0 Version 1.1, OASIS, 2019, http://docs.oasis-open.org/xacml/xacml-json-http/v1.1/xacml-json-http-v1.1.html
The GeoJSON Format, IETF, 2016, https://www.rfc-editor.org/rfc/rfc7946
The GeoJSON Format Errata, IETF, 2017-2022, https://www.rfc-editor.org/errata/rfc7946
Geographic information — Simple features access — Part 1: Common architecture, ISO, 2004, https://portal.opengeospatial.org/files/?artifact_id=25355
4. Terms and definitions
No terms and definitions are listed in this document.
All terms and definitions can be found in GeoXACML 3.0.
The following JSON property names are defined for the Attribute element according to the name convention of JSON Profile of XACML 3.0 Version 1.1:
SRID: Element property as defined in GeoXACML 3.0
Precision: Element property as defined in GeoXACML 3.0
Encoding: Element property as defined in GeoXACML 3.0
AllowTransformation: Element property as defined in GeoXACML 3.0
5. Conventions
This section provides details and examples for any conventions used in the document. Examples of conventions are symbols, abbreviations, use of XML schema, or special notes regarding how to read the document.
5.1. Identifiers
The normative provisions in this standard are denoted by the URI
http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0
All requirements and conformance tests that appear in this document are denoted by partial URIs which are relative to this base.
6. Introduction to GeoXACML 3.0 JSON Profile v1.0
The OASIS XACML Version 3.0 Standard defines an XML-based policy language and the structure for the encoding of Authorization Decision Request (ADR) and Authorization Decision (AD) in XML. A more lightweight and compact encoding in JSON is defined in JSON Profile of XACML 3.0 Version 1.1.
The OGC GeoXACML 3.0 Standard supports the XML encoding of ADR and AD. This is because that feature is inherited from XACML Version 3.0. The direct use of JSON Profile of XACML 3.0 Version 1.1 is not possible, because it does not support the Geometry data-type as defined in OGC GeoXACML 3.0.
Also, declaring additional properties for the Attribute element is not possible, which limits the geometry encodings to the GeoXACML 3.0 default CRS urn:ogc:def:crs:OGC::CRS84.
To support the same expressiveness for encoding the ADR and AD in JSON, as it is possible for XML, this Profile defines the new media-type application/geoxacml+json which supports the GeoXACML 3.0 data-type urn:ogc:def:geoxacml:3.0:data-type:geometry and additional properties for the Attribute element.
7. GeoXACML 3.0 JSON Profile v1.0 Requirements
This section defines the requirements to extend the JSON Profile of XACML 3.0 Version 1.1 for encoding ADR and AD in JSON. This profile is typically used in conjunction with a GeoXACML 3.0 implementation supporting the API conformance class.
7.1. Requirement Class Data Model (abstract)
The standardization target for this requirements class is Implementation Specification.
The Data Model Requirements Class defines additional properties for the Attribute element as defined in JSON Profile of XACML 3.0 Version 1.1.
Requirement 1: Data-type | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-data-type |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile extends the DataType definition from JSON Profile of XACML 3.0 Version 1.1, §3.3.1 with the GeoXACML 3 data-type urn:ogc:def:geoxacml:3.0:data-type:geometry. |
Requirement 2: Default CRS | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-crs |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile inherits the default Coordinate Reference System (CRS) identifier (urn:ogc:def:crs:OGC::CRS84) as specified in GeoXACML 3.0. |
Requirement 3: Default Axis-order | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-axis-order |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile inherits the axis order (longitude/latitude) as specified in GeoXACML 3.0. |
Requirement 4: Media-type GeoJSON | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-media-type |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile defines the media-type application/geoxacml+json. |
Requirement 5: GeoJSON Encoding | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-geojson |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile defines that the value for the Attribute element defined in JSON Profile of XACML 3.0 Version 1.1, §3.3.1 may use the GeoJSON Geometry object as defined in The GeoJSON Format, §3.1 to represent a geometry value. |
Requirement 6: WKT Encoding | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-wkt |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile defines that the value for the Attribute element defined in JSON Profile of XACML 3.0 Version 1.1, §3.3.1 may use the WKT Geometry encoding as defined in OGC Simple Features to represent a geometry value. |
Requirement 7: WKB Encoding | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-wkb |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile defines that the value for the Attribute element defined in JSON Profile of XACML 3.0 Version 1.1, §3.3.1 may use the WKB Geometry encoding as hex-string as defined in OGC Simple Features to represent a geometry value. |
Requirement 8: Attribute SRID | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-srid |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile defines the additional element SRID for the Attribute element defined in JSON Profile of XACML 3.0 Version 1.1, §3.3.1. |
Requirement 9: Attribute Precision | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-precision |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile defines the additional element Precision for the Attribute element defined in JSON Profile of XACML 3.0 Version 1.1, §3.3.1. |
Requirement 10: Attribute Encoding | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-encoding |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile defines the additional element Encoding for the Attribute element defined in JSON Profile of XACML 3.0 Version 1.1, §3.3.1. |
Requirement 11: Attribute AllowTransformation | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-allow-transformation |
Included in | Requirements class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model |
Statement | This profile defines the additional element AllowTransformation for the Attribute element defined in JSON Profile of XACML 3.0 Version 1.1, §3.3.1. |
7.2. Requirements Class GeoXACML 3.0 JSON Profile v1.0 Core
The standardization target for this requirements class is Implementation.
Requirement 12: WKT | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-wkt-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL support the Well Known Text (WKT) encoding as defined in OGC Simple Features for expressing geometry value in the Attribute value. |
Requirement 13: WKB | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-wkb-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL support the Well Known Binary (WKB) hexstring encoding as defined in OGC Simple Features for expressing geometry value in the Attribute value. |
Requirement 14: GeoJSON | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-geojson-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL support the GeoJSON encoding as defined in The GeoJSON Format for expressing geometry value in the Attribute value. |
Requirement 15: Default CRS | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-crs-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL use the default CRS for calculating the geometry coordinate values unless specified otherwise using the element SRID for the Attribute element defined in <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-srid>. |
Requirement 16: Axis-order | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-axis-order-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL use the default axis order for serialization of the geometry coordinate values unless specified otherwise, indicated by using the element SRID for the Attribute element defined in <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-srid>. |
Requirement 17: Media-type | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-media-type-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL support the media-type application/geoxacml+json. The media type application/geoxacml+json SHALL be used in association with the HTTP Content-Type and Accept headers when sending Authorization Decision Request and asking to receive a GeoXACML 3.0 compliant Authorization Decision via HTTP transport. |
Requirement 18: SRID | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-srid-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL support the additional element SRID for the Attribute element defined in <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-srid>. An implementation SHALL set the SRID value to the integer that identifies the CRS which was used to calculate the geometry coordinate values. |
Requirement 19: Precision | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-precision-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | This profile defines the additional element Precision for the Attribute element defined in <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-precision>. |
Requirement 20: Encoding | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-encoding-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | This profile defines the additional element Encoding for the Attribute element defined in <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-encoding>. The value SHALL be WKT if the value is Well-Known-Text encoded. The value SHALL be WKB if the value is Well-Known-Binary (hex) encoded. If omitted, the default encoding GeoJSON SHALL be used. |
Requirement 21: AllowTransformation | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-allow-transformation-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | This profile defines the additional element AllowTransformation for the Attribute element defined in <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-allow-transformation>. |
Requirement 22: Missing Attribute Detail | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-error-reporting-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL support the MissingAttributeDetail element as part of the StatusCode element when reporting an Indeterminate decision with value code urn:ogc:def:geoxacml:3.0:status:crs-error as defined in GeoXACML 3.0. |
Requirement 23: Schema | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-json-schema-impl |
Included in | Requirements class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core |
Statement | An implementation SHALL support the JSON request schema as defined below for the ADR structure when using the application/geoxacml+json media type. |
{
"$schema": "http://json-schema.org/draft-06/schema",
"$id": "Request-with-geometry.schema.json",
"title": "JSON schema of Request object defined in GeoXACML 3.0 JSON Profile v1.0",
"definitions": {
"RequestReferenceType": {
"type": "object",
"properties": {
"ReferenceId": {
"type": "array",
"items": {
"description": "Each item is a Category/Id",
"type": "string"
},
"minItems": 1
}
},
"required": [
"ReferenceId"
],
"additionalProperties": false
},
"MultiRequestsType": {
"type": "object",
"properties": {
"RequestReference": {
"type": "array",
"items": {
"$ref": "#/definitions/RequestReferenceType"
},
"minItems": 1
}
},
"required": [
"RequestReference"
],
"additionalProperties": false
},
"RequestType": {
"type": "object",
"properties": {
"ReturnPolicyIdList": {
"type": "boolean"
},
"CombinedDecision": {
"type": "boolean"
},
"XPathVersion": {
"type": "string"
},
"Category": {
"type": "array",
"items": {
"$ref": "common-std-with-geometry.schema.json#/definitions/AttributeCategoryType"
},
"minItems": 1
},
"MultiRequests": {
"$ref": "#/definitions/MultiRequestsType"
}
},
"required": [
"Category"
],
"additionalProperties": false
}
},
"type": "object",
"properties": {
"Request": {
"$ref": "#/definitions/RequestType"
}
},
"required": [
"Request"
],
"additionalProperties": false
}
Figure 1 — GeoXACML 3.0 JSON Profile Request schema
{
"$schema": "http://json-schema.org/draft-06/schema",
"$id": "common-std-with-geometry.schema.json",
"title": "Common JSON schema to Request and Response objects defined in JSON profile of XACML 3.0 v1.0",
"definitions": {
"AttributeValueType": {
"anyOf": [
{
"type": "boolean"
},
{
"type": "number"
},
{
"type": "string"
},
{
"$ref": "Geometry.schema.json"
},
{
"type": "array",
"items": {
"type": "boolean"
},
"minItems": 0
},
{
"type": "array",
"items": {
"type": [
"string",
"number"
]
},
"minItems": 0
},
{
"type": "array",
"items": {
"$ref": "Geometry.schema.json"
},
"minItems": 0
}
]
},
"AttributeType": {
"type": "object",
"properties": {
"AttributeId": {
"type": "string",
"format": "uri-reference"
},
"Issuer": {
"type": "string"
},
"IncludeInResult": {
"type": "boolean"
},
"DataType": {
"type": "string",
"format": "uri-reference"
},
"Value": {
"$ref": "#/definitions/AttributeValueType"
},
"SRID": {
"type": "number"
},
"AllowTransformation": {
"type": "boolean"
},
"Precision": {
"type": "number"
},
"Encoding": {
"type": "string",
"enum": [
"WKT",
"WKB"
]
}
},
"required": [
"AttributeId",
"Value"
],
"additionalProperties": false
},
"AttributeCategoryType": {
"type": "object",
"properties": {
"CategoryId": {
"type": "string",
"format": "uri-reference"
},
"Id": {
"type": "string"
},
"Content": {
"type": "string"
},
"Attribute": {
"type": "array",
"items": {
"$ref": "#/definitions/AttributeType"
},
"minItems": 0
}
},
"required": [
"CategoryId"
],
"additionalProperties": false
},
"IdReferenceType": {
"type": "object",
"properties": {
"Id": {
"type": "string",
"format": "uri-reference"
},
"Version": {
"type": "string"
}
},
"required": [
"Id"
],
"additionalProperties": false
}
}
}
Figure 2 — common-std-with-geometry.schema.json
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://geojson.org/schema/Geometry.json",
"title": "GeoJSON Geometry",
"oneOf": [
{
"title": "GeoJSON Point",
"type": "object",
"required": [
"type",
"coordinates"
],
"properties": {
"type": {
"type": "string",
"enum": [
"Point"
]
},
"coordinates": {
"type": "array",
"minItems": 2,
"items": {
"type": "number"
}
},
"bbox": {
"type": "array",
"minItems": 4,
"items": {
"type": "number"
}
}
}
},
{
"title": "GeoJSON LineString",
"type": "object",
"required": [
"type",
"coordinates"
],
"properties": {
"type": {
"type": "string",
"enum": [
"LineString"
]
},
"coordinates": {
"type": "array",
"minItems": 2,
"items": {
"type": "array",
"minItems": 2,
"items": {
"type": "number"
}
}
},
"bbox": {
"type": "array",
"minItems": 4,
"items": {
"type": "number"
}
}
}
},
{
"title": "GeoJSON Polygon",
"type": "object",
"required": [
"type",
"coordinates"
],
"properties": {
"type": {
"type": "string",
"enum": [
"Polygon"
]
},
"coordinates": {
"type": "array",
"items": {
"type": "array",
"minItems": 4,
"items": {
"type": "array",
"minItems": 2,
"items": {
"type": "number"
}
}
}
},
"bbox": {
"type": "array",
"minItems": 4,
"items": {
"type": "number"
}
}
}
},
{
"title": "GeoJSON MultiPoint",
"type": "object",
"required": [
"type",
"coordinates"
],
"properties": {
"type": {
"type": "string",
"enum": [
"MultiPoint"
]
},
"coordinates": {
"type": "array",
"items": {
"type": "array",
"minItems": 2,
"items": {
"type": "number"
}
}
},
"bbox": {
"type": "array",
"minItems": 4,
"items": {
"type": "number"
}
}
}
},
{
"title": "GeoJSON MultiLineString",
"type": "object",
"required": [
"type",
"coordinates"
],
"properties": {
"type": {
"type": "string",
"enum": [
"MultiLineString"
]
},
"coordinates": {
"type": "array",
"items": {
"type": "array",
"minItems": 2,
"items": {
"type": "array",
"minItems": 2,
"items": {
"type": "number"
}
}
}
},
"bbox": {
"type": "array",
"minItems": 4,
"items": {
"type": "number"
}
}
}
},
{
"title": "GeoJSON MultiPolygon",
"type": "object",
"required": [
"type",
"coordinates"
],
"properties": {
"type": {
"type": "string",
"enum": [
"MultiPolygon"
]
},
"coordinates": {
"type": "array",
"items": {
"type": "array",
"items": {
"type": "array",
"minItems": 4,
"items": {
"type": "array",
"minItems": 2,
"items": {
"type": "number"
}
}
}
}
},
"bbox": {
"type": "array",
"minItems": 4,
"items": {
"type": "number"
}
}
}
}
]
}
Figure 3 — GeoXACML 3.0 JSON Profile Geometry schema
8. Media Types for any data encoding(s)
This Standard defines the following Media Type to be used for an Authorization Decision Request and Authorization Decision encoded according to this profile:
application/geoxacml+json
The optional parameter version can be used to indicate the GeoXACML version. Supported value is 3.0.
Annex A
(normative)
Abstract Test Suite
A.1. Conformance Class Data Model
The purpose of the tests from this conformance class is to construct different ADRs that are sent to a GeoXACML 3.0 implementation compliant with the API Conformance Class.
Conformance test A.2 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/crs-axis-order |
Requirements | Requirement 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-crs Requirement 3: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-axis-order |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Indirect prerequisite | Conformance class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Indirect | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Test purpose | To validate that a JSON encoded ADR uses the default CRS and axis-order when no SRID element is present. |
Test-method-type | Manual Inspection |
Test method | Construct a JSON encoded ADR and have the Attribute value contain a geometry serialized in the default CRS (urn:ogc:def:crs:OGC::CRS84) and default axis order (longitude/latitude). |
A | Verify that the coordinates of the geometry are calculated using urn:ogc:def:crs:OGC::CRS84. |
B | Verify that the coordinate order uses longitude/latitude. |
Conformance test A.3 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/media-type |
Requirement | Requirement 4: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-media-type |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Indirect prerequisite | Conformance class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Indirect | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Test purpose | To validate that an HTTP POST request for sending a JSON encoded ADR uses the media type application/geoxacml+json. |
Test-method-type | Manual Inspection |
Test method | Construct an HTTP POST request whose body is a JSON encoded ADR compliant with <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model> and <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/crs-axis-order> and set the Content-Type header to value application/geoxacml+json. |
A | Verify that the HTTP POST request uses media type application/geoxacml+json. |
Conformance test A.7 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/wkt-encoding-error |
Requirement | Requirement 6: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-wkt |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Indirect prerequisite | Conformance class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Indirect | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Test purpose | To validate that the implementation returns a urn:ogc:def:geoxacml:3.0:status:geometry-error in case of wrong geometry encoding. |
Test-method-type | Manual Inspection |
Test method | Construct a JSON encoded ADR compliant with <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model> and <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/crs-axis-order>. Set Encoding=WKB and the Attribute value to a WKT encoded geometry. |
A | Verify that the geometry encoding of the Attribute value is not compliant to the value represented by the Encoding attribute. |
Conformance test A.8 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/wkb-encoding-error |
Requirement | Requirement 7: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/data-model/req-wkb |
Included in | Conformance class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Indirect prerequisite | Conformance class 1: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Indirect | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model |
Test purpose | To validate that the implementation returns a urn:ogc:def:geoxacml:3.0:status:geometry-error in case of wrong geometry encoding. |
Test-method-type | Manual Inspection |
Test method | Construct a JSON encoded ADR compliant with <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model> and <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/crs-axis-order>. Set Encoding=WKT and the Attribute value to a WKB encoded geometry. |
A | Verify that the geometry encoding of the Attribute value is not compliant to the value represented by the Encoding attribute. |
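The two encoding-error tests above can be reproduced with a shape check that compares the declared Encoding against what the Attribute value looks like. This Python sketch is an added example, not part of the Standard: the function names and sample coordinates are assumptions, it inspects only the leading WKT keyword or the WKB header rather than parsing the full geometry, and it reads Requirement 20 as meaning that a value without Encoding must be a GeoJSON object.

```python
import re
import struct

GEOMETRY_TYPE = "urn:ogc:def:geoxacml:3.0:data-type:geometry"
GEOMETRY_ERROR = "urn:ogc:def:geoxacml:3.0:status:geometry-error"

# WKT starts with a Simple Features geometry keyword followed by "(" or EMPTY.
_WKT = re.compile(
    r"^\s*(?:(?:MULTI)?(?:POINT|LINESTRING|POLYGON)|GEOMETRYCOLLECTION)"
    r"\s*(?:ZM|Z|M)?\s*(?:\(|EMPTY\b)", re.IGNORECASE)
_HEX = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def looks_like_wkb(text):
    """Hex string whose header is a byte-order flag plus a known geometry code."""
    if not _HEX.match(text):
        return False
    raw = bytes.fromhex(text)
    if len(raw) < 5 or raw[0] not in (0, 1):        # 0 = big endian, 1 = little
        return False
    (code,) = struct.unpack(">I" if raw[0] == 0 else "<I", raw[1:5])
    # 1..7 are Point..GeometryCollection; +1000/2000/3000 mark Z, M and ZM.
    return code % 1000 in range(1, 8) and code // 1000 in range(0, 4)


def detect_encoding(value):
    """Return 'GeoJSON', 'WKB', 'WKT' or None when the shape is unrecognised."""
    if isinstance(value, dict) and "type" in value and "coordinates" in value:
        return "GeoJSON"
    if isinstance(value, str):
        if looks_like_wkb(value):
            return "WKB"
        if _WKT.match(value):
            return "WKT"
    return None


def geometry_status(attribute):
    """GEOMETRY_ERROR when a geometry value contradicts Encoding, else None."""
    if attribute.get("DataType") != GEOMETRY_TYPE:
        return None
    declared = attribute.get("Encoding", "GeoJSON")   # default per Requirement 20
    values = attribute.get("Value")
    if not isinstance(values, list):
        values = [values]
    if any(detect_encoding(v) != declared for v in values):
        return GEOMETRY_ERROR
    return None


def geometry_attribute(value, encoding=None):
    """Build a constructed geometry Attribute; the AttributeId is made up."""
    attr = {"AttributeId": "urn:example:location",
            "DataType": GEOMETRY_TYPE, "Value": value}
    if encoding is not None:
        attr["Encoding"] = encoding
    return attr


# Constructed sample values: the same point in each of the three encodings.
WKT_POINT = "POINT(8.5 47.4)"
WKB_POINT = struct.pack("<BIdd", 1, 1, 8.5, 47.4).hex()
GEOJSON_POINT = {"type": "Point", "coordinates": [8.5, 47.4]}
```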
A.2. Conformance Class Core
Conformance test A.9 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/media-type-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 17: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-media-type-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation accepts the media-type application/geoxacml+json for HTTP headers Content-Type and Accept. |
Test-method-type | Postman |
Test method | Send the ADR constructed and verified in <http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model> via HTTP POST to the implementation’s /decision endpoint (as defined in API Conformance Class of GeoXACML 3.0) and verify that the request was not rejected, e.g. with HTTP status code 415. |
A | Send the ADR with HTTP POST and Content-Type set to application/geoxacml+json and verify that the response status code is not 415. |
B | Send the ADR with HTTP POST and Content-Type and Accept set to application/geoxacml+json and verify that the response Content-Type is set to application/geoxacml+json. |
Conformance test A.11 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/wkt-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 12: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-wkt-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation processes an ADR compliant to this GeoXACML 3.0 JSON Profile v1.0 with no error, when the Attribute value contains a WKT encoded geometry. |
Test-method-type | Postman or OpenAPI |
Test method | Send the ADR constructed and verified in http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/wkt via HTTP POST to the implementation’s /decision endpoint (as defined in API Conformance Class of GeoXACML 3.0) and verify that the received response (the AD) does not indicate a processing error. |
A | Send the ADR constructed and verified in http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/wkt with HTTP POST and Content-Type application/geoxacml+json to the /decision endpoint and verify that the response does not contain an error. |
Conformance test A.12 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/wkt-encoding-error-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 12: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-wkt-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation returns a urn:ogc:def:geoxacml:3.0:status:geometry-error when the geometry encoding does not comply with the encoding indicated by the Encoding attribute. |
Test-method-type | Postman or OpenAPI |
Test method | Send the ADR constructed and verified in http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/wkt-encoding-error via HTTP POST to the implementation’s /decision endpoint (as defined in API Conformance Class of GeoXACML 3.0) and verify that the received response (the AD) does not indicate a processing error. |
A | Send the ADR constructed and verified in http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/data-model/wkt-encoding-error with HTTP POST and Content-Type application/geoxacml+json to the /decision endpoint and verify that the response does contain the urn:ogc:def:geoxacml:3.0:status:geometry-error error. |

Conformance test A.13 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/wkb-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 13: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-wkb-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation processes an ADR compliant to this GeoXACML 3.0 JSON Profile v1.0 with no error, when the Attribute value contains a WKT encoded geometry. |
Test-method-type | Postman or OpenAPI |
Test method | Send the ADR constructed and verified in /conf/data-model/wkb via HTTP POST to the implementation’s /decision endpoint (as defined in API Conformance Class of GeoXACML 3.0) and verify that the received response (the AD) does not indicate a processing error. |
A | Send the ADR constructed and verified in /conf/data-model/wkb with HTTP POST and Content-Type application/geoxacml+json to the /decision endpoint and verify that the response does not contain an error. |

Conformance test A.14 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/wkb-encoding-error-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 13: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-wkb-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation returns a urn:ogc:def:geoxacml:3.0:status:geometry-error when the geometry encoding does not comply with the encoding indicated by the Encoding attribute. |
Test-method-type | Postman or OpenAPI |
Test method | Send the ADR constructed and verified in /conf/data-model/wkb-encoding-error via HTTP POST to the implementation’s /decision endpoint (as defined in API Conformance Class of GeoXACML 3.0) and verify that the received response (the AD) does not indicate a processing error. |
A | Send the ADR constructed and verified in /conf/data-model/wkb-encoding-error with HTTP POST and Content-Type application/geoxacml+json to the /decision endpoint and verify that the response does contain the urn:ogc:def:geoxacml:3.0:status:geometry-error error. |

Conformance test A.15 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/geojson-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 14: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-geojson-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation processes an ADR compliant to this GeoXACML 3.0 JSON Profile v1.0 with no error, when the Attribute value contains a WKT encoded geometry. |
Test-method-type | Postman or OpenAPI |
Test method | Send the ADR constructed and verified in /conf/data-model/geojson via HTTP POST to the implementation’s /decision endpoint (as defined in API Conformance Class of GeoXACML 3.0) and verify that the received response (the AD) does not indicate a processing error. |
A | Send the ADR constructed and verified in /conf/data-model/geojson with HTTP POST and Content-Type application/geoxacml+json to the /decision endpoint and verify that the response does not contain an error. |

Conformance test A.16 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/allow-transformation-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 21: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-allow-transformation-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation honors the allowTransformation value. |
Test-method-type | Postman or OpenAPI |
Test method | Use a GeoXACML policy that compares two geometries (e.g., using geometry-equals) and send an ADR with a geometry in a different CRS from the geometry used in the policy. An implementation that is compliant to the GeoXACML 3.0 Conformance Class CRS Transformation will process the request without error. A Core compliant implementation must return an error, as it is not capable of executing the required CRS transformation. |
A | Verify that the implementation is compliant to conformance class CRS Transformation |
B | Construct a test geometry |
C | Construct a simple GeoXACML policy that compares two geometries (e.g., using geometry-equals): The first geometry is obtained from the ADR and the second geometry is obtained from the policy. Use the test geometry for the policy |
D | Construct an ADR containing the test geometry and send the ADR to the implementation |
E | Verify that the AD contains the desired decision and not an error |

Conformance test A.17 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/crs-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 15: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-crs-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation honors the default CRS CRS84. |
Test-method-type | Postman or OpenAPI |
Test method | Use a GeoXACML policy that compares two geometries (e.g., using geometry-equals) where the policy geometry is using the default CRS and send an ADR with a geometry using the default CRS. An implementation that honors the default CRS should process the ADR with no errors. |
A | Construct a test geometry using the default CRS |
B | Construct a simple GeoXACML policy that compares two geometries (e.g., using geometry-equals): The first geometry is obtained from the ADR and the second geometry is obtained from the policy. Use the test geometry for the policy |
C | Construct an ADR containing the test geometry and send the ADR to the implementation |
D | Verify that the AD contains the desired decision and not an error |

Conformance test A.18 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/axis-order-impl-1 |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 16: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-axis-order-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation honors the default axis-order Axis_Order. |
Test-method-type | Postman or OpenAPI |
Test method | Use a GeoXACML policy that compares two geometries (e.g., using geometry-equals) where the policy geometry is using the default CRS and default axis-order and send an ADR with a geometry using the default CRS and default axis-order. An implementation that honors the default axis-order should process the ADR with no errors. |
A | Construct a test geometry using the default CRS and axis-order |
B | Construct a simple GeoXACML policy that compares two geometries (e.g., using geometry-equals): The first geometry is obtained from the ADR and the second geometry is obtained from the policy. Use the test geometry for the policy |
C | Construct an ADR containing the test geometry and send the ADR to the implementation |
D | Verify that the AD contains the desired decision and not an error |

Conformance test A.19 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/axis-order-impl-2 |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 16: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-axis-order-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation honors the default axis-order Axis_Order. |
Test-method-type | Postman or OpenAPI |
Test method | Repeat test /conf/core/axis-order-impl-1 where the geometry in the ADR has swapped axes. |
A | Construct a test geometry using the default CRS and axis-order |
B | Construct a simple GeoXACML policy that compares two geometries (e.g., using geometry-equals): The first geometry is obtained from the ADR and the second geometry is obtained from the policy. Use the test geometry for the policy with swapped coordinates |
C | Construct an ADR containing the test geometry and send the ADR to the implementation |
D | Verify that the AD contains the desired decision and not an error |

Conformance test A.20 | |
---|---|
Identifier | http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core/error-reporting-impl |
Requirements | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core Requirement 22: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/req-class/core/req-error-reporting-impl |
Included in | Conformance class 2: http://www.opengis.net/spec/geoxacml-3.0-json-profile/1.0/conf/core |
Test purpose | To validate that the implementation provides GeoXACML geometry specific error information. |
Test-method-type | Postman or OpenAPI |
Test method | Verify that the implementation supports the encoding of the MissingAttributeDetail as defined in GeoXACML 3.0. |
A | Instantiate the implementation with a GeoXACML policy that returns an Indeterminate decision response for any request where the geometry value is not encoded using the default CRS. Send such a JSON encoded ADR with HTTP Content-Type and Accept headers set to application/geoxacml+json to the implementation. Evaluate the response and in particular verify that the response has status Indeterminate and that there is a MissingAttributeElement encoded in JSON. |
Description | NOTE: In principle, this test in JSON should result in the same level of expressiveness as the equivalent test conducted in XML. |

Annex B
(informative)
Examples for the GeoXACML 3.0 JSON Profile v1.0
The following sections illustrate the use of the GeoXACML 3.0 JSON Profile v1.0.
B.1. Examples how to encode Geometry in ADR
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "Encoding": "WKT",
    "Value": "POINT(-77.035278 38.889444)"
  }
}
```
Figure B.1 — Geometry encoding in WKT with default CRS
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "Encoding": "WKB",
    "Value": "010100000000000000000000400000000000001040"
  }
}
```
Figure B.2 — Geometry encoding in WKB with default CRS
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "Encoding": "WKT",
    "Value": ["POINT(-77.035278 38.889444)", "Point (-122.4538755 37.8106729)"]
  }
}
```
Figure B.3 — Geometry bag encoding in WKT with default CRS
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "Encoding": "WKT",
    "Value": "GEOMETRYCOLLECTION(POINT(-77.035278 38.889444), Point (-122.4538755 37.8106729))"
  }
}
```
Figure B.4 — Homogeneous Geometry Collection encoding in WKT with default CRS
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "Value": {
      "type": "Point",
      "coordinates": [-77.035278, 38.889444]
    }
  }
}
```
Figure B.5 — Geometry encoding in GeoJSON with default CRS
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "Value": [
      {
        "type": "Point",
        "coordinates": [-77.035278, 38.889444]
      },
      {
        "type": "Point",
        "coordinates": [-77.035278, 38.889444]
      }
    ]
  }
}
```
Figure B.6 — Geometry bag encoding in GeoJSON with default CRS
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "SRID": 3857,
    "Encoding": "WKT",
    "Value": "POINT(-8571600.791082066 4579425.812870098)"
  }
}
```
Figure B.7 — Geometry encoding in WKT with CRS EPSG:3857
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "Precision": 4,
    "Encoding": "WKT",
    "Value": "POINT(-77.035278 38.889444)"
  }
}
```
Figure B.8 — Geometry encoding in WKT with precision of 4 decimal places
```json
{
  "Attribute": {
    "AttributeId": "subject-location",
    "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
    "AllowTransformation": true,
    "Encoding": "WKT",
    "Value": "POINT(-77.035278 38.889444)"
  }
}
```
Figure B.9 — Geometry encoding in WKT with allowTransformation=true
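The encoding check that conformance tests A.12 and A.14 exercise, applied to the Attribute shapes of Figures B.1 to B.9, as an added example that is not part of the GeoXACML 3.0 JSON Profile or of any implementation of it. The size limits, the function names and the rule that an absent Encoding means a GeoJSON Value (taken from Figures B.5 and B.6) are assumptions; the checks are structural pre-checks to run before a real geometry parser, and the WKB check covers 2D ISO geometry types only.

```python
import re
import struct

GEOMETRY_TYPE = "urn:ogc:def:geoxacml:3.0:data-type:geometry"
GEOMETRY_ERROR = "urn:ogc:def:geoxacml:3.0:status:geometry-error"
MAX_VALUE_CHARS = 4096  # assumed limit, not taken from the profile
MAX_BAG_SIZE = 64       # assumed limit, not taken from the profile
WKT_HEAD = re.compile(r"(?:(?:MULTI)?(?:POINT|LINESTRING|POLYGON)|GEOMETRYCOLLECTION)\s*\(")
WKT_CHARS = re.compile(r"[A-Z0-9\s.,()+\-]*")
GEOJSON_TYPES = ("Point", "LineString", "Polygon", "MultiPoint",
                 "MultiLineString", "MultiPolygon", "GeometryCollection")

def _wkt_ok(value):
    """Structural WKT check: known keyword, safe characters, balanced parentheses."""
    if not isinstance(value, str) or len(value) > MAX_VALUE_CHARS:
        return False
    text = value.strip().upper()
    if not WKT_HEAD.match(text) or not WKT_CHARS.fullmatch(text):
        return False
    depth = 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def _wkb_ok(value):
    """Hex WKB check: valid hex, byte-order flag, geometry type, Point length."""
    if not isinstance(value, str) or len(value) > MAX_VALUE_CHARS:
        return False
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return False
    if len(raw) < 5 or raw[0] not in (0, 1):
        return False
    (gtype,) = struct.unpack("<I" if raw[0] == 1 else ">I", raw[1:5])
    # A 2D Point is exactly 1 + 4 + 2 * 8 bytes; other types are 2..7.
    return len(raw) == 21 if gtype == 1 else 2 <= gtype <= 7

def _geojson_ok(value):
    """GeoJSON check: known type; a Point needs two or three numbers."""
    if not isinstance(value, dict) or value.get("type") not in GEOJSON_TYPES:
        return False
    if value["type"] != "Point":
        return "coordinates" in value or "geometries" in value
    xy = value.get("coordinates")
    return (isinstance(xy, list) and len(xy) in (2, 3)
            and all(type(n) in (int, float) for n in xy))

def check_geometry_attribute(attribute):
    """Return None when Value matches Encoding, else the geometry-error URN."""
    if attribute.get("DataType") != GEOMETRY_TYPE:
        return None  # not a geometry attribute; nothing to check here
    value = attribute.get("Value")
    bag = value if isinstance(value, list) else [value]
    enc = attribute.get("Encoding")
    # Assumption: an absent Encoding means GeoJSON, as in Figures B.5 and B.6.
    checks = {"WKT": _wkt_ok, "WKB": _wkb_ok, None: _geojson_ok}
    check = checks.get(enc) if enc is None or isinstance(enc, str) else None
    if check is None or not 1 <= len(bag) <= MAX_BAG_SIZE:
        return GEOMETRY_ERROR
    return None if all(check(item) for item in bag) else GEOMETRY_ERROR
```

Oversized values and bags are reported with the same geometry-error status here; a deployment may prefer to reject them earlier, at the HTTP layer.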
B.2. Example GeoXACML 3.0 policy, request and response
```json
{
  "Request": {
    "Category": [
      {
        "CategoryId": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
        "Attribute": [
          {
            "AttributeId": "subject-location",
            "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
            "SRID": 4326,
            "Encoding": "WKT",
            "Value": "POINT(38.889444 -77.035278)"
          }
        ]
      }
    ]
  }
}
```
Figure B.10 — Request example using GeoXACML 3.0 JSON schema
```json
{
  "Response": [
    {
      "Status": {
        "StatusCode": {
          "Value": "urn:ogc:def:geoxacml:3.0:status:crs-error"
        },
        "StatusMessage": "Geometry must be encoded using specified CRS",
        "StatusDetail": {
          "MissingAttributeDetail": {
            "DataType": "urn:ogc:def:geoxacml:3.0:data-type:geometry",
            "Category": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
            "SRID": 3857,
            "AttributeId": "subject-location"
          }
        }
      },
      "Decision": "Indeterminate"
    }
  ]
}
```
Figure B.11 — Response example using GeoXACML 3.0 JSON schema including MissingAttributeDetail
NOTE: The Response above can be received using the GeoXACML 3.0 policy below.
```xml
<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns6="http://www.w3.org/2005/Atom"
    xmlns:ns5="http://authzforce.github.io/core/xmlns/pdp/8"
    xmlns:ns4="http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6"
    xmlns:ns3="http://authzforce.github.io/rest-api-model/xmlns/authz/5" PolicySetId="root"
    Version="1"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <xacml3:Target />
  <xacml3:Policy PolicyId="urn:ogc:geoxacml:3.0:conformance-test:core:policy:geometry-encoding"
      Version="1"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides">
    <xacml3:Description>http://www.opengis.net/spec/GEOXACML/3.0/Core/conf/function-equals/support-valid</xacml3:Description>
    <xacml3:Target />
    <xacml3:Rule RuleId="precision6" Effect="Permit">
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:ogc:def:function:geoxacml:3.0:geometry-has-precision">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">4</xacml3:AttributeValue>
              <xacml3:AttributeDesignator
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  AttributeId="subject-location" DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
                  MustBePresent="true" />
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
      <xacml3:Condition>
        <xacml3:Apply FunctionId="urn:ogc:def:function:geoxacml:3.0:geometry-equals">
          <xacml3:AttributeValue DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
              xmlns:geoxacml="http://www.opengis.net/geoxacml/3.0"
              geoxacml:srid="3857"
              >POINT(-8571600.791082066 4579425.812870098)</xacml3:AttributeValue>
          <xacml3:Apply FunctionId="urn:ogc:def:function:geoxacml:3.0:geometry-one-and-only">
            <xacml3:AttributeDesignator
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="subject-location" DataType="urn:ogc:def:geoxacml:3.0:data-type:geometry"
                MustBePresent="true" />
          </xacml3:Apply>
        </xacml3:Apply>
      </xacml3:Condition>
    </xacml3:Rule>
    <xacml3:Rule RuleId="DenyAll" Effect="Deny"></xacml3:Rule>
  </xacml3:Policy>
</xacml3:PolicySet>
```
Figure B.12 — GeoXACML 3.0 policy example causing a MissingAttributeDetail response when the request geometry is not in CRS84 and AllowTransformation=false
Annex C
(informative)
Revision History
Table C.1
Date | Release | Editor | Primary clauses modified | Description |
---|---|---|---|---|
2022-11-08 | 0.1 | Andreas Matheus | all | Initial version |
2022-12-19 | 0.2 | Andreas Matheus | all | Support for additional properties in Attribute element; JSON schema added |
2022-12-22 | 0.3 | Andreas Matheus | all | Simplification of requirements classes and conformance classes |
2023-01-12 | 0.4 | Andreas Matheus | all | Align requirements, requirements classes, conformance classes, conformance tests using the new Metanorma annotations |
2023-01-13 | 0.5 | Andreas Matheus | all | Applied OGC NA-Policy to Metanorma annotations |
2023-02-06 | 0.6 | Andreas Matheus | all | Carl Reed comments incorporated |
2023-05-02 | 0.7 | Andreas Matheus | all | Comments from RFC incorporated and OGC-NA URN resolution applied |
Bibliography
[1] Edward Huang: 5 JSON Denial Attack that Every Hacker Take Advantage Of (2021), https://edward-huang.com/programming/2021/03/09/5-json-denial-attack-that-every-hacker-take-advantage-of/