1. Copyright Information Here Junaid Arshad 1, Wei Jie 2, Andy Turner 1 University of Leeds 1, University of Manchester 2, UK sc06ja@leeds.ac.uk Securing Confidential e-Social Science Resources using Guanxi Shibboleth: A Geo-Linking Service example Acknowledgements The Census Tool Key requirements: Secure Data, User Friendly The Census Tool is based on Geo-linking technology developed during the Open Geospatial Consortium Geolinking Interoperability Experiment 8 as a collaboration of the SEE-GEO project 9 involving MoSeS 10, Edina 11 and Mimas 12. Edina and Mimas provided services for serving out data to be linked. The Geo-Linking Service (GLS) negotiated with these to provide data to a user as requested. The GLS comprises a client and server, the client (developed by MoSeS) provides a basic user interface and is implemented using Restlet 13 as a JSR-168 standard 4 compliant portlet. The server (developed by Edina) handles all the negotiations between the client and data servers and formats and provides the data as requested to the user via the client.. Overall GLS architecture GLS Client Snapshot Sakai provides a one-stop user-friendly environment to get users authenticated and grant them access to resources. To ensure data is kept secure, a custom shibboleth based solution was developed. This solution is deployed as a proxy servlet in tomcat and is agnostic of the Sakai technology. It facilitates fine grained access control based on the attributes supplied by Shibboleth. GSK PortalSakai GuardEngine GX IdP User authentication Attributes retrieval Attributes forwarding Sakai Portal FilterUserDirectoryProvider SakaiUserDirectoryProvider Shib user Sakai user Guanxi GSK Sakai access control GuanxiUserDirectoryProvider Census Tool Pluto portlet container GSK Pod … Pod Manager Sakai System Access request UDP chaining Grant or deny access User info retrieval User attribute retrieval User attributes & Census attributes Sakai user, role, etc Access control Authorization engine Role Management We use Guanxi Shibboleth Kit with our custom proxy servlet to provide fine grained access control Overall System Architecture This work was funded by: The UK Economic and Social Research Council (ESRC) under the NCeSS e- Infrastructure for the Social Sciences Project (RES-149-25-1063) The UK Joint Information Systems Committee (JISC) under the OGC Grid Collision Programme (http://www.jisc.ac.uk/whatwedo/programmes/eresearchgridogccollision.aspx)http://www.jisc.ac.uk/whatwedo/programmes/eresearchgridogccollision.aspx Introduction The Security Framework Census Tool Proxy AuthZ Servlet References The National Centre for e-Social Science (NCeSS) e-Infrastructure for the Social Sciences Project 1 is developing e-infrastructure to provide integrated and secure access to a variety of social science resources (datasets, tools and services). For this, an instance of the portal based user environment Sakai is being used as the main interface to and framework for the resources being developed by NCeSS. This NCeSS Sakai Portal 2 instance is supported by an administrator that is also a Sakai 3 software developer. Various resources hosted in the portal require sophisticated security mechanisms governed by their distinctive security requirements. One such resource is called the Census Tool. Essentially, it provides a web interface to link data about the human population of the UK from the 2001 census 5. Some of these data are not publicly available and users have to subscribe to licenses and agreements before they are allowed access to them. There is a general license covering most of the data and specific terms and conditions of use for various datasets. For a user to get access to the data they must be eligible and agree to the terms on conditions of its use. In this way, the data are regarded as confidential. To secure the Census Tool, Guanxi Shibboleth 6 was used to facilitate federated access to the resource along with a customized solution for providing fine grained access control using attributes provided by Shibboleth 7. This provides a user-friendly and generic solution for security, a security infrastructure, that can be used to secure other resources. [1] Daw, M., et al. (2007) Developing an e-Infrastructure for Social Science. Paper presented at The third International Conference on e-Social Science. http://ess.si.umich.edu/papers/paper127.pdf http://ess.si.umich.edu/papers/paper127.pdf [2] NCeSS Sakai Portal http://portal.ncess.ac.ukhttp://portal.ncess.ac.uk [3] The Sakai Project. http://sakaiproject.org/portalhttp://sakaiproject.org/portal [4] Java Portlet Specification http://jcp.org/en/jsr/detail?id=168http://jcp.org/en/jsr/detail?id=168 [5] 2001 Census http://www.statistics.gov.uk/census2001/census2001.asphttp://www.statistics.gov.uk/census2001/census2001.asp [6] Guanxi, http://www.guanxi.uhi.ac.uk/index.php/Guanxihttp://www.guanxi.uhi.ac.uk/index.php/Guanxi [7] Shibboleth Project, http://shibboleth,internet2.edu.http://shibboleth,internet2.edu [8] Geolinking Interoperability Experiment http://www.opengeospatial.org/projects/initiatives/geolinkie [9] SEE-GEO Project, http://edina.ac.uk/projects/seesaw/seegeohttp://edina.ac.uk/projects/seesaw/seegeo [10] MoSeS Project http://portal.ncess.ac.uk/access/wiki/site/moses/home.htmlhttp://portal.ncess.ac.uk/access/wiki/site/moses/home.html [11] EDINA http://edina.ac.uk/http://edina.ac.uk/ [12] MIMAS http://www.mimas.ac.uk/http://www.mimas.ac.uk/ [13] Restlet http://www.restlet.org/http://www.restlet.org/