[Geomoose-users] multiple applications from same GeoMoose code

Basques, Bob (CI-StPaul) bob.basques at ci.stpaul.mn.us
Fri Nov 30 10:56:37 PST 2012


All,

I'll second a lot of what Jim has noted below.

The GISmo installation at the City still remains very flexible while at the same time providing for auth checks where needed.   Any new design efforts will most certainly be reusing this mentality when we start in on designing newer services.

One item Jim left out was that the install at the City also can handle Auth tasks for attached services as well, not just data.  So tools can be added to the interface and have their respective limits in place based on auth for users and groups.

We never really did explore all of this to its utmost however.  There are still even some ideas floating around related to this side of a GeoMoose install that haven't been generally published.  These types of system configuration are getting away somewhat from the core GeoMoose packages and should be considered to some degree a part of a bigger vision of sorts for the implementation steps related to how one installs and runs GeoMoose.

Bobb



From: geomoose-users-bounces at lists.osgeo.org On Behalf Of Jim Klassen
Sent: Friday, November 30, 2012 11:45 AM
To: Brian Fischer
Cc: geomoose-users at lists.osgeo.org
Subject: Re: [Geomoose-users] multiple applications from same GeoMoose code

We've done this too with GeoMoose 1.x

Apache for Auth/Authz backed by LDAP.

A trick to secure MapServer is to not use mapserv.exe (annoying Windows-ism).   Write a MapScript bit that checks the user's account (Apache already authenticated it and put it in an env variable) and verifies they have access before passing it to the OWS modules.  This part was done in our RoR app.

Another way to handle MapServer auth, that I rather like because it is all Apache, is to use Apache to limit access to the .map files based on user auth.  The user has NO access to the mapserv CGI.  There is a rewrite rule that proxies calls from [123456].map?... files to http://localhost:some-externally-blocked-port/cgi-bin/mapserv?map=/basepath/[123456].map&...   Note: it is required to set the environment variable per request to only allow access to that one map file, otherwise requests with an extra map= parameter (in GET or POST) will override what Apache set and get around the security.

With any of these schemes you must be sure all the services (typically PHP) only access the data through the approved (via HTTP) means.  Going directly to files can bypass security.

Frankly, these last two paragraphs are in a large part why I was unhappy with how the services were implemented in GeoMoose vs. GISmo at St. Paul.  GISmo was designed to allow for security, multiple users, multiple mapbooks, etc. with one GeoMoose installation (code and datasets).  In the name of simplicity, all this was dropped from GeoMoose during the OpenMNND project.  I can't help but be amused that now, people are asking for these features.
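The per-request check described in the proxy scheme above, as an added example that is not part of the original thread and is not GeoMoose or GISmo code: the front end picks the one permitted mapfile and drops every client-supplied `map` parameter from both the query string and a POST body before calling the internal mapserv. The port, base path, ACL and function names are constructed for illustration, and the code assumes the backend matches the `map` parameter name case-insensitively.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed values for illustration; none of them come from the thread.
BACKEND = "http://localhost:8081/cgi-bin/mapserv"  # hypothetical blocked port
BASEPATH = "/basepath"
ACL = {"alice": {"1", "2"}, "bob": {"3"}}          # user -> permitted map ids


def strip_map_params(encoded):
    """Parse a query string or form body and drop every client-supplied
    'map' key. parse_qsl percent-decodes keys, so 'm%61p' and 'MAP' are
    caught as well as 'map'."""
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k.strip().lower() != "map"]


def authorize(user, map_id):
    """Return the server-side mapfile path, or raise if not permitted.
    'user' is the name the web server already authenticated."""
    if not (map_id.isascii() and map_id.isdigit()):
        raise ValueError("map id must be numeric")
    if map_id not in ACL.get(user, set()):
        raise PermissionError(f"{user!r} may not read {map_id}.map")
    return f"{BASEPATH}/{map_id}.map"


def build_backend_request(user, map_id, query="", body=""):
    """Return (url, form_body) for the internal MapServer call.
    The only 'map' value that reaches the backend is the one chosen here."""
    mapfile = authorize(user, map_id)
    params = [("map", mapfile)] + strip_map_params(query)
    return f"{BACKEND}?{urlencode(params)}", urlencode(strip_map_params(body))
```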

On Nov 30, 2012, at 10:56 AM, Brian Fischer wrote:


At least I'm not alone.  Up to this point I have just used web server authentication through Apache or IIS.

I'm thinking something more at the application level, so I can store user settings and preferences.  This would likely mean needing a database backend and introducing more server side code (PHP/Python or whatever) along with session variables or cookies.

Brian Fischer, CFM
Principal | GIS Project Manager
Houston Engineering, Inc.
O 763.493.4522 | D 763.493.6664 | M 763.229.2734

From: Bistrais, Bob [mailto:Bob.Bistrais at maine.gov]
Sent: Friday, November 30, 2012 10:40 AM
To: Brian Fischer; geomoose-users at lists.osgeo.org
Subject: RE: multiple applications from same GeoMoose code

Regarding the authentication- some thought, no action.  But I see a need in future projects to have some authentication.

From: geomoose-users-bounces at lists.osgeo.org On Behalf Of Brian Fischer
Sent: Friday, November 30, 2012 11:38 AM
To: geomoose-users at lists.osgeo.org
Subject: [Geomoose-users] multiple applications from same GeoMoose code

I was just curious if anyone else has thought about or tried any other methods to use multiple mapbooks and settings.ini files with one GeoMoose code folder.

In the past I have used this method and it works well. http://www.geomoose.org/wiki/index.php/Modification_to_Use_Multiple_Map_Books  With GeoMoose 2.6 there is another file that is introduced for local_settings.ini.

Also, is anyone working on some type of authentication module for GeoMoose?  Basically what I'm thinking is depending on who you log in as it would configure the catalog differently.

Just wanted to get a thread started if anyone else has worked on this or thinking about it.




Brian Fischer, CFM
Principal | GIS Project Manager

O 763.493.4522 | D 763.493.6664 | M 763.229.2734




  6901 E Fish Lake Rd. , Suite 140 * Maple Grove, MN* 55369


www.houstoneng.com


