[Mapbender_dev] Regarding http digest authentication

Armin Retterath armin.retterath at lvermgeo.rlp.de
Tue Jul 6 02:22:30 EDT 2010


Hello,

I've done the implementation, so I think I have to explain the function of 
index.php:


On Monday, 05 July 2010, at 21:50:04, Karim Malhas wrote:
> Hi Vikas,
> 
> > I have a couple of queries regarding the earlier implementation of http
> > auth -
> > 1) what is ows proxy? I found the article on OWS Proxy in Mapbender wiki
> > but that is written in German. It would be really nice if somebody could
> > explain the concept to me in brief.
> 
> I don't think I have fully understood it either, so someone correct me
> please. The general idea is to obscure which host a WMS is served by
> 
> So
> 
> "http://wms5.example.net/wms?version=1.0&service=wms&request=getCapabilites"
> 
> becomes:
> 
> "http://www.example.com/owsproxy/87502jd23roc3hf3q?version=1.0&service=wms&request=getCapabilites"
> 
> All the client sees is the second url and won't know that the wms is
> accessible via the other url as well. There's some black magic in
> that hash-like string, which somehow restricts access by user, but I
> don't really know the details and for all I know it's easily replaced
> by a HTTP Proxy requiring authentication.
> 
I think the explanation is quite ok. The owsproxy module is a simple PHP-based 
script which controls the incoming WMS and WFS requests and 
decides if a user has the right to access the server. The decision is made 
by checking the authorization which is stored in the Mapbender 
database. Mapbender uses an authorization which is defined over the 
GUIs: a person who has the right to access a GUI also has the right to 
access the services included in this GUI. 
The script checks the session and the IP of the user, but the problem is 
that the user has to authenticate at Mapbender beforehand, to set the 
session! The redirecting of the dynamic service URLs, as Karim has 
shown above, to the script itself is done with Apache URL rewriting or 
proxy functions.

With this function Mapbender becomes an OGC web service security proxy. 
The requests can be logged into the Mapbender database.

Every owner of an OWS in Mapbender can decide to activate this function 
by checking a checkbox for this service in the administration menu.

The problem was that the URLs of these secured services are dynamic, but 
the services should be integrated in desktop GIS systems and the users 
don't want to alter the service URLs when the Mapbender session is no 
longer active. The solution is a stable URL, which is somewhat RESTful, 
available from the Mapbender 'service registry' by layer id:
 
https://www.geoportal.rlp.de/http_auth/27421?REQUEST=GetCapabilities&VERSION=1.1.1&SERVICE=WMS

The http_auth module which you found is comparable to the OWS proxy 
module but controls the access to the proxy-secured resource by 
HTTP digest authentication. The users of the Mapbender registry can 
easily integrate every registered service in their desktop GIS clients by 
using their Mapbender accounts and the HTTP digest authentication 
method. The services come from many different institutions but are all 
registered in one Mapbender database. The authorization is done 
decentrally!

It's a very simple but efficient way to handle a big group of different 
OWS and to make it easy for the users and providers of these OWS. 

 
> > 2) Earlier implementation assumes that there is a column in the mb-user
> > table called digest which already contains the digest. Does any column
> > already exist ? or there are plans to include them in the table? In my
> > implementation I am calculating the hash each time authentication is
> > required.

The mb_user_digest is a standard column in mapbender_trunk. There 
are some functions which are not yet integrated in Mapbender (but 
in our application, http://www.geoportal.rlp.de, where TYPO3 wraps the 
Mapbender user administration): setting the digest, and changing the 
digest when changing mb_user_name, mb_user_email or realm. We 
cannot store the password in cleartext in the Mapbender 
database; therefore we have to generate the digest beforehand!

> 
> I guess that's ok, we can always optimize later.
> 
> Regards,
> Karim
> 
> _______________________________________________
> Mapbender_dev mailing list
> Mapbender_dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapbender_dev


-- 
On behalf of
--
Armin Retterath

Kompetenz- und Geschäftsstelle Geodateninfrastruktur Rheinland-Pfalz
beim
Landesamt für Vermessung und Geobasisinformation Rheinland-Pfalz

Ferdinand-Sauerbruch-Straße 15
56073 Koblenz
Phone 0261/492-466
Fax 0261/492-492
armin.retterath at lvermgeo.rlp.de
http://www.geoportal.rlp.de
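The digest handling described in this thread (a stored mb_user_digest instead of a cleartext password, and a digest that has to be regenerated when the user name or realm changes), as an added example that is not part of the original mail or of Mapbender's own http_auth code. It assumes the stored value is the RFC 2617 HA1 = MD5(username:realm:password); the realm string, user, password and nonce are constructed for the example.

```python
import hashlib
import hmac
import re

REALM = "mapbender"  # assumed realm string; the module's real realm is not on the page

def ha1(username, realm, password):
    """HA1 = MD5(username:realm:password): the value a column like mb_user_digest is assumed
    to hold instead of the cleartext password. User name and realm are inputs, so a rename
    or realm change invalidates the stored value and it must be regenerated."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()

def digest_response(ha1_value, method, p):
    """RFC 2617 'response' recomputed from HA1 alone (qop=auth or legacy no-qop form)."""
    ha2 = hashlib.md5(f"{method}:{p['uri']}".encode()).hexdigest()
    middle = f"{p['nonce']}:{p['nc']}:{p['cnonce']}:auth" if p.get("qop") == "auth" else p["nonce"]
    return hashlib.md5(f"{ha1_value}:{middle}:{ha2}".encode()).hexdigest()

def build_authorization(username, password, method, uri, nonce, cnonce, nc="00000001"):
    """Client side: the header a desktop GIS sends after receiving the server's nonce."""
    p = {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
         "qop": "auth", "nc": nc, "cnonce": cnonce}
    p["response"] = digest_response(ha1(username, REALM, password), method, p)
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in p.items())

def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict; quoted values may contain ',' and '='."""
    if not header.startswith("Digest "):
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,]+)', header[len("Digest "):])
    return {k: v.strip().strip('"') for k, v in pairs}

def verify(header, method, digests, issued_nonces):
    """Server side: check a request against the stored HA1 table; no password is needed.
    Nonce handling is reduced to 'was it issued'; a real server also expires and counts them."""
    p = parse_authorization(header)
    needed = {"username", "realm", "uri", "nonce", "response"}
    if p and p.get("qop") == "auth":
        needed |= {"nc", "cnonce"}
    if not p or not needed <= set(p) or p["realm"] != REALM or p["nonce"] not in issued_nonces:
        return False
    stored = digests.get(p["username"])
    if stored is None:
        return False
    return hmac.compare_digest(digest_response(stored, method, p), p["response"])
```

The last check in the test below is the case the mail points at: a digest computed under an old user name or realm no longer verifies, so it has to be rewritten whenever those fields change.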
