<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Probably do have the same issue although there are other mechanisms to make layers not queryable etc… so it’s probably not as big an issue. I agree it would
be a nice addition following the same approach as with OWS. Would it make sense to move mode/request limiting and this other access control to an ACCESS … END block?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Steve<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Tamas Szekeres [mailto:szekerest@gmail.com]
<br>
<b>Sent:</b> Thursday, February 14, 2013 9:48 AM<br>
<b>To:</b> Lime, Steve D (MNIT)<br>
<b>Cc:</b> Daniel Morissette; mapserver-dev@lists.osgeo.org<br>
<b>Subject:</b> Re: [mapserver-dev] Enable/disable OWS layers by IP list<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Steve,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">With regards to disabling the stock CGI modes I wonder if we have the same issue for example when limiting access to certain WMS layers by using the wms_enable_request setting. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For a workaround, I think it would be easy to implement a similar parameter (for example ms_disable_modes) in the WEB section to control which modes are not to be handled.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">For example "ms_disable_modes" "*" would dispatch only those requests where explicit mode is not set by URL. I notice we also have a modeStrings array in mapservutil.c which could provide the option to disable the modes selectively, something
like:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">"ms_disable_modes" "MAP BROWSE LEGEND"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">What is you opinion?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Best regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Tamas<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">2013/2/14 Lime, Steve D (MNIT) <<a href="mailto:Steve.Lime@state.mn.us" target="_blank">Steve.Lime@state.mn.us</a>><o:p></o:p></p>
<p class="MsoNormal">I think this needs an RFC... This isn't a trivial addition. For example, this mechanism needs to<br>
apply to stock CGI operations (mode=...) as well or someone could simply work around the OWS<br>
interfaces using their CGI equivalent.<br>
<br>
Which gets me thinking about being able to limit those via a mapfile or shut that functionality<br>
off altogether.<br>
<br>
Steve<br>
<br>
________________________________________<br>
From: <a href="mailto:mapserver-dev-bounces@lists.osgeo.org">mapserver-dev-bounces@lists.osgeo.org</a> [<a href="mailto:mapserver-dev-bounces@lists.osgeo.org">mapserver-dev-bounces@lists.osgeo.org</a>] on behalf of Daniel Morissette [<a href="mailto:dmorissette@mapgears.com">dmorissette@mapgears.com</a>]<br>
Sent: Wednesday, February 13, 2013 11:12 AM<br>
To: <a href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a><br>
Subject: Re: [mapserver-dev] Enable/disable OWS layers by IP list<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal"><br>
Thank you Steve for suggesting the support of subnet masks<br>
(a.b.c.d/mask), I was going to suggest the same thing.<br>
<br>
I also would like to suggest supporting both a list of addresses from a<br>
file, or the ability to provide the values directly in the mapfile. In<br>
cases where there are only a couple of IPs to list, being able to<br>
specify them directly in the mapfile would be much more user-friendly.<br>
<br>
e.g.<br>
<br>
space-delimited list of addresses:<br>
<br>
"ows_allowed_ip_list" "123.45.67.89 11.22.33.44"<br>
<br>
or ref to a file:<br>
<br>
"ows_allowed_ip_list" "file:/path/to/list_of_ips.txt"<br>
<br>
<br>
I think that long term we'll want more powerful access control<br>
mechanisms, we have discussed this several times here, but that is a<br>
much bigger issue to tackle and I think the proposed mechanism can<br>
easily be deprecated without important side-effects the day that we<br>
would have something more powerful in place.<br>
<br>
And finally, even if that is a simple and straightforward addition, I<br>
think that a short RFC to document it would be nice and I'd encourage<br>
you to produce one. RFCs are often the only reference for some features<br>
until they make it to the docs... there are even some features from a<br>
few releases ago for which the RFC is still the only/best docs available<br>
(unfortunately).<br>
<br>
<br>
Daniel<br>
<br>
<br>
On 13-02-13 10:18 AM, Tamas Szekeres wrote:<br>
> Hi Steve,<br>
><br>
> Thanks for the comments, using CIDR notation<br>
> <<a href="http://en.wikipedia.org/wiki/CIDR_notation" target="_blank">http://en.wikipedia.org/wiki/CIDR_notation</a>> to define ranges would be<br>
> reasonable. This would allow to define subnets in a single row. I think<br>
> it would work with both ipv4 and ipv6 addresses.<br>
><br>
> Best regards,<br>
><br>
> Tamas<br>
><br>
><br>
><br>
> 2013/2/13 Stephen Woodbridge <<a href="mailto:woodbri@swoodbridge.com">woodbri@swoodbridge.com</a><br>
> <mailto:<a href="mailto:woodbri@swoodbridge.com">woodbri@swoodbridge.com</a>>>:<br>
> > On 2/13/2013 8:45 AM, Tamas Szekeres wrote:<br>
> >><br>
> >> Hi Devs,<br>
> >><br>
> >> I got a requirement from Faunalia (<a href="http://www.faunalia.it" target="_blank">http://www.faunalia.it</a>) to<br>
> >> establish option to Enable/disable OWS layers by IP list.<br>
> >> We need to add two new parameters to the WEB section of the mapfile,<br>
> >> and/or in the METADATA section of every single layer:<br>
> >><br>
> >> 1. "ows_allowed_ip_list"<br>
> >> 2. "ows_denied_ip_list"<br>
> >><br>
> >> Both should point to a file with a list of IP addresses.<br>
> ><br>
> ><br>
> > If you are pointing to a file then these should be<br>
> ><br>
> > ows_allowed_ip_file<br>
> > ows_denied_ip_file<br>
> ><br>
> > to avoid confusion. Using "list" implies that a item target should be<br>
> a list<br>
> > of ip addrs and not a file.<br>
> ><br>
> > These should not allow parameter substitution as that would be a simple<br>
> > defeat of the mechanism.<br>
> ><br>
> > Do you plan to support address ranges like:<br>
> ><br>
> > 192.168.1.1-192.168.1.10<br>
> > <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> <<a href="http://192.168.1.0/24" target="_blank">http://192.168.1.0/24</a>><br>
> ><br>
> > Otherwise looks fine.<br>
> ><br>
> > -Steve W<br>
> ><br>
> >> The aim is to let the admin to define list of users, identified<br>
> >> through their IPs to<br>
> >> allow or deny access to one or more specific WMS or WFS layers.<br>
> >><br>
> >> I've prepared an implementation to this requirement which appears to<br>
> >> be a fairly simple addition to the code:<br>
> >><br>
> >><br>
> <a href="https://github.com/szekerest/mapserver/commit/4b7c203a1782cd56d01c34e1079a184c04e51207" target="_blank">
https://github.com/szekerest/mapserver/commit/4b7c203a1782cd56d01c34e1079a184c04e51207</a><br>
> >><br>
> >> In my approach if both the allowed list and the denied list contains<br>
> >> the current endpoint IP then the denied list will take precedence.<br>
> >> If allowed_ip_list or ows_denied_ip_list is not specified or the<br>
> >> specified files are not readable then the current behaviour will<br>
> >> continue to work.<br>
> >><br>
> >> Issue has also been added for this addition:<br>
> >> <a href="https://github.com/mapserver/mapserver/issues/4588" target="_blank">
https://github.com/mapserver/mapserver/issues/4588</a><br>
> >><br>
> >><br>
> >> Let me know about your opinion whether this change is reasonable.<br>
> >> Would that require an RFC to be added?<br>
> >><br>
> >> Deadline of this addition is close, so I'd prefer to include this as<br>
> >> soon as possible.<br>
> >><br>
> >><br>
> >> Best regards,<br>
> >><br>
> >> Tamas<br>
> >> _______________________________________________<br>
> >> mapserver-dev mailing list<br>
> >> <a href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a> <mailto:<a href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a>><br>
> >> <a href="http://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank">
http://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><br>
> >><br>
> ><br>
> > _______________________________________________<br>
> > mapserver-dev mailing list<br>
> > <a href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a> <mailto:<a href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a>><br>
> > <a href="http://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank">
http://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><br>
><br>
><br>
><br>
> _______________________________________________<br>
> mapserver-dev mailing list<br>
> <a href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a><br>
> <a href="http://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank">
http://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><br>
><br>
<br>
<br>
--<br>
Daniel Morissette<br>
<a href="http://www.mapgears.com/" target="_blank">http://www.mapgears.com/</a><br>
Provider of Professional MapServer Support since 2000<br>
<br>
_______________________________________________<br>
mapserver-dev mailing list<br>
<a href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a><br>
<a href="http://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank">http://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><br>
<br>
<br>
_______________________________________________<br>
mapserver-dev mailing list<br>
<a href="mailto:mapserver-dev@lists.osgeo.org">mapserver-dev@lists.osgeo.org</a><br>
<a href="http://lists.osgeo.org/mailman/listinfo/mapserver-dev" target="_blank">http://lists.osgeo.org/mailman/listinfo/mapserver-dev</a><o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>