New Security Filters (was: re: [MapServer-Users] User control)

[Jan Hartmann]

One solution would be to create multiple virtual hosts under the same 
WebServer. Each can have its own HTML pages and mapfiles (with their own 
access rights), but the MapServer executables and source files can be 
shared. The new security  filters in MapServer make this possible. It 
works like this:

For each virtual host you define an environment variable called 
MS_MAPFILE_PATTERN. With Apache this is done with the SetEnv directive 
in httpd.conf. This variable should contain a regular expression, and 
only mapfiles with names agreeing with that expression can be accessed 
by MapServer via that particular virtual host.

Additionally you can use DATAPATTERN and TEMPLATEPATTERN in the mapfile, 
to restrict scripted access to datafiles and templates. By default, no 
access is allowed, so these don't have to be set if datafiles and 
templates are hardcoded in the mapfile. However, access to mapfiles is 
*NOT* restricted, unless you set MS_MAPFILE_PATTERN, so don't forget to 
set it in a security-aware environment.

This way you can restrict access to layers. I'm not sure if it is 
possible to restrict access to parts of a layer's extent.

This is all very new and experimental, so if you succeed in setting up 
something like this, please share your experiences.

There is some documentation on this in the Wiki:

http://mapserver.gis.umn.edu/cgi-bin/wiki.pl?MigrationGuide

Jan

Petur Kirke wrote:
> We are building a WMS Service, and we want to control the access, that the
> users will get. Some users should only see some layers, and a part of the
> map area.
> 
> I am wondering how others are implementing access control of this kind ? I
> would be greatful for some information.
> 
> _______________________________________________
> Mapserver-users mailing list
> Mapserver-users at lists.gis.umn.edu
> http://lists.gis.umn.edu/mailman/listinfo/mapserver-users
> 
Jan Hartmann
Department of Geography
University of Amsterdam
jhart at frw.uva.nl