adding support for user authentication within Mapserver for GetCapablities and GetMap

Ed McNierney ed at TOPOZONE.COM
Fri Aug 31 23:05:23 EDT 2007 

Sean -

While I agree with you in theory, we need to acknowledge that our WMS servers need (in some cases) to be easily accessible to the WMS clients our users want to or need to use.  I cannot tell my ArcGIS customers that my server uses HTTP Basic authentication, because their client software provides no support for it and no place for them to type their username and password.

For better or worse, the WMS specification is completely silent on the subject of authentication, and therefore set no expectations on what a well-behaved client is supposed to do.  It is unreasonable to expect, in the absence of guidance in the specification, that all WMS clients will support the complete HTTP protocol suite in all its flavors, with the required user interfaces to make that happen.

So we need to compromise to live in the real world.  The "wrapper" script is one way to do that.  If I create a wrapper PHP script such that my WMS Resource URI changes from:

http://my.server.com/mapserv?map=my.map&

to:

http://my.server.com/mapserv.php?user=me&password=secret&

then I'm really not doing anything different than what HTTP Basic authentication is doing, except for putting a few of the bytes in different places in the HTTP request.  It is hard to see that using HTTP Basic authentication is fundamentally the Right Way and the querystring parameters is the Evil Way, since they are almost identical.  Perhaps the wrapper approach even has the benefit of reminding the user that their id and password are being sent as clear text!

     - Ed

Ed McNierney
Chief Mapmaker
Demand Media / TopoZone.com
73 Princeton Street, Suite 305
North Chelmsford, MA  01863
Phone: 978-251-4242, Fax: 978-251-1396
ed at topozone.com



-----Original Message-----
From: UMN MapServer Users List [mailto:MAPSERVER-USERS at LISTS.UMN.EDU] On Behalf Of Sean Gillies
Sent: Friday, August 31, 2007 6:49 PM
To: MAPSERVER-USERS at LISTS.UMN.EDU
Subject: Re: [UMN_MAPSERVER-USERS] adding support for user authentication within Mapserver for GetCapablities and GetMap

Gerry Creager wrote:
> Gregor Mosheh wrote:
>> Sean Gillies wrote:
>>>> Gerry Creager wrote:
>>>>> Rights management is now well into the investigatory and 
>>>>> specification stages in OGC.
>>>> He, that's excellent to hear. Thanks for the tip.
>>> No, it's not excellent. DRM is defective by design.
>> Hrm, perhaps I misunderstood. I read "access control" as in password 
>> protection to get into my WMS/WFS server.
>>
>> Gerry, did you mean access control at the application layer, so I can 
>> have Mapserver manage user accounts and access to my WMS layers, or 
>> something deeper such as DRM on the imagery, copy-protection on 
>> GeoTIFFs, and the like?
>>
>> (yeah, it's off the topic of Mapserver; so's a lot of educational and 
>> interesting stuff we talk about :)
> 
> The working group title is GeoDRM.  I am not real happy with that but 
> the bigger organizations are thinking of the resources they've put into 
> their datasets and/or products. Some governments fail to see the 
> benefits to their citizens of making geospatial data widely available, 
> and thus are supporting this sort of thing.  It's gonna be an 
> interesting period, but I'm trying to get them to see the benefits of 
> authentication/authorization/capabilities control.  They keep thinking 
> the RIAA/MPAA model is good and working.  We have interesting debates. 
> I can't tell if I'm making headway or not.
> 
> The National Middelware Initiative (NSF funded, Internet2/SURA 
> implemented) covers a lot of this via federation and credential exchange 
> in their Shibboleth software initiative.
> 
> gerry

Gerry, I'm all for security too, but I think it's already addressed for 
web services by HTTP Basic + SSL/TLS. In my opinion, adding a spatial 
and time dimensions to auth (user 'joe' can only use a service between 
9am-5pm originating from Larimer County, Colorado) is pure geo-wankery.

The "GeoDRM" name -- it's clearly pandering to the non-technical guys in 
suits who (like you say) still think the RIAA is the good guy.

Cheers,
Sean

More information about the mapserver-users mailing list