adding support for user authentication within Mapserver for GetCapabilities and GetMap

Ed McNierney ed at TOPOZONE.COM
Sat Sep 1 00:15:30 EDT 2007


Christopher -

Yes, but it is important to remember that the "perspective of the user"
is often more important than the "perspective of the web", and we need
to provide solutions users can actually use, not ones which impressively
adhere to all the aesthetically correct principles but don't actually
work.

     - Ed

-----Original Message-----
From: UMN MapServer Users List [mailto:MAPSERVER-USERS at LISTS.UMN.EDU] On
Behalf Of Christopher Schmidt
Sent: Saturday, September 01, 2007 12:10 AM
To: MAPSERVER-USERS at LISTS.UMN.EDU
Subject: Re: [UMN_MAPSERVER-USERS] adding support for user
authentication within Mapserver for GetCapabilities and GetMap

On Fri, Aug 31, 2007 at 11:05:23PM -0400, Ed McNierney wrote:
> So we need to compromise to live in the real world.  The "wrapper"
> script is one way to do that.  If I create a wrapper PHP script such
> that my WMS Resource URI changes from:
> 
> http://my.server.com/mapserv?map=my.map&
> 
> to:
> 
> http://my.server.com/mapserv.php?user=me&password=secret&
> 
> then I'm really not doing anything different than what HTTP Basic
> authentication is doing, except for putting a few of the bytes in
> different places in the HTTP request.  It is hard to see that using HTTP
> Basic authentication is fundamentally the Right Way and the querystring
> parameters is the Evil Way, since they are almost identical.  Perhaps
> the wrapper approach even has the benefit of reminding the user that
> their id and password are being sent as clear text!

Actually, clear-text passwords in the URL string are certainly the
'wrong way' from the perspective of the web -- because they can be
cached by proxies. So, your credentials will now be stored in a proxy
somewhere, and if the logs of the server are web accessible (even in
limited form, as is often the case with web log analyzers) your password
and username are accessible that way, etc.

Now, whether the mechanism described here makes the situation more
possible to use in various clients is a different question entirely, but
it is clear that there are a number of reasons why embedding the
username and password in a GET request string is bad for users. 

Passing something along in clear text is different from putting it in
the URL string, because the URL string is, by the nature of the way the 
web works, designed to be public + sharable, which is something slightly
different.

Regards,
-- 
Christopher Schmidt
MetaCarta
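
The log exposure discussed in this thread can be checked on the server side. The following is an added example, not part of the original messages: it scans access-log lines in the Apache/NCSA common format for credential-like query-string parameters and emits a redacted copy. The parameter-name list, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as credentials (assumed list; extend for your own wrappers).
SENSITIVE = {"user", "username", "password", "passwd", "pwd", "token", "apikey"}

# Common log format: host ident authuser [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) ([^"]*)" (\d{3}) (\S+)')

def scrub_target(target):
    """Return (redacted request target, sorted sensitive parameter names found)."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found = sorted({k.lower() for k, _ in pairs if k.lower() in SENSITIVE})
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(redacted))), found

def audit(lines):
    """Yield (line number, leaked parameter names, redacted line) for each hit."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a common-log-format line; skip rather than guess
        target = m.group(6)
        redacted, found = scrub_target(target)
        if found:
            yield n, found, line.replace(target, redacted, 1)

# Constructed sample lines. Line 1 uses the wrapper-script URL from the thread,
# so both credentials land in the request line. Line 2 uses HTTP Basic: the
# Authorization header is not part of the logged request line, and only the
# user name shows up, in the authuser field.
SAMPLE = [
    '192.0.2.10 - - [01/Sep/2007:00:10:00 -0400] '
    '"GET /mapserv.php?user=me&password=secret&REQUEST=GetCapabilities HTTP/1.1" 200 5120',
    '192.0.2.11 - me [01/Sep/2007:00:11:00 -0400] '
    '"GET /mapserv?map=my.map&REQUEST=GetMap HTTP/1.1" 200 20480',
]

if __name__ == "__main__":
    for n, found, redacted in audit(SAMPLE):
        print(f"line {n}: credentials in query string ({', '.join(found)})")
        print("  " + redacted)
```

The same request target is what a forwarding proxy or a log analyzer sees, so a hit here means the credential should be treated as exposed and rotated, not just redacted.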


