adding support for user authentication within Mapserver for GetCapablities and GetMap

Sean Gillies sgillies at FRII.COM
Sat Sep 1 16:12:13 EDT 2007 

Christopher Schmidt wrote:
> On Fri, Aug 31, 2007 at 11:05:23PM -0400, Ed McNierney wrote:
>> So we need to compromise to live in the real world.  The "wrapper" script is one way to do that.  If I create a wrapper PHP script such that my WMS Resource URI changes from:
>>
>> http://my.server.com/mapserv?map=my.map&
>>
>> to:
>>
>> http://my.server.com/mapserv.php?user=me&password=secret&
>>
>> then I'm really not doing anything different than what HTTP Basic authentication is doing, except for putting a few of the bytes in different places in the HTTP request.  It is hard to see that using HTTP Basic authentication is fundamentally the Right Way and the querystring parameters is the Evil Way, since they are almost identical.  Perhaps the wrapper approach even has the benefit of reminding the user that their id and password are being sent as clear text!
> 
> Actually, clear-text passwords in the URL string are certainly the
> 'wrong way' from the perspective of the web -- because they can be
> cached by proxies. So, your credentials will now be stored in a proxy
> somewhere, and if the logs of the server are web accessible (even in
> limited form, as is often the case with web log analyzers) your password
> and username are accessible that way, etc.
> 
> Now, whether the mechanism described here makes the situation more
> possible to use in various clients is a different question entirely, but
> it is clear that there are a number of reasons why embedding the
> username and password in a GET request string is bad for users. 
> 
> Passing something along in clear text is different from putting it in
> the URL string, because the URL string is, by the nature of the way the 
> web works, designed to be public + sharable, which is something silghtly
> different.
> 
> Regards,

Good points.

Ed, I appreciate the need to be pragmatic. At the same time, we need to 
start pushing back against crappy client software, and start advocating 
for and implementing with best practices or the situation is just going 
to get worse. (The cynic in me feels that service providers like 
proprietary auth for its potential to lock-in customers. Free services 
are interchangeable, for-fee services less so.)

I've got some great ideas for making per-layer CGI auth issues go away 
(or at least move them to a more appropriate layer of your system). Look 
me up at FOSS4G and fill my beer glass if you want to hear them ;)

Cheers,
Sean

More information about the mapserver-users mailing list