[mapserver-users] Variable Substitution -- using environment variables (#3122)

Martin Kofahl M.Kofahl at gmx.net
Thu Sep 17 02:41:19 EDT 2009 

[Crossposting to dev-list in case that someone is interested.]


Hi Julien!
I have a separate access control system for ows in use. But for the reason of performance, it might be valuable to have some simple access control mechanisms inside mapserver. Such as using the REMOTE_USER environment variable for a substitution in the DATA statement.

I did add a new enhancement #3122 to the tracking system. The included patch simply expands msDecryptStringTokens() in order to avoid multiple search runs. No-hex tokens will be treated as environment variable, but this should be improved to avoid confusions.

Martin


-------- Original-Nachricht --------
> Datum: Thu, 10 Sep 2009 09:36:30 -0400
> Von: Julien-Samuel Lacroix <jlacroix at mapgears.com>
> An: Martin Kofahl <M.Kofahl at gmx.net>
> CC: mapserver-users at lists.osgeo.org
> Betreff: Re: [mapserver-users] Variable Substitution

> Hi,
> 
> You can't pass authentication information through cookies anyway. They 
> can easily be overwriten by the user. You should probably have a proxy 
> in front of your mapserver that does the authentication.
> 
> There's a couple of access control systems that will be presented at 
> FOSS4G in october. There may be one that may interest you.
> 
> Julien
> 
> Martin Kofahl wrote:
> > Hi Julien,
> > I think I missed something in my configuration as I thought, a cookie
> set using apaches rewrite mechanism is already visible for mapserv in the
> first request.
> > 
> > But now there's a general problem when using this technique with
> separate authentication mechanisms: a cookie is handled equate with
> get/post-request parameters and is processed last. Thus, when using a variable in a data
> statement, e.g. 'select ... where uid=%user%', one can easily override a
> cookie holding the username by adding '&user=foreign_account' to the
> request_uri.
> > 
> > So I'm not perfectly satisfied using this for authorization purposes.
> What do you think?
> > 
> > Martin
> > 
> > 
> > 
> > -------- Original-Nachricht --------
> >> Datum: Wed, 09 Sep 2009 09:44:14 -0400
> >> Von: Julien-Samuel Lacroix <jlacroix at mapgears.com>
> >> An: Martin Kofahl <M.Kofahl at gmx.net>
> >> CC: mapserver-users at lists.osgeo.org
> >> Betreff: Re: [mapserver-users] Variable Substitution
> > 
> >> Hi,
> >>
> >> Looking at the code in loadParams() in cgiutil.c, the cookies are added
> >> to the GET or POST variables automatically. There's nothing special to
> do.
> >>
> >> Julien
> >>
> >> Martin Kofahl wrote:
> >>> Hi,
> >>> the documentation at http://mapserver.org/mapfile/variable_sub.html
> >> tells about using cookies for variable substitution. Can someone
> provide a
> >> working example? I can get substitution working by using get/post
> request
> >> parameters only.
> >>> Martin
> >>>
> > 
> 
> -- 
> Julien-Samuel Lacroix
> Mapgears
> http://www.mapgears.com/

More information about the mapserver-users mailing list