<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>Message</TITLE>
<META content="MSHTML 6.00.2900.2627" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Hi James,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Some options:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Make sure the embedded accounts only have select against
the tables that they</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>need. Create a client account with the minumum prvileges
required to function.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Configure your webserver to not allow users to access map
files, for Apache</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>you could either set up a server wide directive to disallow
"\.map$", or put all</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>your map files in a directory outside the webroot or one
that uses .htaccess</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>to deny HTTP access (Mapserver will read them via the
filesystem).</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Use Mapscript to dynamically create connection values
from elsewhere at call time.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Depending on your environment, it's not a whole lot
different to how a lot of server side</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>scripting environments already handle database
connectivity:</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006>
</SPAN><SPAN class=464101104-08032006><FONT face=Arial color=#0000ff size=2><A
href="http://mavweb.net/asp-samples/database-connection-strings.asp">http://mavweb.net/asp-samples/database-connection-strings.asp</A></FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>(no-one has wobblies about .asp or .cfm pages containing
connect strings)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Also, if your DB is configured to only allow local
connections, by the stage someone</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>can actually use the purloined details they probably own
your host system anyway.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Regards,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2>Antti</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=464101104-08032006><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> UMN MapServer Users List
[mailto:MAPSERVER-USERS@LISTS.UMN.EDU] <B>On Behalf Of </B>Léveillé,
James<BR><B>Sent:</B> Wednesday, 8 March 2006 7:26 AM<BR><B>To:</B>
MAPSERVER-USERS@LISTS.UMN.EDU<BR><B>Subject:</B> [UMN_MAPSERVER-USERS] Security
issue<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV><FONT face=Verdana size=2><SPAN class=760191520-07032006>Hi
all,</SPAN></FONT></DIV>
<DIV><FONT face=Verdana size=2><SPAN
class=760191520-07032006></SPAN></FONT> </DIV>
<DIV><FONT face=Verdana size=2><SPAN class=760191520-07032006>I've been using
MapServer for a few weeks (on a "development" server).</SPAN></FONT></DIV>
<DIV><FONT face=Verdana size=2><SPAN class=760191520-07032006>I now have to set
it up on a "production" server.</SPAN></FONT></DIV>
<DIV><FONT face=Verdana size=2><SPAN
class=760191520-07032006></SPAN></FONT> </DIV>
<DIV><FONT face=Verdana size=2><SPAN class=760191520-07032006>My problem is the
<SPAN class=760191520-07032006>CONNECTION tag in the MapFile
(Oracle).</SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Verdana size=2><SPAN class=760191520-07032006><SPAN
class=760191520-07032006>Guys from the IT really don't like to see the
connection string in the flat file ...</SPAN></SPAN></FONT></DIV>
<DIV><FONT face=Verdana size=2><SPAN class=760191520-07032006><SPAN
class=760191520-07032006></SPAN></SPAN></FONT> </DIV>
<DIV><FONT face=Verdana size=2><SPAN class=760191520-07032006>What are the
different solutions I have ?</SPAN></FONT></DIV>
<DIV><FONT face=Verdana size=2><SPAN class=760191520-07032006>Can the <A
href="mailto:user/pw@instance">user/pw@instance</A> string be encrypted on the
server side ?</SPAN></FONT></DIV>
<DIV><FONT face=Verdana size=2><SPAN
class=760191520-07032006></SPAN></FONT> </DIV>
<DIV><FONT face=Verdana size=2><SPAN
class=760191520-07032006>Regards</SPAN></FONT><FONT face=Verdana size=2><SPAN
class=760191520-07032006></SPAN></FONT></DIV>
<DIV> </DIV>
<DIV align=left><FONT face=Verdana
size=2>__________________________________________</FONT></DIV>
<DIV align=left><FONT face=Verdana size=2><STRONG>James
Léveillé</STRONG></FONT></DIV>
<DIV align=left><FONT face=Verdana size=2><FONT size=1><FONT
face=Verdana> </DIV></FONT></FONT></FONT>
<DIV align=left><FONT face=Verdana color=#0000a0 size=2><STRONG>Intélec
Géomatique</STRONG></FONT></DIV>
<DIV align=left><FONT face=Verdana size=1>420, boul. Charest Est<BR>Bureau
400<BR>Québec (QC), Canada<BR>G1K 8M4</FONT></DIV>
<DIV align=left><FONT face=Verdana size=1></FONT> </DIV>
<DIV align=left>
<DIV align=left><FONT face=Verdana color=#c0c0c0
size=1></FONT></DIV></DIV></BODY></HTML>
<BR>
<P><FONT SIZE=2 FACE="Arial">---------------------------------------------------------------------- </FONT></P>
<P><FONT SIZE=2 FACE="Arial">IMPORTANT - This message has been issued by The Department of Agriculture, Fisheries and Forestry (DAFF). The information transmitted is for the use of the intended recipient only and may contain confidential and/or legally privileged material. It is your responsibility to check any attachments for viruses and defects before opening or sending them on. </FONT></P>
<P><FONT SIZE=2 FACE="Arial">Any reproduction, publication, communication, re-transmission, disclosure, dissemination or other use of the information contained in this e-mail by persons or entities other than the intended recipient is prohibited. The taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you have received this e-mail in error please notify the sender and delete all copies of this transmission together with any attachments. If you have received this e-mail as part of a valid mailing list and no longer want to receive a message such as this one advise the sender by return e-mail accordingly. Only e-mail correspondence which includes this footer, has been authorised by DAFF </FONT></P>
<P><FONT SIZE=2 FACE="Arial">----------------------------------------------------------------------</FONT></P>