<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
All,<br>
<br>
I've run into the same design problems as Ed is describing here as
well. There just doesn't seem to be an easy way to add in
Authentication to any of the spatial standards that have been set up.<br>
<br>
I'm really having a hard time trying to decide just how to add
authentication. I also need to add it at the layer level which makes
things a bit more complicated. I'm not fond of the clear-text
parameter method either, and managing things on the server side is too
much admin overhead.<br>
<br>
I have some ideas, but they all seem overly complicated.<br>
<br>
bobb<br>
<br>
<br>
<br>
Ed McNierney wrote:
<blockquote
cite="mid:4BF377919225F449BB097CB76FFE9BC80198838F@ptolemy.topozone.com"
type="cite">
<pre wrap="">Sean -
While I agree with you in theory, we need to acknowledge that our WMS servers need (in some cases) to be easily accessible to the WMS clients our users want to or need to use. I cannot tell my ArcGIS customers that my server uses HTTP Basic authentication, because their client software provides no support for it and no place for them to type their username and password.
For better or worse, the WMS specification is completely silent on the subject of authentication, and therefore set no expectations on what a well-behaved client is supposed to do. It is unreasonable to expect, in the absence of guidance in the specification, that all WMS clients will support the complete HTTP protocol suite in all its flavors, with the required user interfaces to make that happen.
So we need to compromise to live in the real world. The "wrapper" script is one way to do that. If I create a wrapper PHP script such that my WMS Resource URI changes from:
<a class="moz-txt-link-freetext"
href="http://my.server.com/mapserv?map=my.map&">http://my.server.com/mapserv?map=my.map&</a>
to:
<a class="moz-txt-link-freetext"
href="http://my.server.com/mapserv.php?user=me&password=secret&">http://my.server.com/mapserv.php?user=me&password=secret&</a>
then I'm really not doing anything different than what HTTP Basic authentication is doing, except for putting a few of the bytes in different places in the HTTP request. It is hard to see that using HTTP Basic authentication is fundamentally the Right Way and the querystring parameters is the Evil Way, since they are almost identical. Perhaps the wrapper approach even has the benefit of reminding the user that their id and password are being sent as clear text!
- Ed
Ed McNierney
Chief Mapmaker
Demand Media / TopoZone.com
73 Princeton Street, Suite 305
North Chelmsford, MA 01863
Phone: 978-251-4242, Fax: 978-251-1396
<a class="moz-txt-link-abbreviated" href="mailto:ed@topozone.com">ed@topozone.com</a>
-----Original Message-----
From: UMN MapServer Users List [<a class="moz-txt-link-freetext"
href="mailto:MAPSERVER-USERS@LISTS.UMN.EDU">mailto:MAPSERVER-USERS@LISTS.UMN.EDU</a>] On Behalf Of Sean Gillies
Sent: Friday, August 31, 2007 6:49 PM
To: <a class="moz-txt-link-abbreviated"
href="mailto:MAPSERVER-USERS@LISTS.UMN.EDU">MAPSERVER-USERS@LISTS.UMN.EDU</a>
Subject: Re: [UMN_MAPSERVER-USERS] adding support for user authentication within Mapserver for GetCapablities and GetMap
Gerry Creager wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Gregor Mosheh wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Sean Gillies wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">Gerry Creager wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Rights management is now well into the investigatory and
specification stages in OGC.
</pre>
</blockquote>
<pre wrap="">He, that's excellent to hear. Thanks for the tip.
</pre>
</blockquote>
<pre wrap="">No, it's not excellent. DRM is defective by design.
</pre>
</blockquote>
<pre wrap="">Hrm, perhaps I misunderstood. I read "access control" as in password
protection to get into my WMS/WFS server.
Gerry, did you mean access control at the application layer, so I can
have Mapserver manage user accounts and access to my WMS layers, or
something deeper such as DRM on the imagery, copy-protection on
GeoTIFFs, and the like?
(yeah, it's off the topic of Mapserver; so's a lot of educational and
interesting stuff we talk about :)
</pre>
</blockquote>
<pre wrap="">The working group title is GeoDRM. I am not real happy with that but
the bigger organizations are thinking of the resources they've put into
their datasets and/or products. Some governments fail to see the
benefits to their citizens of making geospatial data widely available,
and thus are supporting this sort of thing. It's gonna be an
interesting period, but I'm trying to get them to see the benefits of
authentication/authorization/capabilities control. They keep thinking
the RIAA/MPAA model is good and working. We have interesting debates.
I can't tell if I'm making headway or not.
The National Middelware Initiative (NSF funded, Internet2/SURA
implemented) covers a lot of this via federation and credential exchange
in their Shibboleth software initiative.
gerry
</pre>
</blockquote>
<pre wrap=""><!---->
Gerry, I'm all for security too, but I think it's already addressed for
web services by HTTP Basic + SSL/TLS. In my opinion, adding a spatial
and time dimensions to auth (user 'joe' can only use a service between
9am-5pm originating from Larimer County, Colorado) is pure geo-wankery.
The "GeoDRM" name -- it's clearly pandering to the non-technical guys in
suits who (like you say) still think the RIAA is the good guy.
Cheers,
Sean
</pre>
</blockquote>
</body>
</html>