[Qgis-developer] qgis-mapserver: user authentication

[Niccolo Rigacci]

Here it is my opinion about WMS access control (not only QGIS 
Mapserver). This is mainly to Giovanni Manghi, which has to solve 
the problem: I think you can choose between solution #1 (short 
term) and solution #3 (mid term).

Three different approaches:

1) Authentication and redirect by the web server: users with
different privileges will be redirected to different backends
(different QGIS projects, in QGIS Mapserver case). All the work
is to make different projects with different views of the data.

2) QGIS Mapserver will implement some sort of Access Control: it
will give diffferent results for the same project/query, based on
the authenticated user. This seems simple, but an alarm bell is
that no WMS server exists which do that (except for Geoserver,
but I did not investigated how).
This approach is hard: whe have a standard protocol (WMS) and we
want to add some out-of-standard features (Access Control). As
far as I understand UMN-MapServer developers have avoided this at
all, will QGIS Mapserver developers endorse it instead?
Is not so simple even to define what is access control: layer
access? Attribute access? Vector? Raster? Read/Write? All of this
will be buried intimately into the WMS code: I don't like it
very much.

3) A "proxy" approach can leave the WMS code intact: an http
proxy will receive the query, parses it, apply Access Control and
pass the (eventually modified) query to the WMS. The response
will be eventually modified (e.g. stripping data from the XML
GetCapabilities response) and passes it to the client.
The granularity of the Access Control will be very rude, because 
the WMS protocol has a rude query syntax (layer on/off, not much 
more), but proxying is the only "right" way to filter a protocol 
without rewriting it.

All the software cited by Pirim uses the third approach, as far I 
can understand.

-- 
Niccolo Rigacci
Firenze - Italy
Tel. ufficio: 055-0118525