[Tilecache] Tilecache Authentication

Christopher Schmidt crschmidt at metacarta.com
Thu Jan 17 07:29:38 EST 2008

On Thu, Jan 17, 2008 at 10:44:54AM +0100, Attila Csipa wrote:
> On Thursday 17 January 2008 10:29:58 Eric Lemoine wrote:
> > automatically send the login/password for you. Do you know for how
> > long the browser will do that for you?
> Not to mention that if you are using several URL-s for simultaneously fetching 
> tiles, it will likely make you authenticate for EACH of them - a rather nasty 
> side effect. And of course logging out is also a nightmare in such 
> scenarios :(

Yep. HTTP Auth is somewhat lacking -- though at least FF has a 'clear
authenticated sessions' button now.

For cases where you have more complex needs, you'll need a more complex
solution. In the past, Ive implemented this as a mod_python access

def accesshandler(req):
    options = req.get_options()
    fields = util.FieldStorage(req)
    if fields['sess'] and fields['token']:
        sess = fields['sess']
        c = LocalCacheDict()
        stored = c.get("apisession:%s" % sess)
        if fields['token'] == md5.md5(str(stored['sesskey'])).hexdigest():
            return apache.OK
    return apache.HTTP_UNAUTHORIZED

LocalCacheDict is some kind of local semi-persistent storage --
memcached, sqlite, what have you -- that stores your list of
session/token pairs. Then, when the user loads the page itself, you'll
need to generate these session and token variables in the javascript and 
send them as params with the layer: Layer.WMS("name", "url", {'layers':'foo',
'sess':'blah','token':'bleh' }). LocalCacheDict will need to expire
after the time period that you think users are no longer likely to be
browsing actively -- say, 24 hours -- so that they can't be copied /
reused outside the context in which they're generated (if you care about

If your page itself is static, you will need to have *some*
authenticated way of having the user identify the first time -- either
logging in, and storing the seesion and token in a cookie that you can
access from your code, or something else like that.

Setting up an access handler like the above is just configuring your
directory with mod_python, then doing:

  PythonAccessHandler NameOfPythonModule

the 'accesshandler' is a 'magic' function name that will be checked

For my "LocalCacheDict", I use memcached.  

(And this is far more than I expected you would get out of me, but
squeak enough and I guess you still get the grease.)

The reason that this isn't *built in* to TileCache is clear to me: it's
too site specific. Everyone will want a different way of doing it. Some
will want some Java app to store their auth informtion, some will want
to write it out to a flat file on disk, etc. There's no way to embed all
that logic into TileCache -- and since mod_python makes it easy to
implement yourself, I don't see why TileCache should try. 

Christopher Schmidt

More information about the Tilecache mailing list