[OSGeo-Discuss] AJAX Trust and security

Jan-Oliver Wagner jan-oliver.wagner at intevation.de
Mon Mar 12 14:47:47 PDT 2007

On Monday 12 March 2007 01:16, Cameron Shorter wrote:
> Simon Green is currently researching our alternatives and it would be
> good if we can align our solution with yours.

I've researched this topic a bit recently and will also give a presentation
about how to secure GDI with Free Software at FOSSGIS this week in Berlin.

In short: there are currently 2.5 Free Software solutions available:
deegree, 52N, MapBender.

Apart from solving the authentication and authorization on the server
side, you need a clever helper tool on the client side to filter
insecure requests into secure requests.
This is because virtually no OWS client knows about SSL or authentication
(how could they, there is no standard yet ;-).

There are two solutions for the client available, WSC of 52N (Java)
and InteProxy[1] (Python). The latter is what we are developing ourselves
for securing the GDI of Lower Saxony and another state of Germany.

On the server side, solutions range from simple authentication methods
to complex ticketing-based ones. While the future belongs to the latter,
today they are expensive and lower service availability (more points of
failure). At least if done right -- only a few people seem to know how
complicated using/maintaining a PKI can get.

There are also differences in the authorization granularity, naturally.

One observation of mine so far (also at FOSS4G Lausanne) is that
with regard to PKI, people (if at all) make an effort to ensure the guy
requesting OWS is the guy he should be. What is neglected is checking whether
the OWS service is the one it should be (this type of problem got some press
with the term "Phishing"). Apart from getting interesting data from the user,
I especially see problems for the military sector. Providing wrong maps for
planning is surely a clever idea.

All the best


[1]  http://wald.intevation.org/projects/inteproxy/

Dr. Jan-Oliver Wagner                                   Intevation GmbH
Amtsgericht Osnabrück, HR B 18998             http://www.intevation.de/
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
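
The client-side helper idea from the message above, with the server-identity check it says is often neglected, as an added example (not part of the original e-mail and not InteProxy's or WSC's code). It assumes HTTP Basic authentication over TLS; the function names, the host `ows.example.org` and the credentials are hypothetical.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def build_tls_context(cafile=None):
    """TLS context that authenticates the OWS server, not only the user."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Set explicitly so a later edit cannot silently turn verification off.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def secure_request(local_url, upstream_host, user, password):
    """Turn the plain-HTTP request an OWS client sent to the local helper
    into an authenticated HTTPS request for the real service."""
    parts = urlsplit(local_url)
    if parts.scheme != "http":
        raise ValueError("helper only accepts plain HTTP from the local client")
    # Keep path and query (the OWS parameters); replace scheme and host.
    # upstream_host comes from the helper's configuration, never from the
    # request, so credentials are only ever sent to the configured service.
    target = urlunsplit(("https", upstream_host, parts.path, parts.query, ""))
    req = urllib.request.Request(target)
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    return req


def forward(req, ctx, timeout=10):
    """Send the request upstream. urlopen raises URLError when the server
    certificate or host name does not verify, so a spoofed service fails here."""
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed sample input: a WMS request as an unmodified client would send it.
    sample = "http://localhost:8080/wms?SERVICE=WMS&REQUEST=GetCapabilities"
    r = secure_request(sample, "ows.example.org", "alice", "s3cret")
    print(r.full_url)
```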
