[Geomoose-users] multiple applications from same GeoMoose code
Jim Klassen
klassen.js at gmail.com
Fri Nov 30 09:45:17 PST 2012
We've done this too with GeoMoose 1.x
Apache for Auth/Authz backed by LDAP.
A trick to secure MapServer is to not use mapserv.exe (annoying Windows-ism). Write a MapScript bit that checks the user's account (Apache already authenticated it and put it in an env variable) and verifies they have access before passing it to the OWS modules. This part was done in our RoR app.
Another way to handle MapServer auth, that I rather like because it is all Apache, is to use Apache to limit access to the .map files based on user auth. The user has NO access to the mapserv CGI. There is a rewrite rule that proxies calls from [123456].map?... files to http://localhost:some-externally-blocked-port/cgi-bin/mapserv?map=/basepath/[123456].map&... Note: it is required to set the environment variable per request to only allow access to that one map file, otherwise requests with an extra map= parameter (in GET or POST) will override what Apache set and get around the security.
With any of these schemes you must be sure all the services (typically PHP) only access the data through the approved (via HTTP) means. Going directly to files can bypass security.
Frankly, these last two paragraphs are in large part why I was unhappy with how the services were implemented in GeoMoose vs. GISmo at St. Paul. GISmo was designed to allow for security, multiple users, multiple mapbooks, etc. with one GeoMoose installation (code and datasets). In the name of simplicity, all this was dropped from GeoMoose during the OpenMNND project. I can't help but be amused that now, people are asking for these features.
On Nov 30, 2012, at 10:56 AM, Brian Fischer wrote:
> At least I’m not alone. Up to this point I have just used web server authentication through Apache or IIS.
>
> I’m thinking something more at the application level, so I can store user settings and preferences. This would likely mean needing a database backend and introducing more server side code (PHP/Python or whatever) along with session variables or cookies.
>
> Brian Fischer, CFM
> Principal | GIS Project Manager
> Houston Engineering, Inc.
> O 763.493.4522 | D 763.493.6664 | M 763.229.2734
>
> From: Bistrais, Bob [mailto:Bob.Bistrais at maine.gov]
> Sent: Friday, November 30, 2012 10:40 AM
> To: Brian Fischer; geomoose-users at lists.osgeo.org
> Subject: RE: multiple applications from same GeoMoose code
>
> Regarding the authentication- some thought, no action. But I see a need in future projects to have some authentication.
>
> From: geomoose-users-bounces at lists.osgeo.org [mailto:geomoose-users-bounces at lists.osgeo.org] On Behalf Of Brian Fischer
> Sent: Friday, November 30, 2012 11:38 AM
> To: geomoose-users at lists.osgeo.org
> Subject: [Geomoose-users] multiple applications from same GeoMoose code
>
> I was just curious if anyone else has thought about or tried any other methods to use multiple mapbooks and settings.ini files with one GeoMoose code folder.
>
> In the past I have used this method and it works well. http://www.geomoose.org/wiki/index.php/Modification_to_Use_Multiple_Map_Books With GeoMoose 2.6 there is another file that is introduced for local_settings.ini.
>
> Also, is anyone working on some type of authentication module for GeoMoose? Basically what I’m thinking is depending on who you log in as it would configure the catalog differently.
>
> Just wanted to get a thread started if anyone else has worked on this or thinking about it.
>
>
>
> Brian Fischer, CFM
> Principal | GIS Project Manager
> O 763.493.4522 | D 763.493.6664 | M 763.229.2734
>
> 6901 E Fish Lake Rd. , Suite 140 • Maple Grove, MN• 55369
> www.houstoneng.com
>
>
> _______________________________________________
> Geomoose-users mailing list
> Geomoose-users at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/geomoose-users
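
Added example, not part of the original thread and not GeoMoose or MapServer code: a Python model of the gatekeeper described in the reply above, which checks the Apache-authenticated user against a per-map ACL, discards any client-supplied map= parameter from both GET and form-encoded POST data, and pins the backend to the single approved map file. The ACL, the six-digit map names, the backend port and the choice of MS_MAP_PATTERN as the per-request environment variable are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode

# All values below are constructed for illustration, not taken from the post.
MAP_ACL = {"123456": {"alice"}, "654321": {"alice", "bob"}}
BASE_PATH = "/basepath"
BACKEND = "http://localhost:8081/cgi-bin/mapserv"  # port is a placeholder
MAP_URL = re.compile(r"^/(\d{6})\.map$")


class Denied(Exception):
    """Request must not be forwarded to MapServer."""


def drop_map_params(encoded):
    """Parse form-encoded data and discard every client-supplied map= key.

    Keys are compared case-insensitively as a precaution.
    """
    pairs = parse_qsl(encoded, keep_blank_values=True)
    return [(k, v) for k, v in pairs if k.strip().lower() != "map"]


def build_backend_request(remote_user, path, query="", post_body=""):
    """Return (url, body, env) for the internal mapserv call, or raise Denied.

    remote_user is the identity Apache already authenticated (REMOTE_USER).
    """
    match = MAP_URL.match(path)
    if match is None:
        raise Denied("path is not an approved .map URL")
    map_id = match.group(1)
    if remote_user not in MAP_ACL.get(map_id, set()):
        raise Denied("user may not read this map")

    mapfile = f"{BASE_PATH}/{map_id}.map"
    # The only map= the backend sees is the one chosen here, in GET and POST.
    url = BACKEND + "?" + urlencode([("map", mapfile)] + drop_map_params(query))
    body = urlencode(drop_map_params(post_body))
    # Per-request pin: MapServer refuses map= values that do not match
    # MS_MAP_PATTERN (assumed here to be the variable the post refers to).
    env = {"MS_MAP_PATTERN": "^" + re.escape(mapfile) + "$"}
    return url, body, env
```

Non-form POST bodies (for example XML OWS requests) are outside what this model parses, so the per-request pin remains the control that covers them.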