[Mapbender-dev] idea: http_digest_authentication to secure services
in mapbender registries
Armin Retterath
armin.retterath at lvermgeo.rlp.de
Mon Aug 10 05:35:38 EDT 2009
hello,

we plan to extend mapbender's owsproxy function to support http_digest
authentication (http://www.ietf.org/rfc/rfc2617.txt) too. with this
possibility and the use of https we can make a relatively secure connection
between different mapbender installations or between mapbender and clients
who support the http_digest authentication. we think it will be easy to
extend clients to support the http_digest. one critical performance problem
will be that mapbender must control the authorization at every getmap,
getfeatureinfo, getlegendgraphics and getcap request. this may be solved by
caching the authorization info in an indexed version (lucene or textfile).

for supporting the http_digest, we have to store the digest (md5
('username:realm:password')) in the mb_user table. this hash must be updated
every time the username or the password changes (cannot be done by db
trigger, because the password is stored as md5 hash in the mb_user table).

for the mapbender http_digest client side the wms table has to be extended with
username and digest columns. when someone uploads a http_digest secured wms he
has to give a username and a password which will be used to create the
secured connection to this service (by the use of curl). the viewing of such
a service can only be done by using the mapbender owsproxy.

this is the idea and should be realized by the end of september.

any ideas or suggestions on this are welcome. please send them to the
dev-list.

regards
armin
--
On behalf of
--
Armin Retterath
Kompetenz- und Geschäftsstelle Geodateninfrastruktur Rheinland-Pfalz
at the
Landesamt für Vermessung und Geobasisinformation Rheinland-Pfalz
Ferdinand-Sauerbruch-Straße 15
56073 Koblenz
Phone 0261/492-466
Fax 0261/492-492
armin.retterath at lvermgeo.rlp.de
http://www.geoportal.rlp.de