[Mapbender-dev] idea: http_digest_authentication to secure services in mapbender registries

Armin Retterath armin.retterath at lvermgeo.rlp.de
Mon Aug 10 05:35:38 EDT 2009


We plan to extend Mapbender's owsproxy function to support http_digest 
authentication (http://www.ietf.org/rfc/rfc2617.txt) too. With this 
possibility and the use of https we can make a relatively secure connection 
between different Mapbender installations or between Mapbender and clients 
that support http_digest authentication. We think it will be easy to 
extend clients to support http_digest. One critical performance problem 
will be that Mapbender must control the authorization at every getmap, 
getfeatureinfo, getlegendgraphics and getcap request. This may be solved by 
caching the authorization info in an indexed version (lucene or textfile). 
To support http_digest, we have to store the digest 
(md5('username:realm:password')) in the mb_user table. This hash must be 
updated every time the username or the password changes (this cannot be done 
by a db trigger, because the password is stored as an md5 hash in the mb_user 
table).
For the Mapbender http_digest client side, the wms table has to be extended 
with username and digest columns. When someone uploads an http_digest secured 
wms, he has to give a username and a password, which will be used to create 
the secured connection to this service (by the use of curl). The viewing of 
such a service can only be done by using the Mapbender owsproxy. 
This is the idea, and it should be realized by the end of September.
Any ideas or suggestions on this are welcome. Please send them to the 


On behalf of
Armin Retterath

Kompetenz- und Geschäftsstelle Geodateninfrastruktur Rheinland-Pfalz
Landesamt für Vermessung und Geobasisinformation Rheinland-Pfalz

Ferdinand-Sauerbruch-Straße 15
56073 Koblenz
Phone 0261/492-466
Fax 0261/492-492
armin.retterath at lvermgeo.rlp.de
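
The server-side check described in the message above, as an added example that is not part of the original post and is not Mapbender code: a proxy that stores only md5('username:realm:password') (HA1 in RFC 2617) can verify a digest response without knowing the password. The function names are hypothetical, the sample values are the ones from the example in RFC 2617 section 3.5, and nonce issuance and replay tracking are left out. Because the stored value alone is enough to compute valid responses for its realm, the column needs the same protection as a password.

```python
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_ha1(username: str, realm: str, password: str) -> str:
    """Value the message proposes to store: md5('username:realm:password')."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth, computed from HA1 only."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify(stored_ha1: str, method: str, auth: dict) -> bool:
    """Check the fields of a parsed Authorization header against stored HA1."""
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], auth["qop"])
    # Constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, auth["response"])


# Sample request from RFC 2617 section 3.5 (not Mapbender data).
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
SAMPLE_AUTH = {
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",
    "nc": "00000001",
    "cnonce": "0a4f113b",
    "qop": "auth",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    stored = make_ha1(USER, REALM, PASSWORD)
    print("stored HA1 accepts request:", verify(stored, "GET", SAMPLE_AUTH))
    # HA1 cannot be derived from md5(password), so it has to be recomputed
    # from the plaintext whenever the username or password changes.
    stale = make_ha1(USER, REALM, "previous password")
    print("stale HA1 accepts request:", verify(stale, "GET", SAMPLE_AUTH))
```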
