[Mapbender_dev] Regarding http digest authetication
Armin Retterath
armin.retterath at lvermgeo.rlp.de
Tue Jul 6 02:22:30 EDT 2010
hello,
I've done the implementation, so I think I have to explain the function of
index.php:
On Monday 05 July 2010, at 21:50:04, Karim Malhas wrote:
> Hi Vikas,
>
> > I have a couple of queries regarding the earlier implementation of
> > http auth -
> > 1) what is ows proxy? I found the article on OWS Proxy in the
> > Mapbender wiki, but that is written in German. It would be really nice
> > if somebody could explain the concept to me in brief.
>
> I don't think I have fully understood it either, so someone correct me
> please. The general idea is to obscure which host a WMS is served by.
>
> So
>
> "http://wms5.example.net/wms?version=1.0&service=wms&request=getCapabilites"
>
> becomes:
>
> "http://www.example.com/owsproxy/87502jd23roc3hf3q?version=1.0&service=wms&request=getCapabilites"
>
> All the client sees is the second url and won't know that the wms is
> accessible via the other url as well. There's some black magic in
> that hash-like string, which somehow restricts access by user, but I
> don't really know the details and for all I know it's easily replaced
> by a HTTP Proxy requiring authentication.
>
I think the explanation is quite ok. The owsproxy module is a simple php
based script which controls the incoming wms and wfs requests and
decides if a user has the right to access the server. The decision is made
by checking the authorization which is stored in the mapbender
database. Mapbender uses an authorization which is defined over the
guis. A person who has the right to access a gui also has the right to
access the services included in this gui.
The script checks the session and the ip of the user, but the problem is
that the user has to authenticate at mapbender before - to set the
session! The redirecting of the dynamic service urls, as Karim has
shown above, to the script itself is done with apache url rewriting or
proxy functions.
With this function mapbender becomes an ogc webservice security proxy.
The requests can be logged into the mapbender database.
Every owner of an ows in mapbender can decide to activate this function
by checking a checkbox for this service in the administration menu.
The problem was that the urls of these secured services are dynamic, but
the services should be integrated in desktop gis systems and the users
don't want to alter the service urls when the mapbender session is no
longer active. The solution is a stable url - which is somewhat restful -
available from the mapbender 'service registry' by layerid:
https://www.geoportal.rlp.de/http_auth/27421?REQUEST=GetCapabilities&VERSION=1.1.1&SERVICE=WMS
The http_auth module - which you found - is comparable to the ows proxy
module but controls the access to the proxy secured resource by
http_digest authentication. The users of the mapbender registry can
easily integrate every registered service in their desktop gis clients by
using their mapbender accounts and the http_digest authentication
method. The services come from many different institutions but are all
registered in one mapbender database. The authorization is done
decentrally!
It's a very simple but efficient way to handle a big group of different
ows and to make it easy for the users and providers of these ows.
> > 2) Earlier implementation assumes that there is a column in the
> > mb-user table called digest which already contains the digest. Does any
> > column already exist ? or there are plans to include them in the table? In
> > my implementation I am calculating the hash each time authentication
> > is required.
The mb_user_digest is a standard column in mapbender_trunk. There
are some functions which are not yet integrated in mapbender (but
in our application - http://www.geoportal.rlp.de - where typo3 wraps the
mapbender user administration): setting the digest, changing the
digest when changing mb_user_name, mb_user_email or realm. We
cannot store the password in cleartext in the mapbender
database - therefore we have to generate the digest beforehand!
>
> I guess that's ok, we can alwas optimize later.
>
> Regards,
> Karim
>
> _______________________________________________
> Mapbender_dev mailing list
> Mapbender_dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapbender_dev
--
On behalf of
--
Armin Retterath
Kompetenz- und Geschäftsstelle Geodateninfrastruktur Rheinland-Pfalz
beim
Landesamt für Vermessung und Geobasisinformation Rheinland-Pfalz
Ferdinand-Sauerbruch-Straße 15
56073 Koblenz
Telefon 0261/492-466
Telefax 0261/492-492
armin.retterath at lvermgeo.rlp.de
http://www.geoportal.rlp.de
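As an added illustration of the digest-storage point in the mail above (example code, not Mapbender's own): RFC 2617 HTTP Digest lets the server keep only HA1 = MD5(username:realm:password) and still verify a client's response, which is why a pre-computed value like mb_user_digest can replace a cleartext password, and why it has to be regenerated when the username or realm changes. The user name, realm, nonce values and password below are constructed; the URI follows the stable http_auth URL shape from the mail.

```python
import hashlib
import hmac

def md5_hex(*parts: str) -> str:
    """MD5 over the colon-joined fields, the primitive RFC 2617 digest auth is built on."""
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()

def make_user_digest(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). This is what the server stores instead of
    the password (assumed here to be what Mapbender's mb_user_digest column holds).
    Because username and realm are inputs, renaming the user or the realm invalidates it."""
    return md5_hex(username, realm, password)

def client_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """The response a desktop GIS client computes for a qop=auth challenge."""
    ha2 = md5_hex(method, uri)
    return md5_hex(make_user_digest(username, realm, password), nonce, nc, cnonce, "auth", ha2)

def verify_response(stored_ha1, method, uri, nonce, nc, cnonce, response):
    """Server-side check that needs only the stored HA1, never the cleartext password."""
    ha2 = md5_hex(method, uri)
    expected = md5_hex(stored_ha1, nonce, nc, cnonce, "auth", ha2)
    return hmac.compare_digest(expected, response.lower())  # constant-time compare

# Constructed sample values; the URI mirrors the http_auth URL shape from the mail.
REALM = "Mapbender"
URI = "/http_auth/27421?REQUEST=GetCapabilities&VERSION=1.1.1&SERVICE=WMS"
NONCE, NC, CNONCE = "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "00000001", "f00ba4"
PASSWORD = "correct horse battery staple"

def demo():
    """Returns (login_ok, login_after_rename) to show why the digest must be regenerated."""
    stored = make_user_digest("gisuser", REALM, PASSWORD)
    resp = client_response("gisuser", REALM, PASSWORD, "GET", URI, NONCE, NC, CNONCE)
    login_ok = verify_response(stored, "GET", URI, NONCE, NC, CNONCE, resp)
    # User renamed to "gis.user" but the stored digest left untouched: the client now
    # hashes the new name into HA1, so the old stored value no longer matches.
    resp2 = client_response("gis.user", REALM, PASSWORD, "GET", URI, NONCE, NC, CNONCE)
    login_after_rename = verify_response(stored, "GET", URI, NONCE, NC, CNONCE, resp2)
    return login_ok, login_after_rename

if __name__ == "__main__":
    print(demo())  # (True, False)
```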