Antw: Re: [Mapbender-users] Secure a WMS

Ronald Woita Ronald.Woita at rostock.de
Wed Dec 3 08:00:10 EST 2008


You can't use Unix file permissions, because the map-file is a parameter of the mapserv(er) CGI.
And the CGI script uses the webserver user's (wwwrun for Apache) permissions for file access. So if the webserver can work with the mapfile, anybody else can see it too (via http).

If I understand it in the correct manner, the ows-proxy only generates a 'normal' getmap-request, and if WMS Server and Mapbender are installed on the same machine, this request comes from localhost. So encapsulate your WMS (you have to do it, see above) and then give only localhost access to these files by the Apache configuration.
The only problem: no one must know your local filesystem :-(


Ronald


> <FILES ows_map1>
>   order deny,allow
>   deny from all
>   allow from localhost
> </FILES>

Ronald

--
Ronald Woita
http://geoportal.rostock.de
Hansestadt Rostock
Kataster-, Vermessungs- und Liegenschaftsamt
Holbeinplatz 14, 18069 Rostock
email: ronald.woita at rostock.de 
phone: +49 (0)381 - 381 6256
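
One way to check that the localhost-only restriction described above actually holds is to audit the web server's access log for requests to the wrapper CGI that were served to a non-local client. This is an added example, not part of the original mail: the `/cgi-bin/ows_map1` URL path, the Apache common/combined log format, the function names and the sample lines are assumptions.

```python
import ipaddress
import re

# Apache common/combined log prefix: client, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Assumption: the wrapper from the thread is served under this URL path.
PROTECTED = ("/cgi-bin/ows_map1",)


def is_loopback(client):
    """True for 127.0.0.0/8 and ::1; a logged hostname counts only if it is 'localhost'."""
    try:
        return ipaddress.ip_address(client).is_loopback
    except ValueError:
        return client == "localhost"


def direct_hits(lines, protected=PROTECTED):
    """Return (client, path, status) for requests to a protected CGI that came
    from outside the local machine and were not answered with 403."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, _method, target, status = m.groups()
        path = target.split("?", 1)[0]  # drop the WMS query string
        if path in protected and not is_loopback(client) and status != "403":
            findings.append((client, path, int(status)))
    return findings


# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '127.0.0.1 - - [03/Dec/2008:13:40:01 +0100] "GET /cgi-bin/ows_map1?SERVICE=WMS&REQUEST=GetMap HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Dec/2008:13:40:09 +0100] "GET /cgi-bin/ows_map1?SERVICE=WMS&REQUEST=GetCapabilities HTTP/1.1" 403 210',
    '198.51.100.8 - - [03/Dec/2008:13:41:15 +0100] "GET /cgi-bin/ows_map1?SERVICE=WMS&REQUEST=GetMap HTTP/1.1" 200 5120',
    '::1 - - [03/Dec/2008:13:42:00 +0100] "GET /cgi-bin/ows_map1?SERVICE=WMS&REQUEST=GetMap HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, path, status in direct_hits(SAMPLE):
        print(f"direct access served: {client} {path} -> {status}")
```

Any finding means the deny/allow rule is not being applied to that CGI; requests made through the owsproxy on the same machine show up with a loopback client address and are ignored.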

>>> loose at lwf.uni-muenchen.de 03.12.2008 13:27 >>>
Hello Ronald,

Thanks for your quick answer. Indeed I am using UMN Mapserver, so my question is related to that software.

The possibility to encapsulate the map= parameter is nice to hide the absolute path of the mapfile, but cannot be seen as a way to secure a WMS, because a user can call the WMS through the wrapper, too. The mapfile itself is not viewable from the outside anyway.

To secure the WMS using the webserver configuration is a possibility if I want to make the WMS accessible for certain IPs or networks only. In that case I don't need the owsproxy at all.
Am I wrong?

What I am looking for is a possibility to deny all direct accesses to the WMS, but allow the access via the owsproxy only.
That way one could ensure that only verified users may use the service.

What I thought of is a way to use the Linux file permissions (user/group) settings to achieve that. But I am not clear enough how that could work.

Any suggestions?

Thank you

Johannes


On 3 Dec 2008 at 12:39, Ronald Woita wrote:

> Hi Johannes,
> 
> in my opinion the only solution is to protect your ows services
> depending on the software you use.
> With mapserver UMN first you can hide the path details from your local
> file system by this instruction
> http://www.mapbender.org/Kapseln_der_MapServer_Konfigurationsparameter
> 
> The second step is to protect the resulting cgi for the ows service
> with the functionality of your web server
> Here is an example for Apache :
> <FILES ows_map1>
>   order deny,allow
>   deny from all
>   allow from 192.3.0.123
> </FILES>
> 
> Another interesting approach I'm testing at the moment is the
> layer-level-security by GeoServer.
> http://geoserver.org/display/GEOSDOC/Layer+level+security 
> 
> greetings
> Ronald
> 
> 
> 
> 
> 
> --
> Ronald Woita
> http://geoportal.rostock.de 
> Hansestadt Rostock
> Kataster-, Vermessungs- und Liegenschaftsamt
> Holbeinplatz 14, 18069 Rostock
> email: ronald.woita at rostock.de 
> phone: +49 (0)381 - 381 6256
> 
> >>> loose at lwf.uni-muenchen.de 03.12.2008 11:29 >>>
> Hello List,
> 
> Maybe my mail some days ago has been too complex or too many questions
> in one thread, so that there have been no replies so far. I'll try to
> ask my main question again, but shorter:
> 
> What is the recommended way to secure a geodata service (WMS)? The
> mapbender wiki tells how to set up the owsproxy and use it to access a
> service. It also points out the necessity to secure the service for
> unauthorized access independent of the mapbender, but it does not tell
> how that can be done.
> 
> Could anyone point me to docs about that issue or give me a small
> example on how to 
> achieve that?
> 
> Thanks in advance
> 
> Johannes
> _______________________________________________
> Mapbender_users mailing list
> Mapbender_users at lists.osgeo.org 
> http://lists.osgeo.org/mailman/listinfo/mapbender_users 