[Mapbender-users] Secure a WMS

Stephan Holl stephan.holl at intevation.de
Fri Dec 5 05:30:12 EST 2008


Hello Johannes,

"Hr. Johannes Loose" <loose at lwf.uni-muenchen.de>, [20081203 - 14:23:44]

Probably this is not what you want to hear on a Mapbender list, but
I would like to bring in another piece of software for your task:
deegree iGeosecurity[1].

We have been using this software very successfully, since it allows separating
the proxy software from the OWS services. The needed
service configuration can also be kept separate from all of them, which
scales quite nicely on large installations. The communication is
SSL-encrypted.

[...]

The nice thing is that the capabilities get manipulated based on the
layer access of the querying user.

Best regards

	Stephan

[1]
http://wald.intevation.org/plugins/scmsvn/viewcvs.php/docs/documentation/igeosecurity/deegree_owsproxy_documentation_en.pdf?rev=14255&root=deegree&view=log
> On 3 Dec 2008 at 14:00 Ronald Woita wrote:
> 
> > you can't use unix file permissions, because the map-file is a
> > parameter of the mapserv(er) CGI.
> > And the CGI script uses the webserver user's (wwwrun for Apache)
> > permissions for file access. So if the webserver can work with the
> > mapfile,
> > anybody else can see it too (via HTTP).
> > 
> > If I understand it correctly, the ows-proxy only
> > generates a 'normal' GetMap request and if
> > WMS server and Mapbender are installed on the same machine, this
> > request comes from localhost. So encapsulate your
> > WMS (you have to do it, see above) and then give only localhost
> > access to these files by the Apache configuration.
> > The only problem: no one must know your local filesystem :-(
> > 
> > 
> > Ronald
> > 
> > 
> > > <FILES ows_map1>
> > >   order deny,allow
> > >   deny from all
> > >   allow from localhost
> > > </FILES>
> > 
> > Ronald
> > 
> > --
> > Ronald Woita
> > http://geoportal.rostock.de
> > Hansestadt Rostock
> > Kataster-, Vermessungs- und Liegenschaftsamt
> > Holbeinplatz 14, 18069 Rostock
> > email: ronald.woita at rostock.de 
> > phone: +49 (0)381 - 381 6256
> > 
> > >>> loose at lwf.uni-muenchen.de 03.12.2008 13:27 >>>
> > Hello Ronald,
> > 
> > Thanks for your quick answer. Indeed I am using UMN MapServer, so my
> > question is
> > related to that software.
> > 
> > The possibility to encapsulate the map= parameter is nice to hide the
> > absolute path of the
> > mapfile, but cannot be seen as a way to secure a WMS, because a
> > user can call the WMS
> > through the wrapper, too. The mapfile itself is not viewable from
> > the outside anyway.
> > 
> > To secure the WMS using the webserver configuration is a
> > possibility if I want to make the
> > WMS accessible for certain IPs or networks only. In that case I
> > don't need the owsproxy at all.
> > Am I wrong?
> > 
> > What I am looking for is a possibility to deny all direct accesses
> > to the WMS, but allow access via the owsproxy only.
> > That way one could ensure that only verified users may use the
> > service.
> > 
> > What I thought of is a way to use the Linux file permission (user
> > /group) settings to achieve
> > that. But I am not clear enough how that could work.
> > 
> > Any suggestions?
> > 
> > Thank you
> > 
> > Johannes
> > 
> > 
> > On 3 Dec 2008 at 12:39 Ronald Woita wrote:
> > 
> > > Hi Johannes,
> > > 
> > > in my opinion the only solution is to protect your OWS services
> > > depending on the software you use.
> > > With UMN MapServer you can first hide the path details of your local
> > > file system by this instruction:
> > > http://www.mapbender.org/Kapseln_der_MapServer_Konfigurationsparameter
> > > 
> > > The second step is to protect the resulting CGI for the OWS
> > > service with the functionality of your web server.
> > > Here is an example for Apache:
> > > <FILES ows_map1>
> > >   order deny,allow
> > >   deny from all
> > >   allow from 192.3.0.123
> > > </FILES>
> > > 
> > > Another interesting approach I'm testing at the moment is the
> > > layer-level-security by GeoServer.
> > > http://geoserver.org/display/GEOSDOC/Layer+level+security 
> > > 
> > > greetings
> > > Ronald
> > > 
> > > 
> > > 
> > > 
> > > 
> > > --
> > > Ronald Woita
> > > http://geoportal.rostock.de 
> > > Hansestadt Rostock
> > > Kataster-, Vermessungs- und Liegenschaftsamt
> > > Holbeinplatz 14, 18069 Rostock
> > > email: ronald.woita at rostock.de 
> > > phone: +49 (0)381 - 381 6256
> > > 
> > > >>> loose at lwf.uni-muenchen.de 03.12.2008 11:29 >>>
> > > Hello List,
> > > 
> > > Maybe my mail some days ago was too complex or had too many
> > > questions in one thread,
> > > so that there have been no replies so far. I'll try to ask my main
> > > question again, but shorter:
> > > 
> > > What is the recommended way to secure a geodata service (WMS)? The
> > > Mapbender wiki
> > > tells how to set up the owsproxy and use it to access a service.
> > > It also points out the
> > > necessity to secure the service against unauthorized access independent
> > > of Mapbender, but it
> > > does not tell how that can be done.
> > > 
> > > Could anyone point me to docs about that issue or give me a small
> > > example of how to
> > > achieve that?
> > > 
> > > Thanks in advance
> > > 
> > > Johannes
> > > _______________________________________________
> > > Mapbender_users mailing list
> > > Mapbender_users at lists.osgeo.org 
> > > http://lists.osgeo.org/mailman/listinfo/mapbender_users 
> 


-- 
Stephan Holl <stephan.holl at intevation.de>, http://intevation.de/~stephan
Tel: +49 (0)541-33 50 8 32 | Intevation GmbH | AG Osnabrück - HR B 18998
Managing directors:  Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
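As an added example, not part of this thread and not Mapbender, MapServer or deegree code: a small Python model of the Apache 2.2 `Order` / `Deny from` / `Allow from` evaluation that the two `<Files>` snippets in the thread rely on, run against constructed client addresses. It shows why `Deny from all` plus `Allow from localhost` admits only requests that originate on the WMS host (the owsproxy's GetMap call, but equally any other local process, which is the caveat Ronald raises), why the same rules under `Order allow,deny` lock everyone out including localhost, and that httpd rejects `deny, allow` with a space after the comma. The hostname table standing in for Apache's reverse-DNS lookup is an assumption of the example; on Apache 2.4 the same rule is written with `Require local` or `Require ip`. The restriction only decides where a request may come from; checking who the user is remains the proxy's job, as Johannes notes.

```python
import ipaddress

# Constructed stand-in for Apache's reverse-DNS lookup of hostname patterns
# (assumption: only "localhost" resolves in this offline example).
HOSTNAMES = {"localhost": ("127.0.0.1", "::1")}


def parse_access_config(text):
    """Extract Order / Deny from / Allow from out of one Apache 2.2 <Files> block.

    Returns (order, deny_patterns, allow_patterns). Mirrors httpd's strictness:
    the two Order keywords must be joined by a comma with no whitespace.
    """
    order, deny, allow = ("deny", "allow"), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("<", "#")):
            continue                      # container tags and comments
        parts = line.split(None, 2)
        key = parts[0].lower()
        if key == "order":
            if len(parts) != 2 or parts[1].lower() not in ("deny,allow", "allow,deny"):
                raise ValueError("Order must be exactly Deny,Allow or Allow,Deny: %r" % line)
            order = tuple(parts[1].lower().split(","))
        elif key in ("deny", "allow") and len(parts) == 3 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(parts[2].split())
        else:
            raise ValueError("unsupported directive in this example: %r" % line)
    return order, deny, allow


def host_matches(pattern, client_ip):
    """Match one Allow/Deny argument: all, hostname, CIDR, full or partial IPv4."""
    ip = ipaddress.ip_address(client_ip)
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern in HOSTNAMES:                      # hostname via the stand-in table
        return client_ip in HOSTNAMES[pattern]
    if "/" in pattern:                            # a.b.c.d/nn or a.b.c.d/mask
        return ip in ipaddress.ip_network(pattern, strict=False)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        pass
    octets = pattern.split(".")
    if all(o.isdigit() for o in octets):          # partial IPv4 such as "192.3"
        return client_ip.split(".")[:len(octets)] == octets
    return False                                  # unknown hostname: no match


def is_allowed(config_text, client_ip):
    """Apache 2.2 Order semantics.

    Deny,Allow: Deny rules are checked first, Allow rules override them,
                and the default (no rule matched) is allow.
    Allow,Deny: Allow rules first, Deny rules override, default is deny.
    """
    order, deny, allow = parse_access_config(config_text)
    denied = any(host_matches(p, client_ip) for p in deny)
    allowed = any(host_matches(p, client_ip) for p in allow)
    if order == ("deny", "allow"):
        return allowed or not denied
    return allowed and not denied


# Constructed copies of the two <Files> blocks from the thread, in the spelling
# httpd accepts, plus the classic order mistake for comparison.
LOCALHOST_ONLY = """<Files ows_map1>
  Order deny,allow
  Deny from all
  Allow from localhost
</Files>"""

SINGLE_IP = LOCALHOST_ONLY.replace("localhost", "192.3.0.123")

# Same rules under Allow,Deny: "Deny from all" is evaluated last and wins,
# so even the local owsproxy gets a 403.
WRONG_ORDER = LOCALHOST_ONLY.replace("deny,allow", "allow,deny")


def access_matrix(config_text, clients):
    """Map each client address to True (served) / False (403) under config_text."""
    return {c: is_allowed(config_text, c) for c in clients}


if __name__ == "__main__":
    clients = ("127.0.0.1", "192.3.0.123", "203.0.113.7")   # constructed addresses
    for name, cfg in (("localhost only", LOCALHOST_ONLY),
                      ("single IP", SINGLE_IP),
                      ("wrong order", WRONG_ORDER)):
        print(name, access_matrix(cfg, clients))
```

Running the script prints one allow/deny row per configuration; `access_matrix` is the place to drop in the addresses you expect the proxy and the outside world to use, so the intended reachability can be checked before the rule goes into the live Apache configuration.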