[mapguide-internals] Alternate Security options for Mapguide

Zac Spitzer zac.spitzer at gmail.com
Wed Apr 2 04:04:28 EDT 2008


I have just been playing with security here for an application, as I
was looking into creating users and logging each user into MapGuide,
rather than using just the Administrator account for all the users.

Anyway, the issue I hit was that storing a salted hash of my users'
passwords made single sign-on a bit more complex than if I just stored
plain text passwords.

So I was thinking about this and I came up with the idea of allowing
MapGuide to be configured to authenticate over HTTP (against my
application in this case).

Something along the lines of defining an authentication URL:
http(s)://127.0.0.1/myApp/auth.php?username=Adminstrator&password=password

or using a POST request to keep the password out of the server logs

which would then return either 200 ok or (401 Unauthorized / 403 Forbidden)

That way it's pluggable; we could include examples in PHP for using OS
authentication or LDAP.

The salted password issue I was having could then be solved by passing a
temp session token (UUID?) rather than the real password.

z

-- 
Zac Spitzer -
http://zacster.blogspot.com (My Blog)
+61 405 847 168
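
The scheme proposed above, sketched as an added example that is not part of the original post or of MapGuide: the application issues a short-lived, single-use token after its own salted-hash login, and the auth URL answers a POST with 200, 401 or 403. The names `TokenStore`, `auth_status` and `TOKEN_TTL`, the 405 for non-POST requests and the use of 403 for a disabled account are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs

TOKEN_TTL = 60  # seconds; assumed lifetime of a sign-on hand-off token


class TokenStore:
    """One-time tokens the application issues after its own password check."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (username, expiry); raw token is not kept

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random, unlike a time-based UUID
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (username, now + TOKEN_TTL)
        return token

    def redeem(self, username, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(digest, None)  # single use: gone after first try
        if entry is None:
            return False
        owner, expiry = entry
        return owner == username and now <= expiry


def auth_status(store, method, body, disabled=frozenset(), now=None):
    """Return the HTTP status the auth URL would send back to the caller."""
    if method != "POST":
        return 405  # a GET would put the credential in the server's access log
    form = parse_qs(body)
    username = form.get("username", [""])[0]
    token = form.get("password", [""])[0]  # the token travels in the password field
    if not username or not token:
        return 401
    if not store.redeem(username, token, now):
        return 401  # unknown, replayed, expired or someone else's token
    return 403 if username in disabled else 200
```
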

