[mapguide-internals] Alternate Security options for Mapguide
trevor.wekel at autodesk.com
Wed Apr 2 12:16:16 EDT 2008
What about assigning each user a session ID? There is a CREATESESSION HTTP operation that returns the session identifier. Session IDs are GUIDs. Create session does require a valid username / password.
Ideally, we should come up with a pluggable architecture for server-side authentication. If you are already familiar with LDAP and C++ programming, I don't think it would be too difficult to embed LDAP authentication into the MapGuide Server.
From: mapguide-internals-bounces at lists.osgeo.org [mailto:mapguide-internals-bounces at lists.osgeo.org] On Behalf Of Zac Spitzer
Sent: Wednesday, April 02, 2008 2:04 AM
To: MapGuide Internals Mail List
Subject: [mapguide-internals] Alternate Security options for Mapguide
I have just been playing with security here for an application, as I was looking into creating users and logging each user into MapGuide, rather than using just the Administrator account for all the users.
Anyway, the issue I hit was that storing a salted hash of my users' passwords made single sign-on a bit more complex than if I just stored plain
So I was thinking about this and I came up with the idea of allowing
be configured to authenticate over HTTP (against my application in this case).
something along the lines of defining an authentication URL
or using a POST request to keep the password out of the server logs
which would then return either 200 OK or (401 Unauthorized / 403 Forbidden)
That way it's pluggable, we could include examples in PHP for using OS authentication or LDAP
The salted password issue I was having could be solved then by passing a temp session token (UUID?) rather than the real password
Zac Spitzer -
http://zacster.blogspot.com (My Blog)
+61 405 847 168
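
The HTTP authentication callback proposed in this thread, sketched as an added example (not code from the thread or from MapGuide): the application mints a short-lived, single-use token after its own login check, and the endpoint answers a POST with 200, 401 or 403. The field names `username` and `token`, the 60-second lifetime, the port and the `DISABLED` set are assumptions made for illustration.

```python
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

TOKEN_TTL = 60            # seconds a temp token stays valid (assumed value)
DISABLED = {"suspended"}  # constructed sample: accounts denied map access
_tokens = {}              # token -> (username, expiry time)

def issue_token(username, now=None):
    """Application side: mint a single-use token after its own login check."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)      # random, not derived from the password
    _tokens[token] = (username, now + TOKEN_TTL)
    return token

def check(body, now=None):
    """Map a form-encoded POST body to the status code the caller acts on."""
    now = time.time() if now is None else now
    form = parse_qs(body)
    user = form.get("username", [""])[0]
    token = form.get("token", [""])[0]
    entry = _tokens.pop(token, None)       # pop: a token is accepted once only
    if entry is None or entry[1] < now or entry[0] != user:
        return 401                         # unknown, replayed, expired or wrong user
    if user in DISABLED:
        return 403                         # identity proven, access refused
    return 200

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_error(405)               # credentials never travel in the URL

    def do_POST(self):
        # Cap the body size; the form holds only two short fields.
        length = min(int(self.headers.get("Content-Length", 0)), 4096)
        body = self.rfile.read(length).decode("utf-8", "replace")
        self.send_response(check(body))
        self.end_headers()

if __name__ == "__main__":
    # Loopback only; put TLS in front before exposing this beyond the host.
    HTTPServer(("127.0.0.1", 8099), AuthHandler).serve_forever()
```

Because the token is random and expires, the application can keep storing only salted hashes, and the server calling the endpoint never sees the real password.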