[mapguide-internals] Alternate Security options for Mapguide
Trevor Wekel
trevor.wekel at autodesk.com
Wed Apr 2 12:16:16 EDT 2008
Hi Zac,
What about assigning each user a session id? There is a CREATESESSION HTTP operation that returns the session identifier. Session ids are GUIDs. Create session does require a valid username / password.
Ideally, we should come up with a pluggable architecture for server-side authentication. If you are already familiar with LDAP and C++ programming, I don't think it would be too difficult to embed LDAP authentication into the MapGuide Server.
Thanks,
Trevor
-----Original Message-----
From: mapguide-internals-bounces at lists.osgeo.org [mailto:mapguide-internals-bounces at lists.osgeo.org] On Behalf Of Zac Spitzer
Sent: Wednesday, April 02, 2008 2:04 AM
To: MapGuide Internals Mail List
Subject: [mapguide-internals] Alternate Security options for Mapguide
I have just been playing with security here for an application, as I was looking into creating users and logging each user into MapGuide, rather than using just the Administrator account for all the users.
Anyway, the issue I hit was that storing a salted hash of my users' passwords made single sign-on a bit more complex than if I just stored plain text passwords.
So I was thinking about this and I came up with the idea of allowing MapGuide to be configured to authenticate over HTTP (against my application in this case).
Something along the lines of defining an authentication URL
http(s)://127.0.0.1/myApp/auth.php?username=Adminstrator&password=password
or using a POST request to keep the password out of the server logs, which would then return either 200 OK or (401 Unauthorized / 403 Forbidden).
That way it's pluggable; we could include examples in PHP for using OS authentication or LDAP.
The salted password issue I was having could be solved then by passing a temp session token (UUID?) rather than the real password.
z
--
Zac Spitzer -
http://zacster.blogspot.com (My Blog)
+61 405 847 168
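The HTTP authentication callback proposed in the quoted message, sketched as an added example (not code from either poster or from MapGuide). It assumes the application issues a short-lived, single-use token after its own login and the map server posts it back in the `password` field; `TokenStore`, `auth_status`, `TOKEN_TTL` and the 405 answer to non-POST requests are hypothetical choices made for illustration.

```python
import hmac
import secrets
import time
from urllib.parse import parse_qs

TOKEN_TTL = 60  # seconds a token stays valid (assumed value)


class TokenStore:
    """Holds one outstanding token per user, issued after the app's own login."""

    def __init__(self):
        self._tokens = {}  # username -> (token, expiry timestamp)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # random, unrelated to the real password
        self._tokens[username] = (token, now + TOKEN_TTL)
        return token

    def redeem(self, username, token, now=None):
        now = time.time() if now is None else now
        # pop() makes the token single use; a wrong guess also burns it.
        entry = self._tokens.pop(username, None)
        if entry is None:
            return False
        stored, expiry = entry
        # Constant-time comparison avoids leaking how much of the token matched.
        same = hmac.compare_digest(stored.encode(), token.encode())
        return same and now <= expiry


def auth_status(method, body, store, now=None):
    """Return the HTTP status the auth URL would send back to the map server."""
    if method != "POST":
        # Credentials in a query string end up in access logs, so refuse GET.
        return 405
    form = parse_qs(body)
    username = form.get("username", [""])[0]
    token = form.get("password", [""])[0]
    if not username or not token:
        return 401
    return 200 if store.redeem(username, token, now) else 401


if __name__ == "__main__":
    store = TokenStore()
    tok = store.issue("alice")  # constructed sample user
    print(auth_status("POST", f"username=alice&password={tok}", store))
```

Because the application only ever compares the random token, its salted password hashes never need to be reversed or shared with the map server.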