[mapguide-internals] Alternate Security options for Mapguide
Zac Spitzer
zac.spitzer at gmail.com
Wed Apr 2 20:37:05 EDT 2008
On Thu, Apr 3, 2008 at 3:16 AM, Trevor Wekel <trevor.wekel at autodesk.com> wrote:
> Hi Zac,
>
> What about assigning each user a session id? There is a CREATESESSION HTTP operation that returns the session identifier. Session ids are GUIDs. Create session does require a valid username / password.
I am already doing that (using the API, not HTTP); my main motivation was to make the error logs clearer, i.e. rather than every log entry being against a single user.

Being able to create a session su-style for another user if you have Administrator-level access would be good.
> Ideally, we should come up with a pluggable architecture for server-side authentication. If you are already familiar with LDAP and C++ programming, I don't think it would be too difficult to embed LDAP authentication into the MapGuide Server.
Alas I'm not very up to speed with C++ :(
>
> Thanks,
> Trevor
>
>
>
> -----Original Message-----
> From: mapguide-internals-bounces at lists.osgeo.org [mailto:mapguide-internals-bounces at lists.osgeo.org] On Behalf Of Zac Spitzer
> Sent: Wednesday, April 02, 2008 2:04 AM
> To: MapGuide Internals Mail List
> Subject: [mapguide-internals] Alternate Security options for Mapguide
>
> I have just been playing with security here for an application, as I was looking into creating users and logging each user into MapGuide, rather than using just the Administrator account for all the users.
>
> Anyway, the issue I hit was that storing a salted hash of my users' passwords made single sign-on a bit more complex than if I just stored plain-text passwords.
>
> So I was thinking about this and I came up with the idea of allowing MapGuide to be configured to authenticate over HTTP (against my application in this case).
>
> Something along the lines of defining an authentication URL:
> http(s)://127.0.0.1/myApp/auth.php?username=Adminstrator&password=password
>
> or using a POST request to keep the password out of the server logs,
>
> which would then return either 200 OK or (401 Unauthorized / 403 Forbidden).
>
> That way it's pluggable; we could include examples in PHP for using OS authentication or LDAP.
>
> The salted password issue I was having could be solved then by passing a temp session token (UUID?) rather than the real password.
>
> z
>
> --
> Zac Spitzer -
> http://zacster.blogspot.com (My Blog)
> +61 405 847 168
> _______________________________________________
> mapguide-internals mailing list
> mapguide-internals at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapguide-internals
>
--
Zac Spitzer -
http://zacster.blogspot.com (My Blog)
+61 405 847 168
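The pluggable HTTP authentication endpoint sketched in the quoted proposal, as an added example that is not part of this thread or of MapGuide: it returns the 200 / 401 / 403 status the server would act on, verifies a salted password hash with a constant-time compare, and accepts a short-lived, single-use token in place of the real password. The user store, token format, TTL and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000
TOKEN_TTL = 60  # seconds a handed-out token stays valid (assumed)

def make_user(password, enabled=True):
    # Store only a random salt and a PBKDF2 hash, never the plain-text password.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "enabled": enabled}

# Constructed in-memory user store standing in for the application's user table.
USERS = {
    "alice": make_user("correct horse battery"),
    "bob": make_user("bobs-password", enabled=False),  # account switched off
}

# Temporary tokens the application issues after its own login, so the real
# password never travels to the auth endpoint: token -> (username, expiry).
TOKENS = {}

def issue_token(username):
    token = secrets.token_hex(16)  # opaque random token standing in for a UUID
    TOKENS[token] = (username, time.time() + TOKEN_TTL)
    return token

def check_password(username, password):
    user = USERS.get(username)
    if user is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], ITERATIONS)
    return hmac.compare_digest(digest, user["hash"])  # constant-time compare

def check_token(username, token):
    entry = TOKENS.pop(token, None)  # single use: consumed on the first check
    if entry is None:
        return False
    owner, expiry = entry
    return owner == username and time.time() < expiry

def auth_status(username, password=None, token=None):
    """HTTP status the auth endpoint would return: 200, 401 or 403."""
    ok = check_token(username, token) if token else check_password(username, password or "")
    if not ok:
        return 401  # unknown user, wrong password, or bad/expired/reused token
    user = USERS.get(username)
    return 200 if user and user["enabled"] else 403  # authenticated but not permitted
```

Because the endpoint only ever sees a hash comparison or a token lookup, the application can keep salted hashes while MapGuide still gets a plain yes/no answer per user.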