[mapguide-users] Fusion security (or lack of)

Jason Birch Jason.Birch at nanaimo.ca
Tue May 27 14:50:50 EDT 2008


As Kenneth said, the Fusion maps use the Anonymous user by default.  It
will also accept Username/Password variables (look in
fusion/MapGuide/php/Common.php) but I'm not sure what happens if these
fail.  Ideally, this component would fail with a 501 HTTP response.  I'm
not sure what effect this would have on Fusion though.

 

The security issue isn't at the Fusion level; you have the same access
to maps using raw MapAgent calls once you have a username/password or
Session ID, and could obtain that via the other viewers as well.
Basically, if you want your site to be secure you need to manage access
to the resources.  Maestro doesn't allow you to do this yet (I believe)
but it's on the enhancement list.

 

Jason

 

From: Andrew DeMerchant
Subject: [mapguide-users] Fusion security (or lack of)

 

I've asked about this before - it seems as though there basically is no
security when it comes to Fusion maps. Is there a way to force a login
when viewing a Fusion map? Also, am I right in thinking that basically,
a Fusion app could act as a backdoor to any 'secured' dwf/ajax app? It
seems as though you can access any map in your library (or someone
else's), in theory...I'm more concerned with figuring out a way to force
a login, at the moment - but this all may be something to consider
heavily for the next release. 


