[mapguide][MG446][Modified] DWF Viewer security

Walt Welton-Lair walt.welton-lair at autodesk.com
Tue Nov 14 09:49:12 EST 2006


You can view the artifact detail at the following URL:

    https://mapguide.osgeo.org/servlets/Scarab/id/MG446

Type:
Defect

Artifact ID:
MG446 (DWF Viewer security)

Modified by:
Walt Welton-Lair
waltweltonlair (walt.welton-lair at autodesk.com)

The following modifications were made to this artifact:
---------------------------------------------------------------------

-- Artifact Status changed:
Old value:
New
New value:
Assigned
-- Target milestone set to new value:
1.1.0
-- Testing Notes set to new value:
Verified that the DWF-based layout now authenticates immediately, and that for the specific example above (user with read-only permission) the layout loads correctly.

-- Developer Notes set to new value:
Old value:
I tested this a little more, and here's what I found.
 
When opening a web layout using AJAX viewer, the login prompt appears immediately, before *any* server request is even made.  The first server operation then ends up being an authentication request (OpAuthenticate).  After this come the requests for resources - the web layout, etc.  These succeed because we have provided credentials.
 
When opening a web layout using DWF viewer, the behavior is different.  There are a couple of authentication requests that get made using "anonymous" user, but no login prompt has yet been displayed.  Then comes a request to get the web layout resource, again using "anonymous".  This fails because user "anonymous" does not have access to the library.  The browser then displays the exception message.
 
At this point the web layout hasn't been loaded and DWF Viewer hasn't yet entered into the picture.  So this is a MapGuide web tier issue...

New value:
I tested this a little more, and here's what I found.
 
When opening a web layout using AJAX viewer, the login prompt appears immediately, before *any* server request is even made.  The first server operation then ends up being an authentication request (OpAuthenticate).  After this come the requests for resources - the web layout, etc.  These succeed because we have provided credentials.
 
When opening a web layout using DWF viewer, the behavior is different.  There are a couple of authentication requests that get made using "anonymous" user, but no login prompt has yet been displayed.  Then comes a request to get the web layout resource, again using "anonymous".  This fails because user "anonymous" does not have access to the library.  The browser then displays the exception message.
 
At this point the web layout hasn't been loaded and DWF Viewer hasn't yet entered into the picture.  So this is a MapGuide web tier issue...

The fix is to simply make DWF-based web layouts authenticate the same way as AJAX-based layouts.




---------------------------------------------------------------------
This message was automatically generated by Project Tracker.







