Authentication (Re: Feature polls...)

Mark J. MacLennan maclenna at VISI.COM
Sun Jan 15 18:22:37 EST 2006

Bart is referring to the scenario where the user has
already been authenticated but now there is a further
restriction as to what specific map layers they
are allowed to access - the issue of authorization.
For example, if you are using LDAP you may use
group membership to restrict access to a web site
and then use user_id to determine what data can
be accessed - this allows finer and more dynamic
This is NOT something that can easily be done with
mod_rewrite and probably shouldn't be done at the
web server level but rather controlled by the
application itself. This is a capability that would
be very nice to have in MapServer.

- Mark

> Bart,
> mod_rewrite allows us to match and even rewrite the query string.  
> This means you could rewrite a request for layer_a to a URL that  
> requires authentication.
> I think it's madness to reinvent the auth wheel. A CGI program should  
> be dumb, and rely on the webserver in this matter.
> Sean
> On Jan 14, 2006, at 6:04 AM, Bart van den Eijnden (OSGIS) wrote:
> > Hi Sean,
> > for authentication I agree with you, but for authorisation we  
> > really need a way to assign certain map layers to users/groups  
> > without duplicating map files.
> > Best regards,
> > Bart

More information about the mapserver-dev mailing list