Authentication (Re: Feature polls...)

Daniel Morissette dmorissette at DMSOLUTIONS.CA
Sun Jan 15 18:53:43 EST 2006

Personally I am not against seeing MapServer getting some smarts to 
handle access control to layers or data resources based on user ids, 
groups, etc, but since basic access control can be handled by the server 
already and I do not have a clear picture of the variety of needs for 
more advanced access control, I am not sure how that would work in 
practice and can't propose a solution.

I know this request comes back once in a while, so perhaps all those 
interested in this could work together on defining a set of requirements 
based on their respective environments and experience, perhaps even 
defining how that would work from the mapfile/user point of view. Then 
the developers could use this as a guide to plan and implement a solution.

My 0.02$


Mark J. MacLennan wrote:
> Bart is referring to the scenario where the user has
> already been authenticated but now there is a further
> restriction as to what specific map layers they
> are allowed to access - the issue of authorization.
> For example, if you are using LDAP you may use
> group membership to restrict access to a web site
> and then use user_id to determine what data can
> be accessed - this allows finer and more dynamic
> control.
> This is NOT something that can easily be done with
> mod_rewrite and probably shouldn't be done at the
> web server level but rather controlled by the
> application itself. This is a capability that would
> be very nice to have in MapServer.
> - Mark
>>mod_rewrite allows us to match and even rewrite the query string.  
>>This means you could rewrite a request for layer_a to a URL that  
>>requires authentication.
>>I think it's madness to reinvent the auth wheel. A CGI program should  
>>be dumb, and rely on the webserver in this matter.
>>On Jan 14, 2006, at 6:04 AM, Bart van den Eijnden (OSGIS) wrote:
>>>Hi Sean,
>>>for authentication I agree with you, but for authorisation we  
>>>really need a way to assign certain map layers to users/groups  
>>>without duplicating map files.
>>>Best regards,

  Daniel Morissette               dmorissette at
  DM Solutions Group    

More information about the mapserver-dev mailing list