Authentication (Re: Feature polls...)

Philip Mark Donaghy philip.donaghy at GMAIL.COM
Thu Jan 19 16:30:54 EST 2006

Oops, I sent this only to Steve the first time.

Yes, I am interested in putting this in writing. I'll help any way I can.

I can say now that I would like to have one or more REALM definitions
in the map file.

A realm processor would have an isUserInRole function. Realms types
could be ldap, database, or file. Different realm processors would be
invoked according to the realm TYPE.

MapServer users could configure any layer with one or more ROLES.

There is the notion of the Principal. That is the current user making
the request. Getting the principal from the request will be possible
using Basic authentication since the username and password are sent
with every request following authentication. In the Tomcat/AppServer
world this can be done in other ways, one of which is by using a session
to store the user credentials. But correct me if I am wrong, MapServer
does not maintain a session across requests.

I can't really think of any way to do this without using https or
sessions. Any ideas?

On 1/19/06, Steve Lime <steve.lime at> wrote:
> We'll hold you to Monday- only 4 days left. ;-)
> Are you or someone else willing to do a bit of research on the subject and possibly author an RFC?
> Steve
> >>> Philip Mark Donaghy <philip.donaghy at GMAIL.COM> 01/17/06 6:55 PM >>>
> This is a very interesting topic. I have some experience working with
> application servers and web application frameworks at Apache
> Jakarta (yes this is java but the theory is the same for any language).
> Application servers define realms that are configured and made
> available to the applications running in it. The realm is an
> abstraction of the user, group, and role authentication mechanism
> backed by any number of storage mechanisms (db, ldap, xml file). The
> realm must define at least one critical function, isUserInRole(user,
> roles). Applications are then configured to accept or deny resources
> based on the current users roles.
> What is important here is the authorization mechanism is simply
> delegated to a third party tool. MapServer needs the ability to
> configure different kinds of realms and apply an authorization model to
> any type of layer or feature. MapServer users can then configure roles
> for layers or features (or rules applied to attributes of features).
> So all this has to be used in conjunction with authentication so that
> map server knows who is the current user making the request.
> I'll have this done by monday :)
> On 1/16/06, Mark MacLennan <maclenna at> wrote:
> > At 10:39 PM 1/15/2006 -0500, Kralidis,Tom [Burlington] wrote:
> > >Has anyone checked out DACS (  They have a
> > C/C++ toolkit/API in which one can build modules to do stuff like per-layer
> > authorization, etc.
> > >I've seen this successfully integrated with CubeWerx WMS/WFS.  Would be
> > neat to see as a pluggable Apache module for use w/ MapServer.
> >
> > Very interesting! I had not come across DACS and it is exactly the
> > functionality I had in mind :-)
> >
> > A related project I was aware of, although I am not sure how it might apply
> > to MapServer per se, is GeoXACML ( A demonstration
> > has been implemented for an OGC Web Map Service. An OGC discussion paper for
> > GeoXACML also exists
> > (
> > related to the topic of authorization for digital rights management in the
> > geospatial domain.
> >
> > thanks!
> > Mark
> >
> --
> Philip Donaghy
> Skype: philipmarkdonaghy
> Office: +33 5 56 60 88 02
> Mobile: +33 6 20 83 22 62

Philip Donaghy
Skype: philipmarkdonaghy
Office: +33 5 56 60 88 02
Mobile: +33 6 20 83 22 62
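The design sketched in this message (a realm with an isUserInRole function backed by a file, layers tagged with ROLES, and the principal recovered from the Basic credentials that arrive with every request) is small enough to show end to end. The block below is an added illustration written for this page; it is not MapServer code and not code from anyone in the thread. The user-file format (user:salt:pbkdf2_hex:roles), the LAYER_ROLES table, the function and class names, and the choice to return HTTP status numbers (200/401/403) are all assumptions made for the example. Passwords are stored as salted PBKDF2 hashes and compared in constant time; the unknown-user path still hashes so timing does not reveal which names exist. Because Basic authentication re-sends the credentials on every request, the check is stateless, which is exactly why it needs no session, and also why it is only safe over HTTPS.

```python
"""Realm-based, per-layer authorization sketch (hypothetical, not MapServer)."""
import base64
import binascii
import hashlib
import hmac
from typing import Dict, Iterable, List, Optional, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: tune to the deployment's hardware


def _pbkdf2(password: str, salt: bytes) -> str:
    """Salted PBKDF2-SHA256 of a password, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS).hex()


class Realm:
    """Abstract realm: authenticate() yields a principal, is_user_in_role() checks it."""

    def authenticate(self, username: str, password: str) -> Optional[str]:
        raise NotImplementedError

    def is_user_in_role(self, user: str, roles: Iterable[str]) -> bool:
        raise NotImplementedError


class FileRealm(Realm):
    """Realm of TYPE 'file'. Line format (assumed): user:salt_hex:pbkdf2_hex:role1,role2"""

    def __init__(self, text: str) -> None:
        self._users: Dict[str, Tuple[bytes, str, Set[str]]] = {}
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            user, salt_hex, digest, roles = line.split(":", 3)
            role_set = {r for r in roles.split(",") if r}
            self._users[user] = (bytes.fromhex(salt_hex), digest, role_set)

    def authenticate(self, username: str, password: str) -> Optional[str]:
        entry = self._users.get(username)
        # Hash even for unknown users so the response time does not leak user names.
        salt, expected = (entry[0], entry[1]) if entry else (b"\x00" * 16, "0" * 64)
        computed = _pbkdf2(password, salt)
        if entry is not None and hmac.compare_digest(computed, expected):
            return username
        return None

    def is_user_in_role(self, user: str, roles: Iterable[str]) -> bool:
        entry = self._users.get(user)
        return entry is not None and not entry[2].isdisjoint(roles)


def basic_header(username: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def principal_from_basic_header(header: Optional[str], realm: Realm) -> Optional[str]:
    """Recover the principal from an Authorization: Basic header, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return realm.authenticate(username, password)


# Assumed per-layer ROLES, as a MapServer user might configure them in a map file.
LAYER_ROLES: Dict[str, List[str]] = {
    "roads": [],                        # no ROLES: public layer
    "parcels": ["assessor"],
    "utilities": ["utility", "admin"],
}


def authorize_layer(layer: str, principal: Optional[str], realm: Realm,
                    layer_roles: Dict[str, List[str]] = LAYER_ROLES) -> int:
    """Return an HTTP-style decision: 200 allow, 401 needs credentials, 403 deny."""
    if layer not in layer_roles:
        return 403                      # fail closed for layers the policy never mentions
    required = layer_roles[layer]
    if not required:
        return 200                      # layer carries no ROLES: anyone may see it
    if principal is None:
        return 401                      # challenge the client for Basic credentials
    return 200 if realm.is_user_in_role(principal, required) else 403


# Constructed sample realm file; hashes are computed here so the example is self-contained.
_SALT_A = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
_SALT_B = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
REALM_FILE = "\n".join([
    "# user:salt_hex:pbkdf2_sha256_hex:roles",
    f"alice:{_SALT_A}:{_pbkdf2('alice-pw', bytes.fromhex(_SALT_A))}:assessor",
    f"bob:{_SALT_B}:{_pbkdf2('bob-pw', bytes.fromhex(_SALT_B))}:utility,admin",
])

if __name__ == "__main__":
    realm = FileRealm(REALM_FILE)
    for hdr, layer in [(None, "roads"), (None, "parcels"),
                       (basic_header("alice", "alice-pw"), "parcels"),
                       (basic_header("bob", "bob-pw"), "parcels"),
                       (basic_header("bob", "bob-pw"), "utilities")]:
        who = principal_from_basic_header(hdr, realm)
        print(f"{layer:10} principal={who!s:6} -> {authorize_layer(layer, who, realm)}")
```

Swapping the file realm for an LDAP or database one means implementing the same two methods against that store; the Basic-header parsing and the layer check do not change, which is the delegation point the thread is after.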
