Authentication (Re: Feature polls...)

José Luis Campanello jcampanello at FIBERTEL.COM.AR
Fri Jan 20 10:04:22 EST 2006

Hi all!

My opinion on this subject (both authentication and authorization) is very different.

I'm certain that there are many users out there not using Apache (for example: MS IIS).

I don't know exactly how these Apache modules work and I don't know if MS IIS has some similar functionality, but I'm sure that it is very very unlikely that both will work the same (if MS version exists).

There is also the issue of some other (more strange) http servers (even IBM AS/400 has one) that will have none of these modules.

I think this road will end up with a product that supports security in one platform and does not support it for the others. Even more, security will be supported in a "general" way because it is defined by people with other, more general, goals in mind.

As an example, I was thinking of a (single) layer that contains some public and some private information.
I really see no simple method to implement that kind of access control using an external security tool.
While it is possible to fragment this single layer into more layers, this approach becomes unpractical very fast.

I think that security should be built into the product in a way that ensures the same set of functionality in every platform (keep in mind that even user ids vary in size and type from OS to OS).


----- Original message -----
From: Steve Lime <steve.lime at DNR.STATE.MN.US>
Date: Thursday, January 19, 2006 0:45 am
Subject: Re: [UMN_MAPSERVER-DEV] Authentication (Re: Feature polls...)

> We'll hold you to Monday- only 4 days left. ;-)
> Are you or someone else willing to do a bit of research on the
> subject and possibly author an RFC?
> Steve
> >>> Philip Mark Donaghy <philip.donaghy at GMAIL.COM> 01/17/06 6:55 PM >>>
> This is a very interesting topic. I have some experience working with
> application servers and web application frameworks at Apache
> Jakarta(yes this is java but the theory is the same for any language).
> Application servers define realms that are configured and made
> available to the applications running in it. The realm is an
> abstraction of the user, group, and role authentication mechanism
> backed by any number of storage mechanisms (db, ldap, xml file). The
> realm must define at least one critical function, isUserInRole(user,
> roles). Applications are then configured to accept or deny resources
> based on the current user's roles.
> What is important here is the authorization mechanism is simply
> delegated to a third party tool. MapServer needs the ability to
> configure different kinds of realms and apply authorization model to
> any type of layer or feature. MapServer users can then configure roles
> for layers or features(or rules applied to attributes of features).
> So all this has to be used in conjunction with authentication so that
> map server knows who is the current user making the request.
> I'll have this done by monday :)
> On 1/16/06, Mark MacLennan <maclenna at> wrote:
> > At 10:39 PM 1/15/2006 -0500, Kralidis,Tom [Burlington] wrote:
> > >Has anyone checked out DACS (  They have a
> > >C/C++ toolkit/API in which one can build modules to stuff like do per layer
> > >authorization, etc.
> > >I've seen this successfully integrated with CubeWerx WMS/WFS.  Would be
> > >neat to see as a pluggable Apache module for use w/ MapServer.
> >
> > Very interesting! I had not come across DACS and it is exactly the
> > functionality I had in mind :-)
> >
> > A related project I was aware of, although I am not sure how it might apply
> > to MapServer per se, is GeoXACML ( A demonstration
> > has been implemented for an OGC Web Map Service. An OGC discussion paper for
> > GeoXACML also exists
> > ( related to the topic of authorization for digital rights management in the
> > geospatial domain.
> >
> > thanks!
> > Mark
> >
> --
> Philip Donaghy
> Skype: philipmarkdonaghy
> Office: +33 5 56 60 88 02
> Mobile: +33 6 20 83 22 62
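
The realm idea and the mixed public/private layer discussed in this thread, as an added example that is not part of the original messages and is not MapServer code. All class, function, role, layer and attribute names are hypothetical, and the data is constructed.

```python
from abc import ABC, abstractmethod

class Realm(ABC):
    """Abstraction over the user/role store (db, ldap, xml file)."""
    @abstractmethod
    def is_user_in_role(self, user, roles):
        """True if `user` holds at least one of `roles`."""

class DictRealm(Realm):
    """Hypothetical in-memory backend; a real one would query LDAP or a DB."""
    def __init__(self, user_roles):
        self._user_roles = {u: set(r) for u, r in user_roles.items()}

    def is_user_in_role(self, user, roles):
        # Unknown or anonymous (None) users hold no roles: deny by default.
        return bool(self._user_roles.get(user, set()) & set(roles))

# Constructed policy: roles that may see the layer at all, plus attribute
# rules mapping (attribute, value) -> roles allowed to see matching features.
POLICY = {
    "parcels": {
        "layer_roles": {"public", "staff"},
        "feature_rules": {("visibility", "private"): {"staff"}},
    },
}

def visible_features(realm, user, layer, features, policy=POLICY):
    """Return the features of `layer` that `user` may see."""
    rules = policy.get(layer)
    # Layers without a policy entry are denied, never served by omission.
    if rules is None or not realm.is_user_in_role(user, rules["layer_roles"]):
        return []
    out = []
    for feat in features:
        # Every rule whose attribute/value matches this feature must pass.
        allowed = all(
            realm.is_user_in_role(user, roles)
            for (attr, value), roles in rules["feature_rules"].items()
            if feat.get(attr) == value
        )
        if allowed:
            out.append(feat)
    return out

# Constructed sample data: one layer mixing public and private features.
REALM = DictRealm({"alice": ["staff"], "guest": ["public"]})
PARCELS = [{"id": 1, "visibility": "public"},
           {"id": 2, "visibility": "private"}]
```

A feature that lacks the `visibility` attribute matches no rule and is returned to anyone with layer access, so a deployment built this way needs that attribute populated on every feature.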
