Authentication (Re: Feature polls...)
Attila Csipa
plists at PROMETHEUS.ORG.YU
Fri Jan 20 10:46:52 EST 2006
... oops, clicked on send by mistake.
On Friday 20 January 2006 16:04, José Luis Campanello wrote:
> As an example, I was thinking of a (single) layer that contains some public
> and some private information. I really see no simple method to implement
> that kind of access control using an external security tool. While it is
It should make no difference HOW an authuser(credentials) function is
performed. Of course some methods have limitations but then again, you should
take this into account when designing the system and not force a
technically unfeasible security policy. In this spirit it would be suboptimal
to set a combined security layer - it means you would be doing access
checking in the most computation-expensive level, the features. Of course you
could always put in a hook into MapServer for feature level authentication,
but it would most likely mean a huge performance hit, especially if that
overhead cannot be offloaded to an RDBMS, which is more often the case than it
is not (shapefile data, for example).
Another point of consideration that is perhaps not that apparent - it's not
the same to think about security realms that have data assigned to them, as
opposed to data sets that have security realms assigned to them. Generally I
think in MapServer applications data sets change qualitatively far less often
than security realms - this means you should build your security around your
data, and not the other way around.
> I think that security should be built into the product in a way that
> ensures the same set of functionality in every platform (keep in mind that
> even user ids vary in size and type from OS to OS).
I strongly disagree. With this approach you get the smallest compatible subset
of possible functionality, while you actually want the largest possible
subset for the given platform. Imagine MapServer is ported to, say,
Windows95. With a compatible subset, it would mean that MapServer should not
have any user-authentication, since Win95 makes no (practical) difference
among its users.