Access Control in MapServer
Sean Gillies
sgillies at FRII.COM
Wed Jan 17 16:48:32 EST 2007
Daniel Morissette wrote:
> We are working on a proposal that, if it is accepted, would lead to the
> addition of access control in MapServer. More specifically, we need to
> provide the ability for MapServer to control which data layers, shapes
> or attributes can be accessed by a given authenticated user. This would
> be mostly useful when accessing data through OGC interfaces (WMS, WFS,
> WCS and SOS), but if possible we should look at how this can also apply
> in the regular CGI mode.
>
> Here are some examples of access control rules that might become
> available through this for a given authenticated user:
>
> 1- Layer-level restrictions:
> - GetCapabilities and other OGC Web Service (OWS) operations would
> filter the list of available layers based on the privileges of
> the authenticated user.
>
> 2- BBOX-based restrictions:
> - Restrict users to a bbox which is a subset of the extents of a
> whole map or of given layers
>
> 3- Geometry-based restrictions:
> - Restrict users to access features that intersect with a given
> polygon
>
> 4- Shape-level restrictions:
> - Restrict users to shapes that match a given attribute expression
>
> 5- Attribute restrictions:
> - Restrict the list of attribute fields that a given user can see
> in a given layer
>
> We could also imagine other rules based on scale, etc. The complete list
> of rules that would be supported remains to be determined in light of the
> use cases that will be provided by the partners of the project.
>
> For this we are considering the integration of DACS
> (http://dacs.dss.ca/what_is_dacs.html) in MapServer since this is what
> is used already by some of the partners in the project. DACS would be
> used to define rules that would be evaluated as MapServer is executing a
> request. However, if possible we would like to set up a generic access
> layer on top of DACS so that other access control systems can also be
> integrated in the future.
>
> I am writing to ask the opinion of other PSC members on this, and
> perhaps get a motion of support for this feature from the PSC if there
> is enough interest. I realize that we cannot get a final commitment to
> integrate the feature in MapServer at this point, but at least we would
> like to know whether the PSC would be supportive of the idea... and then
> getting a formal motion of support could help our proposal.
>
> Also, if you or your organization has deployed OGC services with
> MapServer and has a need for this kind of access control then we might be
> interested in hearing from you, possibly even to include your group as a
> partner in the proposal to define the use-cases that need to be
> supported, help with testing, etc. Of course financial support from
> interested parties would also be welcome since this is not a fully
> funded proposal.
>
> Looking forward to your feedback...
>
> Daniel

Daniel, one word:

Middleware, baby.

Okay, two words. Your customer's access control requirements are
probably going to be continually evolving, so keeping access control out
of MapServer means easier development and maintenance. And it keeps a
lot of complicated logic (needed by very few) out of the MapServer
application itself.

Cheers,
Sean

--
Sean Gillies
http://zcologia.com/news
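
The middleware approach from the reply, sketched for the layer-level and BBOX rules in the quoted list. This is an added example, not part of the original thread and not MapServer or DACS code; the policy table, the user and layer names, the `authorize_wms` function, the parameter allow-list and the restriction to `SRS=EPSG:4326` requests are assumptions made for illustration.

```python
from urllib.parse import parse_qsl, urlencode

# Constructed policy: user names, layer names and extents are hypothetical.
POLICY = {
    "alice": {"layers": {"roads", "parcels"}, "bbox": (-80.0, 40.0, -70.0, 50.0)},
    "bob": {"layers": {"roads"}, "bbox": None},
}
# Parameters this filter understands; anything else is refused, not forwarded.
ALLOWED = {"SERVICE", "VERSION", "REQUEST", "LAYERS", "QUERY_LAYERS", "STYLES",
           "SRS", "BBOX", "WIDTH", "HEIGHT", "FORMAT", "X", "Y", "INFO_FORMAT"}

class Denied(Exception):
    """The request falls outside the user's policy."""

def authorize_wms(user, query_string):
    """Return a query string safe to forward to MapServer, or raise Denied."""
    rules = POLICY.get(user)
    if rules is None:
        raise Denied("unknown user")
    params = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        key = key.upper()  # OGC parameter names are case-insensitive
        if key not in ALLOWED:
            raise Denied("parameter not allowed: " + key)
        if key in params:  # refuse ambiguity the backend might resolve differently
            raise Denied("duplicate parameter: " + key)
        params[key] = value
    # Default deny: only operations this filter understands are forwarded.
    if params.get("REQUEST", "").lower() not in ("getmap", "getfeatureinfo"):
        raise Denied("operation not allowed")
    # Layer-level rule: every requested layer must be in the user's allow-list.
    for key in ("LAYERS", "QUERY_LAYERS"):
        if key == "LAYERS" or key in params:
            names = params.get(key, "").split(",")
            if any(name not in rules["layers"] for name in names):
                raise Denied("layer not permitted")
    # BBOX rule: the requested extent must lie inside the permitted one.
    if rules["bbox"] is not None:
        if params.get("SRS") != "EPSG:4326":  # assumed CRS of the policy extents
            raise Denied("unsupported SRS")
        try:
            minx, miny, maxx, maxy = (float(p) for p in params.get("BBOX", "").split(","))
        except ValueError:
            raise Denied("missing or malformed BBOX")
        ax, ay, bx, by = rules["bbox"]
        # NaN fails every comparison, so it is rejected here as well.
        if not (ax <= minx < maxx <= bx and ay <= miny < maxy <= by):
            raise Denied("BBOX outside permitted extent")
    return urlencode(params)
```

The filter only covers GetMap and GetFeatureInfo; GetCapabilities filtering and the geometry, shape and attribute rules would need to rewrite the response or the backend query and are not shown.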