Access Control in MapServer
Daniel Morissette
dmorissette at MAPGEARS.COM
Sun Jan 21 14:18:25 EST 2007
Sean Gillies wrote:
> Daniel, one word:
>
> Middleware, baby.
>
> Okay, two words. Your customer's access control requirements are probably going to be continually evolving, so keeping access control out of MapServer means easier development and maintenance. And it keeps a lot of complicated logic (needed by very few) out of the MapServer application itself.
Steve Lime wrote:
> I guess you can't do that level of access control outside of MapServer,
> can you? I'm
> ok with this even if it's not terribly high priority personally.
> ACCESS...END
>
Some level of access control can be done outside of MapServer, but not
everything. For instance WMS layer level restrictions are easy to
implement in a wrapper that simply checks the LAYERS=... parameter of a
WMS request and denies the request if an unauthorized layer is requested.

However, things like attribute or bbox filtering can hardly be done
outside of MapServer, e.g. users from group X can only access features
from layer L that match expression "AUTH_GROUP = X", or users from group
Y can only access features inside a given BBOX or that intersect with a
given polygon.

Of course one could create separate layers for each class of users and
then simply do layer-level access control in a wrapper. That's the kind
of workaround they use now, but when the number of
users/groups/restrictions combinations increases, the number of layers
becomes harder to manage and they are looking for something more
integrated and more powerful.
Daniel
--
Daniel Morissette
http://www.mapgears.com/
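
The layer-level wrapper check described in the message above, sketched as an added example that is not part of the original post or of MapServer. It assumes the caller's group has already been established by the front end, that only WMS requests are forwarded, and that the policy table, group names and layer names are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Constructed policy for illustration: group name -> WMS layers it may request.
ALLOWED_LAYERS = {
    "group_x": {"roads", "parcels"},
    "group_y": {"roads"},
}

# WMS parameters that carry layer names (QUERY_LAYERS is used by GetFeatureInfo).
LAYER_PARAMS = ("LAYERS", "QUERY_LAYERS")


def requested_layers(query_string):
    """Return the set of layers named in the request, or None if it is ambiguous."""
    seen = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        name = key.upper()  # WMS parameter names are case-insensitive
        if name in LAYER_PARAMS:
            if name in seen:
                # Repeated parameter: the wrapper and the backend could each
                # pick a different occurrence, so treat it as ambiguous.
                return None
            seen[name] = value
    layers = set()
    for value in seen.values():
        # parse_qsl has already percent-decoded the value, so an encoded
        # comma (%2C) is split here like a literal one.
        layers.update(part.strip() for part in value.split(",") if part.strip())
    return layers


def is_authorized(group, query_string):
    """Default deny: every requested layer must be on the group's allow list."""
    layers = requested_layers(query_string)
    if layers is None:
        return False
    allowed = ALLOWED_LAYERS.get(group, set())
    # Exact-match comparison; a name that differs in any way is refused.
    return layers <= allowed
```

This covers only the layer-level case; the attribute and BBOX restrictions mentioned in the message cannot be enforced by inspecting the query string this way.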