Access Control in MapServer
Daniel Morissette
dmorissette at MAPGEARS.COM
Mon Jan 22 15:54:27 EST 2007
Bart van den Eijnden (OSGIS) wrote:
>
> this could be a very interesting feature. Also, BBOX filters with
> reprojection included would be hard to do in DACS I guess, without
> running some command-line program.
>
We're thinking of using some kind of callback system to handle that.
MapServer would register a "bbox filter evaluator" with DACS, actually
just a C function pointer with a predefined prototype that would be
provided by MapServer to DACS. Then when time comes to evaluate a rule
that contains a BBOX filter, MapServer would call DACS asking "evaluate
access control rules for current user" ... and then DACS would find that
the rule contains a BBOX filter and call the registered MapServer
function to evaluate the BBOX part of the rule.
> We (as in Dutch government agency called Rijkswaterstaat) have played a
> bit with DACS recently, but found it too complicated in the end. Also
> the lack of a good web-based management tool to define the permissions
> made us leave the DACS path.
>
Yeah, user-friendliness doesn't seem to be one of DACS' strengths, that
bugged me a bit too. I was hoping that we could build a good
tutorial/HOWTO that documents the most common usage scenarios and users
would just need to copy and adapt one of the examples to configure their
services.
> Would it be possible to set permissions on CONNECTIONTYPE WMS/WFS
> layers? Of course with WMS you can't have fine-grained control, but with
> WFS you could I guess. But I don't know if this is at all in the scope
> of the project.
>
That's cascaded authentication? I don't think I would want to go there,
at least not in a first round. However, one of the features that's been
requested is cascading DACS authentication tokens (actually cookies in
the default implementation). So if a registered user connects to your
webmapping site, MapServer could forward the DACS cookie to the remote
WMS/WFS servers and the cascaded servers could use the DACS cookie to
trigger their own rule evaluation if they are DACS-enabled.
Daniel
--
Daniel Morissette
http://www.mapgears.com/