Access Control in MapServer

Kralidis,Tom [Burlington] Tom.Kralidis at EC.GC.CA
Tue Jan 23 10:57:13 EST 2007


> 
> Daniel Morissette wrote:
> > Sean Gillies wrote:
> >> Daniel, one word:
> >>
> >> Middleware, baby.
> >>
> >> Okay, two words. Your customer's access control requirements are
> >> probably going to be continually evolving, so keeping access control
> >> out of MapServer means easier development and maintenance. And it
> >> keeps a lot of complicated logic (needed by very few) out of the
> >> MapServer application itself.
> > 
> > Steve Lime wrote:
> >> I guess you can't do that level of access control outside of
> >> MapServer can you. I'm ok with this even if it's not terribly high
> >> priority personally.
> >> ACCESS...END
> >>
> > 
> > Some level of access control can be done outside of MapServer, but not
> > everything. For instance WMS layer level restrictions are easy to
> > implement in a wrapper that simply checks the LAYERS=... parameter of
> > a WMS request and denies the request if an unauthorized layer is
> > requested.
> >
> > However, things like attribute or bbox filtering can hardly be done
> > outside of MapServer, e.g. users from group X can only access features
> > from layer L that match expression "AUTH_GROUP = X", or users from
> > group Y can only access features inside a given BBOX or that intersect
> > with a given polygon.
> >
> > Of course one could create separate layers for each class of users and
> > then simply do layer-level access control in a wrapper. That's the
> > kind of workaround they use now, but when the number of
> > users/groups/restrictions combinations increases, the number of layers
> > becomes harder to manage and they are looking for something more
> > integrated and more powerful.
> > 
> > Daniel
> 
> Daniel, I finally took a close look at DACS, and it doesn't seem so bad.
> It is middleware and has an Apache module. If you really have to
> implement super fine grain permissions into feature access and
> rendering, it might be a decent choice, but are you not worried about
> the performance hit of checking permission for every feature drawn on a
> map? Thousands of calls to the access control API for every map drawn?
> Decent performance is going to mandate pre-processed shapefiles or
> PostGIS views, so attribute-level run-time access control seems less
> useful the more I think about it.
>
> Am I having an olfactory hallucination, or do I smell GeoDRM around
> here? ;)

Another issue is that the DACS piece would have to be more neutral
w.r.t. platform and web server, to support Windows and IIS type
installs.

..Tom
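
The layer-level wrapper described in the quoted discussion above, as an added example that is not part of the original thread or of MapServer's code. The policy table, group and layer names, function names and the use of `REMOTE_USER` are assumptions for illustration, and only key-value (GET) requests are covered.

```python
from urllib.parse import parse_qsl

# Constructed policy (assumption): group -> WMS layer names it may request.
GROUP_LAYERS = {"group_x": {"roads", "parcels"}, "group_y": {"roads"}}

# Key-value parameters that name layers (GetMap, GetFeatureInfo,
# GetLegendGraphic). XML POST bodies are not inspected here.
LAYER_PARAMS = {"LAYERS", "QUERY_LAYERS", "LAYER"}


def requested_layers(query_string):
    """Return every layer named anywhere in the query string.

    WMS parameter names are case-insensitive and may be repeated, so all
    occurrences are merged instead of trusting the first or last one.
    """
    layers = set()
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name.upper() in LAYER_PARAMS:
            layers.update(part for part in value.split(",") if part)
    return layers


def is_authorized(group, query_string):
    """Default deny: unknown group, or any layer outside its allowlist.

    Layer names are compared exactly, so a differently cased name is refused.
    A request naming no layers (e.g. GetCapabilities) passes this check.
    """
    allowed = GROUP_LAYERS.get(group)
    if allowed is None:
        return False
    return requested_layers(query_string) <= allowed


def layer_guard(app, group_for_user):
    """WSGI wrapper (hypothetical): answer 403 before the WMS app runs."""
    def guarded(environ, start_response):
        group = group_for_user(environ.get("REMOTE_USER"))
        if not is_authorized(group, environ.get("QUERY_STRING", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"layer not permitted\n"]
        return app(environ, start_response)
    return guarded
```

Attribute and BBOX restrictions of the kind discussed in the thread cannot be expressed in this check, since it only sees layer names in the request.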
