Access Control in MapServer

Daniel Morissette dmorissette at MAPGEARS.COM
Tue Jan 23 13:48:03 EST 2007


Sean Gillies wrote:
> 
> Daniel, I finally took a close look at DACS, and it doesn't seem so bad. 
> It is middleware and has an Apache module. If you really have to 
> implement super fine grain permissions into feature access and 
> rendering, it might be a decent choice, but are you not worried about 
> the performance hit of checking permission for every feature drawn on a 
> map? Thousands of calls to the access control API for every map drawn? 
> Decent performance is going to mandate pre-processed shapefiles or 
> PostGIS views, so attribute-level run-time access control seems less 
> useful the more I think about it.
> 

I agree with you 100% on the possible performance hit if this is not 
used properly. This can be lightweight if only used to filter layers or 
attributes, but can become quite heavy if a filter is applied to every 
shape of a large resultset.

However, this can still be useful in several cases, for instance a WFS 
GetFeature call which would normally return a set of 100 shapes which is 
filtered down to about 20 shapes by a DACS rule. Even if the source 
dataset contains thousands of shapes, we need to place the DACS hooks in 
MapServer so that they are evaluated only after the initial 100 shapes 
were extracted from the layer. This way the filter is evaluated only 100 
times which is not quite as bad.

Anyway, you got a very good point that performance can be quite bad if 
this is misused and applied to thousands of shapes per map drawn.


BTW, an update on this: we have decided to put our proposal plans on 
hold, mainly because of bad timing, but the idea has not been completely 
abandoned so it's good to continue to have this discussion.

Daniel
-- 
Daniel Morissette
http://www.mapgears.com/


