[mapserver-dev] spatial restriction for queries
Martin Kofahl
m.kofahl at gmx.net
Sat Oct 3 15:44:04 EDT 2009
Hi Tamas,
my intention is to have a simple access control mechanism (so a clipping
mechanism per layer based on user credentials or other id-like data)
inside MapServer. For now this plan is limited to raster data, so for
wms and browse mode. Currently, I have an access control system (a kind
of cascading wms) in front of MapServer which increases response times
noticeably.
What I have done so far:
* user credentials: In order to use the ID of a user accessing MapServer
(no, I don't want to have a single mapfile for each potential user) I
found it handy to have access to environment variables in the DATA
statement such as remote_ip, remote_user or other things one could set
before running MapServer. This is done in
http://trac.osgeo.org/mapserver/ticket/3122 and - from my point of view
- only needs some syntax discussion and a solution to validate such
variables as it's done for url substitution. This will then allow
interesting solutions: drawing/querying only a subset of a sql
datasource by using a joined credentials-table in the where clause
(actually, I haven't tried this way round).
* clipping mechanism: As #3122 only works for sql data sources and I
have a couple of raster data sources which have to be clipped based on
user-id, I use a special layer which holds the area a user has access
to (using #3122). This layer is referenced by the real data-layer
similar to a tile-index layer. The negative of the referenced layer is
drawn over the already rendered data-layer. The patch is attached to
http://trac.osgeo.org/mapserver/ticket/3116. Contrary to #3122 this
solution has the advantage that it works for all data sources. Up to now
it's not perfect, but it works as expected.
What I am missing: you can still query a clipped area. And this is where
my question was aimed at. _I think_, I'll have to check if the
query-shape(s) is/are inside the polygons of the referenced layer used
for clipping. But there are so many different msQuery.. functions; if
avoidable, I don't want to alter them all and am currently looking for
some 'core functions'.
In reply to your 2nd question: The reason why - as far as I know - I cannot
use different mapfiles for each spatial restriction is that I have tiff
files as data source and polygons for restrictions. And personally, I
don't feel it's a good idea to have tons of similar mapfiles for each
combination of about 20 areas.
Querymaps: I must say I didn't use this feature for now. But it's only
for drawing pre-selected shapes (so vector data sources only), right?
How could querymaps be used in wms mode (not only highlighting but
clipping out the rest)? Can I use it in order to limit queries to given
polygons? Reading the docs, I think querymaps have another target.
What is your (and other MapServer devs') opinion about having a
spatial access control system inside MapServer?
Kind regards! Martin
Tamas Szekeres wrote:
> Martin,
>
> I think you should flesh out further information about your objectives;
> there are a couple of things not obvious to me with this proposal:
>
> 1. I'm not sure where the user identities are stored when restricting
> their access to regions. It seems like the mapfile would contain
> constant restrictions independent from the users. How are the users
> assigned to regions?
>
> 2. If we are thinking about static mapfiles (a different mapfile for
> each user) it seems like this problem is running out of the scope of
> mapserver. You may pre-define those mapfiles by setting up different
> spatial filters for each region. The upper level application (i.e. a
> WEB application) would identify the user and refer to different
> mapfiles accordingly.
>
> 3. It looks like you'd implement rendering only a subset of the
> features per-layer within a spatial query. How is this option
> different from what the QUERYMAP setting with STYLE=selected would
> normally provide? (http://mapserver.org/mapfile/querymap.html) The
> query maps could be drawn by the cgi mapserver or by using a custom
> script (mapscript) within your application.
>
>
> Best regards,
>
> Tamas
>
> 2009/10/2 Martin Kofahl <M.Kofahl at gmx.net>:
>
>> Hello!
>> I'm trying to complete enhancement #3116 (spatial obligation per layer basis). Queries should be limited to the area a user is allowed to access. Because of the number of query functions, I need some help to figure out where the best place for checking access rights is. I'd manage this using msGEOSWithin().
>>
>> For vector data all query functions seem to depend on msLayerWhichShapes. If so, could MapServer 'simply' filter the list of shapes to be queried?
>>
>> For raster data I'm still looking if there's a single core function where the check could be done.
>>
>> On the other hand, I could extend the msQuery functions in mapquery.c in order to check the incoming selectshape or - for attribute search etc. - remove some items from the resultset afterwards.
>>
>> Can you give me some advice? Thanks!
>> Martin
>> _______________________________________________
>> mapserver-dev mailing list
>> mapserver-dev at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/mapserver-dev
>>
>>
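The gap raised in this thread (a layer clipped at render time can still be queried) comes down to two checks: reject a point query outside the user's areas, and drop hits outside them from an attribute-search result set. The following is an added sketch of both, not code from the #3116 patch or from MapServer; the types and function names are hypothetical, the sample data is constructed, and a plain even-odd ray-casting test stands in for msGEOSWithin().

```c
#include <stddef.h>

/* Hypothetical types for this sketch (not MapServer's pointObj/shapeObj). */
typedef struct { double x, y; } pt_t;
typedef struct { const pt_t *v; size_t n; } ring_t;

/* Even-odd ray casting: 1 if (x,y) lies inside the ring, else 0. */
static int point_in_ring(double x, double y, const ring_t *r)
{
    int inside = 0;
    size_t i, j;
    if (r == NULL || r->n < 3) return 0;   /* degenerate area grants nothing */
    for (i = 0, j = r->n - 1; i < r->n; j = i++) {
        pt_t a = r->v[i], b = r->v[j];
        if (((a.y > y) != (b.y > y)) &&
            (x < (b.x - a.x) * (y - a.y) / (b.y - a.y) + a.x))
            inside = !inside;
    }
    return inside;
}

/* Deny by default: a point query is allowed only inside one of the areas. */
int query_point_allowed(double x, double y, const ring_t *areas, size_t n)
{
    size_t k;
    for (k = 0; k < n; k++)
        if (point_in_ring(x, y, &areas[k])) return 1;
    return 0;
}

/* Post-filter for attribute searches: drop hits outside the allowed areas,
 * compacting the array in place. Returns the number of hits kept. */
size_t filter_hits(pt_t *hits, size_t n_hits, const ring_t *areas, size_t n)
{
    size_t i, kept = 0;
    for (i = 0; i < n_hits; i++)
        if (query_point_allowed(hits[i].x, hits[i].y, areas, n))
            hits[kept++] = hits[i];
    return kept;
}

/* Constructed sample: one square access area and four query hits. */
const pt_t SQUARE[] = { {0, 0}, {10, 0}, {10, 10}, {0, 10} };
const ring_t AREAS[] = { { SQUARE, 4 } };

size_t sample_filter(void)
{
    pt_t hits[] = { {5, 5}, {20, 20}, {1, 9}, {-1, 5} };
    return filter_hits(hits, 4, AREAS, 1);
}
```

An empty area list denies every query, so a user with no row in the access layer gets nothing rather than everything.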