[mapserver-dev] MS RFC 90: Enable/Disable Layers in OGC Web Services by IP Lists - Call for Comments

Tamas Szekeres szekerest at gmail.com
Wed Feb 20 07:05:39 PST 2013


Hi Daniel & All,

I've updated RFC-90 to follow the concept mentioned.

http://mapserver.org/development/rfc/ms-rfc-90.html

Here is a commit containing the proposed changes according to the recent
version:
https://github.com/szekerest/mapserver/commit/5d7ec08292e4b790d219082f7ea6ced83fc5c336

Since I'm using msOWSParseRequestMetadata to implement the logic behind
ms_enable_modes, the concept of defining the conditions is pretty much the
same as for ows_enable_request.

ms_enable_modes for LAYER and further sophisticated ideas cannot be
included in this RFC due to the limits of the available budget and the
upcoming deadlines.

Let me know if you have further comments.

Best regards,

Tamas




2013/2/19 Daniel Morissette <dmorissette at mapgears.com>

> Hello again,
>
> I just realized that my suggestion to implement full support for
> ms_enable_modes with all the flexibility provided by ows_enable_requests
> might be quite a bit more work than you have available in your budget, so
> perhaps a compromise would be to simply implement the following at the
> map-level:
>
>   "ms_enable_modes" "*" # Enable all CGI modes
>
> or
>
>   "ms_enable_modes" "!*" # Block all CGI modes
>
> This would be sufficient to allow someone using ows_allowed/denied_ip_list
> to disable use of the CGI modes, and would leave open the possibility to
> implement full support for the same logic as ows_enable_requests down the
> road when one has time/funding to do it.
>
> Daniel
>
>
>
>
> On 13-02-19 11:20 AM, Daniel Morissette wrote:
>
>> On 13-02-15 12:43 PM, Tamas Szekeres wrote:
>>
>>> Hi Devs,
>>>
>>> I've prepared an RFC including most of the suggestions received with
>>> regards to this addition.
>>> http://mapserver.org/development/rfc/ms-rfc-90.html
>>>
>>> Let me know if you have further things to be taken into account before
>>> calling a vote on it.
>>>
>>>
>>>
>> Hi Tamas,
>>
>> A few questions/comments:
>>
>> - It is not clear if setting ows_allowed_ip_list implicitly means that
>> all addresses are blocked, and then only the specified addresses are
>> enabled, and vice-versa that setting ows_denied_ip_list means that any
>> address has access by default, except for those listed in the deny list.
>> I believe this is the implied behavior, but if yes then I think that
>> should be made clear, and perhaps some examples provided with
>> explanation of the corresponding behavior.
>>
>> - Is it possible to set both ows_allowed_ip_list and ows_denied_ip_list
>> and if yes in this case which one takes precedence? Or do they interact
>> with each other (i.e. Could I block a range of IPs with the deny list
>> and then open up specific workstation addresses with the allow list? or
>> the reverse: open up a range of IP addresses with the allow list and
>> block a subset with the deny list?)
>>
>>
>> - With respect to the ms_disable_modes, I don't like a logic where we
>> need to explicitly list what we block. I prefer the other way around
>> where we list what we enable to reduce the risk of leaving open holes in
>> your server configuration.
>>
>> Actually, perhaps one way to deal with this would be to switch to a
>> "ms_enable_modes" and use the same kind of logic as ows_enable_requests,
>> with "!*" meaning disable all, and "!MAP" meaning disable MAP mode, and
>> then allowing the use of ms_enable_modes at the layer-level as well.
>>
>> e.g.
>>
>> MAP
>>    WEB
>>      METADATA
>>        # Block all CGI modes except MAP and LEGEND
>>        "ms_enable_modes" "!* MAP LEGEND"
>>        ...
>>      END
>>      ...
>>    END
>>    ...
>> END
>>
>> using inheritance one could then block all modes at the top-level and
>> re-enable a given mode only for specific layers:
>>
>> MAP
>>    WEB
>>      METADATA
>>        # Block all CGI modes by default for this mapfile
>>        "ms_enable_modes" "!*"
>>        ...
>>      END
>>      ...
>>    END
>>
>>    LAYER
>>      METADATA
>>        # Enable MAP and LEGEND requests for this layer
>>        "ms_enable_modes" "MAP LEGEND"
>>      END
>>      ...
>>    END
>> END
>>
>> or one could be more open by default and selectively disable some
>> requests at the layer level:
>>
>> MAP
>>    WEB
>>      METADATA
>>        # Open up ALL CGI modes by default for this mapfile
>>        "ms_enable_modes" "*"
>>        ...
>>      END
>>      ...
>>    END
>>
>>    LAYER
>>      METADATA
>>        # But allow only MAP requests on this layer
>>        "ms_enable_modes" "!* MAP"
>>      END
>>      ...
>>    END
>> END
>>
>>
>>
>
> --
> Daniel Morissette
> http://www.mapgears.com/
> Provider of Professional MapServer Support since 2000
>
>
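
The enable-list semantics discussed in this thread ("*", "!*", "!MAP", and a layer-level value overriding the map-level one), as an added example that is not part of the original messages and is not MapServer's msOWSParseRequestMetadata code. The names eval_mode_list and mode_enabled, the rule that a token naming the mode beats a wildcard, and the caller-supplied default for an unset value are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Outcome of looking up one mode in one "ms_enable_modes"-style value. */
enum { MODE_UNSET = -1, MODE_DENY = 0, MODE_ALLOW = 1 };

/* Evaluate a space-separated value such as "!* MAP LEGEND" for `mode`.
 * Assumptions: a token naming the mode beats "*" / "!*" whatever the order,
 * and names are compared case-sensitively. */
static int eval_mode_list(const char *list, const char *mode)
{
    int wildcard = MODE_UNSET, exact = MODE_UNSET;
    char buf[256];

    if (list == NULL)
        return MODE_UNSET;
    strncpy(buf, list, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        int allow = (tok[0] != '!');
        const char *name = allow ? tok : tok + 1;
        if (strcmp(name, "*") == 0)
            wildcard = allow;
        else if (strcmp(name, mode) == 0)
            exact = allow;
    }
    return exact != MODE_UNSET ? exact : wildcard;
}

/* Layer value first, then the map-level value, then a caller-chosen default. */
static int mode_enabled(const char *map_list, const char *layer_list,
                        const char *mode, int default_allow)
{
    int r = eval_mode_list(layer_list, mode);
    if (r == MODE_UNSET)
        r = eval_mode_list(map_list, mode);
    return r == MODE_UNSET ? default_allow : r;
}

int main(void)
{
    /* Values taken from the three mapfile snippets in the thread. */
    printf("%d\n", mode_enabled("!* MAP LEGEND", NULL, "BROWSE", 1));
    printf("%d\n", mode_enabled("!*", "MAP LEGEND", "MAP", 1));
    printf("%d\n", mode_enabled("*", "!* MAP", "LEGEND", 1));
    return 0;
}
```

With a map-level "!*" the result for any mode a layer does not name stays "deny", which is the enable-what-you-need behaviour argued for in the quoted review.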