[mapserver-dev] MS RFC 90: Enable/Disable Layers in OGC Web Services by IP Lists - Call For Vote

Daniel Morissette dmorissette at mapgears.com
Fri Mar 1 07:39:01 PST 2013

On 13-02-28 8:39 AM, Tamas Szekeres wrote:
> 2013/2/28 thomas bonfort <thomas.bonfort at gmail.com
> <mailto:thomas.bonfort at gmail.com>>
>     I agree that this is a complex area that in some case will need to be
>     handled by application specific methods. My point is that limiting by
>     ip only covers a tiny fraction of the AA
>     (authentication/authorization) scenarios, and that we will have to be
>     backwards compatible with it in the long run the day we have the
>     funds/needs for a full fledged AA component.
> We aren't necessarily required to be backward compatible between major version
> changes. Users should update their mapfiles so they could migrate their
> IP lists to some other places if required (assuming we remain function
> compatible).

Thomas, Tamas,

For my part, I already thought about this issue and think that in a 
future iteration of AA support we would likely end up deprecating the 
new metadata introduced by RFC 90 and replacing them with a more complete 

At Mapgears we have worked on the GeoPrisma project in the last few years 
(http://geoprisma.org/) and learned a lot about access control mechanism 
use cases around geospatial services. The project is mostly dormant now, 
but the lessons learned are still in our minds. I also believe that a 
future iteration of GeoPrisma would look very different from what it is 
today. However, before this happens we need to have the 
time/resources/funding, so don't expect to see this happen in the short term.

I think what we'd need is a C lib/module (call it libgeoprisma or 
whatever) that can be plugged into MapServer or other geospatial 
services (TinyOWS, MapCache, etc.) to provide spatially-aware access 
control services around a common set of config directives (configured 
only once for all services). If MapServer was built with this extension, 
then it would make some extra checks to control access to data at 
various levels of granularity, etc.

I do not have a clear picture yet of what this beast would be like in 
the end, but it is clear to me that this approach would involve 
deprecating what was introduced in RFC-90, which means that as much as I 
usually care a lot about backwards compatibility, in this specific case 
it is probably not that big a deal.

My $0.02

Daniel Morissette
Provider of Professional MapServer Support since 2000
