adding support for user authentication within Mapserver for GetCapabilities and GetMap

Christopher Schmidt crschmidt at METACARTA.COM
Fri Aug 31 21:09:57 PDT 2007


On Fri, Aug 31, 2007 at 11:05:23PM -0400, Ed McNierney wrote:
> So we need to compromise to live in the real world.  The "wrapper" script is one way to do that.  If I create a wrapper PHP script such that my WMS Resource URI changes from:
> 
> http://my.server.com/mapserv?map=my.map&
> 
> to:
> 
> http://my.server.com/mapserv.php?user=me&password=secret&
> 
> then I'm really not doing anything different than what HTTP Basic authentication is doing, except for putting a few of the bytes in different places in the HTTP request.  It is hard to see that using HTTP Basic authentication is fundamentally the Right Way and the querystring parameters is the Evil Way, since they are almost identical.  Perhaps the wrapper approach even has the benefit of reminding the user that their id and password are being sent as clear text!

Actually, clear-text passwords in the URL string are certainly the
'wrong way' from the perspective of the web -- because they can be
cached by proxies. So, your credentials will now be stored in a proxy
somewhere, and if the logs of the server are web accessible (even in
limited form, as is often the case with web log analyzers) your password
and username are accessible that way, etc.

Now, whether the mechanism described here makes the situation more
possible to use in various clients is a different question entirely, but
it is clear that there are a number of reasons why embedding the
username and password in a GET request string is bad for users. 

Passing something along in clear text is different from putting it in
the URL string, because the URL string is, by the nature of the way the 
web works, designed to be public + sharable, which is something slightly
different.

Regards,
-- 
Christopher Schmidt
MetaCarta
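The exposure discussed above (the wrapper URL's user and password ending up in proxy and web-server logs) is something a defender can check for on the server side. The following is an added example, not code from this thread or from the MapServer project: it scans constructed Common Log Format lines for the `user`/`password` query parameters from the wrapper URL, compares them with a Basic-authentication request that logs only the username, and redacts the values. The sample lines and the `SENSITIVE_PARAMS` set are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that carry credentials (assumption: extend this set to
# match whatever parameter names a deployed wrapper script actually uses).
SENSITIVE_PARAMS = {"user", "username", "password", "passwd", "pwd"}

# Common Log Format request line; the third field is the remote user that
# HTTP Basic authentication records (the password itself is never logged).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<remote_user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: the wrapper-script URL from the thread, and the
# same client using HTTP Basic authentication against mapserv directly.
WRAPPER_LINE = ('203.0.113.5 - - [31/Aug/2007:23:05:23 -0400] '
                '"GET /mapserv.php?user=me&password=secret&SERVICE=WMS&REQUEST=GetCapabilities HTTP/1.1" 200 5120')
BASIC_AUTH_LINE = ('203.0.113.5 - me [31/Aug/2007:23:06:01 -0400] '
                   '"GET /mapserv?map=my.map&SERVICE=WMS&REQUEST=GetMap HTTP/1.1" 200 40960')


def find_leaked_params(log_line):
    """Return the sorted credential parameter names found in the request target, [] if none."""
    m = LOG_RE.match(log_line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return sorted({name.lower() for name, _ in parse_qsl(query, keep_blank_values=True)
                   if name.lower() in SENSITIVE_PARAMS})


def redact_line(log_line):
    """Return the log line with credential parameter values replaced by REDACTED."""
    m = LOG_RE.match(log_line)
    if not m or not find_leaked_params(log_line):
        return log_line  # nothing to redact, keep the line byte-for-byte
    parts = urlsplit(m.group("target"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    start, end = m.span("target")
    return log_line[:start] + urlunsplit(parts._replace(query=urlencode(cleaned))) + log_line[end:]


def scan(lines):
    """Return [(client, remote_user, leaked_params)] for each line exposing credentials."""
    hits = []
    for line in lines:
        leaked = find_leaked_params(line)
        if leaked:
            m = LOG_RE.match(line)
            hits.append((m.group("client"), m.group("remote_user"), leaked))
    return hits
```

Running `scan([WRAPPER_LINE, BASIC_AUTH_LINE])` flags only the wrapper request, and `redact_line` shows what the log should have contained before anyone with access to a log analyzer could read it.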