WMS/WFS Authentication

Kralidis,Tom [Burlington] Tom.Kralidis at EC.GC.CA
Sat May 26 19:06:19 EDT 2007


> Kralidis,Tom [Burlington] wrote:
> > I've used simple http authentication and x509 certificates in the
> > past, although I'm sure there are other approaches.
> >
> > I guess an initial question would be what/how do you want to secure
> > your WMS/WFS w.r.t. granularity?  Do you want to protect the entire
> > WMS/WFS?  Or specific layers/feature types?
>
> I think initially I'm looking at a gate keeper functionality.
> I think the big issue is that I don't know what clients I
> need to support, and I don't think it is safe to assume it
> will always be a browser.
>
> Do you have a writeup on how you set up http authentication and
> x509 certs w.r.t. WMS/WFS services? This sounds like it would
> be worthwhile adding to the wiki.
>

I have nothing about PKI / x509 offhand.  For HTTP auth, it's nothing
more than setting your (say) Apache config.  Unless I've misread you
above, HTTP authentication can provide gatekeeper functionality and is
client agnostic (browser, curl, perl-lwp, etc.).
 
> I did a google search and found various references to
> discussions on this. Also found http://www.geoxacml.org/
> which seems to be a complex solution.
> 

GeoXACML / SAML definitely covers the second scenario I mentioned
previously.  The challenge here is integrating them into existing SDI
components, like MapServer.  Because stuff like GeoXACML gets into the
information (features, layers, geometry), there needs to be some
integration between the security and resource layer.  It would be
interesting to investigate how something like this can work w/
MapServer, as I'm sure there are a lot of folks out there with similar
requirements.

DACS (http://dacs.dss.ca/) offers similar functionality, and has been
used in some SDI projects (like NFIS -- http://nfis.org/) but
(currently) appears to be UNIX-only, and defines its rules and controls
based on its own grammar.

Note that Daniel (Morissette) would have input here as well; I'm
basically paraphrasing a conversation we had recently on this :)

..Tom





> Thanks,
>    -Steve W
> 
> > If the latter:
> >
> > - do you want to assign roles / groups to specific layers/feature
> > types?  Do you want to further constrain by spatial predicates? - this
> > gets way more complicated.
> >
> > ..Tom
> >
> >
> > -----Original Message-----
> > From: UMN MapServer Users List on behalf of Stephen Woodbridge
> > Sent: Sat 26-May-07 11:00
> > To: MAPSERVER-USERS at LISTS.UMN.EDU
> > Cc:
> > Subject: [UMN_MAPSERVER-USERS] WMS/WFS Authentication
> >
> > Hi all,  What are people doing for WMS/WFS authentication when they
> > set up a for fee service? Since this is not part of the protocol, I'm
> > wondering how you might be doing this or if anyone is doing this.
> > Thanks, -Steve
> >
> 
> 
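
The gatekeeper setup described in the reply above (HTTP authentication done purely in the Apache config), as an added example that is not from the thread or from the MapServer project. The CGI location, realm name and password-file path are assumptions; adjust them to the actual install.

```apache
# Added example: HTTP Basic authentication as a gatekeeper in front of a
# MapServer CGI that serves WMS/WFS. Paths and names are assumptions.

<Location "/cgi-bin/mapserv">
    # Basic auth sends the password base64-encoded with every request,
    # so refuse anything that does not arrive over TLS (mod_ssl).
    SSLRequireSSL

    AuthType Basic
    AuthName "WMS/WFS subscribers"
    AuthBasicProvider file

    # Create with: htpasswd -c /etc/apache2/wms.htpasswd <username>
    # Keep this file outside DocumentRoot so it cannot be downloaded.
    AuthUserFile "/etc/apache2/wms.htpasswd"

    # No <Limit> wrapper: the rule must cover every method, because WMS
    # clients use GET while WFS clients commonly POST their requests.
    Require valid-user
</Location>
```

Any client that can send an `Authorization` header passes this check, so it is not tied to browsers. It protects the service as one unit and cannot tell layers or feature types apart, which is the finer-grained case the thread assigns to GeoXACML or DACS.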


