Cascading external WMS using basic authentication over https

Rahkonen Jukka Jukka.Rahkonen at MMMTIKE.FI
Mon Jan 28 08:28:22 EST 2008


 Frank Warmerdam wrote 
>Rahkonen Jukka wrote:
>>> Frank Warmerdam wrote
>>> Rahkonen Jukka wrote:
>>>> Hi,
>>>>
>>>> Is it possible to make MapServer cascade another WMS service that
>>>> must be accessed through https and that wants to get username/password
>>>> for authentication? How?
>>> Jukka,
>>>
>>> I'm not sure what other ways are possible, but I found that to get
>>> MapServer able to talk to a password protected WMS (or perhaps WFS?)
>>> I had to hack the code to pass some extra options to curl.  Ideally
>>> we would provide a mechanism to do this directly from the mapserver
>>> if there is no better way.
> 
>> Direct way from mapserver would be very convenient for us.  Should I
>> make a feature request and hope for the best or what?

> Jukka,
> I would be willing to implement this if you are willing to help with 
> some research, RFC writing and testing.  In particular we need to 
> isolate what extra curl options such as, but possibly not limited to, 
> userid and password we should be able to pass through.  Then we can 
> write up an RFC based on doing this through layer metadata.  Then - 
> once approved - I can implement and you could test.
> As I think back, I realize the other time I did something like this it
> was actually using a digital certificate rather than simple
> userid/password protection.  Ideally we would address both cases.
> If this effort level exceeds the amount of effort you want to invest, 
> then filing an enhancement ticket at least summarizing some of these 
> ideas would be a good start.
> PS. If implemented we would presumably do it in a way that applied to 
> WFS and WMS client layers.


Hi, 
I got the following answer from our developer:

"I don't see anything special here, in addition to pass on the username
and password, but to check if the server certificate is to be trusted.
If Mapserver is using curl then it is possible to give a (list of ?)
certificate provider(s) whose certificates should be accepted."

And then he sent me an excerpt from the curl manual:

       --cacert <CA certificate>
              (HTTPS) Tells curl to use the specified certificate file to
              verify the peer. The file may contain multiple CA
              certificates. The certificate(s) must be in PEM format.
 
His conclusion was that in order to use https / basic-auth combination
these three items would be needed:
- username
- password
- file that contains the trusted certificates.

I hope this makes sense.

-Jukka-
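
The three items listed in the message above (username, password, trusted-certificate file), expressed as curl command-line configuration. This is an added example, not part of the original thread and not MapServer code; the helper name `wms_curl_config` and the example URL and paths are assumptions.

```shell
# Emit a curl config for `curl --config -`. Feeding it on stdin keeps the
# password out of the process list, unlike `curl --user name:password`.

# Escape backslashes and double quotes for a quoted curl config value.
cfg_quote() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# wms_curl_config URL USER PASSWORD CAFILE   (hypothetical helper)
wms_curl_config() {
  local url="$1" user="$2" pass="$3" cafile="$4"
  case "$url" in
    https://*) ;;
    *) echo "refusing non-https URL: basic auth would travel in cleartext" >&2
       return 2 ;;
  esac
  case "$user" in
    *:*) echo "username must not contain ':'" >&2; return 2 ;;
  esac
  if [ ! -r "$cafile" ]; then
    # Fail closed rather than fall back to an unverified connection.
    echo "CA file not readable: $cafile" >&2
    return 3
  fi
  printf 'url = "%s"\n'    "$(cfg_quote "$url")"
  printf 'user = "%s"\n'   "$(cfg_quote "$user:$pass")"
  printf 'basic\n'                     # HTTP basic authentication
  printf 'cacert = "%s"\n' "$(cfg_quote "$cafile")"
  printf 'fail\n'                      # non-zero exit on HTTP errors (e.g. 401)
  printf 'silent\n'
  printf 'show-error\n'
}

# Usage (constructed values):
#   wms_curl_config "https://wms.example.invalid/ows?SERVICE=WMS&REQUEST=GetCapabilities" \
#       "$WMS_USER" "$WMS_PASS" /path/to/trusted-ca.pem | curl --config -
```

With `cacert` set, curl verifies the server certificate against that PEM file only, so a certificate issued by any other CA causes the request to fail before the credentials are sent.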


