[OpenLayers-Users] secure WMS and WFS

Christopher Schmidt crschmidt at metacarta.com
Wed Feb 14 14:55:01 EST 2007


On Wed, Feb 14, 2007 at 06:39:10PM +0100, Eric Lemoine wrote:
> Christopher,
> 
> On 2/14/07, Christopher Schmidt <crschmidt at metacarta.com> wrote:
> >On Wed, Feb 14, 2007 at 11:03:23AM +0100, Eric Lemoine wrote:
> >> Hi there!
> >>
> >> Does anyone have experience with securing access to WMS and WFS
> >> layers? Say, in the same way it's done in google maps, with a key
> >> associated with some directory of one's website.
> >
> >Eric --
> >
> >I've done a variety of different things, each depending on the:
> > * Level of security you need
> > * Level of hassle your users can go through
> >
> >Assuming that you're not trying to *protect* your WMS data -- that is,
> >assuming that it's public information -- what you want to do is limit
> >the use of it. Note that Google does not do this at the tile level:
> >instead, tiles are open for anyone to see, and they use legal means to
> >track down and stop anyone using the tiles outside their mapping div.
> >
> >If the information is public, then the best way to do it is probably to
> >implement a mechanism whereby a temporary token can be granted. That
> >token is then set as a parameter on the layer, and is checked before
> >the WMS image is returned. This can be done using an authentication
> >handler in Apache, or a wrapper script around your WMS server.
> >
> >If your information is not public, then you need to set up actual user
> >authentication. This is actually really simple (again, in Apache) --
> >simply set up Basic Authentication around the location where the WMS is
> >served, and the browser will require users to log in (via a popup-like
> >box, see http://developers.metacarta.com/account/) before the tiles will
> >be displayed.
> 
> Two things regarding that solution:
> 
> (1) To me if the information isn't public one needs to encrypt that
> information. Authentication isn't sufficient.

Depends entirely on your needs. In my case, I care only that someone is
able to get results to a specific query. If they cache that query for
all time and give it out to other people, I don't really care, so long
as when they want to ask a new question, they have to come back to the
source (me). In that case, I don't care about security, other than for
protection of the actual credentials. 

> (2) For that solution to work the actual WMS server needs to support
> authentication. From what I've read so far, neither geoserver nor
> mapserver support it.

For Basic Authorization, the *webserver* needs to support
authentication, but not the WMS server. Simply set up basic auth for
/cgi-bin/mapserv:

http://httpd.apache.org/docs/1.3/howto/auth.html#basicconfig

The browser will then take care of all the authentication for you: the
initial request for the image will be received with a 401, which will
result in the user being prompted for a password. Each subsequent image
load will then use the cached password. So long as you can establish
that users typing in a password to get access to the data is acceptable,
this is the best way to go about it. 

Regards,
-- 
Christopher Schmidt
MetaCarta
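
The temporary-token approach quoted above (a token set as a parameter on the layer and checked by a wrapper script before the WMS image is returned), as an added example that is not part of the original message or of any project's code. The parameter name `token`, the secret, the lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-secret"  # assumption: key held only by the server
TTL = 300                            # assumption: token lifetime in seconds


def _sign(expiry_s):
    return hmac.new(SECRET, expiry_s.encode(), hashlib.sha256).hexdigest()


def issue_token(now=None):
    """Return '<expiry>.<hex HMAC>'; the page embedding the map hands this out."""
    expiry = int(time.time() if now is None else now) + TTL
    return f"{expiry}.{_sign(str(expiry))}"


def check_token(token, now=None):
    """True only for an unexpired token whose signature verifies."""
    now = int(time.time() if now is None else now)
    expiry_s, sep, sig = token.partition(".")
    if not sep or not (expiry_s.isascii() and expiry_s.isdigit()):
        return False
    # Compare as bytes in constant time; a non-ASCII signature must not raise.
    if not hmac.compare_digest(sig.encode(), _sign(expiry_s).encode()):
        return False
    return int(expiry_s) >= now


def authorize(url, now=None):
    """Wrapper decision for one WMS request URL: 200 to pass it on, else 403."""
    query = parse_qs(urlsplit(url).query)
    # WMS parameter names are case-insensitive, so gather every spelling
    # and refuse requests that carry zero or several tokens.
    tokens = [v for k, vs in query.items() if k.lower() == "token" for v in vs]
    if len(tokens) != 1:
        return 403
    return 200 if check_token(tokens[0], now) else 403


if __name__ == "__main__":
    # Constructed sample request against the /cgi-bin/mapserv path.
    url = ("http://example.org/cgi-bin/mapserv?SERVICE=WMS&REQUEST=GetMap"
           "&token=" + issue_token())
    print(authorize(url), authorize(url, now=time.time() + TTL + 1))
```

A wrapper would call `authorize` on the incoming request and hand the request to the WMS server only on 200.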


