[OpenLayers-Users] secure WMS and WFS
Eric Lemoine
eric.lemoine at gmail.com
Wed Feb 14 17:40:20 EST 2007
On 2/14/07, Christopher Schmidt <crschmidt at metacarta.com> wrote:
> On Wed, Feb 14, 2007 at 06:39:10PM +0100, Eric Lemoine wrote:
> > Christopher,
> >
> > On 2/14/07, Christopher Schmidt <crschmidt at metacarta.com> wrote:
> > >On Wed, Feb 14, 2007 at 11:03:23AM +0100, Eric Lemoine wrote:
> > >> Hi there!
> > >>
> > >> Does anyone have experience with securing access to WMS and WFS
> > >> layers? Say, in the same way it's done in google maps, with a key
> > >> associated with some directory of one's website.
> > >
> > >Eric --
> > >
> > >I've done a variety of different things, each depending on the:
> > > * Level of security you need
> > > * Level of hassle your users can go through
> > >
> > >Assuming that you're not trying to *protect* your WMS data -- that is,
> > >assuming that it's public information -- what you want to do is limit
> > >the use of it. Note that Google does not do this at the tile level:
> > >instead, tiles are open for anyone to see, and they use legal means to
> > >track down and stop anyone using the tiles outside their mapping div.
> > >
> > >If the information is public, then the best way to do it is probably to
> > >implement a mechanism whereby a temporary token can be granted. That
> > >token is then set as a parameter on the layer, and is checked before
> > >the WMS image is returned. This can be done using an authentication
> > >handler in Apache, or a wrapper script around your WMS server.
> > >
> > >If your information is not public, then you need to set up actual user
> > >authentication. This is actually really simple (again, in Apache) --
> > >simply set up Basic Authentication around the location where the WMS is
> > >served, and the browser will require users to log in (via a popup-like
> > >box, see http://developers.metacarta.com/account/) before the tiles will
> > >be displayed.
> >
> > Two things regarding that solution:
> >
> > (1) To me if the information isn't public one needs to encrypt that
> > information. Authentication isn't sufficient.
>
> Depends entirely on your needs. In my case, I care only that someone is
> able to get results to a specific query. If they cache that query for
> all time and give it out to other people, I don't really care, so long
> as when they want to ask a new question, they have to come back to the
> source (me). In that case, I don't care about security, other than for
> protection of the actual credentials.
>
> > (2) For that solution to work the actual WMS server needs to support
> > authentication. From what I've read so far, neither geoserver nor
> > mapserver support it.
>
> For Basic Authorization, the *webserver* needs to support
> authentication, but not the WMS server. Simply set up basic auth for
> /cgi-bin/mapserv:
>
> http://httpd.apache.org/docs/1.3/howto/auth.html#basicconfig

I understand that this works with mapserver, because mapserver runs as
an Apache CGI script.
But, as I understand it, this is a different story with geoserver:
geoserver doesn't require Apache or any other web server, it is a
standalone server. And current geoserver doesn't support
authentication.

>
> The browser will then take care of all the authentication for you: the
> initial request for the image will be received with a 401, which will
> result in the user being prompted for a password. Each subsequent image
> load will then use the cached password. So long as you can establish
> that users typing in a password to get access to the data is acceptable,
> this is the best way to go about it.
>
> Regards,
> --
> Christopher Schmidt
> MetaCarta
>
--
Eric
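
Added example, not part of the original thread or of any project mentioned in it: one way to implement the temporary-token check described in the quoted reply, as the decision a wrapper script would make before passing a request on to the WMS. The `token` parameter name, the `site:expiry:signature` layout, the secret and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs

# Assumption: a server-side secret shared by the page that issues tokens and
# the wrapper in front of the WMS. Constructed value for this example.
SECRET = b"example-secret-change-me"
TOKEN_TTL = 300  # seconds a granted token stays valid


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(site, now=None):
    """Grant a temporary token bound to a site name and an expiry time."""
    expires = int((time.time() if now is None else now) + TOKEN_TTL)
    payload = f"{site}:{expires}"
    return f"{payload}:{_sign(payload)}"


def check_token(token, now=None):
    """True only for a well-formed, correctly signed, unexpired token."""
    try:
        site, expires, sig = token.rsplit(":", 2)
        expiry = int(expires)
    except ValueError:
        return False
    expected = _sign(f"{site}:{expires}")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return (time.time() if now is None else now) < expiry


def authorize_wms_request(query_string, now=None):
    """HTTP status the wrapper answers with; 200 means forward to the WMS."""
    # WMS parameter names are case-insensitive, so normalise the keys.
    params = {k.lower(): v for k, v in parse_qs(query_string).items()}
    tokens = params.get("token", [])
    if len(tokens) != 1 or not check_token(tokens[0], now):
        return 403
    return 200
```

Because the expiry is covered by the HMAC, a client cannot extend a token's lifetime, and the wrapper needs no per-token state. A token copied by another party still works until it expires, so the TTL bounds reuse rather than preventing it.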