[OpenLayers-Users] Control access to WMS
Daniel Morissette
dmorissette at mapgears.com
Tue Oct 13 14:23:18 EDT 2009
Christopher Schmidt wrote:
> On Tue, Oct 13, 2009 at 10:56:26AM -0400, Steve.Toutant at inspq.qc.ca wrote:
>>
>> I would like to control the access to this WMS, so people can use it via
>> my application, but can not "call" the WMS to use it in their client
>> application. The reason is there is a "context" that comes with this WMS.
>> Without it the data can be misinterpreted.
>
> It sounds like what you want is user access controls. Using Apache,
> it is possible to limit access to users with a username and password or
> other similar functionality. Without this type of limitation, there really
> isn't anything you can do to prevent other applications or users from
> accessing the data directly if there really is a desire to spread the
> data around.
>
One option to explore may be to use a wrapper script for your MapServer
WMS that checks the HTTP_REFERRER CGI environment variable value and
ensures that the WMS requests come from your openlayers website. If the
HTTP_REFERRER doesn't match the URL of the website hosting your
openlayers app then the WMS request would be rejected.
I am not 100% sure that an ill intentioned person could not bypass this
protection, but that could at least be used to prevent general access.
See the MapServer WMS HOWTO for examples of wrapper scripts for WMS
requests to help you get started:
http://mapserver.org/ogc/wms_server.html#more-about-the-online-resource-url
Actually, it may be possible to use a SetEnvIf directive directly in the
Apache config instead of a wrapper. The following (untested!) example
may do the trick
First add this to your Apache config:
# Force MapServer to accept mapfiles refs only using env vars
SetEnv MS_MAP_NOPATH "yes"
# And set MYMAP only if the Referrer is coming from this site
SetEnvIfNoCase Referer "www\.mydomain\.com" MYMAP=/path/to/mapfile.map
Then your WMS requests should refer to the mapfile using "map=MYMAP"
instead of a full path. If the referrer is not valid, then MYMAP will
not be set and MapServer will spit out an error.
For more info, see:
http://trac.osgeo.org/mapserver/wiki/EnvironmentVariables
and
http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html
Daniel
--
Daniel Morissette
http://www.mapgears.com/
More information about the Users
mailing list