[OpenLayers-Users] Control access to WMS

Christopher Schmidt crschmidt at metacarta.com
Tue Oct 13 14:39:18 EDT 2009


On Tue, Oct 13, 2009 at 02:23:18PM -0400, Daniel Morissette wrote:
> Christopher Schmidt wrote:
> > On Tue, Oct 13, 2009 at 10:56:26AM -0400, Steve.Toutant at inspq.qc.ca wrote:
> >>
> >> I would like to control the access to this WMS, so people can use it via 
> >> my application, but can not "call" the WMS to use it in their client 
> >> application. The reason is there is a "context" that comes with this WMS. 
> >> Without it the data can be misinterpreted.
> > 
> > It sounds like what you want is user access controls. Using Apache,
> > it is possible to limit access to users with a username and password or
> > other similar functionality. Without this type of limitation, there really
> > isn't anything you can do to prevent other applications or users from 
> > accessing the data directly if there really is a desire to spread the
> > data around.
> > 
> 
> One option to explore may be to use a wrapper script for your MapServer 
> WMS that checks the HTTP_REFERRER CGI environment variable value and 
> ensures that the WMS requests come from your openlayers website. If the 
> HTTP_REFERRER doesn't match the URL of the website hosting your 
> openlayers app then the WMS request would be rejected.
> 
> I am not 100% sure that an ill intentioned person could not bypass this 
> protection, but that could at least be used to prevent general access.

Two flaws in this:
 * Sometimes browsers are configured not to send referers
 * Any ill-intentioned person can fake the referer.

If you care about people 'stumbling in', this would be sufficient. If you
actually want to ensure people can't use the data outside of your app,
it's not.

> Actually, it may be possible to use a SetEnvIf directive directly in the 
> Apache config instead of a wrapper. The following (untested!) example 
> may do the trick
> 
> First add this to your Apache config:
> 
> # Force MapServer to accept mapfiles refs only using env vars
> SetEnv MS_MAP_NOPATH "yes"
> # And set MYMAP only if the Referrer is coming from this site
> SetEnvIfNoCase Referer "www\.mydomain\.com" MYMAP=/path/to/mapfile.map
> 
> Then your WMS requests should refer to the mapfile using "map=MYMAP" 
> instead of a full path. If the referrer is not valid, then MYMAP will 
> not be set and MapServer will spit out an error.
> 
> For more info, see:
>    http://trac.osgeo.org/mapserver/wiki/EnvironmentVariables
> and
>    http://httpd.apache.org/docs/2.0/mod/mod_setenvif.html

Yeah, something like that is what I would probably do if I wanted something
that was obscurity and not security. :)

Regards,
-- 
Christopher Schmidt
MetaCarta
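
The username-and-password restriction mentioned at the top of the thread, shown next to the env-var mapfile trick, as an added example that is not part of the original messages. The `/cgi-bin/mapserv` location, the realm name and the htpasswd path are assumptions; `MS_MAP_NOPATH` and `MYMAP` are taken from the quoted config.

```apache
# Added example: gate the MapServer CGI on authentication instead of Referer.
# Assumed layout: MapServer is served at /cgi-bin/mapserv.
<Location "/cgi-bin/mapserv">
    # As in the quoted config: mapfiles may only be named through env vars,
    # so map= cannot point at an arbitrary path on disk.
    SetEnv MS_MAP_NOPATH "yes"

    # MYMAP is set unconditionally here. Access is decided by the
    # authentication below, not by a header the client supplies.
    SetEnv MYMAP /path/to/mapfile.map

    # HTTP Basic authentication against a password file.
    # Create the file with: htpasswd -c /etc/apache2/wms.htpasswd someuser
    # (path and user name are placeholders).
    AuthType Basic
    AuthName "WMS access"
    AuthUserFile "/etc/apache2/wms.htpasswd"
    Require valid-user
</Location>
```

Basic authentication sends the password with every request, so this location should only be reachable over HTTPS. WMS requests still use `map=MYMAP`, as in the quoted message.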


