[OpenLayers-Users] Control access to WMS
Guillaume Sueur
no-reply at neogeo-online.net
Wed Oct 14 17:03:39 EDT 2009
>
> Thanks Robert,
> Interesting.
> If someone is using a client such as gaia or qgis, can he access the
> layers only by entering "http://10.64.20.120/cgi-bin/gsswms.exe?" as
> the URL?
> Or if we do a getMap request, what happens?
>
If it was a public server it should, yes, which doesn't give this
approach any access control solution, just a "hide map" solution.
I think that mixing referer control (request must come from a specific
site) AND browser control (reject all perl, python, curl, wget stuff
which can set a fake referer) can give good control over the access,
without having to handle authentication. Am I wrong?
Guillaume
> I tried, but maybe it is not a public site
> Steve
>
> Steve Toutant, M. Sc.
> Analyste en géomatique
> Secteur environnement
> Direction des risques biologiques, environnementaux et occupationnels
> Institut national de santé publique du Québec
> 945, avenue Wolfe
> Québec, Qc G1V 5B3
>
> Tél.: (418) 650-5115 #5281
> Fax.: (418) 654-3144
> steve.toutant at inspq.qc.ca
> http://www.inspq.qc.ca
>
> "Robert Sanson" <SansonR at asurequality.com>@openlayers.org
> Sent by: users-bounces at openlayers.org
> 14/10/2009 03:34 PM
>
> To: <Steve.Toutant at inspq.qc.ca>, "Daniel Morissette" <dmorissette at mapgears.com>, <users-bounces at openlayers.org>
> cc: users at openlayers.org
> Subject: Re: [OpenLayers-Users] Control access to WMS
>
> I have made copies of mapserv.exe in my cgi-bin to other names such as
> gsswms.exe. I then have a line at the bottom of httpd.conf:
>
> SetEnvIf Request_URI "/cgi-bin/gsswms.exe?" MS_MAPFILE=/ms4w/apps/service/nztm.map
>
> So I then use a layer definition for OL such as :
>
> var topowms = new OpenLayers.Layer.WMS(
>     "Topos",
>     "http://10.64.20.120/cgi-bin/gsswms.exe?",
>     {
>         layers: ['nzislands', 'nznoaa', 'nz1mtm', 'nz250ktm', 'ci250k', 'nz50ktm', 'ci50kcitm'],
>         transparent: 'true',
>         format: "image/png"
>     },
>     {singleTile: true, isBaseLayer: false, minResolution: 2000, visibility: false}
> );
>
> regards,
>
> Robert Sanson
>
> >>> <Steve.Toutant at inspq.qc.ca> 15/10/2009 2:53 a.m. >>>
>
> Thanks all for your help,
> I'll have in a near future to implement a fully secured private site
> since I'm gonna have to publish VERY sensitive data via WMS. I can tell
> that this issue scares the IT group. Story to follow...
> But for now, obscurity is sufficient.
>
> I'm a bit in obscurity myself regarding http_referer... I need to know
> more about the mechanics...
> It's not clear what I should do in the mapfile and in my OpenLayers
> code?
>
> I added Daniel's code in Apache conf.
>
> "Then your WMS requests should refer to the mapfile using "map=MYMAP"
> instead of a full path. If the referrer is not valid, then MYMAP will
> not be set and MapServer will spit out an error."
>
> Do I need to use the MYMAP environment variable in the mapfile or in
> OL code, or both?
>
> I'm using OpenLayers to create a WMS layer with new
> OpenLayers.Layer.WMS(name, url, params, options);
> Instead of the path of the mapfile should I use MYMAP (environment
> variable MYMAP defined in the conf of Apache)? If so, is there some
> magic there to get the environment variable value? Should I get it
> with some php code?
>
> Thanks
> Steve
>
> Daniel Morissette <dmorissette at mapgears.com>@openlayers.org
> Sent by: users-bounces at openlayers.org
> 13/10/2009 02:56 PM
>
> To: users at openlayers.org
> cc:
> Subject: Re: [OpenLayers-Users] Control access to WMS
>
> Christopher Schmidt wrote:
> >
> > If you care about people 'stumbling in', this would be sufficient. If you
> > actually want to ensure people can't use the data outside of your app,
> > it's not.
> >
> [...]
> >
> > Yeah, something like that is what I would probably do if I wanted something
> > that was obscurity and not security. :)
> >
>
> I agree (and I never used the word security). But this may be sufficient
> in some simple cases. :)
>
> And for a more complete Access Control solution, everyone is invited to
> a presentation of the new GeoPrisma project in a conference near you:
>
> FOSS4G 2009 (Sydney, 2009-10-23):
> http://2009.foss4g.org/presentations/#presentation_146
>
> Géomatique 2009 (Montréal, 2009-10-21):
> http://www.geomatique2009.com/en/papers/program
>
> Daniel
> --
> Daniel Morissette
> http://www.mapgears.com/
> _______________________________________________
> Users mailing list
> Users at openlayers.org
> http://openlayers.org/mailman/listinfo/users
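
Added example (not part of the original message, and not code from any project named in the thread): the Referer plus User-Agent filter discussed above, next to a server-issued HMAC token check swapped in as a contrast. The site URL, secret, header values and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

const ALLOWED_REFERER = 'http://maps.example.org/'; // hypothetical site
const SCRIPT_AGENTS = /perl|python|curl|wget/i;     // clients named in the thread
const SECRET = 'constructed-demo-secret';           // sample value, server-side only

// The filter proposed in the thread. Both inputs are chosen by the client,
// so this only screens out clients that describe themselves honestly.
function headerGate(headers) {
  const referer = headers['referer'] || '';
  const agent = headers['user-agent'] || '';
  return referer.startsWith(ALLOWED_REFERER) && !SCRIPT_AGENTS.test(agent);
}

function sign(user, expires) {
  return crypto.createHmac('sha256', SECRET).update(`${user}|${expires}`).digest('hex');
}

// Contrast (assumption: a login step exists that hands out this token).
function issueToken(user, expires) {
  return `${user}|${expires}|${sign(user, expires)}`;
}

// Accept only tokens whose MAC verifies under the server secret and
// whose expiry is still in the future.
function tokenGate(token, now) {
  const parts = String(token || '').split('|');
  if (parts.length !== 3) return false;
  const [user, expires, mac] = parts;
  const a = Buffer.from(mac);
  const b = Buffer.from(sign(user, expires));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  return Number(expires) > now;
}

// Constructed sample requests.
const browser = {
  'referer': 'http://maps.example.org/viewer.html',
  'user-agent': 'Mozilla/5.0 (Windows NT 6.0) Firefox/3.5'
};
// A non-browser client sending the same two strings looks identical.
const sameHeadersOtherClient = { ...browser };
// A desktop WMS client or tool that identifies itself is the only one rejected.
const selfIdentifyingTool = { 'referer': '', 'user-agent': 'curl/7.19' };
```

The header gate returns the same answer for the browser and for any client repeating its headers, which is why the thread calls it obscurity; the token gate depends on a secret the client never holds.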