Tyler Erickson wrote:
> Andrea,
>
> Sorry for the delayed reply... I just returned to the office.
>
> How about the following (purple pill) approach:
> c) prompt the user to authenticate (or reply with a 401 error) if a user
> tries to read a protected data layer; and list the data in the
> capabilities document only when the user is authenticated and authorized
>
> That way, an outside user would not be able to determine the name of the
> layer for a brute force attack.

Well, with a brute force attack they'll eventually be able to, but given we have no limits to the number of chars in the layer name, it's actually quite hard to spot.

Seems a reasonable compromise to me. What do other people think?

Cheers
Andrea

_______________________________________________
Geoserver-devel mailing list
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
