An approach that is increasingly common in such situations is to use something like OAuth - http://oauth.net/documentation/getting-started.

The basic idea is to add a "signature" to the request that is a hash of service+operation+timestamp with a secret-key. This is passed in the request header along with the access-key and timestamp - then on the server side, you compare timestamps (diff < some delta) and then generate a test signature based on the request, the request-header timestamp, and the secret-key (which the server looks up based on the access-key); if these match, perform the operation. Many will recognize that this is the approach used by many Amazon services including S3, SQS, SimpleDB, etc.

If you do this in some server wrapper or middle layer, you can then issue the backend request complete w/ http-auth on a secure and/or private connection after successful OAuth, then return the results. I guess you'd call this an OAuth-to-HttpAuth proxy...

Cheers,
[email protected]

On Tue, Feb 17, 2009 at 12:59 PM, mmf <[email protected]> wrote:
>
> warden, do you mean by "validation" checking the referer of the user
> client to see if the user client operates based on my website? Is that
> a secure way? I heard that there are browser plugins which allow to
> suppress the transmission of the referer ...
>
> On 17 Feb., 17:22, "warden [Andrew Leach - Maps API Guru]"
> <[email protected]> wrote:
> > On Feb 17, 4:13 pm, mmf <[email protected]> wrote:
> >
> > > Thank you for this information. But how can I then access tiles from
> > > an authenticated OGC-Server without exposing my login credentials??
> > > The server requires httpd authentication. There is no way around that.
> >
> > I suppose you could use a proxy. Anonymous requests go to the proxy
> > which handles the authentication with the OGC server. Your proxy
> > script would need to do *some* validation or you run the risk of
> > others misusing your OGC account.
> >
> > Andrew
> >

You received this message because you are subscribed to the Google Groups "Google Maps API" group.
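The signed-request check described in the reply above, as an added example that is not part of the original thread. It assumes HMAC-SHA256 as the keyed hash; the header names, the key store and the sample key are hypothetical.

```python
import hashlib
import hmac
import time

# Constructed sample key store: access-key -> secret-key (hypothetical values).
SECRETS = {"AKEXAMPLE1": b"constructed-demo-secret"}
MAX_SKEW = 300  # seconds; the "delta" allowed between client and server clocks


def sign(secret, service, operation, timestamp):
    """HMAC-SHA256 over newline-separated fields (values must not contain newlines)."""
    msg = "\n".join([service, operation, str(int(timestamp))]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def client_headers(access_key, secret, service, operation, now=None):
    """Headers the client sends: only the signature travels, not the secret."""
    ts = int(time.time() if now is None else now)
    return {
        "X-Access-Key": access_key,
        "X-Timestamp": str(ts),
        "X-Signature": sign(secret, service, operation, ts),
    }


def verify(headers, service, operation, now=None):
    """Proxy-side check before the backend request is issued; returns (ok, reason)."""
    now = time.time() if now is None else now
    secret = SECRETS.get(headers.get("X-Access-Key", ""))
    if secret is None:
        return False, "unknown access key"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside window"
    # Recompute from the request as received and compare in constant time.
    expected = sign(secret, service, operation, ts).encode()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "").encode()):
        return False, "signature mismatch"
    return True, "ok"
```

A request that verifies once will verify again until its timestamp leaves the window, so the delta bounds replay rather than preventing it.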
