Hello, I've done the implementation, so I think I have to explain the function of index.php:
On Monday, 05 July 2010, at 21:50:04, Karim Malhas wrote:
> Hi Vikas,
>
> > I have a couple of queries regarding the earlier implementation of http
> > auth -
> > 1) what is ows proxy? I found the article on OWS Proxy in Mapbender wiki
> > but that is written in German. It would be really nice if somebody could
> > explain me the concept in brief.
>
> I don't think I have fully understood it either, so someone correct me
> please. The general idea is to obscure which host a WMS is served by
>
> So
>
> "http://wms5.example.net/wms?version=1.0&service=wms&request=getCapabilites"
>
> becomes:
>
> "http://www.example.com/owsproxy/87502jd23roc3hf3q?version=1.0&service=wms&request=getCapabilites"
>
> All the client sees is the second url and won't know that the wms is
> accessible via the other url as well. There's some black magic in
> that hashlike string, which somehow restricts access by user, but I
> don't really know the details and for all I know it's easily replaced
> by a HTTP Proxy requiring authentication.
>

I think the explanation is quite ok. The owsproxy module is a simple PHP-based script which controls the incoming WMS and WFS requests and decides if a user has the right to access the server. The decision is made by controlling the authorization which is stored in the Mapbender database. Mapbender uses an authorization which is defined over the GUIs. A person who has the right to access a GUI also has the right to access the services included in this GUI. The script controls the session and the IP of the user, but the problem is that the user has to authenticate at Mapbender before - to set the session!

The redirecting of the dynamic service URLs, as Karim has shown above, to the script itself is done with Apache URL rewriting or proxy functions. With this function Mapbender becomes an OGC web service security proxy. The requests can be logged into the Mapbender database.
Every owner of an OWS in Mapbender can decide to activate this function by checking a checkbox for this service in the administration menu. The problem was that the URLs of these secured services are dynamic, but the services should be integrated in desktop GIS systems and the users don't want to alter the service URLs when the Mapbender session is no longer active. The solution is a stable URL - which is somewhat RESTful - available from the Mapbender 'service registry' by layerid:

https://www.geoportal.rlp.de/http_auth/27421?REQUEST=GetCapabilities&VERSION=1.1.1&SERVICE=WMS

The http_auth module - which you found - is comparable to the ows proxy module but controls the access to the proxy-secured resource by http_digest authentication. The users of the Mapbender registry can easily integrate every registered service in their desktop GIS clients by using their Mapbender accounts and the http_digest authentication method. The services come from many different institutions but are all registered in one Mapbender database. The authorization is done decentrally! It's a very simple but efficient way to handle a big group of different OWS and to make it easy for the users and providers of these OWS.

> > 2) Earlier implementation assumes that there is a column in the mb-user
> > table called digest which already contains the digest. Does any column
> > already exist ? or there are plans to include them in the table? In my
> > implementation I am calculating the hash each time authentication is
> > required.

The mb_user_digest is a standard column in mapbender_trunk. There are some functions which are not already integrated in Mapbender (but in our application - http://www.geoportal.rlp.de - where TYPO3 wraps the Mapbender user administration): setting the digest, changing the digest when changing mb_user_name, mb_user_email or realm. We cannot store the password in cleartext in the Mapbender database - therefore we have to generate the digest before!
>
> I guess that's ok, we can always optimize later.
>
> Regards,
> Karim
>
> _______________________________________________
> Mapbender_dev mailing list
> [email protected]
> http://lists.osgeo.org/mailman/listinfo/mapbender_dev

--
On behalf of
--
Armin Retterath
Kompetenz- und Geschäftsstelle Geodateninfrastruktur Rheinland-Pfalz
beim Landesamt für Vermessung und Geobasisinformation Rheinland-Pfalz
Ferdinand-Sauerbruch-Straße 15
56073 Koblenz
Phone 0261/492-466
Fax 0261/492-492
[email protected]
http://www.geoportal.rlp.de
