[Mapbender_dev] http_auth wrt layers and wms services

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[Mapbender_dev] http_auth wrt layers and wms services

Michael Schulz
Hi Devs,

currently I am testing the http_auth module and I can say it is really
cool. I will soon update the wiki page since we discovered, that when
using php as a cgi module you will need one additional apache
rewriting rule in order for http_auth to work. I have a question,
about the general behaviour of the http_auth and the involved wms.php
script. Since the module was developped for the Geoportal RLP its
paradigm is a layer based approach to generating capabilities
documents.

In my use case a central mapbender installation shall be used to serve
different complete wms-services to the users, that themselves used
also either a mapbender or a desktop GIS to consume the services. For
this use-case it is not practical to have each layer of a wms served
by separate capabilities document.

That's why I would like to suggest an additional http_auth
configuration parameter in mapbender.conf, that switches between
either the layer based approach or a service based approach. In the
service based variant when a getcapabilities request is made to any
layer of a wms service the complete wms service with all layers is
returned to the caller.

At a first glance this is only a minimal change (atm if this wms based
approach is requested, I just dont append the layer id to the sql
querying a wms sublayers, wms.php line 775+), but I'm under the
impression that wms.php is currently not able to handle nested layers.
Can someone confirm this? If this is the case, I would have to look
into wms.php to be able to retrieve also nested layer structures in a
wms service, presumbly recursive.

Are there any major objections to such a change, because of
side-effects I haven't thought of? Armin, what do you think?

Cheers, Michael

--
-----------------------------------------------------------
Michael Schulz
[hidden email]

in medias res
Gesellschaft für Informationstechnologie mbH

Schwimmbadstraße 2
D-79100  Freiburg i. Br.

Tel:  +49 (0)761 705798-102
Tel:  +49 (0)761 705798-0
Fax: +49 (0)761 705798-09

http://www.webgis.de / http://www.zopecms.de
--------------------------------------------------------------
Geschäftsführer: Stefan Giese, Dr. Christof Lindenbeck
Eingetragen im Handelsregister HRB 5930 beim Amtsgericht Freiburg
_______________________________________________
Mapbender_dev mailing list
[hidden email]
http://lists.osgeo.org/mailman/listinfo/mapbender_dev
Reply | Threaded
Open this post in threaded view
|

Re: [Mapbender_dev] http_auth wrt layers and wms services

armin11
hi michael,

we have defined a task for the wheregroup last year, but there are too much
other things, so this task has not been done til now. we thought about adding
an additional get parameter to the wms script which control the behaviour. it
should say s.th. like 'with childs' or 'without'. so you can use it also for
requesting a special group of layers!
we must beware of the mapbender proxy authorization, cause it is possible to
give access to single layers.
the authorization component looks for guis. if an object with a special id is
activated in a gui and a user or a group have the right to access this gui,
the user and/or group have also the right to access the layer/wms thru the
security proxy. we discussed this approach 2 weeks ago when thinking about
mapbender30. unfortunately we have no solution til now :-(.

greetings from koblenz
armin


Am Mittwoch 01 Dezember 2010, um 10:05:01 schrieb Michael Schulz:

> Hi Devs,
>
> currently I am testing the http_auth module and I can say it is really
> cool. I will soon update the wiki page since we discovered, that when
> using php as a cgi module you will need one additional apache
> rewriting rule in order for http_auth to work. I have a question,
> about the general behaviour of the http_auth and the involved wms.php
> script. Since the module was developped for the Geoportal RLP its
> paradigm is a layer based approach to generating capabilities
> documents.
>
> In my use case a central mapbender installation shall be used to serve
> different complete wms-services to the users, that themselves used
> also either a mapbender or a desktop GIS to consume the services. For
> this use-case it is not practical to have each layer of a wms served
> by separate capabilities document.
>
> That's why I would like to suggest an additional http_auth
> configuration parameter in mapbender.conf, that switches between
> either the layer based approach or a service based approach. In the
> service based variant when a getcapabilities request is made to any
> layer of a wms service the complete wms service with all layers is
> returned to the caller.
>
> At a first glance this is only a minimal change (atm if this wms based
> approach is requested, I just dont append the layer id to the sql
> querying a wms sublayers, wms.php line 775+), but I'm under the
> impression that wms.php is currently not able to handle nested layers.
> Can someone confirm this? If this is the case, I would have to look
> into wms.php to be able to retrieve also nested layer structures in a
> wms service, presumbly recursive.
>
> Are there any major objections to such a change, because of
> side-effects I haven't thought of? Armin, what do you think?
>
> Cheers, Michael


--
Im Auftrag
--
Armin Retterath

Kompetenz- und Geschäftsstelle Geodateninfrastruktur Rheinland-Pfalz
beim
Landesamt für Vermessung und Geobasisinformation Rheinland-Pfalz

Ferdinand-Sauerbruch-Straße 15
56073 Koblenz
Telefon 0261/492-466
Telefax 0261/492-492
[hidden email]
http://www.geoportal.rlp.de
_______________________________________________
Mapbender_dev mailing list
[hidden email]
http://lists.osgeo.org/mailman/listinfo/mapbender_dev
Reply | Threaded
Open this post in threaded view
|

Re: [Mapbender_dev] http_auth wrt layers and wms services

Michael Schulz
Hi Armin,

yeah, that is true. I also though about adding an additional request
parameter, but this should already be present at the call via the
http_auth url, right? Sth. like .../http_auth/layer/42235 or
.../http_auth/service/34345 maybe? Another option would be to return
the complete service with all layers, when the root layer is requested
and otherwise only the layer and its children. The layer permissions
should be taken into account and not allowed i.e. not activated layers
in a users gui should be omitted.

Actually I like the second option better. I am not sure whether its
useful to return only the requested layer, if that layer has children,
esp. when the requested layer may be only a layer container and could
even not be drawn separately.

Cheers, Michael

Am 1. Dezember 2010 10:20 schrieb Armin Retterath
<[hidden email]>:

> hi michael,
>
> we have defined a task for the wheregroup last year, but there are too much
> other things, so this task has not been done til now. we thought about adding
> an additional get parameter to the wms script which control the behaviour. it
> should say s.th. like 'with childs' or 'without'. so you can use it also for
> requesting a special group of layers!
> we must beware of the mapbender proxy authorization, cause it is possible to
> give access to single layers.
> the authorization component looks for guis. if an object with a special id is
> activated in a gui and a user or a group have the right to access this gui,
> the user and/or group have also the right to access the layer/wms thru the
> security proxy. we discussed this approach 2 weeks ago when thinking about
> mapbender30. unfortunately we have no solution til now :-(.
>
> greetings from koblenz
> armin
>
>
> Am Mittwoch 01 Dezember 2010, um 10:05:01 schrieb Michael Schulz:
>> Hi Devs,
>>
>> currently I am testing the http_auth module and I can say it is really
>> cool. I will soon update the wiki page since we discovered, that when
>> using php as a cgi module you will need one additional apache
>> rewriting rule in order for http_auth to work. I have a question,
>> about the general behaviour of the http_auth and the involved wms.php
>> script. Since the module was developped for the Geoportal RLP its
>> paradigm is a layer based approach to generating capabilities
>> documents.
>>
>> In my use case a central mapbender installation shall be used to serve
>> different complete wms-services to the users, that themselves used
>> also either a mapbender or a desktop GIS to consume the services. For
>> this use-case it is not practical to have each layer of a wms served
>> by separate capabilities document.
>>
>> That's why I would like to suggest an additional http_auth
>> configuration parameter in mapbender.conf, that switches between
>> either the layer based approach or a service based approach. In the
>> service based variant when a getcapabilities request is made to any
>> layer of a wms service the complete wms service with all layers is
>> returned to the caller.
>>
>> At a first glance this is only a minimal change (atm if this wms based
>> approach is requested, I just dont append the layer id to the sql
>> querying a wms sublayers, wms.php line 775+), but I'm under the
>> impression that wms.php is currently not able to handle nested layers.
>> Can someone confirm this? If this is the case, I would have to look
>> into wms.php to be able to retrieve also nested layer structures in a
>> wms service, presumbly recursive.
>>
>> Are there any major objections to such a change, because of
>> side-effects I haven't thought of? Armin, what do you think?
>>
>> Cheers, Michael
>
>
> --
> Im Auftrag
> --
> Armin Retterath
>
> Kompetenz- und Geschäftsstelle Geodateninfrastruktur Rheinland-Pfalz
> beim
> Landesamt für Vermessung und Geobasisinformation Rheinland-Pfalz
>
> Ferdinand-Sauerbruch-Straße 15
> 56073 Koblenz
> Telefon 0261/492-466
> Telefax 0261/492-492
> [hidden email]
> http://www.geoportal.rlp.de
> _______________________________________________
> Mapbender_dev mailing list
> [hidden email]
> http://lists.osgeo.org/mailman/listinfo/mapbender_dev
>



--
-----------------------------------------------------------
Michael Schulz
[hidden email]

in medias res
Gesellschaft für Informationstechnologie mbH

Schwimmbadstraße 2
D-79100  Freiburg i. Br.

Tel:  +49 (0)761 705798-102
Tel:  +49 (0)761 705798-0
Fax: +49 (0)761 705798-09

http://www.webgis.de / http://www.zopecms.de
--------------------------------------------------------------
Geschäftsführer: Stefan Giese, Dr. Christof Lindenbeck
Eingetragen im Handelsregister HRB 5930 beim Amtsgericht Freiburg
_______________________________________________
Mapbender_dev mailing list
[hidden email]
http://lists.osgeo.org/mailman/listinfo/mapbender_dev