Tyler Erickson wrote:
Andrea,
I was thinking more about the tests that I ran on the per-layer security, and I think that I overlooked a potential issue. When an anonymous user tries to make a WMS request against a secured service using a browser, they currently receive a ServiceExceptionReport with code="LayerNotDefined" response. I would have expected that the browser would have presented the user with a dialog box for entering the HTTP Basic Authentication information. How would such a user go about authenticating?
Tyler,
you're bringing up a very good point, I wondered about this too
when implementing the code.
Basically when dealing with data that the current user cannot even
read there are two approaches:
a) don't show the data at all, if the user did not authenticate, the
data is not there
b) list the data the user cannot access in the capabilities documents,
but throw a security error prompting the user to authenticate himself.
In the code I implemented approach a) because it was somewhat simpler,
and because it implements a stronger security than b). With a) you
cannot even infer that data is there, whilst with b) you gain access
to the fact the data is there, and there is some way to get to it
(think brute force attack).
On the other hand, client software such as uDig does not let you
authenticate during the connection setup, but expects an HTTP 401
code in order to prompt the user for a username/password request.
Hard question: blue pill or red pill? Or maybe a configurable pill,
with blue and red buttons?
Cheers
Andrea
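The two approaches Andrea describes, as an added example that is not part of the thread or of GeoServer's code: a toy WMS authorizer with a configurable mode, where "hide" makes a forbidden layer look exactly like a nonexistent one and "challenge" advertises the layer but answers with a 401 so clients such as uDig prompt for credentials. Layer names, users, roles and the mode flag are constructed for the illustration.

```python
import base64

# Constructed catalogue: layer name -> roles allowed to read it (None = public)
LAYERS = {"roads": None, "parcels": {"ROLE_SURVEY"}}
# Constructed user store: username -> (password, roles)
USERS = {"bob": ("s3cret", {"ROLE_SURVEY"})}

def basic_header(user, password):
    """Build the Authorization header a browser or uDig would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}

def roles_for(headers):
    """Roles of the caller from HTTP Basic credentials; None if anonymous or wrong."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    rec = USERS.get(user)
    return rec[1] if rec and rec[0] == pw else None

def can_read(layer, roles):
    needed = LAYERS[layer]
    return needed is None or bool(roles and roles & needed)

def service_exception(code):
    # A WMS exception document travels in the body; the HTTP status stays 200
    body = f'<ServiceExceptionReport><ServiceException code="{code}"/></ServiceExceptionReport>'
    return 200, {}, body

def get_capabilities(headers, mode="hide"):
    """Approach a) lists only readable layers; approach b) advertises all of them."""
    roles = roles_for(headers)
    return sorted(l for l in LAYERS if mode == "challenge" or can_read(l, roles))

def get_map(layer, headers, mode="hide"):
    """mode='hide' (approach a): a forbidden layer is indistinguishable from a missing one.
    mode='challenge' (approach b): a forbidden layer yields 401 so clients prompt for credentials."""
    if layer not in LAYERS:
        return service_exception("LayerNotDefined")
    if can_read(layer, roles_for(headers)):
        return 200, {"Content-Type": "image/png"}, b"<png bytes>"
    if mode == "hide":
        return service_exception("LayerNotDefined")
    return 401, {"WWW-Authenticate": 'Basic realm="WMS"'}, ""
```

In "hide" mode the anonymous response for a secured layer is byte-for-byte the same as for an unknown layer, which is the property Andrea trades away when switching to the 401 challenge.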