Archive for the ‘security’ Category
Setting up a Secure Cascading WMS on MapServer
There are a number of benefits to using a cascading WMS service – a WMS service that is read and then forwarded on through an intermediary WMS server:
- you can cache the service (for example with TileCache) to greatly improve performance
- your application need only worry about a single point of connection, using WMS layers aggregated from many different sources
- you can add additional metadata missing from the source
- services can be reprojected (using GDAL)
- you can merge WMS layers together and serve them out as a new map layer
There are also some negatives:
- you have additional server configuration to set up and maintain
- if you are not adding or changing the WMS service you should probably connect to the WMS service directly in the client applications, otherwise there will be a performance hit
- caching may contravene the licensing agreement of the original WMS source
The rest of this post details the steps in setting up a cascading WMS using MapServer. You need MapServer 5.4.1 or higher to implement a secure cascaded WMS service. This example uses a 64-bit version of MapServer 5.6 taken from Tamas Szekeres’s autobuilds site installed in a C:\ms4w64 folder. It also assumes MapServer has been configured with SSL as detailed in another post. In this example I use IIS and Windows Server 2003.
Web Mapping Services & Security
For the majority of public GIS systems I’ve worked on all the data in a database is available to users via the mapping interface. If someone wanted to hack in and “steal” data the only concern would be the bandwidth they took up. Security for these systems is fairly low down on the list of priorities, if it’s on the list at all.
GIS systems with organisational data are often only accessible (in theory) through an Intranet, so if the network is well protected then so is the GIS.
There have only been a few mapping systems I’ve worked on where there is a mix of public data and datasets with restrictive access in the same database. The location of rare bird species (people will go to some lengths for a rare egg) and hallucinogenic mushrooms in a Biodiversity GIS being an example.
I’m currently designing a MapServer system that will serve out WMS layers to the public, and a few which are limited to certain IP address ranges. WMS and security was something I had never previously investigated. The rest of this post outlines the current situation, and an attempt to restrict WMS access on my server.