Context Navigation

← Previous Ticket
Next Ticket →

#180 closed enhancement (fixed)

AccessFilter addition

Reported by:	jlacroix	Owned by:	jlacroix
Priority:	major	Milestone:
Component:	server	Version:
Keywords:		Cc:

Description

I would like to add a new notion in GeoPrisma: AccessFilter.

This would be a tool to add some intelligence to Resource access. This would GP to look in the session or in a DB or in the URL for specific information before authorizing a resource and, optionally, modify the request to be sent to the service. This go beyond the ACL authorization since it can modify the request to the service.

Here's an example:

Allow a WMS resource only to a user only if the session variable 'MY_PARAM' is set.
Add to the URL of every WMS call &URLVAR=CONTENT_OF_MYPARAM.

Another example:

Allow access to a resource only if the request is inside a specific BBox

What I have in mind is:

Add a <AccessFilters> node
Add one or more <AccessFilter> to a resource in the <Resource> tag.

Let me know if you have any comment.

Change History (2)

comment:1 by jlacroix, 13 years ago

Owner:	set to jlacroix

A new tag in the config will be added: <accessfilter>

They will have a <name> and one or more <condition>

<condition> will have a specific syntax to describe an AccessFilter behavior. There will be 4 tags separated by ##. The tags will be: the filter type, the input to valid, the behavior on a valid filter and the behavior on an invalid filter.

Here's the possible values of each tags:

filter type

ISSET: validate the the input is set and true.
BBOX: validate that the input is a valid BBox and make sure the BBox requested is inside it.

Input

SESSION: To get a value from the session use the format: SESSION:session_variable
Everything else is plain text

Behaviors

URLPARAM: Add a parameter in a URL
IMG: Replace the request to the server by another URL
ACL: Throw an ACL exception error

Here's some examples:

This will change the URL of the request to display icon_ok.png if the filter is valid or icon_cancel.png if the filter is invalid.

<condition>BBOX##-2200000,-712631,3072800,3840000##IMG:icon_ok.png##IMG:icon_cancel.png</condition>

This will add the user name (from the session) to the URL of every call for this resource or throw an exception.

<condition>ISSET##SESSION:login_username##URLPARAM:user##</condition>

This will make sure the BBOX of every call to this resource is within the BBOX in the SESSION for this user. If it's not, it will return a blank image otherwise, nothing happen.

<condition>BBOX##SESSION:user_bbox####a_pixel.gif</condition>

comment:2 by jlacroix, 13 years ago

Resolution:	→ fixed
Status:	new → closed

Implemented like the comment above. r963
A sample was also added in the ACL category. r964

Marking as FIXED any bugs or enhancement should be in a separate ticket

Note: See TracTickets for help on using tickets.

Download in other formats: