/usr/share/doc/mapproxy/html/auth.html is in mapproxy-doc 1.9.0-3+deb9u1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Authentication and Authorization — MapProxy 1.8.2a0 Docs</title>
<link rel="stylesheet" href="_static/basic.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="stylesheet" href="_static/bootstrap-3.3.6/css/bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="_static/bootstrap-3.3.6/css/bootstrap-theme.min.css" type="text/css" />
<link rel="stylesheet" href="_static/bootstrap-sphinx.css" type="text/css" />
<link rel="stylesheet" href="_static/mapproxy.css" type="text/css" />
<script type="text/javascript">
var DOCUMENTATION_OPTIONS = {
URL_ROOT: './',
VERSION: '1.8.2a0',
COLLAPSE_INDEX: false,
FILE_SUFFIX: '.html',
HAS_SOURCE: true
};
</script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/js/jquery-1.11.0.min.js"></script>
<script type="text/javascript" src="_static/js/jquery-fix.js"></script>
<script type="text/javascript" src="_static/bootstrap-3.3.6/js/bootstrap.min.js"></script>
<script type="text/javascript" src="_static/bootstrap-sphinx.js"></script>
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="top" title="MapProxy 1.8.2a0 Docs" href="index.html" />
<link rel="next" title="Decorate Image" href="decorate_img.html" />
<link rel="prev" title="WMS Labeling" href="labeling.html" />
<meta charset='utf-8'>
<meta http-equiv='X-UA-Compatible' content='IE=edge,chrome=1'>
<meta name='viewport' content='width=device-width, initial-scale=1.0, maximum-scale=1'>
<meta name="apple-mobile-web-app-capable" content="yes">
</head>
<body role="document">
<div class="container">
<div class="row">
<div class="col-md-8">
<div class="section" id="authentication-and-authorization">
<h1>Authentication and Authorization<a class="headerlink" href="#authentication-and-authorization" title="Permalink to this headline">¶</a></h1>
<p>Authentication is the process of mapping a request to a user. There are different ways to do this, from simple HTTP Basic Authentication to cookies or token based systems.</p>
<p>Authorization is the process that defines what an authenticated user is allowed to do. A datastore is required to store this authorization information for everything but trivial systems. These datastores can range from really simple text files (all users in this text file are allowed to do everything) to complex schemas with relational databases (user A is allowed to do B but not C, etc.).</p>
<p>As you can see, the options to choose when implementing a system for authentication and authorization are diverse. Developers (of SDIs, not the software itself) often have specific constraints, like existing user data in a database or an existing login page on a website for a Web-GIS. So it is hard to offer a one-size-fits-all solution.</p>
<p>Therefore, MapProxy does not come with any embedded authentication or authorization. But it comes with a flexible authorization interface that allows you (the SDI developer) to implement custom tailored systems.</p>
<p>Luckily, there are lots of existing toolkits that can be used to build systems that match your requirements. For authentication there is the <a class="reference external" href="http://docs.repoze.org/who/">repoze.who</a> package with <a class="reference external" href="http://pypi.python.org/pypi?:action=search&term=repoze.who">plugins for HTTP Basic Authentication, HTTP cookies, etc</a>. For authorization there is the <a class="reference external" href="http://docs.repoze.org/what/">repoze.what</a> package with <a class="reference external" href="http://pypi.python.org/pypi?:action=search&term=repoze.what">plugins for SQL datastores, etc</a>.</p>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">Developing a custom authentication and authorization system requires a bit of Python programming and knowledge of <a class="reference external" href="http://wsgi.org">WSGI</a> and WSGI middleware.</p>
</div>
<div class="section" id="authentication-authorization-middleware">
<h2>Authentication/Authorization Middleware<a class="headerlink" href="#authentication-authorization-middleware" title="Permalink to this headline">¶</a></h2>
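<p>Your auth system should be implemented as a WSGI middleware. The middleware sits between your web server and MapProxy. It only protects requests that are actually routed through it, so make sure that no deployment path serves the MapProxy application unwrapped.</p>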
<div class="section" id="wsgi-filter-middleware">
<h3>WSGI Filter Middleware<a class="headerlink" href="#wsgi-filter-middleware" title="Permalink to this headline">¶</a></h3>
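<p>A simple middleware that authorizes random requests might look like the following. It only illustrates the shape of a WSGI filter (either pass the request on to the wrapped application, or answer with a 403 yourself); it makes no real access decision:</p>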
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="k">class</span> <span class="nc">RandomAuthFilter</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span>
<span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">app</span><span class="p">,</span> <span class="n">global_conf</span><span class="p">):</span>
<span class="bp">self</span><span class="o">.</span><span class="n">app</span> <span class="o">=</span> <span class="n">app</span>
<span class="k">def</span> <span class="nf">__call__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">environ</span><span class="p">,</span> <span class="n">start_reponse</span><span class="p">):</span>
<span class="k">if</span> <span class="n">random</span><span class="o">.</span><span class="n">randint</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="o">==</span> <span class="mi">1</span><span class="p">:</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">app</span><span class="p">(</span><span class="n">environ</span><span class="p">,</span> <span class="n">start_reponse</span><span class="p">)</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">start_reponse</span><span class="p">(</span><span class="s1">'403 Forbidden'</span><span class="p">,</span>
<span class="p">[(</span><span class="s1">'content-type'</span><span class="p">,</span> <span class="s1">'text/plain'</span><span class="p">)])</span>
<span class="k">return</span> <span class="p">[</span><span class="s1">'no luck today'</span><span class="p">]</span>
</pre></div>
</div>
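<p>You need to wrap the MapProxy application with your custom auth middleware. Note that the <code class="docutils literal"><span class="pre">RandomAuthFilter</span></code> shown above declares a second, required <code class="docutils literal"><span class="pre">global_conf</span></code> parameter (the PasteDeploy filter factory signature), so when you construct it by hand you must also pass a value for it or give the parameter a default. For deployment scripts it might look like:</p>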
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">application</span> <span class="o">=</span> <span class="n">make_wsgi_app</span><span class="p">(</span><span class="s1">'./mapproxy.yaml'</span><span class="p">)</span>
<span class="n">application</span> <span class="o">=</span> <span class="n">RandomAuthFilter</span><span class="p">(</span><span class="n">application</span><span class="p">)</span>
</pre></div>
</div>
<p>For <a class="reference external" href="http://pythonpaste.org/deploy/">PasteDeploy</a> you can use the <code class="docutils literal"><span class="pre">filter-with</span></code> option. The <code class="docutils literal"><span class="pre">config.ini</span></code> looks like:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">app</span><span class="p">:</span><span class="n">mapproxy</span><span class="p">]</span>
<span class="n">use</span> <span class="o">=</span> <span class="n">egg</span><span class="p">:</span><span class="n">MapProxy</span><span class="c1">#app</span>
<span class="n">mapproxy_conf</span> <span class="o">=</span> <span class="o">%</span><span class="p">(</span><span class="n">here</span><span class="p">)</span><span class="n">s</span><span class="o">/</span><span class="n">mapproxy</span><span class="o">.</span><span class="n">yaml</span>
<span class="nb">filter</span><span class="o">-</span><span class="k">with</span> <span class="o">=</span> <span class="n">auth</span>
<span class="p">[</span><span class="nb">filter</span><span class="p">:</span><span class="n">auth</span><span class="p">]</span>
<span class="n">paste</span><span class="o">.</span><span class="n">filter_app_factory</span> <span class="o">=</span> <span class="n">myauthmodule</span><span class="p">:</span><span class="n">RandomAuthFilter</span>
<span class="p">[</span><span class="n">server</span><span class="p">:</span><span class="n">main</span><span class="p">]</span>
<span class="o">...</span>
</pre></div>
</div>
<p>You can implement simple authentication systems with that method, but you should look at <a class="reference external" href="http://docs.repoze.org/who/">repoze.who</a> before reinventing the wheel.</p>
</div>
<div class="section" id="authorization-callback">
<h3>Authorization Callback<a class="headerlink" href="#authorization-callback" title="Permalink to this headline">¶</a></h3>
<p>Authorization is a bit more complex, because your middleware would need to interpret the request to get information required for the authorization (e.g. layer names for WMS GetMap requests). Limiting the GetCapabilities response to certain layers would even require the middleware to manipulate the XML document. So it’s obvious that some parts of the authorization should be handled by MapProxy.</p>
<p>MapProxy can call the middleware back for authorization as soon as it knows what to ask for (e.g. the layer names of a WMS GetMap request). You have to pass a callback function to the environment so that MapProxy knows what to call.</p>
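<p>Here is a more elaborate example that denies requests to all layers that start with a specific prefix. These layers are also hidden from capability documents. Note that the decision here depends only on the layer name and is the same for every requester; a real callback would also take the authenticated user into account, for example from the <code class="docutils literal"><span class="pre">environ</span></code> argument as populated by your authentication middleware.</p>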
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="k">class</span> <span class="nc">SimpleAuthFilter</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span>
<span class="sd">"""</span>
<span class="sd"> Simple MapProxy authorization middleware.</span>
<span class="sd"> It authorizes WMS requests for layers where the name does</span>
<span class="sd"> not start with `prefix`.</span>
<span class="sd"> """</span>
<span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">app</span><span class="p">,</span> <span class="n">prefix</span><span class="o">=</span><span class="s1">'secure'</span><span class="p">):</span>
<span class="bp">self</span><span class="o">.</span><span class="n">app</span> <span class="o">=</span> <span class="n">app</span>
<span class="bp">self</span><span class="o">.</span><span class="n">prefix</span> <span class="o">=</span> <span class="n">prefix</span>
<span class="k">def</span> <span class="nf">__call__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">environ</span><span class="p">,</span> <span class="n">start_reponse</span><span class="p">):</span>
<span class="c1"># put authorize callback function into environment</span>
<span class="n">environ</span><span class="p">[</span><span class="s1">'mapproxy.authorize'</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">authorize</span>
<span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">app</span><span class="p">(</span><span class="n">environ</span><span class="p">,</span> <span class="n">start_reponse</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">authorize</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">service</span><span class="p">,</span> <span class="n">layers</span><span class="o">=</span><span class="p">[],</span> <span class="n">environ</span><span class="o">=</span><span class="kc">None</span><span class="p">,</span> <span class="o">**</span><span class="n">kw</span><span class="p">):</span>
<span class="n">allowed</span> <span class="o">=</span> <span class="n">denied</span> <span class="o">=</span> <span class="kc">False</span>
<span class="k">if</span> <span class="n">service</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="s1">'wms.'</span><span class="p">):</span>
<span class="n">auth_layers</span> <span class="o">=</span> <span class="p">{}</span>
<span class="k">for</span> <span class="n">layer</span> <span class="ow">in</span> <span class="n">layers</span><span class="p">:</span>
<span class="k">if</span> <span class="n">layer</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">prefix</span><span class="p">):</span>
<span class="n">auth_layers</span><span class="p">[</span><span class="n">layer</span><span class="p">]</span> <span class="o">=</span> <span class="p">{}</span>
<span class="n">denied</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">else</span><span class="p">:</span>
<span class="n">auth_layers</span><span class="p">[</span><span class="n">layer</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'featureinfo'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'legendgraphic'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="p">}</span>
<span class="n">allowed</span> <span class="o">=</span> <span class="kc">True</span>
<span class="k">else</span><span class="p">:</span> <span class="c1"># other services are denied</span>
<span class="k">return</span> <span class="p">{</span><span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'none'</span><span class="p">}</span>
<span class="k">if</span> <span class="n">allowed</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">denied</span><span class="p">:</span>
<span class="k">return</span> <span class="p">{</span><span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'full'</span><span class="p">}</span>
<span class="k">if</span> <span class="n">denied</span> <span class="ow">and</span> <span class="ow">not</span> <span class="n">allowed</span><span class="p">:</span>
<span class="k">return</span> <span class="p">{</span><span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'none'</span><span class="p">}</span>
<span class="k">return</span> <span class="p">{</span><span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span> <span class="s1">'layers'</span><span class="p">:</span> <span class="n">auth_layers</span><span class="p">}</span>
</pre></div>
</div>
<p>And here is the part of the <code class="docutils literal"><span class="pre">config.py</span></code> where we define the filter and pass custom options:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="n">application</span> <span class="o">=</span> <span class="n">make_wsgi_app</span><span class="p">(</span><span class="s1">'./mapproxy.yaml'</span><span class="p">)</span>
<span class="n">application</span> <span class="o">=</span> <span class="n">SimpleAuthFilter</span><span class="p">(</span><span class="n">application</span><span class="p">,</span> <span class="n">prefix</span><span class="o">=</span><span class="s1">'secure'</span><span class="p">)</span>
</pre></div>
</div>
</div>
</div>
<div class="section" id="mapproxy-authorization-api">
<h2>MapProxy Authorization API<a class="headerlink" href="#mapproxy-authorization-api" title="Permalink to this headline">¶</a></h2>
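<p>MapProxy looks in the request environment for a <code class="docutils literal"><span class="pre">mapproxy.authorize</span></code> entry. This entry should contain a callable (function or method). If it does not find any callable, then MapProxy assumes that authorization is not enabled and that all requests are allowed. This default is fail-open: if the middleware is left out of the deployed WSGI stack, or never sets this key, every request is served without an authorization check. Verify a deployment by confirming that a request you expect to be denied actually returns HTTP 403.</p>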
<p>The signature of the authorization function:</p>
<dl class="function">
<dt id="authorize">
<code class="descname">authorize</code><span class="sig-paren">(</span><em>service</em>, <em>layers=[]</em>, <em>environ=None</em>, <em>**kw</em><span class="sig-paren">)</span><a class="headerlink" href="#authorize" title="Permalink to this definition">¶</a></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><ul class="first simple">
<li><strong>service</strong> – service that should be authorized</li>
<li><strong>layers</strong> – list of layer names that should be authorized</li>
<li><strong>environ</strong> – the request environ</li>
</ul>
</td>
</tr>
<tr class="field-even field"><th class="field-name">Return type:</th><td class="field-body"><p class="first last">dictionary with authorization information</p>
</td>
</tr>
</tbody>
</table>
<p>The arguments might get extended in future versions of MapProxy. Therefore you should collect further arguments in a catch-all keyword argument (i.e. <code class="docutils literal"><span class="pre">**kw</span></code>).</p>
</dd></dl>
<div class="admonition note">
<p class="first admonition-title">Note</p>
<p class="last">The actual name of the callable is insignificant, only the environment key <code class="docutils literal"><span class="pre">mapproxy.authorize</span></code> is important.</p>
</div>
<p>The <code class="docutils literal"><span class="pre">service</span></code> parameter is a string and the content depends on the service that calls the authorize function. Generally, it is the lower-case name of the service (e.g. <code class="docutils literal"><span class="pre">tms</span></code> for TMS service), but it can be different to further control the service (e.g. <code class="docutils literal"><span class="pre">wms.map</span></code>).</p>
<p>The function should return a dictionary with the authorization information. The expected content of that dictionary can vary with each service. Only the <code class="docutils literal"><span class="pre">authorized</span></code> key is consistent with all services.</p>
<p>The <code class="docutils literal"><span class="pre">authorized</span></code> entry can have four values.</p>
<dl class="docutils">
<dt><code class="docutils literal"><span class="pre">full</span></code></dt>
<dd>The request for the given <cite>service</cite> and <cite>layers</cite> is fully authorized. MapProxy handles the request as if there is no authorization.</dd>
<dt><code class="docutils literal"><span class="pre">partial</span></code></dt>
<dd>Only parts of the request are allowed. The dictionary should contain more information on what parts of the request are allowed and what parts are denied. Depending on the service, MapProxy can then filter the request based on that information, e.g. return WMS Capabilities with permitted layers only.</dd>
<dt><code class="docutils literal"><span class="pre">none</span></code></dt>
<dd>The request is denied and MapProxy returns an HTTP 403 (Forbidden) response.</dd>
<dt><code class="docutils literal"><span class="pre">unauthenticated</span></code></dt>
<dd>The request(er) was not authenticated and MapProxy returns an HTTP 401 response. Your middleware can capture this and ask the requester for authentication. <code class="docutils literal"><span class="pre">repoze.who</span></code>’s <code class="docutils literal"><span class="pre">PluggableAuthenticationMiddleware</span></code> will do this, for example.</dd>
</dl>
<div class="versionadded">
<p><span class="versionmodified">New in version 1.1.0: </span>The <code class="docutils literal"><span class="pre">environment</span></code> parameter and support for <code class="docutils literal"><span class="pre">authorized:</span> <span class="pre">unauthenticated</span></code> results.</p>
</div>
<div class="section" id="limited-to">
<span id="id1"></span><h3><code class="docutils literal"><span class="pre">limited_to</span></code><a class="headerlink" href="#limited-to" title="Permalink to this headline">¶</a></h3>
<p>You can restrict the geographical area for each request. MapProxy will clip each request to the provided geometry – areas outside of the permitted area become transparent.</p>
<p>Depending on the service, MapProxy supports this clipping for the whole request or for each layer. You need to provide a dictionary with <code class="docutils literal"><span class="pre">bbox</span></code> or <code class="docutils literal"><span class="pre">geometry</span></code> and the <code class="docutils literal"><span class="pre">srs</span></code> of the geometry. The following geometry values are supported:</p>
<dl class="docutils">
<dt>BBOX:</dt>
<dd>Bounding box as a list of minx, miny, maxx, maxy.</dd>
<dt>WKT polygons:</dt>
<dd>String with one or more polygons and multipolygons as WKT. Multiple WKTs must be delimited by a new line character.
Return this type if you are getting the geometries from a spatial database.</dd>
<dt>Shapely geometry:</dt>
<dd>Shapely geometry object. Return this type if you are already processing the geometries in your Python code with <a class="reference external" href="http://toblerity.github.com/shapely/">Shapely</a>.</dd>
</dl>
<p>Here is an example callback result for a WMS <cite>GetMap</cite> request with all three geometry types. See below for examples for other services:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="p">[</span><span class="o">-</span><span class="mi">10</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">50</span><span class="p">],</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">},</span>
<span class="p">},</span>
<span class="s1">'layer2'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="s1">'POLYGON((...))'</span><span class="p">,</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">},</span>
<span class="p">},</span>
<span class="s1">'layer3'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="n">shapely</span><span class="o">.</span><span class="n">geometry</span><span class="o">.</span><span class="n">Polygon</span><span class="p">(</span>
<span class="p">[(</span><span class="o">-</span><span class="mi">10</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="o">-</span><span class="mi">5</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="mi">50</span><span class="p">),</span> <span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="mi">50</span><span class="p">)]),</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="section" id="performance">
<h4>Performance<a class="headerlink" href="#performance" title="Permalink to this headline">¶</a></h4>
<p>The clipping is quite fast, but if you notice that the overhead is too large, you should reduce the complexity of the geometries returned by your authorization callback. You can improve the performance by returning the geometry in the projection from <code class="docutils literal"><span class="pre">query_extent</span></code>, by limiting it to the <code class="docutils literal"><span class="pre">query_extent</span></code> and by simplifying the geometry. Refer to the <code class="docutils literal"><span class="pre">ST_Transform</span></code>, <code class="docutils literal"><span class="pre">ST_Intersection</span></code> and <code class="docutils literal"><span class="pre">ST_SimplifyPreserveTopology</span></code> functions when you query the geometries from PostGIS.</p>
</div>
</div>
</div>
<div class="section" id="wms-service">
<h2>WMS Service<a class="headerlink" href="#wms-service" title="Permalink to this headline">¶</a></h2>
<p>The WMS service expects a <code class="docutils literal"><span class="pre">layers</span></code> entry in the authorization dictionary for <code class="docutils literal"><span class="pre">partial</span></code> results. <code class="docutils literal"><span class="pre">layers</span></code> itself should be a dictionary with all layers. All missing layers are interpreted as denied layers.</p>
<p>Each layer contains the information about the permitted features. A missing feature is interpreted as a denied feature.</p>
<p>Here is an example result of a call to the authorize function:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'featureinfo'</span><span class="p">:</span> <span class="kc">False</span><span class="p">,</span>
<span class="p">},</span>
<span class="s1">'layer2'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'featureinfo'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="section" id="id2">
<h3><code class="docutils literal"><span class="pre">limited_to</span></code><a class="headerlink" href="#id2" title="Permalink to this headline">¶</a></h3>
<div class="versionadded">
<p><span class="versionmodified">New in version 1.4.0.</span></p>
</div>
<p>The WMS service supports <code class="docutils literal"><span class="pre">limited_to</span></code> for <cite>GetCapabilities</cite>, <cite>GetMap</cite> and <cite>GetFeatureInfo</cite> requests. MapProxy will modify the bounding box of each restricted layer for <cite>GetCapabilities</cite> requests. <cite>GetFeatureInfo</cite> requests will only return data if the info coordinate is inside the permitted area. For <cite>GetMap</cite> requests, MapProxy will clip each layer to the provided geometry – areas outside of the permitted area become transparent or colored in the <cite>bgcolor</cite> of the WMS request.</p>
<p>You can provide the geometry for each layer or for the whole request.</p>
<p>See <a class="reference internal" href="#limited-to"><span class="std std-ref">limited_to</span></a> for more details.</p>
<p>Here is an example callback result with two limited layers and one unlimited layer:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="p">[</span><span class="o">-</span><span class="mi">10</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">30</span><span class="p">,</span> <span class="mi">50</span><span class="p">],</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">},</span>
<span class="p">},</span>
<span class="s1">'layer2'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="s1">'POLYGON((...))'</span><span class="p">,</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">},</span>
<span class="p">},</span>
<span class="s1">'layer3'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Here is an example callback result where the complete request is limited:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="n">shapely</span><span class="o">.</span><span class="n">geometry</span><span class="o">.</span><span class="n">Polygon</span><span class="p">(</span>
<span class="p">[(</span><span class="o">-</span><span class="mi">10</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="o">-</span><span class="mi">5</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="mi">50</span><span class="p">),</span> <span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="mi">50</span><span class="p">)]),</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">},</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="p">},</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
<div class="section" id="service-types">
<h3>Service types<a class="headerlink" href="#service-types" title="Permalink to this headline">¶</a></h3>
<p>The WMS service uses the following service strings:</p>
<div class="section" id="wms-map">
<h4><code class="docutils literal"><span class="pre">wms.map</span></code><a class="headerlink" href="#wms-map" title="Permalink to this headline">¶</a></h4>
<p>This is called for WMS GetMap requests. <code class="docutils literal"><span class="pre">layers</span></code> is a list with the actual layers to render, that means that group layers are resolved.
The <code class="docutils literal"><span class="pre">map</span></code> feature needs to be set to <code class="docutils literal"><span class="pre">True</span></code> for each permitted layer.
The whole request is rejected if any requested layer is not permitted. Resolved layers (i.e. sub layers of a requested group layer) are filtered out if they are not permitted.</p>
<div class="versionadded">
<p><span class="versionmodified">New in version 1.1.0: </span>The <code class="docutils literal"><span class="pre">authorize</span></code> function gets called with an additional <code class="docutils literal"><span class="pre">query_extent</span></code> argument:</p>
<dl class="function">
<dt>
<code class="descname">authorize</code><span class="sig-paren">(</span><em>service</em>, <em>environ</em>, <em>layers</em>, <em>query_extent</em>, <em>**kw</em><span class="sig-paren">)</span></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><strong>query_extent</strong> – a tuple of the SRS (e.g. <code class="docutils literal"><span class="pre">EPSG:4326</span></code>) and the BBOX
of the request to authorize.</td>
</tr>
</tbody>
</table>
</dd></dl>
</div>
<div class="section" id="example">
<h5>Example<a class="headerlink" href="#example" title="Permalink to this headline">¶</a></h5>
<p>With a layer tree like:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">layer1</span>
<span class="n">layers</span><span class="p">:</span>
<span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">layer1a</span>
<span class="n">sources</span><span class="p">:</span> <span class="p">[</span><span class="n">l1a</span><span class="p">]</span>
<span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">layer1b</span>
<span class="n">sources</span><span class="p">:</span> <span class="p">[</span><span class="n">l1b</span><span class="p">]</span>
</pre></div>
</div>
<p>An authorize result of:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span><span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">},</span>
<span class="s1">'layer1a'</span><span class="p">:</span> <span class="p">{</span><span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">}</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Results in the following:</p>
<ul class="simple">
<li>A request for <code class="docutils literal"><span class="pre">layer1</span></code> renders <code class="docutils literal"><span class="pre">layer1a</span></code>, <code class="docutils literal"><span class="pre">layer1b</span></code> gets filtered out.</li>
<li>A request for <code class="docutils literal"><span class="pre">layer1a</span></code> renders <code class="docutils literal"><span class="pre">layer1a</span></code>.</li>
<li>A request for <code class="docutils literal"><span class="pre">layer1b</span></code> is rejected.</li>
<li>A request for <code class="docutils literal"><span class="pre">layer1a</span></code> and <code class="docutils literal"><span class="pre">layer1b</span></code> is rejected.</li>
</ul>
</div>
</div>
<div class="section" id="wms-featureinfo">
<h4><code class="docutils literal"><span class="pre">wms.featureinfo</span></code><a class="headerlink" href="#wms-featureinfo" title="Permalink to this headline">¶</a></h4>
<p>This is called for WMS GetFeatureInfo requests and the behavior is similar to <code class="docutils literal"><span class="pre">wms.map</span></code>.</p>
</div>
<div class="section" id="wms-capabilities">
<h4><code class="docutils literal"><span class="pre">wms.capabilities</span></code><a class="headerlink" href="#wms-capabilities" title="Permalink to this headline">¶</a></h4>
<p>This is called for WMS GetCapabilities requests. <code class="docutils literal"><span class="pre">layers</span></code> is a list with all named layers of the WMS service.
Only layers with the <code class="docutils literal"><span class="pre">map</span></code> feature set to <code class="docutils literal"><span class="pre">True</span></code> are included in the capabilities document. Missing layers are not included.</p>
<p>Sub layers are only included when the parent layer is included, since the authorization interface is not able to reorder the layer tree. Note that omitting a sub layer from the capabilities does not deny access to it: these sub layers can still be requested (see <code class="docutils literal"><span class="pre">wms.map</span></code> above).</p>
<p>Layers that are queryable are only marked as such in the capabilities if the <code class="docutils literal"><span class="pre">featureinfo</span></code> feature is set to <code class="docutils literal"><span class="pre">True</span></code>.</p>
<p>With a layer tree like:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">layer1</span>
<span class="n">layers</span><span class="p">:</span>
<span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">layer1a</span>
<span class="n">sources</span><span class="p">:</span> <span class="p">[</span><span class="n">l1a</span><span class="p">]</span>
<span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">layer1b</span>
<span class="n">sources</span><span class="p">:</span> <span class="p">[</span><span class="n">l1b</span><span class="p">]</span>
<span class="o">-</span> <span class="n">name</span><span class="p">:</span> <span class="n">layer1c</span>
<span class="n">sources</span><span class="p">:</span> <span class="p">[</span><span class="n">l1c</span><span class="p">]</span>
</pre></div>
</div>
<p>An authorize result of:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span><span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span> <span class="s1">'feature'</span><span class="p">:</span> <span class="kc">True</span><span class="p">},</span>
<span class="s1">'layer1a'</span><span class="p">:</span> <span class="p">{</span><span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span> <span class="s1">'feature'</span><span class="p">:</span> <span class="kc">True</span><span class="p">},</span>
<span class="s1">'layer1b'</span><span class="p">:</span> <span class="p">{</span><span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">},</span>
<span class="s1">'layer1c'</span><span class="p">:</span> <span class="p">{</span><span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">},</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Results in the following abbreviated capabilities:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="o"><</span><span class="n">Layer</span> <span class="n">queryable</span><span class="o">=</span><span class="s2">"1"</span><span class="o">></span>
<span class="o"><</span><span class="n">Name</span><span class="o">></span><span class="n">layer1</span><span class="o"></</span><span class="n">Name</span><span class="o">></span>
<span class="o"><</span><span class="n">Layer</span> <span class="n">queryable</span><span class="o">=</span><span class="s2">"1"</span><span class="o">><</span><span class="n">Name</span><span class="o">></span><span class="n">layer1a</span><span class="o"></</span><span class="n">Name</span><span class="o">></</span><span class="n">Layer</span><span class="o">></span>
<span class="o"><</span><span class="n">Layer</span><span class="o">><</span><span class="n">Name</span><span class="o">></span><span class="n">layer1b</span><span class="o"></</span><span class="n">Name</span><span class="o">></</span><span class="n">Layer</span><span class="o">></span>
<span class="o"></</span><span class="n">Layer</span><span class="o">></span>
</pre></div>
</div>
</div>
</div>
</div>
<div class="section" id="tms-tile-service">
<h2>TMS/Tile Service<a class="headerlink" href="#tms-tile-service" title="Permalink to this headline">¶</a></h2>
<p>The TMS service expects a <code class="docutils literal"><span class="pre">layers</span></code> entry in the authorization dictionary for <code class="docutils literal"><span class="pre">partial</span></code> results. <code class="docutils literal"><span class="pre">layers</span></code> itself should be a dictionary with all layers. All missing layers are interpreted as denied layers.</p>
<p>Each layer contains the information about the permitted features. The TMS service only supports the <code class="docutils literal"><span class="pre">tile</span></code> feature. A missing feature is interpreted as a denied feature.</p>
<p>Here is an example result of a call to the authorize function:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span><span class="s1">'tile'</span><span class="p">:</span> <span class="kc">True</span><span class="p">},</span>
<span class="s1">'layer2'</span><span class="p">:</span> <span class="p">{</span><span class="s1">'tile'</span><span class="p">:</span> <span class="kc">False</span><span class="p">},</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>The TMS service uses <code class="docutils literal"><span class="pre">tms</span></code> as the service string for all authorization requests.</p>
<p>Only layers with the <code class="docutils literal"><span class="pre">tile</span></code> feature set to <code class="docutils literal"><span class="pre">True</span></code> are included in the TMS capabilities document (<code class="docutils literal"><span class="pre">/tms/1.0.0</span></code>). Missing layers are not included.</p>
<p>The <code class="docutils literal"><span class="pre">authorize</span></code> function gets called with an additional <code class="docutils literal"><span class="pre">query_extent</span></code> argument for all tile requests:</p>
<dl class="function">
<dt>
<code class="descname">authorize</code><span class="sig-paren">(</span><em>service</em>, <em>environ</em>, <em>layers</em>, <em>query_extent=None</em>, <em>**kw</em><span class="sig-paren">)</span></dt>
<dd><table class="docutils field-list" frame="void" rules="none">
<col class="field-name" />
<col class="field-body" />
<tbody valign="top">
<tr class="field-odd field"><th class="field-name">Parameters:</th><td class="field-body"><strong>query_extent</strong> – a tuple of the SRS (e.g. <code class="docutils literal"><span class="pre">EPSG:4326</span></code>) and the BBOX
of the request to authorize, or <code class="docutils literal"><span class="pre">None</span></code> for capabilities requests.</td>
</tr>
</tbody>
</table>
</dd></dl>
<div class="section" id="id3">
<h3><code class="docutils literal"><span class="pre">limited_to</span></code><a class="headerlink" href="#id3" title="Permalink to this headline">¶</a></h3>
<div class="versionadded">
<p><span class="versionmodified">New in version 1.5.0.</span></p>
</div>
<p>MapProxy will clip each tile to the provided geometry – areas outside of the permitted area become transparent. MapProxy will return PNG images in this case.</p>
<p>Here is an example callback result where the tile request is limited:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="n">shapely</span><span class="o">.</span><span class="n">geometry</span><span class="o">.</span><span class="n">Polygon</span><span class="p">(</span>
<span class="p">[(</span><span class="o">-</span><span class="mi">10</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="o">-</span><span class="mi">5</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="mi">50</span><span class="p">),</span> <span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="mi">50</span><span class="p">)]),</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">},</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'tile'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="p">},</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<div class="versionadded">
<p><span class="versionmodified">New in version 1.5.1.</span></p>
</div>
<p>You can also add the limit to the layer and mix it with properties used for the other services:</p>
<div class="highlight-default"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'partial'</span><span class="p">,</span>
<span class="s1">'layers'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'layer1'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'tile'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="n">shapely</span><span class="o">.</span><span class="n">geometry</span><span class="o">.</span><span class="n">Polygon</span><span class="p">(</span>
<span class="p">[(</span><span class="o">-</span><span class="mi">10</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="o">-</span><span class="mi">5</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="mi">50</span><span class="p">),</span> <span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="mi">50</span><span class="p">)]),</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">},</span>
<span class="s1">'layer2'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'tile'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'map'</span><span class="p">:</span> <span class="kc">False</span><span class="p">,</span>
<span class="s1">'featureinfo'</span><span class="p">:</span> <span class="kc">True</span><span class="p">,</span>
<span class="s1">'limited_to'</span><span class="p">:</span> <span class="p">{</span>
<span class="s1">'geometry'</span><span class="p">:</span> <span class="n">shapely</span><span class="o">.</span><span class="n">geometry</span><span class="o">.</span><span class="n">Polygon</span><span class="p">(</span>
<span class="p">[(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span> <span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="o">-</span><span class="mi">5</span><span class="p">),</span> <span class="p">(</span><span class="mi">30</span><span class="p">,</span> <span class="mi">50</span><span class="p">),</span> <span class="p">(</span><span class="mi">20</span><span class="p">,</span> <span class="mi">50</span><span class="p">)]),</span>
<span class="s1">'srs'</span><span class="p">:</span> <span class="s1">'EPSG:4326'</span><span class="p">,</span>
<span class="p">},</span>
<span class="p">},</span>
<span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>See <a class="reference internal" href="#limited-to"><span class="std std-ref">limited_to</span></a> for more details.</p>
</div>
</div>
<div class="section" id="kml-service">
<h2>KML Service<a class="headerlink" href="#kml-service" title="Permalink to this headline">¶</a></h2>
<p>The KML authorization is similar to the TMS authorization, including the <code class="docutils literal"><span class="pre">limited_to</span></code> option.</p>
<p>The KML service uses <code class="docutils literal"><span class="pre">kml</span></code> as the service string for all authorization requests.</p>
</div>
<div class="section" id="wmts-service">
<h2>WMTS Service<a class="headerlink" href="#wmts-service" title="Permalink to this headline">¶</a></h2>
<p>The WMTS authorization is similar to the TMS authorization, including the <code class="docutils literal"><span class="pre">limited_to</span></code> option.</p>
<p>The WMTS service uses <code class="docutils literal"><span class="pre">wmts</span></code> as the service string for all authorization requests.</p>
</div>
<div class="section" id="demo-service">
<h2>Demo Service<a class="headerlink" href="#demo-service" title="Permalink to this headline">¶</a></h2>
<p>The demo service only supports <code class="docutils literal"><span class="pre">full</span></code> or <code class="docutils literal"><span class="pre">none</span></code> authorization. <code class="docutils literal"><span class="pre">layers</span></code> is always an empty list. The demo service does not authorize the services and layers that are listed in the overview page. If you permit a user to access the demo service, they can see all service and layer names. However, access to these services is still restricted by the corresponding authorization.</p>
<p>The service string is <code class="docutils literal"><span class="pre">demo</span></code>.</p>
</div>
<div class="section" id="multimapproxy">
<h2>MultiMapProxy<a class="headerlink" href="#multimapproxy" title="Permalink to this headline">¶</a></h2>
<p>The <a class="reference internal" href="deployment.html#multimapproxy"><span class="std std-ref">MultiMapProxy</span></a> application stores the instance name in the environment as <code class="docutils literal"><span class="pre">mapproxy.instance_name</span></code>. This information is not available when your middleware gets called, but you can use it in your authorization function.</p>
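<p>Example that rejects MapProxy instances where the name starts with <code class="docutils literal"><span class="pre">secure</span></code>. The <code class="docutils literal"><span class="pre">authorize</span></code> callback reads the instance name from <code class="docutils literal"><span class="pre">environ</span></code>, so its signature has to accept the <code class="docutils literal"><span class="pre">environ</span></code> argument.</p>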
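<div class="highlight-default"><div class="highlight"><pre><span></span><span class="k">class</span> <span class="nc">MultiMapProxyAuthFilter</span><span class="p">(</span><span class="nb">object</span><span class="p">):</span>
    <span class="sd">"""WSGI filter that registers an authorization callback in the request environment."""</span>

    <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">app</span><span class="p">,</span> <span class="n">global_conf</span><span class="p">):</span>
        <span class="bp">self</span><span class="o">.</span><span class="n">app</span> <span class="o">=</span> <span class="n">app</span>

    <span class="k">def</span> <span class="nf">__call__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">environ</span><span class="p">,</span> <span class="n">start_response</span><span class="p">):</span>
        <span class="c1"># Register the callback, then hand the request to the wrapped application.</span>
        <span class="n">environ</span><span class="p">[</span><span class="s1">'mapproxy.authorize'</span><span class="p">]</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">authorize</span>
        <span class="k">return</span> <span class="bp">self</span><span class="o">.</span><span class="n">app</span><span class="p">(</span><span class="n">environ</span><span class="p">,</span> <span class="n">start_response</span><span class="p">)</span>

    <span class="c1"># The callback has to accept environ to read the instance name;</span>
    <span class="c1"># **kw absorbs further arguments such as query_extent.</span>
    <span class="k">def</span> <span class="nf">authorize</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">service</span><span class="p">,</span> <span class="n">layers</span><span class="o">=</span><span class="p">[],</span> <span class="n">environ</span><span class="o">=</span><span class="kc">None</span><span class="p">,</span> <span class="o">**</span><span class="n">kw</span><span class="p">):</span>
        <span class="n">instance_name</span> <span class="o">=</span> <span class="n">environ</span><span class="o">.</span><span class="n">get</span><span class="p">(</span><span class="s1">'mapproxy.instance_name'</span><span class="p">,</span> <span class="s1">''</span><span class="p">)</span>
        <span class="k">if</span> <span class="n">instance_name</span><span class="o">.</span><span class="n">startswith</span><span class="p">(</span><span class="s1">'secure'</span><span class="p">):</span>
            <span class="k">return</span> <span class="p">{</span><span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'none'</span><span class="p">}</span>
        <span class="k">else</span><span class="p">:</span>
            <span class="c1"># Every other instance, including one without a name, gets full access.</span>
            <span class="k">return</span> <span class="p">{</span><span class="s1">'authorized'</span><span class="p">:</span> <span class="s1">'full'</span><span class="p">}</span>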
</pre></div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>