1

Topic: WMS as a logged in user

Hello,

I'm coding a plugin for QGIS which includes a tool to provide convenient access to the NBN WMS. This is all fine as an anonymous user.

But I want users to be able to supply their NBN login credentials so that they can get better access to data where they've been granted it.

The documentation here (https://data.nbn.org.uk/Documentation/W … _Services/), suggests that I need to add the username and a userkey to the URL in the call to the WMS thus:

gis.nbn.org.uk/SingleSpecies/NBNSYS0000005629?username=test&userkey=HASHED_PASSWORD

I'm not sure what the userkey should be. I thought that it might be an authentication cookie value as suggested here: https://data.nbn.org.uk/Documentation/W … ogging_In/

I've written code to supply credentials and retrieve an authentication cookie (which looks fine), but when I supply its value in place of 'HASHED_PASSWORD', I still get the default level of data access.

Can anyone help me out?

Rich

Richard Burkmar
Biodiversity Project Officer
Field Studies Council

2

Re: WMS as a logged in user

I've just looked up hashing and I've tried sending a hashed password, again to no effect. I don't know much about the technical aspects of security, but I guess that it matters exactly how I hash the password? But there are no details here - https://data.nbn.org.uk/Documentation/W … Services/.

I used the uuid and hashlib Python libraries, like this:

salt = uuid.uuid4().hex
hashed_password = hashlib.sha512(password + salt).hexdigest()

I also tried it without the salt. (Whatever that means.) But still I got the default level of access.

Rich

Richard Burkmar
Biodiversity Project Officer
Field Studies Council

3 (edited by BDeed 14-10-2014 18:06:32)

Re: WMS as a logged in user

Hi Rich, i don't know if this is useful but i have now managed to do this with a VB desktop program (principle should be similar?). The solution was based on some code posted by Tim May of COFNOD some time ago. I'll see if i can track it down...

In fact it was just a couple of places below this post, here: http://forums.nbn.org.uk/viewtopic.php?id=4987

LERC Officer
Merseyside BioBank - Local Environmental Records Centre for North Merseyside
www.MerseysideBioBank.org.uk

4

Re: WMS as a logged in user

Hi Ben,

The 'normal' rest services are okay - I can get a cookie for authentication. But its the Web Mapping Service that's the problem - the authentication is different: it doesn't seem to require a cookie. I'll have to email the NBN direct about it.

Rich

Richard Burkmar
Biodiversity Project Officer
Field Studies Council

5

Re: WMS as a logged in user

Hi Rich, the cookie should be used for both web mapping and the rest services as they authenticate using the same methods, the hashed-userkey stuff is just for logging in for one off calls as a way to get around the need for having to use a cookie to log in to the system.

You should be able to test this using a browser, logging into the gateway (therefore getting a cookie) and then accessing the web mapping via a browser should demonstrate this working.

The hashed password stuff is to simplify one off jobs so that they are easier to perform rather than a long term way to use the maps, at least in my view, they may be being used differently in the wild.

Hope that helps,
Matt

Matt Debont
Application Developer
Joint Nature Conservation Committee, Monkstone House, City Road, Peterborough PE1 1JY, UK

6 (edited by burkmarr 20-10-2014 11:58:46)

Re: WMS as a logged in user

Hi Matt,

Thanks for clarifying that. I don't think it solves my problem though. I see how that works with a browser - because browsers are designed to store and send cookies with every http call.

My problem is that I'm not accessing the WMS through a browser - I'm accessing it through QGIS. Although I can retrieve a cookie programatically within my QGIS plugin,  I have no way of directing QGIS to send the cookie whenever it makes a call to the WMS (e.g. when the user pans or zooms the map). There's no way to specify a cookie to a WMS either through the QGIS standard interface or when using QGIS's API for calling a WMS (as I'm doing with my plugin).

So, as far as I can figure out, there is no way, using cookie authentication, to use the NBN WMS service within QGIS as a logged in user. Do you know of anyone using the NBN WMS from within QGIS or any GIS (e.g. MapInfo or ArcGIS) as a logged-in user? If so I'd really like to chat to them about how they do it.

I can, of course, specify the URL that is to be used for the web service. So if there is a way to supply user credentials within the URL, e.g. by including a 'hashed password' as the documentation on the NBN website suggests, I would be able to use the NBN WMS as a logged in user from within QGIS. Do you have any more technical details on how to use the 'hashed password' on the WMS URL?

Best wishes,

Rich

Richard Burkmar
Biodiversity Project Officer
Field Studies Council

7

Re: WMS as a logged in user

Hi, there is a password / userkey hasher on the documentation pages at https://data.nbn.org.uk/Documentation/W … ctiveTools

Hope that helps,
Matt

Matt Debont
Application Developer
Joint Nature Conservation Committee, Monkstone House, City Road, Peterborough PE1 1JY, UK

8

Re: WMS as a logged in user

Okay thanks for that reference Matt - the Java example on that page showed me that I had to use a simple 'MD5' hashed key and I was easily able to implement that in Python. Now I'm getting the same hashed value for my password in my code as I get using the interactive tool on the page that you referred me to. So at least  I know that I am hashing the password correctly.

Unfortunately it doesn't work for the WMS. It works fine for the Atlas Grade Map rest service that is the subject of that page, but it is just ignored by the WMS. Is this something that the development team can look at?

I think that it's important because, as far as I can see, there is currently no way for someone consuming the NBN WMS through a desktop GIS, such as QGIS, MapInfo or ArcGIS, to access data at the level which their login credentials allow - data can only be accessed at the public level. QGIS (and I imagine MapInfo and ArcGIS) don't support the cookie authentication method because they are not browsers, and the URL (hashed password) method, just doesn't work.

If it can't be addressed, at the very least the page here - https://data.nbn.org.uk/Documentation/W … _Services/ - should be updated to reflect the fact that there is no way to specify login credentials in the URL. (In other words remove the bit about using hashed passwords.)

Can you let me know if I need to raise this somehow as a separate bug report?

Rich

Richard Burkmar
Biodiversity Project Officer
Field Studies Council

9

Re: WMS as a logged in user

Hi Rich, the md5 hashed key should work with both WMS and Atlas mapping requests. Are you using both the username and the hashed key parameters in the URL?

i.e. username=test&userkey=hashed_pass

Matt Debont
Application Developer
Joint Nature Conservation Committee, Monkstone House, City Road, Peterborough PE1 1JY, UK

10

Re: WMS as a logged in user

I am Matt. QGIS's API for WMS is a class called QgsRasterLayer. You supply the URL string of the WMS to this class' constructor in this kind of format:

url=https://gis.nbn.org.uk/SingleSpecies/NBNSYS0000008608&layers=Grid-10km&styles=&format=image/gif&crs=EPSG:27700

The above works correctly, building a WMS layer from the NBN showing a hectad distribution map with the correct projection etc.

The URL below produces exactly the same results:

url=https://gis.nbn.org.uk/SingleSpecies/NBNSYS0000008608&username=burkmarr&userkey=hashed_password&layers=Grid-10km&styles=&format=image/gif&crs=EPSG:27700

Note that it doesn't fall over - but it produces the same map as before, whereas I should see more 10 km squares because I have better than public access.

I know that the string I'm using for hashed_password is correct because I've used the same value on the atlas class map page (the page you directed me to before) to get back a map with the higher level of access (i.e. all the dots I expect to see at my access level).

Rich

Richard Burkmar
Biodiversity Project Officer
Field Studies Council

11

Re: WMS as a logged in user

Hi Rich, sorry for the slow response, if you are still having issues could you email our support address (support @ nbn.org.uk) with this and I will try and get this pointed at the right person, as this looks like something is amiss here as it should 'just work' but obviously there is a problem going on somewhere here.

Matt

Matt Debont
Application Developer
Joint Nature Conservation Committee, Monkstone House, City Road, Peterborough PE1 1JY, UK

12 (edited by burkmarr 30-10-2014 12:07:16)

Re: WMS as a logged in user

Hi Matt,

Further probing leads me to think that this could be a QGIS problem rather than a problem with the NBN WMS. I've reached that conclusion because *outside* of QGIS, this works:

https://gis.nbn.org.uk/SingleSpecies/NB … d_password

Putting that URL straight into a browser brings me back a map with all the dots that I should be able to see with my access.

So I looked more closely at what QGIS is doing. When I supply "&username=burkmarr&userkey=hashed_password" in my code to the relevant QGIS API, the result is that "&username=burkmarr" gets through fine, but "&userkey=hashed_password" is stripped out. QGIS is happy for me to supply "&password=hashed_password" - it leaves that in, but, of course, the NBN doesn't recognise that - it's looking for 'userkey' not 'password'.

I looked again at what QGIS did with username and userkey parameters. My statement of what it did with these parameters was based on me misreading of the QGIS layer properties dialog once the WMS layer was created. I realised that a better way of seeing what QGIS was really doing was using a tool to intercept and examine the actual HTTP requests - see next post.

I'm going to see if I can find a QGIS developer's forum where someone can help identify what the problem is.

Thanks for all your help.

Rich

Richard Burkmar
Biodiversity Project Officer
Field Studies Council

13 (edited by burkmarr 30-10-2014 12:42:52)

Re: WMS as a logged in user

I used Fiddler to examine the HTTP requests that QGIS is actually sending. (Anyone that wants to do this should note that you have to set QGIS network options so that Host is set to localhost, Port to 8888 and Proxy type to HttpProxy.)

In fact neither the unsername or userkey parameters get sent to the NBN WMS in the HTTP request. I guess that this is because they are non-standard WMS parameters (i.e. not in the OGC WMS implementation standard). However the standard does make it clear that additional parameters are permitted (i.e. using them does not break the standard), so I wonder why QGIS is stripping them out?

I wondered if the NBN WMS GetCapabilities response should be advertising them so that QGIS knows not to strip them out?

I'll pose a question to the QGIS community, but I suspect that I'm reaching a dead end with this.

(I posted a question on StackExchange: http://gis.stackexchange.com/questions/ … -via-qgis)

Rich

Richard Burkmar
Biodiversity Project Officer
Field Studies Council

14

Re: WMS as a logged in user

Thanks for updating us and please let me know if you get a response as I would be interested if there is a way to fix this and if there is something you would like us to try.

Matt Debont
Application Developer
Joint Nature Conservation Committee, Monkstone House, City Road, Peterborough PE1 1JY, UK

15

Re: WMS as a logged in user

Will do Matt. For now I've released it without the login functionality. For anyone interested, there's a demo here: http://youtu.be/J8HMJvaKZbI

Richard Burkmar
Biodiversity Project Officer
Field Studies Council