[Chameleon] Security Question

Paul Spencer pspencer at dmsolutions.ca
Tue Feb 22 12:00:45 EST 2005


Um.  We haven't done a lot with the JSAPI widget lately, but I can 
certainly believe that it might do this.

The JSAPI mode was added when Chameleon was an OGC-only environment, 
i.e. all the layers were WMS layers.  Since we now allow any MapServer 
layer, it is probably doing some inappropriate things.

I suspect that you can fix this temporarily by editing:

chameleon/htdocs/widgets/cwcjsapi/cwcjsapi.widget.php

and removing line 208 which reads:

$szLayerInfo .="aLayerconnection[".$i."] = '" .  $poLayer->connection . "';\n";


Cheers

Paul

c p wrote:
> Eric,
> 
> I'm not sure which widget is doing this.. from the method name I'm
> guessing it's the JSAPI widget(s)? that causes it.  I'm just learning
> Chameleon so I've just been modifying the basic JSAPI sample app
> distributed with Chameleon v2.0.   The generated javascript method
> which contains the map file definition is:
> 
> /**
>  * CWCJSAPIWInit
>  * called to initialize the JS API widget
>  */
> function CWCJSAPIWInit()
> {
>   ....
> 
> 
> Corey
> 
> 
> On Sat, 19 Feb 2005 07:57:45 -0500, Eric Bridger <eric at gomoos.org> wrote:
> 
>>Corey,
>>
>>We have deployed a number of Chameleon applications and I cannot find any display of the connection string in the html source in them.
>>Do you have any idea which widget is doing this?
>>
>>Eric
>>
>>At 11:05 AM 02/19/2005 +0100, Bart van den Eijnden wrote:
>>
>>>Hi,
>>>
>>>one way of working around this would be setting up a Mapserver WMS around
>>>your PostGIS data source, and using a WMS client layer in your Chameleon
>>>MAP file.
>>>
>>>But I am sure there will be easier ways/fixes .....
>>>
>>>Best regards,
>>>Bart
>>>
>>>On Fri, 18 Feb 2005 14:26:02 -0700, c p <cplists at gmail.com> wrote:
>>>
>>>
>>>>Hi again...
>>>>
>>>>I noticed if I view the source of the generated html & javascript in
>>>>my web browser that the layer definitions from my mapfile are embedded
>>>>in the javascript including the connection string (including username
>>>>and password(!!)) for postgis data sources.
>>>>
>>>>Is this a known issue?  How does one work around this?
>>>>
>>>>Thanks,
>>>>Corey
>>
>>

-- 
+-----------------------------------------------------------------+
|Paul Spencer                           pspencer at dmsolutions.ca   |
+-----------------------------------------------------------------+
|Applications & Software Development                              |
|DM Solutions Group Inc                 http://www.dmsolutions.ca/|
+-----------------------------------------------------------------+
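
Added example, not part of the original thread and not Chameleon code: a check that scans the HTML/JavaScript a deployment actually serves for the aLayerconnection assignments emitted by the widget line quoted above, and reports any that carry credentials. The function name, the sample page and every value in it are constructed for illustration; the URL-credential case goes beyond the PostGIS case raised in the thread.

```python
import re

# Assignment emitted by the widget line quoted in the message:
#   aLayerconnection[<i>] = '<connection>';
ASSIGNMENT = re.compile(r"aLayerconnection\[(\d+)\]\s*=\s*'([^']*)'")
# keyword=value pairs as used in a PostGIS CONNECTION string.
KEYWORD = re.compile(r"\b(user|password|dbname|host|port)\s*=\s*\S+", re.I)
# Credentials embedded in a URL (e.g. a WMS endpoint behind basic auth).
URL_CREDS = re.compile(r"^[a-z][a-z0-9+.-]*://[^/@\s:]+:[^/@\s]+@", re.I)


def find_leaked_connections(page_source):
    """Return (layer_index, reason) for each connection value exposing credentials."""
    findings = []
    for match in ASSIGNMENT.finditer(page_source):
        index, value = int(match.group(1)), match.group(2)
        keys = {k.lower() for k in KEYWORD.findall(value)}
        if "password" in keys:
            findings.append((index, "database password in connection string"))
        elif "user" in keys:
            findings.append((index, "database user in connection string"))
        elif URL_CREDS.match(value):
            findings.append((index, "credentials embedded in URL"))
    return findings


# Constructed sample of generated page source; all hosts and secrets are made up.
SAMPLE_PAGE = """
function CWCJSAPIWInit()
{
aLayerconnection[0] = 'http://wms.example.org/cgi-bin/mapserv?map=/maps/base.map';
aLayerconnection[1] = 'user=gisuser password=EXAMPLE-ONLY dbname=gis host=db.example.org';
aLayerconnection[2] = '';
aLayerconnection[3] = 'http://viewer:EXAMPLE-ONLY@wms.example.org/wms';
}
"""

if __name__ == "__main__":
    for index, reason in find_leaked_connections(SAMPLE_PAGE):
        print(f"layer {index}: {reason}")
```

Run it against the saved source of each published page after changing the widget; an empty result means no aLayerconnection value with credentials reached the browser.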

