
Security in MapFile Generator (Versions 6.1.2 and previous)

 

Note: These directions apply to versions 6.1.2 and previous.  For current versions, security must be implemented manually via WCF.  Alternatively, you can install the MapFile Generator in your development environment and leave it unsecured, but do not leave it unsecured in your production environment.

 

The MapFile Generator is installed with authentication turned off.  This means that anyone with access to this web server can add, edit, and delete dynamically created maps.  Therefore it is advisable that authentication be enabled.  To require logging in, set the ForceLogin setting in the MapFile Generator web.config file to 'true'.  This file is located in the install directory of the MapFile Generator.  Note that this only enables the login web interface.  To enable actual authentication in MDNS, review the Web Service Security page.

 

At this point, if the application is configured to require logging in, a page will appear with a prompt:

 

[Image: Login Control]

 

The account must be on the MapDotNet Server machine, or on the domain and with rights to access the machine.  On installation, MapDotNet Server does no filtering as to which users have access to these administrative services.  To filter access, you must edit a settings file for the web service.  This file is located at:

 

<MapDotNet Server Install Directory>\MapDotNetServer Web Service\wse3policyCache.config

 

Under the 'policies' section, locate the 'MapDotNetServer AdminService' policy.  The default setting is to allow all users.  Users can be denied or allowed based on their user account or a group they belong to.  Here is an example:

 

<policy name="MapDotNetServer AdminService">
 <authorization>
  <allow user="mydomain\myuser" />
  <deny user="*" />
 </authorization>
 <usernameOverTransportSecurity />
 <requireActionHeader />
</policy>

 

This will allow the user "mydomain\myuser", but deny everyone else.  For more details see the Microsoft documentation:

 

http://msdn2.microsoft.com/en-us/library/aa529560.aspx
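To confirm that the policy edit described above actually restricts the admin service, the following added example (not part of the original page or of MapDotNet Server) parses the text of a policy file and reports who is allowed. The function names and sample documents are constructed for illustration; the `role` attribute is the WSE 3.0 form for group-based rules, and the check assumes rules are read top-down as in the page's example.

```python
import xml.etree.ElementTree as ET

POLICY_NAME = "MapDotNetServer AdminService"  # policy name given on this page

# Constructed sample inputs (not taken from a real server).
OPEN_POLICY = """<policies>
 <policy name="MapDotNetServer AdminService">
  <authorization>
   <allow user="*" />
  </authorization>
  <usernameOverTransportSecurity />
  <requireActionHeader />
 </policy>
</policies>"""
LOCKED_POLICY = OPEN_POLICY.replace(
    '<allow user="*" />',
    '<allow user="mydomain\\myuser" />\n   <deny user="*" />')

def local(tag):
    """Strip an XML namespace prefix such as '{ns}policy' -> 'policy'."""
    return tag.rsplit("}", 1)[-1]

def audit_admin_policy(xml_text, policy_name=POLICY_NAME):
    """Return (restricted, allowed, findings) for the named policy."""
    root = ET.fromstring(xml_text)
    policy = next((e for e in root.iter()
                   if local(e.tag) == "policy" and e.get("name") == policy_name), None)
    if policy is None:
        return False, [], ["policy '%s' not found" % policy_name]
    auth = next((e for e in policy if local(e.tag) == "authorization"), None)
    if auth is None:
        return False, [], ["no <authorization> element: nobody is filtered"]
    allowed, findings, deny_all = [], [], False
    for rule in auth:
        kind = local(rule.tag)
        who = rule.get("user") or rule.get("role")  # role = group-based rule
        if kind == "deny" and rule.get("user") == "*":
            deny_all = True
        elif kind == "allow" and not deny_all:
            allowed.append(who)
            if who == "*":
                findings.append('<allow user="*"> admits every account')
        elif kind == "allow":  # assumption: top-down evaluation, so this never applies
            findings.append('<allow> for %s comes after <deny user="*">' % who)
    if not deny_all:
        findings.append('no <deny user="*"> catch-all')
    return not findings, allowed, findings
```

Pass the function the contents of wse3policyCache.config after each change; a result whose first element is False lists the reasons in its third element.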

 

Additional Security Precautions

 

The login portion of the MapFile Generator sends the username and password over the network unencrypted to the MapDotNet Server Web Service.  Additionally, the MapFile source is transferred to and from the page unencrypted.  This may include database usernames and passwords.  Therefore, if there are any concerns over the security of the network, it is recommended that the MapDotNet Server Web Service run under a secure hypertext transfer session (HTTPS).

Last modified at 11/11/2008 6:12 PM  by WEB\mark