Hi Andrea

Yes, security orientated. I prefer the white list, did you expect the
opposite :-)

The restriction is done at the service level. If there is a strong demand
for finer granularity, we can add the functionality on a layer level later,
using the service configuration as a default for all layers.

About getFeatureInfo:

At the moment it is possible to disable getFeatureInfo completely, so far so
good. The code for this kind of request uses a default content type, no
service exception is thrown.
What should happen for a getFeatureInfo request if the content type is not
allowed? Should we trigger a Service Exception or return nothing?

If there is a demand for adding format restrictions for getFeatureInfo at
the service level, this would be the best point of time to do it. Let me
know.

Cheers
Christian









On Fri, May 30, 2014 at 3:55 PM, Andrea Aime <[email protected]>
wrote:

> On Fri, May 30, 2014 at 2:51 PM, Christian Mueller <
> [email protected]> wrote:
>
>> Hi all
>>
>> A customer of mine wants to sponsor WMS GetMap output format restrictions
>> and I want to start this work during the weekend.
>>
>> The theme is not a new one, I found some mail threads
>>
>>
>> http://osgeo-org.1560.x6.nabble.com/WMS-output-format-restrictions-td3796402.html
>>
>> http://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/[email protected]/
>>
>> There is also an issue about the topic
>>
>> http://jira.codehaus.org/browse/GEOS-4592
>>
>>
>> My investigations so far
>>
>> 1) GEOS-4592 proposes a black listing of formats. I would prefer a white
>> listing of mime types. Implementations
>> of org.geoserver.wms.GetMapOutputFormat are injected by Spring and as
>> a consequence, output formats can be added by extensions.
>>
>
> Ok, security oriented setup eh?
> In the end both work, some people will find it annoying if all they wanted
> was to get rid of a certain format, but security oriented people will be
> concerned that new plugins or upgrades
> will result in undesired formats.
>
>
>>
>> 2) I would like to store the white list in org.geoserver.wms.WMSInfo like
>> the "Limited SRS list". An empty white list means all formats are allowed
>> (this is the default)
>>
>
> Yep. So this will be done at the service level, not at the layer level,
> right? (not against it, just asking).
> Wondering, are you planning to have a separate white list for each
> request? GetMap and GetFeatureInfo have separate sets of output formats.
> Or are you going to work on GetMap only?
>
>
>> 3) I think I can find all supported mime types by retrieving all
>> implementations of GetMapOutputFormat from the Spring context and
>> collecting the result of the method getMimeType(). On the WMSAdminPage I
>> would implement a CheckBox "Allowed mime types". The default value of this
>> CheckBox is unchecked. If checked, I want to dynamically add a list of check
>> boxes representing each mime type.
>>
>
> Yep
>
>>
>> 4) If the white list is not empty, the WMS capabilities document contains
>> only allowed format names, retrieved by
>> GetMapOutputFormat.getOutputFormatNames().
>>
>
> Ok
>
>
>>
>> 5) A nice place to check the mime type would
>> be org.geoserver.wms.GetMap.getDelegate(). If the mime type of the producer
>> is not in the white list, I would throw a ServiceException. The problem I
>> have is how to get WSInfo object (global or workspace specific). Any hints?
>>
>
> WMS.getServiceInfo()
>
>
>>
>> 6) Is it enough to open a JIRA issue or should I write a GSIP on github?
>>
>
> No strong opinion here, I'm happy with the mail
>
> Cheers
> Andrea
>
>
> Ing. Andrea Aime
> @geowolf
> Technical Lead
>
> GeoSolutions S.A.S.
> Via Poggio alle Viti 1187
> 55054  Massarosa (LU)
> Italy
> phone: +39 0584 962313
> fax: +39 0584 1660272
> mob: +39  339 8844549
>
> http://www.geo-solutions.it
> http://twitter.com/geosolutions_it
>



-- 
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
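
The allow-list behaviour discussed in this thread, as an added example that is not part of the original messages and is not GeoServer code: it contrasts an allow list with a deny list when an extension registers a new format, and checks the resolved producer's MIME type rather than the requested name. All types and names here (OutputFormat, NotAllowed, the sample formats) are hypothetical stand-ins.

```java
import java.util.*;

public class FormatAllowListDemo {
    // Stand-ins for illustration only; these are not GeoServer types.
    record OutputFormat(String mimeType, Set<String> names) {}
    static class NotAllowed extends RuntimeException { NotAllowed(String m) { super(m); } }

    // An empty allow list means every registered format is allowed (the default).
    static boolean isAllowed(Set<String> allowList, OutputFormat f) {
        return allowList.isEmpty() || allowList.contains(f.mimeType());
    }

    // Format names that would be advertised in the capabilities document.
    static SortedSet<String> advertised(List<OutputFormat> registered, Set<String> allowList) {
        SortedSet<String> out = new TreeSet<>();
        for (OutputFormat f : registered)
            if (isAllowed(allowList, f)) out.addAll(f.names());
        return out;
    }

    // Resolve the requested name to its producer first, then check the producer's
    // MIME type, so an alias of a disallowed format is rejected as well.
    static OutputFormat resolve(List<OutputFormat> registered, Set<String> allowList, String requested) {
        for (OutputFormat f : registered) {
            if (f.names().stream().anyMatch(requested::equalsIgnoreCase)) {
                if (!isAllowed(allowList, f)) throw new NotAllowed("Format not allowed: " + f.mimeType());
                return f;
            }
        }
        throw new NotAllowed("Unknown format"); // do not echo client input
    }

    public static void main(String[] args) {
        // Constructed sample registry and settings.
        List<OutputFormat> registered = new ArrayList<>(List.of(
            new OutputFormat("image/png", Set.of("image/png", "png")),
            new OutputFormat("image/jpeg", Set.of("image/jpeg", "jpeg"))));
        Set<String> allowList = Set.of("image/png");
        Set<String> denyList = Set.of("image/jpeg");
        // An extension installed later registers one more format.
        registered.add(new OutputFormat("application/x-plugin", Set.of("application/x-plugin", "plugin")));

        System.out.println("allow list advertises: " + advertised(registered, allowList));
        long viaDeny = registered.stream().filter(f -> !denyList.contains(f.mimeType())).count();
        System.out.println("deny list leaves " + viaDeny + " formats enabled, including the new one");
        try { resolve(registered, allowList, "plugin"); }
        catch (NotAllowed e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```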