Hi,
I have seen that people would like to disable the vector formats from
GetFeatureInfo:
<GetFeatureInfo>
<Format>text/plain</Format>
<Format>application/vnd.ogc.gml</Format>
<Format>application/vnd.ogc.gml/3.1.1</Format>
<Format>text/html</Format>
<Format>application/json</Format>
Would mean GML and geojson.
-Jukka Rahkonen-
________________________________
Christian Mueller wrote:
Hi Andrea
Yes, security orientated. I prefer the white list, did you expect the opposite
:-)
The restriction is done at the service level. If there is a strong demand for
finer granularity, we can add the functionality on a layer level later, using
the service configuration as a default for all layers.
About getFeatureInfo:
At the moment it is possible to disable getFeatureInfo at all, so far so good.
The code for this kind of request uses a default content type, no service
exception is thrown.
What should happen for a getFeatureInfo request if the content type is not
allowed? Should we trigger a Service Exception or return nothing?
If there is a demand for adding format restrictions for getFeatureInfo at the
service level, this would be the best point of time to do it. Let me know.
Cheers
Christian
On Fri, May 30, 2014 at 3:55 PM, Andrea Aime <[email protected]> wrote:
On Fri, May 30, 2014 at 2:51 PM, Christian Mueller <[email protected]> wrote:
Hi all
A customer of mine wants to sponsor WMS GetMap output format restrictions and I
want to start this work during the weekend.
The theme is not a new one, I found some mail threads
http://osgeo-org.1560.x6.nabble.com/WMS-output-format-restrictions-td3796402.html
http://sourceforge.net/p/geoserver/mailman/geoserver-users/thread/[email protected]/
There is also an issue about the topic
http://jira.codehaus.org/browse/GEOS-4592
My investigations so far
1) GEOS-4592 proposes a black listing of formats. I would prefer a white
listing of mime types. Implementations of org.geoserver.wms.GetMapOutputFormat
are injected by Spring and as a consequence, output formats can be added by
extensions.
Ok, security oriented setup eh?
In the end both work, some people will find it annoying if all they wanted was
to get rid of a certain format, but security oriented people will be concerned
that new plugins or upgrades
will result in undesired formats.
2) I would like to store the white list in org.geoserver.wms.WMSInfo like the
"Limited SRS list". An empty white list means all formats are allowed (this is
the default)
Yep. So this will be done at the service level, not at the layer level, right?
(not against it, just asking).
Wondering, are you planning to have a separate white list for each request?
GetMap and GetFeatureInfo have separate sets of output formats.
Or are you going to work on GetMap only?
3) I think I can find all supported mime types by retrieving all
implementations of GetMapOutputFormat from the Spring context and collecting
the result of the method getMimeType(). On the WMSAdminPage I would implement a
CheckBox "Allowed mime types". The default value of this CheckBox is unchecked.
If checked, I want to dynamically add a list of check boxes representing each
mime type.
Yep
4) If the white list is not empty, the WMS capabilities document contains only
allowed format names, retrieved by GetMapOutputFormat.getOutputFormatNames().
Ok
5) A nice place to check the mime type would be
org.geoserver.wms.GetMap.getDelegate(). If the mime type of the producer is not
in the white list, I would throw a ServiceException. The problem I have is how
to get the WSInfo object (global or workspace specific). Any hints?
WMS.getServiceInfo()
6) Is it enough to open a JIRA issue or should I write a GSIP on github?
No strong opinion here, I'm happy with the mail
Cheers
Andrea
--
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
--
DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH
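
The allow-list semantics discussed in this thread, as an added example (not GeoServer code and not written by any of the posters). It models points 2, 4 and 5 of the proposal and contrasts them with a deny list when an extension registers a new format. All class and method names, the sample MIME types and the use of IllegalArgumentException in place of a ServiceException are assumptions made for illustration.

```java
import java.util.*;

// Hypothetical model of the proposal; names are illustrative, not GeoServer's API.
public class FormatAllowListDemo {

    static String normalize(String mimeType) {
        return mimeType.trim().toLowerCase(Locale.ROOT);
    }

    /** Allow-list semantics from the thread: an empty list means every format is allowed. */
    static boolean allowed(Set<String> allowList, String mimeType) {
        return allowList.isEmpty() || allowList.contains(normalize(mimeType));
    }

    /** Deny-list semantics (the GEOS-4592 style), kept here only for comparison. */
    static boolean allowedByDenyList(Set<String> denyList, String mimeType) {
        return !denyList.contains(normalize(mimeType));
    }

    /** Formats to advertise in the capabilities document (point 4). */
    static List<String> advertised(Set<String> allowList, Collection<String> registered) {
        List<String> out = new ArrayList<>();
        for (String f : registered) if (allowed(allowList, f)) out.add(f);
        return out;
    }

    /** Request-time check (point 5): reject rather than fall back to a default format. */
    static void checkRequest(Set<String> allowList, String requested) {
        if (!allowed(allowList, requested))
            throw new IllegalArgumentException("Format not allowed: " + requested);
    }

    public static void main(String[] args) {
        // Constructed sample data: registered formats after an extension has been installed.
        List<String> registered = new ArrayList<>(
                List.of("image/png", "image/jpeg", "application/pdf"));
        registered.add("application/x-newformat"); // hypothetical format added by a plugin

        Set<String> allowList = Set.of("image/png", "image/jpeg");
        Set<String> denyList = Set.of("application/pdf");

        System.out.println("allow list advertises: " + advertised(allowList, registered));
        System.out.println("deny list admits plugin format: "
                + allowedByDenyList(denyList, "application/x-newformat"));
        System.out.println("empty allow list advertises: " + advertised(Set.of(), registered));
        try {
            checkRequest(allowList, "application/x-newformat");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The third line of output shows the fail-open default: with an empty allow list, the plugin-added format is advertised and served like any other.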