Hi,

I understand that this suggestion is more involved in GeoServer codebase than 
GeoTools.
And I also understand you want to keep a narrow scope.

But it brings on some interesting thoughts. What about MonitoringHTTPClient?

Regards,
Roar




> On 23 Mar 2023 at 10:50, Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
> 
> Hi Roar,
> for the first round of implementation, I have no place that's actually using 
> the GeoTools HTTPClient interface.
> Given this would be a wrapper, it does not seem much of a HTTPBehavior, but 
> more of a hint, where the hint
> value would be the URLChecker to use.
> 
> Generally speaking, I'd expect it to be handled in a similar way to the 
> LoggingHTTPClient.
> 
> Cheers
> Andrea
> 
> 
> On Wed, Mar 22, 2023 at 8:49 PM Roar Brænden <roar.brenden...@gmail.com> wrote:
> Hi,
> 
> This looks like something I've been thinking about. Would love to implement 
> such a solution. Too bad I'm not in a position to do so.
> 
> Could that blocking you wanted, Jody, be handled by throwing an exception?
> 
> Should this involve an addition to the HTTPClient interface as well? How to 
> react to a failure to evaluate the URL? Should it log a message or throw an 
> exception? I suppose that is the thinking behind that SecureHTTPClient.
> 
> Often it's hard to know exactly where a URL is specified. Especially if we 
> include the XML Schema locations. Since it will be the HTTPClient that will 
> log a warning or throw an exception. How could that object get enough 
> information to give the user good feedback on which store / layer / process 
> the admin needs to change? I suppose that varies from case to case and would 
> be for a later version.
> 
> Best regards,
> Roar Brænden
> 
> 
> 
>> On 22 Mar 2023 at 19:00, Jody Garnett <jody.garn...@gmail.com> wrote:
>> 
>> Idea (feel free to indicate if it is out of scope).
>> 
>> Environmental variables were introduced to control access for entity 
>> resolution:
>> - It may be possible to replace these with the new URLChecker and simplify 
>> the application. Or;
>> - show them as a URLChecker that cannot be disabled in the user interface 
>> (to make it clear they are in play)
>> 
>> Reference: 
>> https://docs.geoserver.org/2.19.x/en/user/production/config.html#production-config-external-entities
>> --
>> Jody Garnett
>> 
>> 
>> On Wed, Mar 22, 2023 at 10:44 AM Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
>> Yep, makes sense, proposal updated.
>> 
>> Cheers
>> Andrea
>> 
>> On Wed, Mar 22, 2023 at 6:31 PM Jody Garnett <jody.garn...@gmail.com> wrote:
>> Indeed if you are just intended to back from a regex; then rephrase the 
>> javadoc or make the method name more clear than "evaluate": 
>> 
>>     /**
>>      * Provide implementation to evaluate location/URL/URI passed in string form
>>      *
>>      * @param location the subject of evaluation
>>      * @return true if the location is accepted, false otherwise
>>      */
>>     boolean evaluate(String location);
>> 
>> "otherwise" above indicates the location would not be accepted.
>> 
>> To clarify intent:
>> 
>>     /**
>>      * Used to confirm location is allowed for use.
>>      *
>>      * URLChecker is used to confirm if a location is allowed for use,
>>      * returning {@code true} when they recognize a location as permitted.
>>      * Several URLChecker instances are expected to be available, as long as
>>      * one URLChecker can confirm a location it is permitted for use.
>>      *
>>      * @param location Location expressed as URL, URI or path.
>>      * @return {@code true} indicates the URLChecker can confirm the
>>      *     location is allowed for use, {@code false} indicates the URLChecker is
>>      *     unable to confirm.
>>      */
>>     boolean confirm(String location);
>> 
>> --
>> Jody Garnett
>> 
>> 
>> On Wed, Mar 22, 2023 at 10:07 AM Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
>> Hi Jody,
>> while the suggestion seems to clarify things, it seems to me it's making the 
>> implementation harder.
>> 
>> With a regular expression based system, how do you distinguish BLOCK and 
>> NO_OPINION (imagine we'd have different implementations, one based on 
>> regexes for user configured sites, and another one for the well known schema 
>> sites, such as schemas.opengis.org and xml.org, or a dynamic one allowing a 
>> store to declare that the server it's talking to is safe).
>> 
>> The idea here is that the URL is now allowed, unless explicitly approved. 
>> All that we're looking for is a "yes".
>> The problem with the other state, is that it's really just "not yes", 
>> without any extra useful semantic attached to it.
>> 
>> Having a state like "BLOCK" would imply the implementation is based on a 
>> black list instead (anything but not this one).
>> Do you have a use case for it?
>> 
>> Cheers
>> Andrea
>> 
>> 
>> 
>> On Wed, Mar 22, 2023 at 5:45 PM Jody Garnett <jody.garn...@gmail.com> wrote:
>> The URL checker has a yes/no response - but is written as a yes/don’t care - 
>> since to access only one URL checker needs to say yes. 
>> 
>> To address feedback:
>> - Adjust javadoc, or
>> - Provide three states: ALLOW, BLOCK, NO_OPINION
>> 
>> My preference is to return an Enum even if just two states are permitted to 
>> prevent any confusion. 
>> 
>> On Wed, Mar 22, 2023 at 9:15 AM Andrea Aime <andrea.a...@geosolutionsgroup.com> wrote:
>> Hi all, 
>> this is a revival of the old GSIP-189, a bit modernized, with a smaller 
>> initial scope (that should help us get an implementation going safeguarding 
>> some remote access functionality sooner rather than later).
>> 
>> Please review, discuss, vote:
>> https://github.com/geoserver/geoserver/wiki/GSIP-218
>> 
>> Best regards
>> Andrea
>> 
>> ==
>> GeoServer Professional Services from the experts!
>> Visit http://bit.ly/gs-services-us <http://bit.ly/gs-services-us> for more 
>> information.
>> ==
>> 
>> Ing. Andrea Aime 
>> @geowolf
>> Technical Lead
>> 
>> GeoSolutions Group
>> phone: +39 0584 962313
>> fax:     +39 0584 1660272
>> mob:   +39  339 8844549
>> 
>> https://www.geosolutionsgroup.com/ <https://www.geosolutionsgroup.com/>
>> http://twitter.com/geosolutions_it <http://twitter.com/geosolutions_it>
>> -------------------------------------------------------
>> 
>> With reference to the legislation on the processing of personal data (EU 
>> Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note 
>> that every circumstance pertaining to this email (its content, any 
>> attachments, etc.) is data whose knowledge is reserved to the sole 
>> recipient(s) indicated by the sender. If the message has reached you by 
>> mistake, you are required to delete it; any other operation is unlawful. I 
>> would nevertheless be grateful if you could let me know.
>> 
>> This email is intended only for the person or entity to which it is 
>> addressed and may contain information that is privileged, confidential or 
>> otherwise protected from disclosure. We remind that - as provided by 
>> European Regulation 2016/679 “GDPR” - copying, dissemination or use of this 
>> e-mail or the information herein by anyone other than the intended recipient 
>> is prohibited. If you have received this email by mistake, please notify us 
>> immediately by telephone or e-mail
>> _______________________________________________
>> GeoTools-Devel mailing list
>> GeoTools-Devel@lists.sourceforge.net 
>> <mailto:GeoTools-Devel@lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/geotools-devel 
>> <https://lists.sourceforge.net/lists/listinfo/geotools-devel>
>> _______________________________________________
>> Geoserver-devel mailing list
>> geoserver-de...@lists.sourceforge.net 
>> <mailto:geoserver-de...@lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel 
>> <https://lists.sourceforge.net/lists/listinfo/geoserver-devel>
> 
> 

_______________________________________________
GeoTools-Devel mailing list
GeoTools-Devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geotools-devel
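
The allow-list semantics discussed in this thread (a checker can only say "yes", and one "yes" among several checkers is enough), as an added example that is not code from GSIP-218, GeoServer or GeoTools. `URLChecker` and `confirm` follow the Javadoc quoted above; `RegexURLChecker`, `isAllowed` and the sample patterns and locations are hypothetical.

```java
import java.util.List;
import java.util.regex.Pattern;

public class URLCheckerDemo {

    /** Mirrors the single-method contract quoted in the thread. */
    interface URLChecker {
        /** @return true only when this checker recognizes the location as permitted */
        boolean confirm(String location);
    }

    /** Hypothetical regex-backed checker: it can say "yes", never "block". */
    static final class RegexURLChecker implements URLChecker {
        private final Pattern pattern;

        RegexURLChecker(String regex) {
            this.pattern = Pattern.compile(regex);
        }

        @Override
        public boolean confirm(String location) {
            // matches() tests the whole string, so an approved URL embedded in
            // another host's query string or host name is not confirmed.
            return location != null && pattern.matcher(location).matches();
        }
    }

    /** Deny by default: a location is usable only if some checker confirms it. */
    static boolean isAllowed(List<URLChecker> checkers, String location) {
        return checkers.stream().anyMatch(c -> c.confirm(location));
    }

    public static void main(String[] args) {
        // Constructed sample patterns and locations (assumptions for illustration).
        List<URLChecker> checkers = List.of(
                new RegexURLChecker("^https?://schemas\\.opengis\\.net/.*$"),
                new RegexURLChecker("^https://maps\\.example\\.org/wms\\?.*$"));

        String[] samples = {
            "http://schemas.opengis.net/wfs/2.0/wfs.xsd",
            "https://maps.example.org/wms?service=WMS&request=GetCapabilities",
            "https://other.example.com/?u=http://schemas.opengis.net/",
            "http://schemas.opengis.net.example.com/wfs.xsd",
            "file:///data/private.xml"
        };
        for (String s : samples) {
            System.out.println((isAllowed(checkers, s) ? "ALLOW " : "DENY  ") + s);
        }
    }
}
```

With no checker configured, `isAllowed` returns false for every location, which is the "not yes" default the thread describes.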
