[Geoserver-users] H2 JAR version upgrade

[Raif S. Naffah]

hi all,

i recently upgraded from GS 2.2.5 to 2.8.3 (w/ JDK 8) and everything
works fine.  now i'd like to start using 'h2gis' [1] and its GS
data-store [2].

the (potential) problem i'm facing is the version of the 'H2'.  in
the standard GS 2.8.3 release the H2 JAR is at 1.1.119 and is present
in the webapp's lib.  'h2gis' uses a newer version of H2 (1.4.189) which
has an incompatible (disk format) w/ the one used in 1.1.  H2 also
provides a utility to 'upgrade database from 1.1...' [3].

this thread [4] (which i believe is still relevant) suggests that H2 is
only used in specific use-cases...

QUOTE
...once a data directory
is converted to use it (either because of superoverlays or gwc
metastore) you cannot go back.
UNQUOTE

in my case, after upgrading to GS 2.8.3 (re-using a copy of the
data-dir previously used by GS 2.2.5, which in turn was a copy of the
same data-dir used by GS 1.5.4) i tried:

* removing the h2-1.1.119 JAR, and separately
* replacing it w/ a newer version (1.4.191)

everything continues to work fine in both instances.  this, empirically
at least, tells me that my data-dir is not using any 'feature' that
would otherwise cause an H2 database to be generated.

my questions are --and thanks for reading so far :-)

* is there a reliable check to apply _before_ upgrading to ensure a
  data-dir will continue to be operational after the upgrade?

  i guess if an H2 database when created/used is always in a specific
  location w/in the data-dir then checking for the presence of such
  file system object should be enough.  is this the case?

* has any body attempted migrating to a newer version of H2, had to use
  the (H2) upgrade utility to 'fix' a GS data-dir, and would like to
  share their experience?


[1] http://www.h2gis.org/
[2] https://github.com/orbisgis/h2gis-gs
[3] http://h2database.com/html/download.html
[4]
https://sourceforge.net/p/geoserver/mailman/geoserver-devel/thread/4C2070F7.4000507%40opengeo.org/#msg25582876


TIA + cheers;
rsn


pgp2PbE4prVxg.pgp
Description: OpenPGP digital signature
--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

[Geoserver-users] Calling GetMap request from a WebAPI

[Deepti Puri]

I am working on a web mapping application which is build on Leaflet and
Angular JSP libraries and relies on ArcGIS Map Services. We get token from
ArcGIS's gettoken API through a WebAPI and that token is passed to
subsequent calls of Leaflet to map services directly.

Since we are replacing ESRI services with Geoserver WMS but want to keep
the services secure, we decided to pass all the map requests through WebAPI
requests (Also this help in creating functionalities similar to GIS map
services e.g. dynamic layer controls and legends instead of
getLEgendgraphics).

Currently I am working on getting the map images through WMS's GetMap
request. Is it returning only PNG through API request to Leaflet will be
workable in scenario with passed bbox, SRS and Zoom? Is there any plugin or
an example you encounter (essentially source of image is now an API which
is fetching GetMap result as PNG)? Thanks
--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Re: [Geoserver-users] Fwd: Cannot disable security on GWC REST API

[Kevin Smith]

On Thu, Apr 7, 2016, at 12:10 PM, Jason Newmoyer wrote:
> 1. Updating rest.properties under data_dir/security to this:
>
> /**;GET=IS_AUTHENTICATED_ANONYMOUSLY
> /**;POST,DELETE,PUT=IS_AUTHENTICATED_ANONYMOUSLY
>
> This seems to have no effect. Maybe its only tied to the
> geoserver/rest endpoint?
 
Yes, the GWC and GS REST APIs are completely separate so changing the
security on one has no effect on the other.
 
> 2. Disabling security on the gwc filter chain using the admin web
>interface. Also, have tried adding the anonymous filter and
>removing the basic filter in this filter chain's settings.
>
> Oddly enough, it seems to switch itself back to default settings after
> the configuration reloads (either manual reload on server status page
> or server restart)
>
> I am testing this by using curl as described here:
> http://docs.geoserver.org/stable/en/user/geowebcache/rest/seed.html
 
That's really odd.  Before you reload the change is in effect and
gives you the behaviour you want though?  I did a quick test on 2.9
and disabling the security on the chain and adding the anonymous
filter allowed for unauthenticated access and it presists over restart
and reload.
 
You might try checking if DATA_DIR/security/config.xml is getting
updated when you save the change.
 
--
Kevin Michael Smith
smit...@draconic.ca
 
--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

[Geoserver-users] Fwd: Cannot disable security on GWC REST API

[Jason Newmoyer]

Still haven't figured this one out. Reposting. Thanks.


GeoServer 2.8.2 with Jetty 9.3

I am trying to disable authentication entirely on the geoserver/gwc/rest
endpoint to make it easier for our applications to automate cache
truncation when data updates are loaded.

I have tried:

1. Updating rest.properties under data_dir/security to this:

/**;GET=IS_AUTHENTICATED_ANONYMOUSLY
/**;POST,DELETE,PUT=IS_AUTHENTICATED_ANONYMOUSLY

This seems to have no effect. Maybe its only tied to the geoserver/rest
endpoint?

2. Disabling security on the gwc filter chain using the admin web
interface. Also, have tried adding the anonymous filter and removing the
basic filter in this filter chain's settings.

Oddly enough, it seems to switch itself back to default settings after the
configuration reloads (either manual reload on server status page or server
restart)

I am testing this by using curl as described here:
http://docs.geoserver.org/stable/en/user/geowebcache/rest/seed.html



Jason Newmoyer
Newmoyer Geospatial Solutions
843.606.0424
ja...@newmoyergeospatial.com
--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Re: [Geoserver-users] Mosaic index error

[Simone Giannecchini]

Ciao,
I would suggest you create the mosaic using a ReST call so that you are not
bitten by the long wait and/or request timeout that can happen with the GUI.

See info here:
http://docs.geoserver.org/latest/en/user/rest/examples/curl.html
http://geoserver.geo-solutions.it/multidim/en/rest/index.html


Regards,
Simone Giannecchini
==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==
Ing. Simone Giannecchini
@simogeo
Founder/Director

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob:   +39  333 8128928

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

---
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility  for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

On Thu, Mar 3, 2016 at 12:19 PM, Admire Nyakudya 
wrote:

> Hi
>
> I have a folder that has thousands of rasters and to speed up creating my
> mosaic I decided to use gdaltindex and then stick it inside the folder.
>
> Geo server seems to overwrite the shapefile that already exist. I believe
> I used to be able to do it. This makes the mosaic take time before being
> visible. The main issue is geoserver is writing an index shapefile that is
> incomplete and different to the one generated by gdaltindex.
>
> I have tested on geoserver 2.8 and 2.4
>
>
>
>
>
> --
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151=/4140
> ___
> Geoserver-users mailing list
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
>
--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Re: [Geoserver-users] GeoServer Heap memory use for large images

[Simone Giannecchini]

Dear Jonathan,
a few things in random order:

-1- 1G permsize? Do you really need it?
-2- 64MB is not the memory that GeoServer will use for a single
request (the total one I mean). It imposes a limit on the backbuffer
on which geoserver will render, hence it is an indirect limitation to
the size of the image one can request (#bands*w*h tells you the size
of the backbuffer in bytes)

This means that depending on the underlying data as well as on the
style it can use much more memory.

Aside, memory is not released instantaneously hence under load unless
you put control flow in the mix you might still get OOM errros

-3- put XMX == XMS there is no point on a server application to set
them differently it will simply make it easier to fragment heap memory
and make OOM easier ti happen.

There is more but this is just a braing dumpo of obvious things.

Regards,
Simone Giannecchini
==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==
Ing. Simone Giannecchini
@simogeo
Founder/Director

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob:   +39  333 8128928

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

---
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate.
Il loro utilizzo è consentito esclusivamente al destinatario del
messaggio, per le finalità indicate nel messaggio stesso. Qualora
riceviate questo messaggio senza esserne il destinatario, Vi preghiamo
cortesemente di darcene notizia via e-mail e di procedere alla
distruzione del messaggio stesso, cancellandolo dal Vostro sistema.
Conservare il messaggio stesso, divulgarlo anche in parte,
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità
diverse, costituisce comportamento contrario ai principi dettati dal
D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be
confidential or proprietary in nature or covered by the provisions of
privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New
Data Protection Code).Any use not in accord with its purpose, any
disclosure, reproduction, copying, distribution, or either
dissemination, either whole or partial, is strictly forbidden except
previous formal approval of the named addressee(s). If you are not the
intended recipient, please contact immediately the sender by
telephone, fax or e-mail and delete the information in this message
that has been received in error. The sender does not give any warranty
or accept liability as the content, accuracy or completeness of sent
messages and accepts no responsibility  for changes made after they
were sent or for other risks which arise as a result of e-mail
transmission, viruses, etc.


On Tue, Mar 8, 2016 at 1:48 PM, Jonathan Moules
 wrote:
> So I doubled the XMX to 12G and sure enough it can now handle 8 threads with
> no problems.
>
> But curiously, I then restarted the instance again (to throw in a second
> instance) but the very first request returned:
>
>   Rendering process failed
> java.lang.OutOfMemoryError: Java heap space
> Java heap space
>
> I've seen this during a few of my tests - the first request (sometimes first
> several) somehow comes back as being memory constrained, even though there
> are/should be no demands on GeoServer when it's received.
> Is this normal?
> Cheers,
> Jonathan
>
>
>
>  On Tue, 08 Mar 2016 11:31:43 +  wrote
> 
>
> Hi List,
> I'm experiencing some memory issues with GeoServer 2.7.1 on Linux. The
> startup settings are:
> jvm_opts=-Xms2G -Xmx6G -XX:MaxPermSize=1024m (So 6GB of Heap).
>
> I'm running some JMeter tests to make requests like this:
>
> http://localhost:8080/geoserver/wms?LAYERS=myayer=image%2Fpng8=TRUE=WMS=1.1.1=GetMap==EPSG%3A27700=404453,555869,415688,572175=3210=4659_OPTIONS=dpi:300
>
> As you can see, it's for a very large image: 3210 * 4659 at 300DPI (A3
> printing size; alas we cannot use tiles). While mostly targetted at rural
> areas there are some towns in the given areas, so well into the 10's of
> thousands of features sometimes hundreds of thousands. The data is coming
> from Oracle.
> WMS "Max rendering memory (KB)" is at 64MB (the default); I've increased
> rendering time to be up to 5 mins (the max is taking about 100 seconds).
>
> Using 5 threads in Jmeter against one instance and running tests against
> lots of different scales we're seeing a probably 10-20% of requests return:
>
> 
>   Rendering process failed
> java.lang.OutOfMemoryError: Java heap space
> Java heap space
> 
>
>
> We've also had at least one of these:
>
> 
>   Rendering process failed

Re: [Geoserver-users] onImageLoadErrorColor in OL3

[Stefano Costa]

Hi Fernando,
I guess you're question should be addressed to the openlayers users list.

On Wed, Apr 6, 2016 at 3:51 PM, Fernando Quadro  wrote:

> Hi ALL,
>
> In OL2 was used the following line of code not to display the pink screen
> when geoserver did not run.
>
> *OpenLayers.Util.onImageLoadErrorColor = "transparent";*
>
> How to do this in *OL3*?
>
> Thank you!
>
> Best regards,
>
> Fernando Quadro
> http://www.fernandoquadro.com.br
> http://br.linkedin.com/in/fernandoquadro/
>
>
> --
>
> ___
> Geoserver-users mailing list
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
>


-- 

Best regards,
Stefano Costa

==
GeoServer Professional Services from the experts!
Visithttp://goo.gl/it488V for more information.
==
Dott. Stefano Costa
Senior Software Engineer

GeoSolutions S.A.S.Via di Montramito 3/A
55054  Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
http://www.geo-solutions.ithttp://twitter.com/geosolutions_it

---
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate.
Il loro utilizzo è consentito esclusivamente al destinatario del
messaggio, per le finalità indicate nel messaggio stesso. Qualora
riceviate questo messaggio senza esserne il destinatario, Vi preghiamo
cortesemente di darcene notizia via e-mail e di procedere alla
distruzione del messaggio stesso, cancellandolo dal Vostro sistema.
Conservare il messaggio stesso, divulgarlo anche in parte,
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità
diverse, costituisce comportamento contrario ai principi dettati dal
D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely
for the attention and use of the named addressee(s) and may be
confidential or proprietary in nature or covered by the provisions of
privacy act (Legislative Decree June, 30 2003, no.196 - Italy's New
Data Protection Code).Any use not in accord with its purpose, any
disclosure, reproduction, copying, distribution, or either
dissemination, either whole or partial, is strictly forbidden except
previous formal approval of the named addressee(s). If you are not the
intended recipient, please contact immediately the sender by
telephone, fax or e-mail and delete the information in this message
that has been received in error. The sender does not give any warranty
or accept liability as the content, accuracy or completeness of sent
messages and accepts no responsibility  for changes made after they
were sent or for other risks which arise as a result of e-mail
transmission, viruses, etc.
--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Re: [Geoserver-users] Truncate LayerGroup GridSet

[Andrea Aime]

Hi Volkan,
you should look in the logs, there should be some stack trace related to
that 500 error,
copy it all and share it back on the list, it might give us some idea of
what is going on

Cheers
Andrea

On Tue, Apr 5, 2016 at 1:41 PM, Volkan Gümüs  wrote:

> Any news on this? :)
>
> Am 04.04.2016 um 12:14 schrieb Volkan Gümüs:
> > Hi,
> >
> > I have a LayerGroup with 2 GridSets (EPSG:900913 and EPSG:900913 512x512)
> >
> > I truncate the GeoWebCache of the LayerGroup over REST to
> > LayerGroup.json setting "gridSetId".
> >
> > Is there a way to reset all GridSets at once?
> >
> > I tried this: "gridSetId": ["EPSG:900913", "EPSG:900913 512x512"]
> > But it just drops me an error 500.
> >
> > Thanks! :)
> >
> >
> > Regards,
> >
> > Volkan
> >
> >
> >
> --
> > ___
> > Geoserver-users mailing list
> > Geoserver-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
> --
> Beste Grüße
>
> Volkan Gümüs
> F1-Computer.de
> Tel: 0231 223 985 60
> Fax: 0231 330 295 08
> Mail: ha...@f1-computer.de
>
>
>
> --
> ___
> Geoserver-users mailing list
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>



-- 
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via di Montramito 3/A
55054  Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39  339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.



The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility  for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

---
--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Re: [Geoserver-users] Why does geofence not block access when my rule says to DENY the method?

[Ben Caradoc-Davies]

No worries, brainstorming is welcome. We very much appreciate early 
proposals. Note that proposals for code changes might be better directed 
to the geoserver-devel list.

Kind regards,
Ben.

On 07/04/16 23:53, Walter Stovall wrote:
> Please forgive this message I sent prematurely…this is clearly half-baked…
> I need to work with my proposal more and should not have hit Send!

-- 
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand

--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Re: [Geoserver-users] Why does geofence not block access when my rule says to DENY the method?

[Walter Stovall]

Please forgive this message I sent prematurely…this is clearly half-baked…
I need to work with my proposal more and should not have hit Send!

From: Walter Stovall
Sent: Thursday, April 07, 2016 7:47 AM
To: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Why does geofence not block access when my rule 
says to DENY the method?

I’ve prototyped some code for making geofence throw a ServiceException when a 
LocalWorkspace is set on a request but the user has no access to the workspace 
in the context of this service method.  This prevents execution of the method 
altogether rather than just filtering data.  My thinking is that if your 
request is in the context of  a specific workspace, as indicated by 
LocalWorkspace AND you have NO access to ANY layers in that workspace when 
executing this method, that I’m not interfering with meaningful processing by 
throwing this exception.

This satisfies my goal of blocking execution of the method itself instead of 
filtering data.

I’ve done this by adding a call to the following method inside the 
GeofenceAccessManager.operationDispatched method…
private void rejectDisallowedOperation(Authentication user, String service, 
String request) {
WorkspaceInfo wsInfo = LocalWorkspace.get();
if (wsInfo == null) {
return;
}
String workspace = wsInfo.getName();
RuleFilter ruleFilter = new 
RuleFilter(RuleFilter.SpecialFilterType.ANY);
setRuleFilterUserOrRole(user, ruleFilter);

ruleFilter.setInstance(configurationManager.getConfiguration().getInstanceName());
if (service != null) {
if ("*".equals(service)) {
ruleFilter.setService(RuleFilter.SpecialFilterType.ANY);
} else {
ruleFilter.setService(service);
}
} else {
ruleFilter.setService(RuleFilter.SpecialFilterType.DEFAULT);
}

if (request != null) {
if ("*".equals(request)) {
ruleFilter.setRequest(RuleFilter.SpecialFilterType.ANY);
} else {
ruleFilter.setRequest(request);
}
} else {
ruleFilter.setRequest(RuleFilter.SpecialFilterType.DEFAULT);
}
ruleFilter.setWorkspace(workspace);
ruleFilter.setLayer(RuleFilter.SpecialFilterType.ANY);

String sourceAddress = retrieveCallerIpAddress();
if (sourceAddress != null) {
ruleFilter.setSourceAddress(sourceAddress);
} else {
LOGGER.log(Level.WARNING, "No source IP address found");
ruleFilter.setSourceAddress(RuleFilter.SpecialFilterType.DEFAULT);
}

LOGGER.log(Level.FINE, "Local workspace disallow filter: {0}", 
ruleFilter);

AccessInfo rule = rules.getAccessInfo(ruleFilter);
if (rule.getGrant().equals(GrantType.DENY)) {
throw new ServiceException("Access denied. Workspace " + workspace
+ " is not accessible.");
}
}

An example of how I use this would be a GF_RULE that specifies a User Role, 
Service, Method, Workspace, with access=DENY.  With the addition of the code 
above this prevents execution of the method altogether IF and only if the 
LocalWorkspace is set specifically to this workspace that the user has no 
access to.

Would this be an acceptable change to GeofenceAccessManager that I might 
contribute via a pull request?

Thanks for your consideration – Walter Stovall

From: Walter Stovall
Sent: Friday, April 01, 2016 4:52 AM
To: 'Andrea Aime'
Cc: 
geoserver-users@lists.sourceforge.net
Subject: RE: [Geoserver-users] Why does geofence not block access when my rule 
says to DENY the method?

Thank you for that detail – it helps a lot.  I’m not committed to a solution at 
this point.

I agree with you about keeping security issues out of the service code.  I’m 
just struggling for a solution that works for my requirement to block method 
execution by unauthorized users.  In this case it is the method I want to 
restrict, not the scope of the data.

Your suggestion of a separate set of rules or a flag on the rule is a good one. 
 I’d like to use geofence for all my security rather than configure separate 
code with much of the same information about users and roles, etc.  But as it 
stands, it apparently will not block a method from executing, so I need to come 
up with something.

Thanks for the feedback, Walter

From: andrea.a...@gmail.com 
[mailto:andrea.a...@gmail.com] On Behalf Of Andrea Aime
Sent: Thursday, March 31, 2016 1:53 PM
To: Walter Stovall
Cc: 
geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Why does geofence not block access when my rule 
says to DENY the method?

On Thu, Mar 31, 2016 at 6:00 PM, Walter Stovall 
> wrote:

Re: [Geoserver-users] Why does geofence not block access when my rule says to DENY the method?

[Walter Stovall]

I’ve prototyped some code for making geofence throw a ServiceException when a 
LocalWorkspace is set on a request but the user has no access to the workspace 
in the context of this service method.  This prevents execution of the method 
altogether rather than just filtering data.  My thinking is that if your 
request is in the context of  a specific workspace, as indicated by 
LocalWorkspace AND you have NO access to ANY layers in that workspace when 
executing this method, that I’m not interfering with meaningful processing by 
throwing this exception.

This satisfies my goal of blocking execution of the method itself instead of 
filtering data.

I’ve done this by adding a call to the following method inside the 
GeofenceAccessManager.operationDispatched method…
private void rejectDisallowedOperation(Authentication user, String service, 
String request) {
WorkspaceInfo wsInfo = LocalWorkspace.get();
if (wsInfo == null) {
return;
}
String workspace = wsInfo.getName();
RuleFilter ruleFilter = new 
RuleFilter(RuleFilter.SpecialFilterType.ANY);
setRuleFilterUserOrRole(user, ruleFilter);

ruleFilter.setInstance(configurationManager.getConfiguration().getInstanceName());
if (service != null) {
if ("*".equals(service)) {
ruleFilter.setService(RuleFilter.SpecialFilterType.ANY);
} else {
ruleFilter.setService(service);
}
} else {
ruleFilter.setService(RuleFilter.SpecialFilterType.DEFAULT);
}

if (request != null) {
if ("*".equals(request)) {
ruleFilter.setRequest(RuleFilter.SpecialFilterType.ANY);
} else {
ruleFilter.setRequest(request);
}
} else {
ruleFilter.setRequest(RuleFilter.SpecialFilterType.DEFAULT);
}
ruleFilter.setWorkspace(workspace);
ruleFilter.setLayer(RuleFilter.SpecialFilterType.ANY);

String sourceAddress = retrieveCallerIpAddress();
if (sourceAddress != null) {
ruleFilter.setSourceAddress(sourceAddress);
} else {
LOGGER.log(Level.WARNING, "No source IP address found");
ruleFilter.setSourceAddress(RuleFilter.SpecialFilterType.DEFAULT);
}

LOGGER.log(Level.FINE, "Local workspace disallow filter: {0}", 
ruleFilter);

AccessInfo rule = rules.getAccessInfo(ruleFilter);
if (rule.getGrant().equals(GrantType.DENY)) {
throw new ServiceException("Access denied. Workspace " + workspace
+ " is not accessible.");
}
}

An example of how I use this would be a GF_RULE that specifies a User Role, 
Service, Method, Workspace, with access=DENY.  With the addition of the code 
above this prevents execution of the method altogether IF and only if the 
LocalWorkspace is set specifically to this workspace that the user has no 
access to.

Would this be an acceptable change to GeofenceAccessManager that I might 
contribute via a pull request?

Thanks for your consideration – Walter Stovall

From: Walter Stovall
Sent: Friday, April 01, 2016 4:52 AM
To: 'Andrea Aime'
Cc: geoserver-users@lists.sourceforge.net
Subject: RE: [Geoserver-users] Why does geofence not block access when my rule 
says to DENY the method?

Thank you for that detail – it helps a lot.  I’m not committed to a solution at 
this point.

I agree with you about keeping security issues out of the service code.  I’m 
just struggling for a solution that works for my requirement to block method 
execution by unauthorized users.  In this case it is the method I want to 
restrict, not the scope of the data.

Your suggestion of a separate set of rules or a flag on the rule is a good one. 
 I’d like to use geofence for all my security rather than configure separate 
code with much of the same information about users and roles, etc.  But as it 
stands, it apparently will not block a method from executing, so I need to come 
up with something.

Thanks for the feedback, Walter

From: andrea.a...@gmail.com 
[mailto:andrea.a...@gmail.com] On Behalf Of Andrea Aime
Sent: Thursday, March 31, 2016 1:53 PM
To: Walter Stovall
Cc: 
geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Why does geofence not block access when my rule 
says to DENY the method?

On Thu, Mar 31, 2016 at 6:00 PM, Walter Stovall 
> wrote:
Thanks.  That works for most things.  But in my case I have a custom service 
that creates new workspaces and layers.  I only want authorized users to 
execute this service method.

As I see it, if the rule specifies the Service and Request but not the 
workspace or layer, the method should be blocked since it doesn’t allow access 
to anything.

I'm afraid this would lead to much confusion when 

Re: [Geoserver-users] Problem with INSPIRE xsd schema

[Ben Caradoc-Davies]

Adam,

it looks like your namespaces are incorrect. The ps namespace should be:
http://inspire.ec.europa.eu/schemas/ps/4.0

But below it looks like you have requested type with namespace:
http://inspire.ec.europa.eu/schemas/ps/4.0/ProtectedSite

Your namespace.xml also has a different namespace URI:
http://inspire.ec.europa.eu/schemas/ps

Please check that all your namespaces are correct. You may also need to 
create secondary namespaces to ensure that these are defined for the 
GeoTools encoder:
http://docs.geoserver.org/latest/en/user/data/app-schema/secondary-namespaces.html

There are also several problems with your mapping file: you use a 
namespace prefix "base" that is not defined, and one targetAttribute is 
"ps:" (no prefix, missing local name).

It would also be useful to examine the geoserver logs and look for 
exception stack traces; sometimes a strange error later may be caused by 
earlier exception that has left something in an incomplete state. First 
fix your namespaces.

Kind regards,
Ben.

On 07/04/16 19:32, Adam Mydla wrote:
> Hi,
>
> I'm working on my diploma thesis with GeoServer and complement application
> schema.
>
> When I created data store, and create a new layer program writes an error
> in the mapping file:
> "Could not list layers for this store, an error occurred retrieving them:
> java.util.NoSuchElementException: No top-level element found in Schemes: {}
> http://inspire.ec.europa.eu/schemas/ps/4.0/ProtectedSite ProtectedSite "
>
> I don´t know how to resolve because there isn´t another source
> ProtectedSites.xsd scheme download source.
>
> How I can solve this problem ?
>
> here is my mapping file for download:
> https://drive.google.com/open?id=0B1bulwJXoip1VHdxSHFyenNXLXM
>
> Adam
>
>
>
> --
>
>
>
> ___
> Geoserver-users mailing list
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>

-- 
Ben Caradoc-Davies 
Director
Transient Software Limited 
New Zealand

--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

[Geoserver-users] Problem with INSPIRE xsd schema

[Adam Mydla]

Hi,

I'm working on my diploma thesis with GeoServer and complement application
schema.

When I created data store, and create a new layer program writes an error
in the mapping file:
"Could not list layers for this store, an error occurred retrieving them:
java.util.NoSuchElementException: No top-level element found in Schemes: {}
http://inspire.ec.europa.eu/schemas/ps/4.0/ProtectedSite ProtectedSite "

I don´t know how to resolve because there isn´t another source
ProtectedSites.xsd scheme download source.

How I can solve this problem ?

here is my mapping file for download:
https://drive.google.com/open?id=0B1bulwJXoip1VHdxSHFyenNXLXM

Adam
--
___
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users