Re: [Geoserver-users] Remove Layer Preview from Login Page (SOLVED)
Hi Jukka,

actually, the customer just wants to disable anonymous access to Layer Preview. For them, that is kind of a security feature. However, as Andrea pointed out, it's not, since users could still access all unsecured data through OGC services.

Currently, the customer and its security officer are fine with only removing anonymous access to Layer Preview (which hands out data on a silver platter), so I'm fine with that, too. They are not willing to invest in a full-blown data-level or service-level security concept, which will affect many of their clients.

Yes, KML is one of the problematic formats for the customer (can simply be added to Google Earth and published). On the other hand, some users actually need KML for their daily work, so simply removing KML (which I know about) is not an option.

Carsten

On 01.07.2023 at 19:40, Rahkonen Jukka wrote:

Hi,

Did I understand right that what you want to achieve is to disable the KML outputformat for WMS? Have you considered restricting the allowed MIME types?
https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#restricting-mime-types-for-getmap-and-getfeatureinfo-requests

-Jukka Rahkonen-

*From:* Carsten Klein
*Sent:* Saturday, 1 July 2023 16:27
*To:* Andrea Aime; Jody Garnett
*Cc:* geoserver-users@lists.sourceforge.net
*Subject:* Re: [Geoserver-users] Remove Layer Preview from Login Page (SOLVED)

Hi Andrea, hi Jody,

actually, the solution to the anonymous Layer Preview problem is quite simple and relies on GeoServer's built-in Security capabilities only. Under *Security* -> Authentication, adding a new HTML Filter Chain "webPreview" for path (ANT pattern) "/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage" is the first step. I also checked "Allow creation of an HTTP session for storing the authentication token" (don't know whether it's really required). Finally, I've added Chain filters "rememberme" and "form" in that order.

Obviously, that new filter chain must be positioned before the "web" filter chain (which is for path "/web/**" and allows for anonymous access).

With that chain in place, clicking on the Layer Preview link while not being authenticated just forwards you to the FORM login page org.geoserver.web.GeoServerLoginPage. Layer Preview is no longer accessible anonymously... :-)

I did the same for pages for *Demos* -> Demo requests and *Demo* -> WCS request builder.

As mentioned before, several German companies I know about are facing the same problem. Maybe it's worth mentioning that procedure in the docs somewhere under "Running in a production environment".

Regards,
Carsten

___
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Re: [Geoserver-users] Remove Layer Preview from Login Page (SOLVED)
Hi,

Did I understand right that what you want to achieve is to disable the KML outputformat for WMS? Have you considered restricting the allowed MIME types?
https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#restricting-mime-types-for-getmap-and-getfeatureinfo-requests

-Jukka Rahkonen-

From: Carsten Klein
Sent: Saturday, 1 July 2023 16:27
To: Andrea Aime; Jody Garnett
Cc: geoserver-users@lists.sourceforge.net
Subject: Re: [Geoserver-users] Remove Layer Preview from Login Page (SOLVED)

Hi Andrea, hi Jody,

actually, the solution to the anonymous Layer Preview problem is quite simple and relies on GeoServer's built-in Security capabilities only. Under Security -> Authentication, adding a new HTML Filter Chain "webPreview" for path (ANT pattern) "/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage" is the first step. I also checked "Allow creation of an HTTP session for storing the authentication token" (don't know whether it's really required). Finally, I've added Chain filters "rememberme" and "form" in that order.

Obviously, that new filter chain must be positioned before the "web" filter chain (which is for path "/web/**" and allows for anonymous access).

With that chain in place, clicking on the Layer Preview link while not being authenticated just forwards you to the FORM login page org.geoserver.web.GeoServerLoginPage. Layer Preview is no longer accessible anonymously... :-)

I did the same for pages for Demos -> Demo requests and Demo -> WCS request builder.

As mentioned before, several German companies I know about are facing the same problem. Maybe it's worth mentioning that procedure in the docs somewhere under "Running in a production environment".

Regards,
Carsten

Re: [Geoserver-users] Remove Layer Preview from Login Page (SOLVED)
On Sat, Jul 1, 2023 at 3:37 PM Ian Turton wrote:

> Please make the change to the documentation, then everyone will benefit from your work

With a big red warning stating that's not proper security, please: it will only fool users that can't build OGC requests.

Cheers
Andrea

--
Regards,
Andrea Aime
Technical Lead, GeoSolutions Group

Re: [Geoserver-users] Remove Layer Preview from Login Page (SOLVED)
On Sat, 1 Jul 2023 at 14:29, Carsten Klein wrote:

> Hi Andrea, hi Jody,
>
> actually, the solution to the anonymous Layer Preview problem is quite simple and relies on GeoServer's built-in Security capabilities only. Under *Security* -> Authentication, adding a new HTML Filter Chain "webPreview" for path (ANT pattern) "/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage" is the first step. I also checked "Allow creation of an HTTP session for storing the authentication token" (don't know whether it's really required). Finally, I've added Chain filters "rememberme" and "form" in that order.
>
> Obviously, that new filter chain must be positioned before the "web" filter chain (which is for path "/web/**" and allows for anonymous access).
>
> With that chain in place, clicking on the Layer Preview link while not being authenticated just forwards you to the FORM login page org.geoserver.web.GeoServerLoginPage. Layer Preview is no longer accessible anonymously... :-)
>
> I did the same for pages for *Demos* -> Demo requests and *Demo* -> WCS request builder.
>
> As mentioned before, several German companies I know about are facing the same problem. Maybe it's worth mentioning that procedure in the docs somewhere under "Running in a production environment".

Please make the change to the documentation, then everyone will benefit from your work

Ian

> Regards,
> Carsten

--
Ian Turton

Re: [Geoserver-users] Remove Layer Preview from Login Page (SOLVED)
Hi Andrea, hi Jody,

actually, the solution to the anonymous Layer Preview problem is quite simple and relies on GeoServer's built-in Security capabilities only. Under *Security* -> Authentication, adding a new HTML Filter Chain "webPreview" for path (ANT pattern) "/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage" is the first step. I also checked "Allow creation of an HTTP session for storing the authentication token" (don't know whether it's really required). Finally, I've added Chain filters "rememberme" and "form" in that order.

Obviously, that new filter chain must be positioned before the "web" filter chain (which is for path "/web/**" and allows for anonymous access).

With that chain in place, clicking on the Layer Preview link while not being authenticated just forwards you to the FORM login page org.geoserver.web.GeoServerLoginPage. Layer Preview is no longer accessible anonymously... :-)

I did the same for pages for *Demos* -> Demo requests and *Demo* -> WCS request builder.

As mentioned before, several German companies I know about are facing the same problem. Maybe it's worth mentioning that procedure in the docs somewhere under "Running in a production environment".

Regards,
Carsten
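
Added example (not part of the thread and not GeoServer code): a small Python model of ordered, first-match chain selection as the post describes it, showing why "webPreview" has to sit before "web" and that an OGC endpoint stays anonymous either way, which is the caveat Andrea raises. The filter list of the "web" chain, the catch-all "default" chain, the sample path `/wms` and the Ant matcher are assumptions made for illustration.

```python
import re

PREVIEW = "/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage"

# Chains as (name, Ant pattern, filters). "webPreview" and the "/web/**"
# pattern come from the thread; the "web" filter list and the catch-all
# "default" chain are assumptions for this model.
WEB_PREVIEW = ("webPreview", PREVIEW, ["rememberme", "form"])
WEB = ("web", "/web/**", ["rememberme", "anonymous"])
DEFAULT = ("default", "/**", ["basic", "anonymous"])

# Ant wildcards and the regex fragment each one stands for.
TOKENS = {"/**": "(?:/.*)?", "**": ".*", "*": "[^/]*", "?": "[^/]"}

def ant_to_regex(pattern):
    """Translate an Ant-style path pattern (?, *, **) into a compiled regex."""
    parts = re.split(r"(/\*\*|\*\*|\*|\?)", pattern)
    return re.compile("".join(TOKENS.get(p, re.escape(p)) for p in parts) + r"\Z")

def select_chain(chains, path):
    """Return the first chain whose pattern matches: order decides, not specificity."""
    for chain in chains:
        if ant_to_regex(chain[1]).match(path):
            return chain
    return None

def audit(chains, paths):
    """Map each path to (chain name, whether an anonymous request is served)."""
    report = {}
    for path in paths:
        name, _, filters = select_chain(chains, path) or (None, None, [])
        report[path] = (name, "anonymous" in filters)
    return report

SAMPLE_PATHS = [PREVIEW, "/web/", "/wms"]               # constructed sample requests
GOOD = audit([WEB_PREVIEW, WEB, DEFAULT], SAMPLE_PATHS)  # order given in the post
BAD = audit([WEB, WEB_PREVIEW, DEFAULT], SAMPLE_PATHS)   # new chain placed too late

if __name__ == "__main__":
    for label, report in (("webPreview first", GOOD), ("web first", BAD)):
        for path, (chain, anon) in report.items():
            print(f"{label:17} chain={chain} anonymous={anon} {path}")
```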