[Geoserver-users] GeoServer 1.7.1, OracleNG datastore plugin and SLD containing filters

Vanmeulebrouk_Bas · January 7, 2009, 12:19pm

Hi list,

I am trying to upgrade to GeoServer 1.7.1. I am using the OracleNG
datastore plugin. I have got an SLD containing a filter which works fine
using the "old" Oracle datastore plugin (see below), but which does not
work using the NG plugin. Images rendered by the WMS are blank. However,
if I use an SLD without a filter (for instance the polygon SLD which
comes with GeoServer), an image is rendered. Does anyone know what I am
doing wrong? Any help will be greatly appreciated.

Kind regards,

Bas Vanmeulebrouk.

The SLD which does not work in the OracleNG plugin:
<?xml version="1.0" encoding="ISO-8859-1"?>
<StyledLayerDescriptor version="1.0.0"
    xsi:schemaLocation="http://www.opengis.net/sld
StyledLayerDescriptor.xsd"
    xmlns="http://www.opengis.net/sld"
    xmlns:ogc="http://www.opengis.net/ogc"
    xmlns:xlink="http://www.w3.org/1999/xlink"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <NamedLayer>
    <Name>Beheermaatregelen</Name>
    <UserStyle>
      <Title>Beheermaatregelen style</Title>
      <Abstract>Beheermaatregelen style</Abstract>
      <FeatureTypeStyle>
        <Rule>
          <Name>Hergroei</Name>
          <ogc:Filter>
            <ogc:PropertyIsEqualTo>
              <ogc:PropertyName>BEHEER</ogc:PropertyName>
              <ogc:Literal>00</ogc:Literal>
            </ogc:PropertyIsEqualTo>
          </ogc:Filter>
          <PolygonSymbolizer>
            <Fill>
              <CssParameter name="fill">#FFFFFF</CssParameter>
              <CssParameter name="fill-opacity">0.75</CssParameter>
            </Fill>
            <Stroke>
              <CssParameter name="stroke">#6E6E6E</CssParameter>
              <CssParameter name="stroke-opacity">1.0</CssParameter>
              <CssParameter name="stroke-width">1</CssParameter>
              <CssParameter name="stroke-dasharray">1</CssParameter>
            </Stroke>
          </PolygonSymbolizer>
        </Rule>
        <Rule>
          <Name>Oogsten week 16 & 20</Name>
          <ogc:Filter>
            <ogc:PropertyIsEqualTo>
              <ogc:PropertyName>BEHEER</ogc:PropertyName>
              <ogc:Literal>01</ogc:Literal>
            </ogc:PropertyIsEqualTo>
          </ogc:Filter>
          <PolygonSymbolizer>
            <Fill>
              <CssParameter name="fill">#FFFA96</CssParameter>
              <CssParameter name="fill-opacity">0.75</CssParameter>
            </Fill>
            <Stroke>
              <CssParameter name="stroke">#6E6E6E</CssParameter>
              <CssParameter name="stroke-opacity">1.0</CssParameter>
              <CssParameter name="stroke-width">1</CssParameter>
              <CssParameter name="stroke-dasharray">1</CssParameter>
            </Stroke>
          </PolygonSymbolizer>
        </Rule>

etc. etc.

      </FeatureTypeStyle>
    </UserStyle>
  </NamedLayer>
</StyledLayerDescriptor>

Andrea_Aime3 · January 7, 2009, 12:35pm

Vanmeulebrouk, Bas ha scritto:

Hi list,
I am trying to upgrade to GeoServer 1.7.1. I am using the OracleNG
datastore plugin. I have got an SLD containing a filter which works fine
using the "old" Oracle datastore plugin (see below), but which does not
work using the NG plugin. Images rendered by the WMS are blank. However,
if I use an SLD without a filter (for instance the polygon SLD which
comes with GeoServer), an image is rendered. Does anyone know what I am
doing wrong? Any help will be greatly appreciated.

I guess you're not doing anything wrong, the NG version of the plugin
has been published exactly to find out errors that we could not
catch just by doing automated tests on it, before it replaces completely
the old oracle plugin.

Do you happen to also have a sql dump of your data for me so that
I can make some experiments and fix the problem?

Cheers
Andrea

--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.

Andrea_Aime3 · January 20, 2009, 7:31pm

Vanmeulebrouk, Bas ha scritto:

Dear Andrea,

Thank you very much for looking into this. In the attachment you will
find an export of the table I am applying the SLD to. You should be able
to load it into an Oracle database using the imp utility. If not, please
specify which format you want to receive the data in. I have also
attached the complete SLD I am using. Please let me know if you have got
questions or if I can help by trying new versions of the plugin for
instance.

Ok, found out where the issue is, and I have to say, Oracle is
always full of surprises (mostly bad ones, mostly issues that other
databases do not have).

The issue is described in some technical length here:
http://forums.sun.com/thread.jspa?threadID=5097927
http://forums.oracle.com/forums/thread.jspa?threadID=183252&tstart=0&messageID=504793

The old Oracle driver was building plain SQL statements, which
is known to be susceptible to an attack known as SQL injection
(which happens because the query string is build concatenating
strings coming from the user side, which an attacker can
eventually leverage to make damage in your database), but which
work fine in your specific case (comparison against a CHAR(N)
column).

We actually never managed to reproduce a working attack schema,
but to err on the side of safety, the new datastore was built
with prepared statements, which are no susceptible to this
kind of attack.

Now, what is happening is that with prepared statements and
columns of type CHAR the equality fails unless we use some
non JDBC standard code for setting the value of the column
to be compared (and possibly pad the string to the right
length...).

For the time being, I can suggest two workarounds:
- use varchars instead of chars
- manually pad your query strings to 10 chars, that is,
use '21 ' instead of '21' (I tried, it works)
Alternatively, use the old Oracle data store.

Fixing this will require major changes in our jdbc code,
which relies on a database to be able and respect the
standards without such wiggles as Oracle does.

I've opened a jira issue to track this, but as I said,
it won't be an easy fix to make:
http://jira.codehaus.org/browse/GEOT-2293

Cheers
Andrea

--
Andrea Aime
OpenGeo - http://opengeo.org
Expert service straight from the developers.