[Geoserver-users] Remove Layer Preview from Login Page

Hi there,

some years ago, I found a quite simple mechanism to remove the "Layer Preview" link from GeoServer's start page, BEFORE being logged on. Currently, I do not find this mechanism any more nor any documentation about it.

Any suggestions brought by Google search just mention removing read access through Security settings (Layer Security or Service Security).

However, I just want to provide access to the Layer Preview for a logged-on user. I don't want to add authentication requirements to layers or services (if a user manages to assemble a WFS request manually, he/she shall get that data... will never happen *lol*).

I believe there was a rather simple trick to let the Layer Preview menu link not show up before a user has logged in to the Web administration interface. Is it still there in a recent version (e.g. 2.22.x) and how to enable it?

Many thanks in advance,

Carsten

Hi Carsten,

I achieve this by unchecking the "Advertised" check box in every layer.

Best
Remon

_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users

Hi Remon,

Thanks for your response. However, this makes the layer also disappear from e.g. WMS GetCapabilities, which is quite essential for a geographic server (at least our - and most other - client applications rely on GetCapabilities).

Regards
Carsten

There is an option to turn the entire geoserver admin console off in the documentation:

https://docs.geoserver.org/latest/en/user/production/config.html#disable-the-geoserver-web-administration-interface

I am not sure if I have heard of an option to turn off just the layer preview before.

Jody Garnett

Hi Jody,

thanks for answering. Do you know any other way to do what I’m needing? Removing Web UI completely is not really convenient…

It’s about not providing users access to download data as vectors. That is required if GeoServer hosts unfree or even critical data.

I could allow WFS requests for ROLE_AUTHENTICATED only. I could even deal with that in my client application (which is capable of authenticating for WFS requests). But I actually do not want to add security (authentication requirements) for WMS requests (getting just dumb images is not a problem).

However, there’s one exception: KML. Although it is a WMS format (and so, it is not protected by any WFS service security rule), KML is actually a vector format, as it contains real WGS84 coordinates (maybe other WMS formats do as well). Even worse for critical data (think of line features describing North Stream pipelines blown up recently), KML can easily be imported into and publicly published by Google Earth. Even non-GIS related users can do this in minutes.

So, Layer Preview may be a “simple to exploit” security hole when dealing with critical data. In order to prevent it, one has to secure all data and/or all services. The latter is uncommon (or at least uncomfortable) for WMS using raster formats like PNG or JPEG.

What about a new option to disable Layer Preview for anonymous access? Or, as an alternative, a new boolean layer property (like “enabled” or “advertised”) named “show in preview” (defaulting to true)?

Carsten

This is an interesting challenge as geoserver really wishes to share your information :)

a) You can make a layer group opaque to contain your layer and just use it to draw, and then it is not listed anywhere (see no evil). But if you wish to provide authenticated access to WFS then this will be a little too hidden.

b) You can add your WFS authentication, and then for WMS … disable GetFeatureInfo KML, PDF, SVG and any other WMS output format you consider too sufficiently detailed :) You best lock down WMS GetFeatureInfo access as well, as that can provide GML.

c) You could set up an internal GeoServer for those authenticated users, and a more public WMS only GeoServer for sharing the imagery. Use cascading WMS to have a separation.

If you really need to “handle critical data” and only provide a visual … you may not wish to be publishing at all? There are raster to vector processing chains around after all, and WMS provides ad hoc zoom to allow edge detection with great detail.

Jody Garnett


Hi Jody, hi Andrea

thanks for these ideas. Solution b) sounds quite reasonable. On the other side, there are (authenticated) users that actually need KML from time to time.

> This is an interesting challenge as geoserver really wishes to share your information :)

That’s correct. However, in business environments you always need to define with whom to share your data.

One of our customers which operates a gas network has a new security officer (don’t like stories beginning like that…). Since they don’t want to find their network on Google Earth, they try to prevent their employees from accessing vector data in such a simple way (the server’s not accessible from the Internet). Raster to vector processing is not in focus here as it’s not considered “simple access” (at least the security officers may not even know that such “magic” is possible).

AFAIK, there are some more companies around here that are facing the same problem.

@Andrea Yes, actually building a WMS request is simple, if you’ve ever heard of WMS. However, the users in focus are actually NOT related to GIS and OGC, so they will not be able to assemble a WMS request.

And also, that’s not the point. The problem is that those companies’ security officers can see this obvious “security hole” and focus on that. Since they also have no ideas about WMS they just don’t see that removing anonymous access to Layer Preview is no real solution (and it’s a long hard way to make them see…). So, they keep insisting on removing it. Don’t you experience the same in your businesses? A company’s security requests often are far from rational but paranoid :)

Boiling this down, anonymous access to vector data with two simple clicks is often considered too easy. It’s about making it a little more difficult to get the data if you actually shouldn’t have access. Security is always the question of how much an attacker is willing to invest in order to (e.g.) steal something. You don’t always need a Fort Knox but also shouldn’t leave the front door open all the time.

Wouldn’t it be simple enough to implement that through an environment variable or a context property GUI_ENABLE_ANONYMOUS_READ_ACCESS (or likewise)? If I had more knowledge of Wicket (and time), I could provide a simple patch. Looking into the code, in GeoServerBasePage.java:281, you filterByAuth MenuPageInfo-typed beans to create the left side menu. Seems like you just need to override method getPageAuthorizer() in MapPreviewPage.java:

    protected ComponentAuthorizer getPageAuthorizer() {
        return isGUIEnableAnonymousReadAccess() ? ComponentAuthorizer.ALLOW : ComponentAuthorizer.AUTHENTICATED;
    }

Don’t laugh, it’s just an idea… I’m not in Wicket :)

Carsten

We normally don’t do “security by obscurity”, at least not by choice, closing the main door, but leaving the back window open.
If you enable WFS only to some users, they can also download KML from it, but it will be without any styling, just data, unlike the KML you could get from WMS.

I don’t believe a solution exists to block a specific output format for only certain users, but if I had to do it, I’d extend GeoFence to handle that case as well.

Regards,

Andrea Aime

==
GeoServer Professional Services from the experts!

Visit http://bit.ly/gs-services-us for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions Group
phone: +39 0584 962313

fax: +39 0584 1660272

mob: +39 339 8844549

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it


With reference to the legislation on the processing of personal data (EU Reg. 2016/679 - General Data Protection Regulation “GDPR”), please note that every circumstance relating to this email (its content, any attachments, etc.) is data whose knowledge is reserved to the sole recipient(s) indicated by the sender. If the message has reached you in error, you are required to delete it; any other operation is unlawful. I would nevertheless be grateful if you could notify me.

This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. We remind that - as provided by European Regulation 2016/679 “GDPR” - copying, dissemination or use of this e-mail or the information herein by anyone other than the intended recipient is prohibited. If you have received this email by mistake, please notify us immediately by telephone or e-mail

I wonder if control flow could manage to stop the flow for a specific output format :)

Jody Garnett

Hi Andrea,

What do you mean by “normally”? Where’s the exception? :-p
I know, not doing “security by obscurity” is no good idea.

Actually, I do not authenticate every single user in GeoServer. If we’re using WFS with security/authentication, we use the same “service account” for all clients, so I’m not able to identify different users. Also, I cannot use the client’s IP address, since they use DHCP and addresses may change over time (additionally, all VPN-connected users share a completely different subnet…). So, AFAIK, with GeoFence as well as with GS built-in security it’s difficult to target specific users while using a single service account.

After all, I was just looking for a really simple solution w/o the need to implement a full blown user and right management (e.g. making all 500+ users known to GeoServer). Finally, the customer is likely not willing to pay for such a huge change, while a simpler solution exists…

Customer: “… just remove that link… cannot be that difficult…”
Me: “no, it’s simple, but maintainers dislike…”

So, I can understand both sides. Nevertheless, I’m screwed, since, at the end, I cannot implement any solution for the problem.

What if this change (remove anonymous Layer Preview) will have nothing to do with security? It’s just a UI tweak/improvement? Like Jody’s recent Start Page overhaul?

I still believe a context property in web.xml could do the job:

    <context-param>
        <param-name>ANONYMOUS_LAYER_PREVIEW_ACCESS</param-name>
        <param-value>false</param-value>
    </context-param>

I could swear, that, some years ago, I managed to remove the Layer Preview menu item from anonymous start page with a simple setting. I found that in, either the documentation or wherever… Unfortunately, I cannot remember exactly. However, it worked in those days. Can you remember whether such a setting was present in an older version?

Regards,
Carsten

Hi Andrea, hi Jody,

actually, the solution to the anonymous Layer Preview problem is quite simple and relies on GeoServer’s built-in Security capabilities only. Under Security → Authentication, adding a new HTML Filter Chain “webPreview” for path (ANT pattern) “/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage” is the first step. I also checked “Allow creation of an HTTP session for storing the authentication token” (don’t know whether it’s really required). Finally, I’ve added Chain filters “rememberme” and “form” in that order.

Obviously, that new filter chain must be positioned before the “web” filter chain (which is for path “/web/**” and allows for anonymous access).

With that chain in place, clicking on the Layer Preview link while not being authenticated, just forwards you to the FORM login page org.geoserver.web.GeoServerLoginPage. Layer Preview is no longer accessible anonymously… :)

I did the same for pages for Demos → Demo requests and Demo → WCS request builder.

As mentioned before, several German companies I know about are facing the same problem. Maybe it’s worth mentioning that procedure in the docs somewhere under “Running in a production environment”.

Regards,
Carsten
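
The ordering requirement in the message above, as an added example (not part of the original post and not GeoServer code): a small Python model of first-match filter-chain selection with Ant-style patterns, showing why "webPreview" has to sit before "web" and which paths the new chain never sees. The chain names "webPreview" and "web", their patterns and the preview path come from the thread; the filter list of "web", the catch-all "default" chain and the "/wms" service path are assumptions.

```python
import re

# Path of the Layer Preview page, as given in the thread.
PREVIEW = "/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage"

# (chain name, Ant pattern, filters). "webPreview" with rememberme + form and
# "web" on /web/** are from the thread. ASSUMPTIONS: the exact filter list of
# "web" and the catch-all "default" chain, used here to model anonymous access.
FIXED = [
    ("webPreview", PREVIEW, ["rememberme", "form"]),
    ("web", "/web/**", ["rememberme", "form", "anonymous"]),
    ("default", "/**", ["basic", "anonymous"]),
]
# Same chains with "webPreview" placed after "web" (the misconfiguration).
WRONG_ORDER = [FIXED[1], FIXED[0], FIXED[2]]


def _segment_matches(pattern_seg, path_seg):
    """Match one path segment: '*' is any run of characters, '?' exactly one."""
    parts = []
    for ch in pattern_seg:
        if ch == "*":
            parts.append("[^/]*")
        elif ch == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(ch))
    return re.fullmatch("".join(parts), path_seg) is not None


def ant_match(pattern, path):
    """Ant-style match; '**' stands for zero or more whole path segments."""
    pat = [s for s in pattern.split("/") if s]
    segs = [s for s in path.split("/") if s]

    def walk(i, j):
        if i == len(pat):
            return j == len(segs)
        if pat[i] == "**":
            return any(walk(i + 1, k) for k in range(j, len(segs) + 1))
        return (j < len(segs)
                and _segment_matches(pat[i], segs[j])
                and walk(i + 1, j + 1))

    return walk(0, 0)


def resolve(chains, url):
    """Return the first chain whose pattern matches the URL path, or None."""
    path = url.split("?", 1)[0]  # chains match on the path, not the query
    for chain in chains:
        if ant_match(chain[1], path):
            return chain
    return None


def anonymous_allowed(chains, url):
    """True if the chain that handles the URL contains the anonymous filter."""
    chain = resolve(chains, url)
    return chain is not None and "anonymous" in chain[2]


def shadowed(chains):
    """Names of literal-path chains that an earlier chain already captures."""
    hidden = []
    for i, (name, pattern, _filters) in enumerate(chains):
        if "*" in pattern or "?" in pattern:
            continue
        if any(ant_match(earlier[1], pattern) for earlier in chains[:i]):
            hidden.append(name)
    return hidden


if __name__ == "__main__":
    for label, chains in (("fixed", FIXED), ("wrong order", WRONG_ORDER)):
        print(label, "-> preview handled by", resolve(chains, PREVIEW)[0],
              "| anonymous:", anonymous_allowed(chains, PREVIEW),
              "| shadowed:", shadowed(chains))
    # "/wms" is an assumed service path; it sits outside /web/**, so the new
    # chain never sees it and the catch-all chain decides.
    print("/wms anonymous:", anonymous_allowed(FIXED, "/wms"))
```

In this model the service path still resolves to a chain that admits anonymous requests, so the new chain changes what the web UI offers and nothing about the OGC services themselves.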

Please make the change to the documentation, then everyone will benefit from your work.

Ian

Ian Turton

With a big red warning stating that’s not proper security, please: it will only fool users that can’t build OGC requests.

Cheers
Andrea

Hi,

Did I understand right that what you want to achieve is to disable the KML output format for WMS? Have you considered restricting the allowed MIME types? https://docs.geoserver.org/latest/en/user/services/wms/webadmin.html#restricting-mime-types-for-getmap-and-getfeatureinfo-requests

-Jukka Rahkonen-

Hi Jukka,

actually, the customer just wants to disable anonymous access to Layer Preview. For them, that is kind of a security feature. However, as Andrea pointed out, it’s not, since users could still access all unsecured data through OGC services. Currently, the customer and its security officer are fine with only removing anonymous access to Layer Preview (which hands out data on a silver platter) so, I’m fine with that, too. They are not willing to invest into a full blown data-level or service-level security concept, which will affect many of their clients.

Yes, KML is one of the problematic formats for the customer (can simply be added to Google Earth and published). On the other hand, some users actually need KML for their daily work, so simply removing KML (which I know about) is not an option.

Carsten
