[Geoserver-users] WFS maximum number of features, used to limit access

Hello,

I am wondering about the WFS setting “Maximum number of features”. If I wanted to make it impossible to add this layer including all of its features to a map/file (and make the data easy to re-employ for any purpose) would this be achievable consistently with this setting?

It seems that way, I haven’t been able to make a getFeature request return more than one feature, and I’d like to be sure there’s no known other way.

(The question comes from a need for specific singular geometries in a public web map while trying to make the whole collection of geometries unavailable)

Thanks for any pieces of advice : )

Hi,

“Maximum number of features” setting is reliable and user cannot bypass it, but it only limits the number of features returned by a single GetFeature request. User, who may be a machine, can make new requests with another FID or bounding box. If you want to prevent such harvesting you must add some kind of access control into your system.

-Jukka Rahkonen-

Hi, thanks. Yes I realize repeated getFeature requests can be generated to achieve the same as downloading the whole layer. Even if I turned off wfs services for a workspace a getfeatureinfo application/json request will return geometry and attributes and I could send it from a very small scale to get lots of replies. So for the intent (obfuscate rather than make absolutely inaccessible) it might do.

I currently fail to see how a public service that required geometry (and would need to accept any number of requests per minute in essence) could be made immune to a script sending repeat requests with minor variations.

On Wed, Apr 26, 2023 at 11:08 AM Rahkonen Jukka <jukka.rahkonen@anonymised.com> wrote:

Hi,

“Maximum number of features” setting is reliable and user cannot bypass it, but it only limits the number of features returned by a single GetFeature request. User, who may be a machine, can make new requests with another FID or bounding box. If you want to prevent such harvesting you must add some kind of access control into your system.

-Jukka Rahkonen-

Lähettäjä: David Persson <perssond9@anonymised.com>
Lähetetty: keskiviikko 26. huhtikuuta 2023 11.44
Vastaanottaja: geoserver-users <geoserver-users@anonymised.com.net>
Aihe: [Geoserver-users] WFS maximum number of features, used to limit access

Hello,

I am wondering about the WFS setting “Maximum number of features”. If I wanted to make it impossible to add this layer including all of its features to a map/file (and make the data easy to re-employ for any purpose) would this be achievable consistently with this setting?

It seems that way, I haven’t been able to make a getFeature request return more than one feature, and I’d like to be sure there’s no known other way.

(The question comes from a need for specific singular geometries in a public web map while trying to make the whole collection of geometries unavailable)

Thanks for any pieces of advice : )

Hi David,

I don’t know about this feature in GeoServer, but in the setting you describe, it could be possible to guess the ID values of the geometries and write a script that downloads them individually and merges them into a single file. So I would suggest you don’t use an incremental number but some sort of hashed value or GUID as identifier. Another idea would be to temporarilly block IP addresses that send many requests.

Regards
Daniel