Spectrum Technology Platform

Hi Asko

It is possible to set up the WFS in Spatial Manager using the WFS services page. You can add tables to the WFS service and choose which columns in these tables to expose. This would allow the service to be used internally. For example, if the server name was spectrum-server deployed on port 8080 this URL would return the capabilities

http://spectrum-server:8080/rest/Spatial/WFS?SERVICE=WFS&REQUEST=GetCapabilities&VERSION=2.0.2

However, there are two further considerations when exposing this publicly which use of a proxy server is needed to resolve.

First – handling authentication for public access

When accessing the WFS service Spectrum Spatial will prompt the user for a log-in. Any Spectrum user can be used to login, as all Spectrum users have permissions to access the OGC services. However, it is not possible to disable security for just the OGC services without disabling it for the whole of Spectrum Spatial

A proxy server can be used to add the authentication header (basic authentication username/password) to the request made by end users/WFS client apps. The end user or client is then never prompted for the login. The client calls the proxy URL, the proxy adds the authentication and then redirects or calls the spectrum server

Here is an example request where the header is U3BhdGlhbE9HQ1VzZXI6U3BhdGlhbE9HQ1Bhc3N3b3Jk

(this is the user/password combination in base 64 encoding, which here is a user I created called SpatialOGCUser:SpatialOGCPassword)

As this request is made behind the proxy, and is not seen by users, it could be a HTTP call rather than HTTPS.

Second: Exposing a public facing URL in place of the internal server name

You would normally want to expose a different public URL for the service than the internal server name

For example the internal server name may be http://spectrum-server:8080/rest/Spatial/WFS

The public URL you need to expose may be something like this (without the port, so it works on default port 80) http://publicWFS/rest/Spatial/WFS

The proxy would therefore be exposed as publicWFS and would send requests to local-spectrum-server:8080 (as well as adding the authorization header)

When changing the end point like this there is a need to consider the URL defined in the WFS configuration. The WFS returns the URL of the service for each of its supported operations when you make a get capabilities call. WFS clients use this to make further requests to describe and get features from tables. Below is a snippet from a get capabilities request showing the DescribeFeatureType operation, showing the internal URL returned.

http://spectrum-server:8080/rest/Spatial/WFS?SERVICE=WFS&REQUEST=GetCapabilities&VERSION=2.0.2

You would want the request to return the public URL.

There are two ways to do this

• First you can modify the WFS configuration in Spectrum Spatial Manager to replace the URL used with the public URL. This method allows the WFS to work from the public URL, but won't work internally if you have WFS clients using the internal URL. The images below  show how to do this.

• Second, you can have the proxy server modify the XML returned from Spectrum to replace the internal URL with the public one. This method allows the WFS to be used both from the proxy and internally, as the URL returned will be valid in both cases.

Hi Asko

It is possible to set up the WFS in Spatial Manager using the WFS services page. You can add tables to the WFS service and choose which columns in these tables to expose. This would allow the service to be used internally. For example, if the server name was spectrum-server deployed on port 8080 this URL would return the capabilities

http://spectrum-server:8080/rest/Spatial/WFS?SERVICE=WFS&REQUEST=GetCapabilities&VERSION=2.0.2

However, there are two further considerations when exposing this publicly which use of a proxy server is needed to resolve.

First – handling authentication for public access

When accessing the WFS service Spectrum Spatial will prompt the user for a log-in. Any Spectrum user can be used to login, as all Spectrum users have permissions to access the OGC services. However, it is not possible to disable security for just the OGC services without disabling it for the whole of Spectrum Spatial

A proxy server can be used to add the authentication header (basic authentication username/password) to the request made by end users/WFS client apps. The end user or client is then never prompted for the login. The client calls the proxy URL, the proxy adds the authentication and then redirects or calls the spectrum server

Here is an example request where the header is U3BhdGlhbE9HQ1VzZXI6U3BhdGlhbE9HQ1Bhc3N3b3Jk

(this is the user/password combination in base 64 encoding, which here is a user I created called SpatialOGCUser:SpatialOGCPassword)

As this request is made behind the proxy, and is not seen by users, it could be a HTTP call rather than HTTPS.

Second: Exposing a public facing URL in place of the internal server name

You would normally want to expose a different public URL for the service than the internal server name

For example the internal server name may be http://spectrum-server:8080/rest/Spatial/WFS

The public URL you need to expose may be something like this (without the port, so it works on default port 80) http://publicWFS/rest/Spatial/WFS

The proxy would therefore be exposed as publicWFS and would send requests to local-spectrum-server:8080 (as well as adding the authorization header)

When changing the end point like this there is a need to consider the URL defined in the WFS configuration. The WFS returns the URL of the service for each of its supported operations when you make a get capabilities call. WFS clients use this to make further requests to describe and get features from tables. Below is a snippet from a get capabilities request showing the DescribeFeatureType operation, showing the internal URL returned.

http://spectrum-server:8080/rest/Spatial/WFS?SERVICE=WFS&REQUEST=GetCapabilities&VERSION=2.0.2

You would want the request to return the public URL.

There are two ways to do this

• First you can modify the WFS configuration in Spectrum Spatial Manager to replace the URL used with the public URL. This method allows the WFS to work from the public URL, but won't work internally if you have WFS clients using the internal URL. The images below  show how to do this.

• Second, you can have the proxy server modify the XML returned from Spectrum to replace the internal URL with the public one. This method allows the WFS to be used both from the proxy and internally, as the URL returned will be valid in both cases.

Hi Asko

It is possible to set up the WFS in Spatial Manager using the WFS services page. You can add tables to the WFS service and choose which columns in these tables to expose. This would allow the service to be used internally. For example, if the server name was spectrum-server deployed on port 8080 this URL would return the capabilities

http://spectrum-server:8080/rest/Spatial/WFS?SERVICE=WFS&REQUEST=GetCapabilities&VERSION=2.0.2

However, there are two further considerations when exposing this publicly which use of a proxy server is needed to resolve.

First – handling authentication for public access

When accessing the WFS service Spectrum Spatial will prompt the user for a log-in. Any Spectrum user can be used to login, as all Spectrum users have permissions to access the OGC services. However, it is not possible to disable security for just the OGC services without disabling it for the whole of Spectrum Spatial

A proxy server can be used to add the authentication header (basic authentication username/password) to the request made by end users/WFS client apps. The end user or client is then never prompted for the login. The client calls the proxy URL, the proxy adds the authentication and then redirects or calls the spectrum server

Here is an example request where the header is U3BhdGlhbE9HQ1VzZXI6U3BhdGlhbE9HQ1Bhc3N3b3Jk

(this is the user/password combination in base 64 encoding, which here is a user I created called SpatialOGCUser:SpatialOGCPassword)

As this request is made behind the proxy, and is not seen by users, it could be a HTTP call rather than HTTPS.

Second: Exposing a public facing URL in place of the internal server name

You would normally want to expose a different public URL for the service than the internal server name

For example the internal server name may be http://spectrum-server:8080/rest/Spatial/WFS

The public URL you need to expose may be something like this (without the port, so it works on default port 80) http://publicWFS/rest/Spatial/WFS

The proxy would therefore be exposed as publicWFS and would send requests to local-spectrum-server:8080 (as well as adding the authorization header)

When changing the end point like this there is a need to consider the URL defined in the WFS configuration. The WFS returns the URL of the service for each of its supported operations when you make a get capabilities call. WFS clients use this to make further requests to describe and get features from tables. Below is a snippet from a get capabilities request showing the DescribeFeatureType operation, showing the internal URL returned.

http://spectrum-server:8080/rest/Spatial/WFS?SERVICE=WFS&REQUEST=GetCapabilities&VERSION=2.0.2

You would want the request to return the public URL.

There are two ways to do this

• First you can modify the WFS configuration in Spectrum Spatial Manager to replace the URL used with the public URL. This method allows the WFS to work from the public URL, but won't work internally if you have WFS clients using the internal URL. The images below  show how to do this.

• Second, you can have the proxy server modify the XML returned from Spectrum to replace the internal URL with the public one. This method allows the WFS to be used both from the proxy and internally, as the URL returned will be valid in both cases.

The public URL you need to expose may be something like this (without the port, so it works on default port 80) http://publicWFS/rest/Spatial/WFS

The proxy would therefore be exposed as publicWFS and would send requests to local-spectrum-server:8080 (as well as adding the authorization header)".
Can I understand correctly that via public URL all resource tables from Spatial Manager --> Services --> WFS are accessible for random person, i.e. I can't restrict access to some tables for public WFS users?

Hi Asko

It is possible to set up the WFS in Spatial Manager using the WFS services page. You can add tables to the WFS service and choose which columns in these tables to expose. This would allow the service to be used internally. For example, if the server name was spectrum-server deployed on port 8080 this URL would return the capabilities

http://spectrum-server:8080/rest/Spatial/WFS?SERVICE=WFS&REQUEST=GetCapabilities&VERSION=2.0.2

However, there are two further considerations when exposing this publicly which use of a proxy server is needed to resolve.

First – handling authentication for public access

When accessing the WFS service Spectrum Spatial will prompt the user for a log-in. Any Spectrum user can be used to login, as all Spectrum users have permissions to access the OGC services. However, it is not possible to disable security for just the OGC services without disabling it for the whole of Spectrum Spatial

A proxy server can be used to add the authentication header (basic authentication username/password) to the request made by end users/WFS client apps. The end user or client is then never prompted for the login. The client calls the proxy URL, the proxy adds the authentication and then redirects or calls the spectrum server

Here is an example request where the header is U3BhdGlhbE9HQ1VzZXI6U3BhdGlhbE9HQ1Bhc3N3b3Jk

(this is the user/password combination in base 64 encoding, which here is a user I created called SpatialOGCUser:SpatialOGCPassword)

As this request is made behind the proxy, and is not seen by users, it could be a HTTP call rather than HTTPS.

Second: Exposing a public facing URL in place of the internal server name

You would normally want to expose a different public URL for the service than the internal server name

For example the internal server name may be http://spectrum-server:8080/rest/Spatial/WFS

The public URL you need to expose may be something like this (without the port, so it works on default port 80) http://publicWFS/rest/Spatial/WFS

The proxy would therefore be exposed as publicWFS and would send requests to local-spectrum-server:8080 (as well as adding the authorization header)

When changing the end point like this there is a need to consider the URL defined in the WFS configuration. The WFS returns the URL of the service for each of its supported operations when you make a get capabilities call. WFS clients use this to make further requests to describe and get features from tables. Below is a snippet from a get capabilities request showing the DescribeFeatureType operation, showing the internal URL returned.

http://spectrum-server:8080/rest/Spatial/WFS?SERVICE=WFS&REQUEST=GetCapabilities&VERSION=2.0.2

You would want the request to return the public URL.

There are two ways to do this

• First you can modify the WFS configuration in Spectrum Spatial Manager to replace the URL used with the public URL. This method allows the WFS to work from the public URL, but won't work internally if you have WFS clients using the internal URL. The images below  show how to do this.

• Second, you can have the proxy server modify the XML returned from Spectrum to replace the internal URL with the public one. This method allows the WFS to be used both from the proxy and internally, as the URL returned will be valid in both cases.