Wednesday, 5 April 2023

Announcing: MapGuide Open Source 4.0 Beta 1

Due to real life priorities and commitments, this release look longer than expected to finally come to fruition, but that's all in the past because we're finally here! The first (and probably only) beta release of MapGuide Open Source 4.0 is finally available for the following platforms:

  • Windows
  • Ubuntu Linux 22.04
  • CentOS Linux 7.0
Some notable changes / improvements over the previous Preview 4 release are detailed below.

GeoJSON output improvements

The GeoJSON output support has several improvements in this release:
  • Where possible, the GeoJSON will now always include the crs property (if the source data's coordinate system has an EPSG code representation), allowing for the GeoJSON content to self-identify its coordinate system.
  • GeoJSON from WFS GetFeature requests will now properly transform feature data if a different SRS/CRS is specified in the query parameters
  • Such requests that return GeoJSON content now properly return a application/json mime type

Additional security options for mapagent hardening

Currently, an Anonymous (guest) user or session can read any resource in a MapGuide Server's repository via the mapagent HTTP endpoint. While this capability is required for certain client applications to work properly (for example, mapguide-react-layout needs to be able to read WebLayout/ApplicationDefinition/MapDefinition resources as part of viewer initialization), it doesn't mean that *every* resource should be allowed to be read by anonymous users/sessions.

In particular, Feature Sources rarely need to be read by anonymous users/sessions and it may be considered a security risk to some that connection settings in such Feature Sources (especially ones that connect to relational databases) can be read by anonymous users/sessions, exposing names of internal db servers in the process.

The current resource permission model in MapGuide does allow for read access certain resources to be denied (in their resource headers), but this model is a sledgehammer approach. (ie. It will break rendering operations that need to query data from a feature source you just denied access to in their resource header).

We need a more fine-grained approach where we can deny direct resource API access operations to things like feature sources, but still allow resource API access operations to such resources in the context of things like map rendering.

This release introduces several new webconfig.ini properties to help reduce the attack surface of the mapagent in this regard.
  • AnonymousDenyGetResourceContent
  • AnonymousDenyGetResourceData
  • AnonymousDenyGetResourceHeader
These properties accept a comma-delimited list of resource ids or resource id prefixes and when set, if an anonymous user/session attempts a GETRESOURCECONTENT, GETRESOURCEHEADER or GETRESOURCEDATA with a resource id that matches any id or prefix specified, the mapagent will deny them access to that resource.

With this feature, you can reduce the attack surface of your mapagent by reducing anonymous resource access to only resources needed for a MapGuide client application to function.

Please note that this feature only covers the mapagent and not your custom application code.

Web Tier Component updates

This release bundles updated web tier components:
  • PHP 8.1.17
  • Apache httpd 2.4.56
  • Apache Tomcat 9.0.73

Some long-standing bugs/limitations finally fixed!

A 14-year old bug where un-formatted WebLayout XML cannot be loaded has finally been fixed.

Another 14-year old limitation where labels under basic stylization is always left-justified has been addressed with new options in the 4.0.0 Layer Definition schema allowing you to control the feature label justification.

Sorry for the long turnaround on such issues. Sadly, one person can only do so much.

What's next?

Before we begin the journey to Release Candidate (and then Final release). I will be stepping away from MapGuide development/maintenance work for a few weeks to give some of the surrounding projects like Maestro and mapguide-react-layout some long needed attention, and I expect new releases of MapGuide Maestro and mapguide-react-layout during this period as a result.

Once that is out of the way, then it is back onto the 4.0 release train, driving it to its final destination.

No comments:

Post a Comment