CBSviewer, an accessible, open standards based webmap viewer

The past months I’ve been busy developing a webmapping application together with Statistics Netherlands to replace their current offerings of webmapping such as CBS in uw Buurt which have various accessibility issues and has Google looking in over your shoulder. The new application can be used with both the keyboard and a mouse and  and will fallback to a non CSS and/or non Javascript version if needed (or requested) by the user providing a much better experience.

Key features of the application are:

  • open standards based interfaces (WMS, WMTS, OpenLS LUS and WCAG)
  • easy modification using maven war overlay techniques (as example you can look into the NOKviewer project)
  • easy to localize using property files / resource bundles for all the text
  • easy to configure thematic maps using a set of xml files
  • easy styling adjustments using Sass and modular CSS

The project builds on well documented, well supported and proven open source libraries such as GeoTools, OpenLayers, jQuery and jQuery UI.

We’re not quite there yet but you can follow the progress of the project through the Github site: [Dutch]


Why using referer header as a security mechanism is a bad idea

Some organisations use the HTTP referer header as a way to authorize access to resources that they host, this was most commonly used for preventing deeplinking to artwork but now also seems to make it’s way into webmapping resources such as tilecaches.
Here are some good reasons why not.

It breaks accessibility

The HTTP specifications have the referer header as an optional element, HTTP clients (eg. browsers, screen readers,… ) are not required to implement this feature or may choose to send it empty. When authorisation is based on the referer header the user will be refused access. Most modern browsers have a “enhanced privacy mode” that will remove the referrer header next to refusing all sorts of other tracking mechanisms, which the header was initially designed for.

Lack of authentication

Using referer checking is authorisation without authentication, plainly, just a bad idea.

Easy to forge

It is easily forged, well forged… since it is not required information a user can pretty much do what they want with this information field. There are various browser extensions and proxy servers that let you modify the referer header thus rendering it useless or granting user access to resources they shouldn’t be getting.


Huh? OWASP?? The Open Web Application Security Project keeps a list of commonly made mistakes and vulnerabilities that have been spotted in the wild. They are an authoritative source of “the wrong thing to do”. Referer header checking is way up on their list of “don’t do this or else”.

Performance and uptime monitoring Inspire View service

The inspire directive has some fairly strict requirements regarding performance and uptime of services (QOS) (see: 32009R0976 Annex 1 and the amendment). Monitoring these parameters can easily be done using a few Python scripts and RRDtool. This provides an environment that is both lightweight and portable across platforms.

RRDtool has been around for ages and is a de-facto instrument for lightweight logging systems gathering large amounts of data. The database aggregates the input providing various algorithms such as average, max/min value as well as way more complex methods. The aggregation makes it possible to use the same database for years while the filesize stays constant and the amount of information just keeps growing. Current versions of RRDtool provide Python bindings out of the box, however I chose to use PyRRD because I was unsuccesful compiling them using Visual Studio 10 first time around.

I have chosen to monitor performance based on response time (the time needed for the initial byte to be received) and transfer time (the time needed for the last byte to be received).

graph showing 4h performance report

Performance measurements, note that responses also vary because of variations in requested image size

To prevent caching of the image a pseudo random bounding box and image size are used so that each request is unique, this generates some variance in the response size so the amount of data transferred (total bytes) for each request is also logged.

Next to that uptime is monitored based on the correct mimetype of the GetMap response, the assumption here is that a mimetype other that requested means there was an error in the service, thus un-availability, this is a rather coarse approach, but it works for me because there is a separate error log that provides the details of a failure.

graph showing 1 week downtime report

Any red line in this graph denotes a failure

I have a batch file that runs the probe script every five minutes and create a graph every fifteen minutes, a HTML page is used to display the resulting graph as wel as provide access to the logfile and the last request.

Browse or get the sourcecode.

GEOZET: Building a dual-mode GIS webapp

Within the GEOZET viewer project a dual mode GIS webapp is being developed by Geonovum as one of the launching products of the PDOK program. Dual mode in this case being on the one hand a rich”, map enabled client/GUI and on the other hand a lean non-javascript, non-css client/GUI for cases like screenreaders.
Bart has written about the OpenLayers based “rich” client in his posts, I’m working on the “core” version, that this post is about. Continue reading ‘GEOZET: Building a dual-mode GIS webapp’

(re-)Building the ArcGIS Geoportal Extension

The ArcGIS Geoportal Extension (GPE) comes as a bunch of web applications, packaged as .war files, executables and scripts. Depending on your requirements you will want to install and/or use a subset of these. Also you will want to customize the look and feel of the portal website. Continue reading ‘(re-)Building the ArcGIS Geoportal Extension’

Creating a Java ArcGIS Server Object Extension to access metadata through a mapservice

So with this cool Server Extension technology being possible with ArcGIS server java ed. 9.3.1 and me finally having time to have a play with it I decided on doing something useful; getting at the metadata of the data within a mapservice. Continue reading ‘Creating a Java ArcGIS Server Object Extension to access metadata through a mapservice’

ArcGIS Server java ed. exposes tomcat manager webapp with well know user credentials

This article concerns the ESRI ArcGIS Server java ed. versions 9.3 and 9.3.1 and possibly others.

ArcGIS Server 9.3sp1 and 9.3.1 expose the Tomcat html manager application; this in itself is not a bad thing if the user would be aware of the consequences and if the credentials which would be necessary to obtain access were not public knowledge [KB 37134 , KB 37147].
Neither of these conditions are met, causing a situation where the management of the built-in tomcat servers is open for anyone interested; you cannot get an easier way to launch a DoS attack. Essentially this makes the product unfit for deployment in the enterprise. Continue reading ‘ArcGIS Server java ed. exposes tomcat manager webapp with well know user credentials’

Testing your map service with JMeter

Apache JMeter is a powerful tool for load testing functional behaviour and performance of applications over the network. It is however not the most accessible or easy to use tool, mostly because of the overwhelming amount of options. Once started though there is no stopping! Continue reading ‘Testing your map service with JMeter’

Join 58 other followers

GISpunt logo


Error: Twitter did not respond. Please wait a few minutes and refresh this page.


%d bloggers like this: