Weave proxy

Owned by Uffe Svensson
Last updated: 2017-01-30
2 min read

Weave have a built in proxy that is used to securely proxy internal resources to the client. This is handled by Weave automatically.

You can also allow the client to access other internal content by manually setting up additional proxies.

Setting up a Proxy manually

Proxies are set as startup parameters. This is set up in startup.cmd or startup.sh for console mode or in wrapper.conf for when Weave is run as a service. In the example below, we add two urls to the proxy; gis-services.internal.com and internal.drawings.com. The services should then access https://url-to-server/weave/proxy/https://gis-services.internal.com/someservice/...


-- startup.cmd for Windows
SET JAVA_OPTS=%JAVA_OPTS% -Dweave.proxyHosts="gis-services.internal.com,internal.drawings.com"



-- wrapper.conf for Windows
wrapper.java.additional.10 = -Dweave.proxyHosts="gis-services.internal.com,internal.drawings.com"

Setting up Security

We also have to handle security since we are setting up the proxy manually. If no security is set up for the proxies, anybody could access the internal services which may not be what we anticipated. We can set the security rules in security.xml. Note that we added "/proxy/**=IS_AUTHENTICATED_FULLY" which means that the user need to be fully authenticated in order to access any content. IS_AUTHENTICATED_FULLY could be replaced by a role, such as ROLE_GIS, allowing only those users with that specific role to access the proxy.

security.xml
	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		.....
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/login.*=IS_AUTHENTICATED_ANONYMOUSLY
				/login/**=IS_AUTHENTICATED_ANONYMOUSLY
				/report/remote=IS_AUTHENTICATED_ANONYMOUSLY
				/**=IS_AUTHENTICATED_FULLY
		        /admin.html=ROLE_ADMIN
		        /admin/**=ROLE_ADMIN
		        /services/admin/**=ROLE_ADMIN
				/proxy/**=IS_AUTHENTICATED_FULLY
			</value>
		</property>
	</bean>


Examples

Link to internal documents

For the data source data connection data definition there is a URL type available. This will create a hyperlink in the client and can be constructed dynamically with the underlying data, making it easy to route to a particular URL. But if the URL is pointing to an intranet source and the client is located outside of the domain, we will need to proxy the request. By altering the the column property, we will add the "proxy/" at the beginning to let Weave make the request instead of the client.

URL in data definition
<data:datadefinition id="roadDetails">
    <datasourcedataconnection datasource="datasource.main" table="ROADS" key="RD_NAME" prefix="DISTINCT">
        <parameter name="plancode" label="Plan code" column="PLAN_CODE"/>
        <parameter name="alttype" label="Alt. Type" column="ALT_TYPE"/>
        <parameter type="url" name="plan" label="Plan" column="'proxy/http://imgsvr:8080/gis/documents/plan_'||ROADS.PLAN_CODE||'.pdf'" text="Open"/>
    </datasourcedataconnection>
</data:datadefinition>