Weave have a built in proxy that is used to securely proxy internal resources to the client. This is handled by Weave automatically.
You can also allow the client to access other internal content by manually setting up additional proxies.
Setting up a Proxy manually
Proxies are set as startup parameters. This is set up in startup.cmd or startup.sh for console mode or in wrapper.conf for when Weave is run as a service. In the example below, we add two urls to the proxy; gis-services.internal.com and internal.drawings.com. The services should then access https://url-to-server/weave/proxy/https://gis-services.internal.com/someservice/...
-- startup.cmd for Windows SET JAVA_OPTS=%JAVA_OPTS% -Dweave.proxyHosts="gis-services.internal.com,internal.drawings.com" -- wrapper.conf for Windows wrapper.java.additional.10 = -Dweave.proxyHosts="gis-services.internal.com,internal.drawings.com"
Setting up Security
We also have to handle security since we are setting up the proxy manually. If no security is set up for the proxies, anybody could access the internal services which may not be what we anticipated. We can set the security rules in security.xml. Note that we added "/proxy/**=IS_AUTHENTICATED_FULLY" which means that the user need to be fully authenticated in order to access any content. IS_AUTHENTICATED_FULLY could be replaced by a role, such as ROLE_GIS, allowing only those users with that specific role to access the proxy.
<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor"> ..... <property name="objectDefinitionSource"> <value> CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON PATTERN_TYPE_APACHE_ANT /login.*=IS_AUTHENTICATED_ANONYMOUSLY /login/**=IS_AUTHENTICATED_ANONYMOUSLY /report/remote=IS_AUTHENTICATED_ANONYMOUSLY /**=IS_AUTHENTICATED_FULLY /admin.html=ROLE_ADMIN /admin/**=ROLE_ADMIN /services/admin/**=ROLE_ADMIN /proxy/**=IS_AUTHENTICATED_FULLY </value> </property> </bean>