
Weave has a built-in proxy that is used to securely proxy internal resources to the end user. Resources may be map engines or documents that can only be accessed by the server, or content that requires authentication and should not be accessible by the client alone. This is handled by Weave automatically with a high level of security.

You can also allow the client to access other internal content by setting up additional proxies.

Setting up a Proxy manually

Proxies are set as startup parameters. These are set in startup.cmd or startup.sh for console mode, or in wrapper.conf when Weave is run as a service. In the example below, we add two hosts to the proxy: gis-services.internal.com and internal.drawings.com. The services should then be accessed through https://url-to-server/weave/proxy/https://gis-services.internal.com/someservice/...


-- startup.cmd for Windows
SET JAVA_OPTS=%JAVA_OPTS% -Dweave.proxyHosts="gis-services.internal.com,internal.drawings.com"



-- wrapper.conf for Windows
wrapper.java.additional.10 = -Dweave.proxyHosts="gis-services.internal.com,internal.drawings.com"



Setting up Security

Because we are setting up the proxy manually, we also have to handle its security. If no security is set up for the proxies, anybody could access the internal services, which may not be what we anticipated. We can set the security rules in security.xml. Note that we added "/proxy/**=IS_AUTHENTICATED_FULLY", which means that the user needs to be fully authenticated in order to access any proxied content. IS_AUTHENTICATED_FULLY could be replaced by a role, such as ROLE_GIS, allowing only those users with that specific role to access the proxy.

security.xml
	<bean id="filterInvocationInterceptor" class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
		.....
		<!-- Patterns are checked top to bottom and the first match applies, so the /** catch-all goes last -->
		<property name="objectDefinitionSource">
			<value>
				CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
				PATTERN_TYPE_APACHE_ANT
				/login.*=IS_AUTHENTICATED_ANONYMOUSLY
				/login/**=IS_AUTHENTICATED_ANONYMOUSLY
				/report/remote=IS_AUTHENTICATED_ANONYMOUSLY
				/admin.html=ROLE_ADMIN
				/admin/**=ROLE_ADMIN
				/services/admin/**=ROLE_ADMIN
				/proxy/**=IS_AUTHENTICATED_FULLY
				/**=IS_AUTHENTICATED_FULLY
			</value>
		</property>
	</bean>
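
Acegi checks the patterns in objectDefinitionSource from top to bottom and applies the first one that matches, so the position of the /proxy/** line decides whether a role set on it is ever enforced. The following is an added example, not Weave's or Acegi's own code: the Ant matcher is a simplified stand-in, the shadowing check is a heuristic, and both rule lists are constructed samples.

```python
import re

def parse_rules(source):
    """Split objectDefinitionSource text into (pattern, attributes) pairs, in file order."""
    rules, lowercase = [], False
    for line in (l.strip() for l in source.splitlines()):
        if line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            lowercase = True
        elif "=" in line:
            pattern, attrs = line.split("=", 1)
            rules.append((pattern.strip(), attrs.strip().split(",")))
    return rules, lowercase

def ant_to_regex(pattern):
    """Simplified Ant matcher: ** spans directories, * stays in one segment, ? is one char."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("/**", i) and i + 3 == len(pattern):
            out, i = out + "(/.*)?", i + 3  # trailing /** also matches the bare prefix
        elif pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile(out + r"\Z")

def effective_rule(rules, lowercase, url):
    """First matching pattern wins; later patterns are never consulted."""
    url = url.lower() if lowercase else url
    return next(((p, a) for p, a in rules if ant_to_regex(p).match(url)), None)

def shadowed(rules, lowercase):
    """Heuristic: build one concrete path from each pattern and see which rule answers it."""
    hits = []
    for pattern, _ in rules:
        probe = pattern.replace("**", "a/b").replace("*", "x").replace("?", "x")
        winner = effective_rule(rules, lowercase, probe)
        if winner and winner[0] != pattern:
            hits.append((pattern, winner[0]))
    return hits

# Constructed rule lists: the same four rules, catch-all first versus catch-all last.
HEADER = "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON\nPATTERN_TYPE_APACHE_ANT\n"
CATCH_ALL_FIRST = HEADER + "/login.*=IS_AUTHENTICATED_ANONYMOUSLY\n/**=IS_AUTHENTICATED_FULLY\n/admin/**=ROLE_ADMIN\n/proxy/**=ROLE_GIS\n"
CATCH_ALL_LAST = HEADER + "/login.*=IS_AUTHENTICATED_ANONYMOUSLY\n/admin/**=ROLE_ADMIN\n/proxy/**=ROLE_GIS\n/**=IS_AUTHENTICATED_FULLY\n"

if __name__ == "__main__":
    for name, text in (("catch-all first", CATCH_ALL_FIRST), ("catch-all last", CATCH_ALL_LAST)):
        print(name, "->", shadowed(*parse_rules(text)) or "no shadowed rules")
```

Each reported pair is (rule that never takes effect, earlier rule that answers first); an empty result means every rule is reachable for its own probe path.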






