sec-proxy should remove incoming sec-* headers #154
Comments
|
Note that the static webapp goes through the security-proxy now. |
|
works fine on IE9 |
ghost
assigned
|
works fine on FF 21 / linux at home. I have to check which FF version I'm running at work. |
|
Got it: my FF at work (version 21 too) has the "modify headers" extension ON by default |
|
This is critical, since one can access http://sdi.georchestra.org/mapfishapp/edit (normally reserved to members of SV_ADMIN, SV_REVIEWER or SV_EDITOR groups) by setting the appropriate headers. The proxy should remove the incoming sec-* headers. |
|
In the mean time, all geOrchestra instances are advised to add those lines in their apache config: |
|
see #149 on a related topic |
proxy - remove client request sec-username and sec-roles headers - fixes #154
|
I am a little late to this party but this breaks extractor app as mentioned in @fvanderbiest 's comment on #633. If you look in the proxy-servlet.xml file there is a filter that is supposed to do this filtering as long as the request does not come from a "trusted" server. A trusted server can provide the headers. |
…t demonstrate that the filtering works. Make the default behaviour to always remove the sec-username and sec-roles headers. fixes georchestra#633
|
I am making a new pull request that reverts this change but adds tests that demonstrate that the headers are removed by default. This should fix #633 |
|
OK, I am relieved about that. Thanks. |
|
People should also make sure to remove the apache directives if they had been set. |
|
Hi |
|
Closed with #648 |
|
Note: contrary to what I said in the above comment, directives can still be used. |
|
(though they should be useless if one trusts the proxy for doing its job) |
Based on a fresh georchestra install on http://sdi.georchestra.org, I am witnessing a strange behavior:
The text was updated successfully, but these errors were encountered: