sec-proxy should remove incoming sec-* headers #154
Comments
Note that the static webapp goes through the security-proxy now. |
works fine on IE9 |
works fine on FF 21 / linux at home. I have to check which FF version I'm running at work. |
Got it: my FF at work (version 21 too) has the "modify headers" extension ON by default |
This is critical, since one can access http://sdi.georchestra.org/mapfishapp/edit (normally reserved to members of SV_ADMIN, SV_REVIEWER or SV_EDITOR groups) by setting the appropriate headers. The proxy should remove the incoming sec-* headers. |
In the meantime, all geOrchestra instances are advised to add those lines in their apache config:
|
see #149 on a related topic |
proxy - remove client request sec-username and sec-roles headers - fixes #154
I am a little late to this party but this breaks extractor app as mentioned in @fvanderbiest's comment on #633. If you look in the proxy-servlet.xml file there is a filter that is supposed to do this filtering as long as the request does not come from a "trusted" server. A trusted server can provide the headers. |
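The mechanism described in the comments above, as an added example that is not georchestra's own proxy code: client-supplied `sec-*` headers are dropped at the proxy boundary unless the request comes from a trusted upstream address, and `sec-username` / `sec-roles` are then set from the proxy's own authentication state. The function names, the trusted-address list, the role names and the sample requests are constructed for illustration; header-name matching is case-insensitive because HTTP header names are, so `Sec-Roles` is treated exactly like `sec-roles`.

```python
"""Strip client-supplied sec-* headers at a proxy boundary (constructed example)."""
from typing import Dict, Iterable, Optional, Sequence, Tuple

SEC_PREFIX = "sec-"  # prefix of the identity headers the webapps trust


def strip_sec_headers(headers: Dict[str, str],
                      remote_addr: str,
                      trusted_addrs: Iterable[str] = ()) -> Dict[str, str]:
    """Return a copy of ``headers`` with every ``sec-*`` header removed,
    unless ``remote_addr`` is one of the trusted servers that are allowed
    to provide them. Matching is case-insensitive on the header name."""
    if remote_addr in set(trusted_addrs):
        return dict(headers)
    return {name: value for name, value in headers.items()
            if not name.lower().startswith(SEC_PREFIX)}


def forward_headers(headers: Dict[str, str],
                    remote_addr: str,
                    auth: Optional[Tuple[str, Sequence[str]]],
                    trusted_addrs: Iterable[str] = ()) -> Dict[str, str]:
    """Build the header set the proxy forwards to a webapp.

    Client sec-* headers are removed first; if the proxy's own session says
    the user is authenticated (``auth`` = (username, roles)), the identity
    headers are then set from that session, never from the client request.
    """
    clean = strip_sec_headers(headers, remote_addr, trusted_addrs)
    if auth is not None:
        username, roles = auth
        clean["sec-username"] = username
        clean["sec-roles"] = ",".join(roles)
    return clean


if __name__ == "__main__":
    # Constructed request: an anonymous client injecting an admin role header.
    spoofed = {"Host": "sdi.example", "Sec-Roles": "ROLE_SV_ADMIN",
               "sec-username": "admin"}
    print(forward_headers(spoofed, "203.0.113.7", None))
    # -> only the Host header survives
    print(forward_headers(spoofed, "203.0.113.7", ("alice", ["ROLE_SV_EDITOR"])))
    # -> sec-username/sec-roles reflect the proxy's session, not the client
```

Running the file shows the spoofed `Sec-Roles` and `sec-username` headers disappearing for an untrusted client and being replaced by the session's identity for an authenticated one; only addresses listed in `trusted_addrs` keep their incoming `sec-*` headers.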
…t demonstrate that the filtering works. Make the default behaviour to always remove the sec-username and sec-roles headers. fixes georchestra#633
I am making a new pull request that reverts this change but adds tests that demonstrate that the headers are removed by default. This should fix #633 |
OK, I am relieved about that. Thanks. |
People should also make sure to remove the
apache directives if they had been set. |
Hi |
Closed with #648 |
Note: contrary to what I said in the above comment,
directives can still be used. |
(though they should be useless if one trusts the proxy for doing its job) |
Based on a fresh georchestra install on http://sdi.georchestra.org, I am witnessing a strange behavior: