Open lfrz opened 7 years ago
In the latest version the proxy servlet was replaced by https://github.com/mitre/HTTP-Proxy-Servlet.
The previous code allowed restricting the list of allowed hosts, but this one seems to have only a targetUri and is not very configurable.
I guess an option could be to disable it in https://github.com/geonetwork/core-geonetwork/blob/develop/web/src/main/webResources/WEB-INF/web.xml#L342-L358 and rely on CORS, but this needs testing. Maybe other developers can confirm whether this would be feasible.
The proxy, afaik, is used mainly from Ajax code to retrieve GetCapabilities documents in the map viewer and in the OGC/CSW harvesters.
See an example of how to restrict it to specific hosts/requests: https://github.com/geonetwork/core-geonetwork/blob/develop/web/src/main/webapp/WEB-INF/config-security/config-security-mapping.xml#L41
@josegar74 although the use of CORS would be strongly advisable for all data providers, it is in my opinion too early to remove the proxy option.
@fxprunayre thank you for posting that option to secure the proxy; personally I'd say this option is quite hidden. I'd suggest adding it as an 'allowed-hosts' parameter under admin > settings, and closing it for all hosts by default.
Maybe we can add dynamically a value: https://stackoverflow.com/a/31875117/469932
I updated the documentation a bit to explain the option to limit the accessible domains. https://github.com/geonetwork/doc/blob/develop/source/administrator-guide/configuring-the-catalog/system-configuration.rst However personally I would:
software component: GeoNetwork (opensource)
version: 3.2.1.0
test date: 21.04.2017
concerned parameter:
/./proxy?url=http%3a%2f%2fn3r2z6ef1olo1igqbhvhqimbj2psdi19ozco.vie01.local%2fat.lfrz.discoveryservices%2fsrv%2fde%2fcsw202%3fservice%3dCSW%26request%3dGetCapabilities%26version%3d2.0.2
/./proxy?url=http://www.xxxx.at%2fat.xxxx.discoveryservices%2fsrv%2fde%2fcsw202%3fservice%3dCSW%26request%3dGetCapabilities%26version%3d2.0.2
Proof-of-concept: During a proxy request, a URL is attached, which is resolved via DNS by the system. Additionally, it is possible to request any URLs.
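The thread proposes an 'allowed-hosts' setting for the proxy, closed for all hosts by default, and the report above shows the `url` parameter being accepted unchecked. The following is an added illustration of that check, not code from GeoNetwork or from the HTTP-Proxy-Servlet project: it is a standalone Python sketch that decodes a `url=` query parameter of the shape shown in the report and decides against an administrator-supplied host allowlist. The `ProxyPolicy` class, `target_from_query` helper, and the sample allowlist entries are assumptions made for the example; the `www.xxxx.at` host comes from the redacted PoC URL.

```python
"""Allowed-hosts check for a GetCapabilities proxy.

Added example, not GeoNetwork code. Assumptions: the proxy receives the
target as a `url` query parameter (as in the PoC above) and an administrator
configures a list of allowed hosts; an empty list denies everything, which is
the default-closed behaviour proposed in the thread.
"""
from urllib.parse import parse_qs, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class ProxyPolicy:
    """Decides whether a proxied target URL may be fetched."""

    def __init__(self, allowed_hosts):
        # Normalise once: lowercase, strip whitespace and a trailing root dot.
        self.allowed = {
            h.strip().lower().rstrip(".") for h in allowed_hosts if h.strip()
        }

    def check(self, target_url):
        """Return (allowed, reason). Only the parsed hostname is compared,
        never the raw URL string, so prefix tricks such as
        'http://allowed.example.org.evil.net/' or userinfo tricks such as
        'http://allowed.example.org@evil.net/' do not match."""
        try:
            parts = urlsplit(target_url)
        except ValueError:
            return False, "unparseable URL"
        if parts.scheme not in ALLOWED_SCHEMES:
            return False, f"scheme '{parts.scheme}' not allowed"
        # Credentials in the URL are a classic way to smuggle a different host.
        if parts.username is not None or parts.password is not None:
            return False, "credentials in URL not allowed"
        host = parts.hostname
        if not host:
            return False, "missing host"
        host = host.lower().rstrip(".")
        if host not in self.allowed:
            return False, f"host '{host}' not in allowed list"
        return True, "ok"


def target_from_query(query_string):
    """Extract the proxied URL from a raw query string such as
    'url=http%3a%2f%2fexample.org%2f...'. parse_qs splits on '&' before
    percent-decoding, so an encoded '%26' inside the value stays part of it.
    Exactly one 'url' value is required; duplicates are rejected."""
    params = parse_qs(query_string, keep_blank_values=True)
    urls = params.get("url")
    if not urls or len(urls) != 1:
        return None
    return urls[0]


if __name__ == "__main__":
    # Constructed input modelled on the redacted PoC request above.
    query = ("url=http%3a%2f%2fwww.xxxx.at%2fat.xxxx.discoveryservices%2fsrv"
             "%2fde%2fcsw202%3fservice%3dCSW%26request%3dGetCapabilities"
             "%26version%3d2.0.2")
    policy = ProxyPolicy(["www.xxxx.at"])  # assumed admin setting
    target = target_from_query(query)
    print(target, policy.check(target))
    print(policy.check("http://www.xxxx.at@evil.example.net/"))
    print(policy.check("http://127.0.0.1:8080/geonetwork/"))
```

Matching on the parsed hostname rather than on the whole request URL is the practical difference from a regex rule on the request path like the one in config-security-mapping.xml: a pattern anchored on `proxy?url=http://allowed.example.org` still accepts `http://allowed.example.org.evil.net/` and `http://allowed.example.org@evil.net/`, whereas the hostname comparison above rejects both. Literal loopback or internal addresses are rejected simply because they are not on the list; the DNS resolution mentioned in the report still happens for any listed name, so the list should contain only hosts the catalogue is meant to reach.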