Security

Enable / Disable WMS GetCapability

Set hide_capabilities to true in your vars_<project>.yaml to disable the WMS GetCapability when accessing the Mapserver proxy (mapserverproxy).

Default: false

Force authentication when accessing the Mapserver proxy

If your WMS contains private layers and you wish to force a client to authenticate in order to always obtain all layers (including private layers), you can force authentication by adding the parameter authentication_required to the WMS URL. This setting may be necessary for the good operation of some clients such as ArcMap.

For example, if your WMS is accessible as

https://<yourserver>/<yourinstance>/wsgi/mapserv_proxy

then you can use the following URL to force authentication:

https://<yourserver>/<yourinstance>/wsgi/mapserv_proxy?authentication_required=true

Enable / Disable the admin interface

To disable the admin interface, set enable_admin_interface to false in your vars_<project>.yaml file.

Default: true

Enable / Disable the OGC proxy

To enable the OGC proxy, set ogcproxy_enable to true in your vars_<project>.yaml file.

Default: false

And adding the papyrus_ogcproxy package in the install_requires of the setup.py file.

In the viewer.js files you should also add the OpenLayers.ProxyHost configuration:

OpenLayers.ProxyHost = "${request.route_url('ogcproxy') | n}?url=";

Working without this proxy implies that all external WMS services (from the database and from the WMS browser) should have the CORS headers (enable-cors.org).

Access to services by external servers

By default, only localhost can access c2c’s services. To permit access to a specific service by an external server, you must set headers CORS (Access-Control-Allow-Origin) in your vars_<project>.yaml file.

Add or modify the structure like that:

headers:
    <service_name>:
        access_control_allow_origin: ["<domain1>", "<domain2>", ...]
        access_control_max_age: 3600

A "*" can be included in access_control_allow_origin to allow everybody to access, but no credentials will be passed in the case.

Available services are:

Entry:

  • index
  • config
  • api

Services:

  • themes
  • login
  • mapserver
  • print
  • profile
  • raster
  • layers
  • login
  • error

Authorized referers

To mitigate CSRF attacks, the server validates the referer against a list of authorized referers.

By default, only the pages coming from the server are allowed. You can change that list by adding an authorized_referers list in your vars_<project>.yaml file.

This solution is not the most secure (some people have browser extensions that reset the referer), but that is the easiest to implement with all our different JS frameworks.