.. _integrator_security:

Security
========

.. include:: authentication.rst
.. include:: https.rst
.. include:: reset_password.rst

Access to WMS GetCapability
---------------------------

Set ``hide_capabilities`` to ``true`` in your ``vars_<project>.yaml`` to disable
the WMS GetCapability when accessing the Mapserver proxy (mapserverproxy).

Default: ``false``

Access to the admin interface
-----------------------------

To disable the admin interface, set ``enable_admin_interface`` to ``false``
in your ``vars_<project>.yaml`` file.

Default: ``true``

Access to the OGC proxy
-----------------------

To enable the OGC proxy, set ``ogcproxy_enable`` to ``true`` in your
``vars_<project>.yaml`` file.

Default: ``false``

Furthermore, add the ``papyrus_ogcproxy`` package in the ``install_requires`` of the ``setup.py`` file.

In the ``viewer.js`` files, you should also add the ``OpenLayers.ProxyHost`` configuration:

.. code:: javascript

   OpenLayers.ProxyHost = "${request.route_url('ogcproxy') | n}?url=";

Working without this proxy implies that all external WMS services (from the database and from the WMS browser) should
have the CORS headers (`enable-cors.org <http://enable-cors.org/server.html>`_).

Access to services by external servers
--------------------------------------

By default, only localhost can access c2cgeoportal's services.
To permit access to a specific service by an external server, you must set CORS headers (Access-Control-Allow-Origin) in your ``vars_<project>.yaml`` file.

Add or modify the structure as follows:

.. code:: yaml

    headers:
        <service_name>:
            access_control_allow_origin: ["<domain1>", "<domain2>", ...]
            access_control_max_age: 3600

A ``"*"`` can be included in ``access_control_allow_origin`` to allow everybody to
access, but no credentials will be passed in this case.

Available services are:

Entry:

- index
- config
- api

Services:

- themes
- login
- mapserver
- print
- profile
- raster
- layers
- login
- error

Authorized referrers
--------------------

To mitigate `CSRF <https://en.wikipedia.org/wiki/Cross-site_request_forgery>`_
attacks, the server validates the referrer against a list of authorized referrers.

By default, only the requests coming from the server are allowed. You can change
that list by adding an ``authorized_referers`` list in your
``vars_<project>.yaml`` file.

This solution is not the most secure (some people have browser extensions that
reset the referrer), but that is the easiest to implement with all the different
JS frameworks.

Force authentication when accessing the mapserver proxy
-------------------------------------------------------

If your WMS contains private layers and you wish to force a client to authenticate
in order to always obtain all layers (including private layers), you can force
authentication by adding the parameter ``authentication_required`` to the WMS URL.
This setting may be necessary for the good operation of some clients such as ArcMap.

For example, if your WMS is accessible as

.. code:: html

   https://<yourserver>/<yourinstance>/wsgi/mapserv_proxy

then you can use the following URL to force authentication:

.. code:: html

   https://<yourserver>/<yourinstance>/wsgi/mapserv_proxy?authentication_required=true