Security¶
Authentication¶
The default policy¶
By default, c2cgeoportal applications use an auth ticket authentication
policy (AuthTktAuthenticationPolicy). With this policy, the user name is
obtained from the “auth ticket” cookie set in the request.
The policy is created, and added to the application’s configuration, in the
application’s main __init__.py file.
Using another policy¶
When using AuthTktAuthenticationPolicy, an “auth ticket” cookie should be
set in the request for the user to be identified. In some applications, using
a custom identification mechanism may be needed instead, for instance to use SSO.
Our knowledge base has an example of how this can be achieved.
User validation¶
For logging in, c2cgeoportal validates the user credentials
(username/password) by reading the user information from the user database
table. If a c2cgeoportal application should work with another user information
source, like LDAP, a custom client validation mechanism can be set up.
Our knowledge base has an example of how this can be achieved.
HTTPS¶
If your application is accessed in HTTPS, you have to make sure that all URLs generated by the application (CSS and Javascript files, images, MapServer requests, etc.) use the HTTPS scheme as well. Otherwise the browser will prompt “unsecure content” warnings.
There are two ways to manage this:
- application behind a proxy
- application and SSL certificate on the same server
Application behind a proxy¶
If the application is placed behind some proxy that removes the SSL encryption (plain HTTP is used between the proxy and the server), then some specific configuration is required both on the c2cgeoportal application and on the proxy:
The proxy should add a specific header to the requests. For example
X-Https on(X-Httpsis the header name, andonis the header value).To make c2cgeoportal generate HTTPS URLs when requests with this header are received, you should set the HTTPS environment variable by adding the following in the
apache/wsgi.conf.makofile in the<location ...>section, in our example:SetEnvIf X-Https on HTTPS=1
In Mako templates, if you need to know what scheme is used, you may test the
value of request.scheme. For example:
var WMTS_OPTIONS = {
% if request.scheme == 'https':
url: 'https://my.wmts.server/'
% else:
url: 'http://my.wmts.server/'
% endif
/* ... */
};
Application and SSL certificate on the same server¶
If the SSL certificate and the application are located on the same server, all requests will be redirected to https. So you should change the scheme to https for all url except for some cases that should always use http (typically, all requests to localhost): see url parameter in tilegeneration configuration.
If you apply ssl encryption on your application, you should take care of the tiles url to use https scheme to avoid secure and insecure contents.
Finally, you should redirect all http request to https scheme. On Camptocamp servers, this needs to be requested via infrastructure support.
In case you load http external resources into your application, you should use the resourceproxy service as described below.
Loading non https external resources¶
If you want to load non https external resources in your https application, you should use the resourceproxy service and add the list of hosts you want to access in your project vars_<project>.yaml configuration file:
resourceproxy:
# list of urls from which it is safe to load content
targets:
#exampletargetname: http://www.camptocamp.com/?param1=%s¶m2=%s
rfinfo: http://www.rfinfo.vd.ch/rfinfo.php?no_commune=%s&no_immeuble=%s
Then you can access resources by building urls using the following schema:
http://<host>/wsgi/resourceproxy?target=<targetname>&values=(<valueparam1>,...).
For example:
http://geoportail.camptocamp.com/main/wsgi/resourceproxy?target=rfinfo&values=(175,2633)
Local certificate checks¶
Certain c2cgeoportal features open a http session to your c2cgeoportal services,
for example the checker or the lingua_extractor.
If you are running your server in https and wish to disable certificate checks in these
connections, you can achieve this by adding the following configuration element to your vars file:
vars:
http_options:
disable_ssl_certificate_validation: True
Reset password¶
When a user has forgotten his/her password, a new one may be sent by email if some additional GeoMapFish configuration is provided.
To ensure such an e-mail can be generated, you should add the following configuration
in the vars.yaml file:
# SMTP configuration could be already there if needed by other feature
smtp:
host: smtp.example.com:465
ssl: true
user: <username>
password: <password>
starttls: false
reset_password:
# Used to send a confirmation email
email_from: info@camptocamp.com
email_subject: New password generated for GeoMapFish
email_body: |
Hello {user},
You have asked for an new password,
the newly generated password is: {password}
Sincerely yours
The GeoMapFish team
If the SMTP host ends with a colon (:) followed by a number, and there is no port specified, that suffix will be stripped off and the number interpreted as the port number to use.
Replace the smtp.example.com value by a working SMTP server name.
Access to WMS GetCapability¶
Set hide_capabilities to true in your vars_<project>.yaml to disable
the WMS GetCapability when accessing the Mapserver proxy (mapserverproxy).
Default: false
Access to the admin interface¶
To disable the admin interface, set enable_admin_interface to false
in your vars_<project>.yaml file.
Default: true
Access to the OGC proxy¶
To enable the OGC proxy, set ogcproxy_enable to true in your
vars_<project>.yaml file.
Default: false
Furthermore, add the papyrus_ogcproxy package in the install_requires of the setup.py file.
In the viewer.js files, you should also add the OpenLayers.ProxyHost configuration:
OpenLayers.ProxyHost = "${request.route_url('ogcproxy') | n}?url=";
Working without this proxy implies that all external WMS services (from the database and from the WMS browser) should have the CORS headers (enable-cors.org).
Access to services by external servers¶
By default, only localhost can access c2cgeoportal’s services.
To permit access to a specific service by an external server, you must set CORS headers (Access-Control-Allow-Origin) in your vars_<project>.yaml file.
Add or modify the structure as follows:
headers:
<service_name>:
access_control_allow_origin: ["<domain1>", "<domain2>", ...]
access_control_max_age: 3600
A "*" can be included in access_control_allow_origin to allow everybody to
access, but no credentials will be passed in this case.
Available services are:
Entry:
- index
- config
- api
Services:
- themes
- login
- mapserver
- profile
- raster
- layers
- login
- error
Authorized referrers¶
To mitigate CSRF attacks, the server validates the referrer against a list of authorized referrers.
By default, only the requests coming from the server are allowed. You can change
that list by adding an authorized_referers list in your
vars_<project>.yaml file.
This solution is not the most secure (some people have browser extensions that reset the referrer), but that is the easiest to implement with all the different JS frameworks.
Force authentication when accessing the mapserver proxy¶
If your WMS contains private layers and you wish to force a client to authenticate
in order to always obtain all layers (including private layers), you can force
authentication by adding the parameter authentication_required to the WMS URL.
This setting may be necessary for the good operation of some clients such as ArcMap.
For example, if your WMS is accessible as
https://<yourserver>/<yourinstance>/wsgi/mapserv_proxy
then you can use the following URL to force authentication:
https://<yourserver>/<yourinstance>/wsgi/mapserv_proxy?authentication_required=true
