Security

General

MapStore is a web application that is usually deployed on tomcat. For this reason you should follow the general security settings suggested by tomcat.

There are also other considerations valid for all the applications:

  • Always use HTTPS to create secure connections
  • Do not share sensible data like passwords (for users or database)
  • Always use strong and not trivial passwords (for user or database)

HTTPS

The suggested configuration to use HTTPS for MapStore is to expose on port 80 using an HTTP server.

For instance for Apache HTTP server you can then set the proxy configuration like this:

# Example for Apache HTTP server
ProxyPass        /mapstore   ajp://localhost:8010/mapstore
ProxyPassReverse /mapstore   ajp://localhost:8010/mapstore

Proxy

MapStore is delivered with an internal proxy that allows to access data to remote servers directly, avoiding the same origin policy of the web browser.

Note

If you know some servers, outside the domain of your application, that are accessible using Cross-origin resource sharing (CORS) mechanism, you can configure them in localConfig.json, in the section proxy-->useCors. Adding a URL to this list makes MapStore call the service directly, without passing through the proxy server.

{
    "proxyUrl": {
        "url": "proxy/?url=",
        "useCORS": [
        "https://nominatim.openstreetmap.org",
        "https://otherdomain.org/geoserver/"
        ]
    }
}

MapStore will intercept automatically the cross-origin requests and will redirect them to the proxy. This proxy can be configured to restrict set of requests allowed, or to limit the connections to avoid some some types of attacks (e.g. DNS)

This is the actual default configuration:

# ##################
# CONNECTION MANAGER
# ##################
timeout = 30000
connection_timeout = 30000
max_total_connections = 60
default_max_connections_per_host = 6

# #################
# Stream Byte Size
# #################
defaultStreamByteSize=1024

# ###########
# WHITE LISTS
# ###########
#hostnameWhitelist = localhost,demo1.geo-solutions.it,demo.geo-solutions.it

mimetypeWhitelist = application/force-download,text/html,text/plain,application/xml,text/xml,application/vnd.ogc.sld+xml,application/vnd.ogc.gml,application/json,application/vnd.ogc.wms_xml,application/x-www-form-urlencoded,image/png,application/pdf,text/csv,image/bil,application/bil16,application/zip,text/csv;charset=UTF-8

methodsWhitelist = GET,POST,PUT

#hostsWhitelist = 127.0.0.1

#reqtypeWhitelist.capabilities = (([&]?([Rr][Ee][Qq][Uu][Ee][Ss][Tt]=[Gg]et[Cc]apabilities))|([&]?(version=1\\.1\\.1)))+
reqtypeWhitelist.capabilities = .*[Gg]et[Cc]apabilities.*
reqtypeWhitelist.featureinfo = .*[Gg]et[Ff]eature[Ii]nfo.*
reqtypeWhitelist.csw = .*csw.*
reqtypeWhitelist.geostore = .*geostore.*
reqtypeWhitelist.generic = (.*exist.*)|(.*pdf.*)|(.*map.*)|(.*wms.*)|(.*wmts.*)|(.*tms.*)|(.*wfs.*)|(.*ows.*)|(.*spatialreference.*)|(.*wps.*)

This configuration is made to make MapStore work with every server, limiting the requests to the ones typical of MapStore. So by default you will find restrictions on - mime types (the ones supported by MapStore) - request types (forcing URL to contain strings typical of the OGC service requests).

By default there is no restriction on Hosts, but you can configure this proxy with a white-list of allowed servers, setting a comma separated list of host names in hostnameWhitelist property.

If you want to disable this proxy at all, you can simply set methodsWhitelist to a method that doesn’t exists. (e.g. “NOT_EXIST”).