[Geoserver-devel] [JIRA] (GEOS-11052) Default config files do not indicate correctly how to setup the CORS filter

Robin KERDILES created an issue

GeoServer / BugGEOS-11052

Default config files do not indicate correctly how to setup the CORS filter

Issue Type:

BugBug

Affects Versions:

2.22.5

Assignee:

Unassigned

Components:

Documentation

Created:

05/Jul/23 11:51 AM

Environment:

Geoserver container behind a reverse proxy which is terminating the connexion over TLS.
Headers are transmitted (X-Forwaded-*)

Priority:

LowLow

Reporter:

Robin KERDILES

The default file web.xml has a wrong order in the filters if we want to add CORS.
There is a conflict with spring security and the login is impossible unless I add the CORS filter as the last filter.
The first filter made me think that the order of the filters provided as a comment block for the CORS was important as well.

    <!--
      THIS FILTER MAPPING MUST BE THE FIRST ONE, otherwise we end up with ruined chars in the input from the GUI
      See the "Note" in the Tomcat character encoding guide:
      http://wiki.apache.org/tomcat/FAQ/CharacterEncoding
    -->
    <filter-mapping>
      <filter-name>Set Character Encoding</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

   <!-- Uncomment following filter to enable CORS
    <filter-mapping>
        <filter-name>cross-origin</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->

Here is the diff file with a working configuration for my specific environment

--- web.xml.orig
+++ web.xml
@@ -156,25 +156,31 @@
       </init-param>
     </filter>
     -->
-
-   <!-- Uncomment following filter to enable CORS in Tomcat. Do not forget the second config block further down.
+
     <filter>
-      <filter-name>cross-origin</filter-name>
+      <filter-name>DockerGeoServerCorsFilter</filter-name>
       <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
       <init-param>
-        <param-name>cors.allowed.origins</param-name>
-        <param-value>*</param-value>
+          <param-name>cors.allowed.origins</param-name>
+          <param-value>https://sequoia.aubepine.emanrisk.net,https://sequoia.chene.emanrisk.net,https://sequoia.maite.emanrisk.net</param-value>
       </init-param>
       <init-param>
-        <param-name>cors.allowed.methods</param-name>
-        <param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
+          <param-name>cors.allowed.methods</param-name>
+          <param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
       </init-param>
       <init-param>
-        <param-name>cors.allowed.headers</param-name>
-        <param-value>*</param-value>
+          <param-name>cors.allowed.headers</param-name>
+          <param-value>Authorization,Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
       </init-param>
+      <init-param>
+          <param-name>cors.exposed.headers</param-name>
+          <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
+      </init-param>
+      <init-param>
+        <param-name>cors.support.credentials</param-name>
+        <param-value>true</param-value>
+      </init-param>
     </filter>
-    -->

     <!--
       THIS FILTER MAPPING MUST BE THE FIRST ONE, otherwise we end up with ruined chars in the input from the GUI
@@ -236,6 +242,11 @@
       <url-pattern>/*</url-pattern>
     </filter-mapping>

+    <filter-mapping>
+      <filter-name>DockerGeoServerCorsFilter</filter-name>
+      <url-pattern>/*</url-pattern>
+    </filter-mapping>
+
     <!-- general initializer, should be first thing to execute -->
     <listener>
       <listener-class>org.geoserver.GeoserverInitStartupListener</listener-class>

Add Comment

Add Comment

Get Jira notifications on your phone! Download the Jira Cloud app for Android or iOS


This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100229-sha1:634ba05)

Atlassian logo