Advanced settings

The following parameters can be changed in the configuration.

jsregistry.browsing.enabled

This parameter enables or disables the HTML browsing capabilities of the JS-Registry (/resources/jsregistry/root). By default, the function is enabled (true).

security.ssl.trustAny

This parameter enables support for self-signed certificates on HTTPS connections made by map.apps by accepting any server certificate. Because this switches off the certificate validation that protects those connections against man-in-the-middle attacks, it must not be enabled in production installations. By default, the function is disabled (false).

security.login.redirect.trusted.hosts

Comma-separated list of accepted hostnames. If the map.apps login process uses a redirect to forward the client to a specific site after a successful login, only destinations on these hosts are accepted. This prevents attackers from abusing the login redirect to send users to a malicious site (an open redirect).

Adding hostnames to this property is only required in special situations, for example if applications that are integrated with the map.apps login are deployed on a different host. This is common in development projects.

Wildcards can also be used to trust all hosts of a domain.

Example: *.gishost.org
Default: localhost
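As an added illustration (not map.apps' own implementation, whose internals this page does not describe), the following Python function shows how a redirect target can be checked against a list in the style of security.login.redirect.trusted.hosts. It covers the cases an open-redirect filter must reject: protocol-relative URLs, userinfo tricks such as https://localhost@evil.example, look-alike hosts such as localhost.evil.example and non-HTTP schemes. The function names are assumptions, and the wildcard rule (one leading *. covering all subdomains, but not the bare domain) is an interpretation of the *.gishost.org example above.

```python
"""Check a post-login redirect target against a trusted-hosts list.

Added example code: it is NOT map.apps' implementation of
security.login.redirect.trusted.hosts, only an illustration of the checks such
an allow-list needs. Function names and the exact wildcard rule are assumptions.
"""
from urllib.parse import urlsplit

DEFAULT_TRUSTED_HOSTS = "localhost"          # the property's default value


def parse_trusted_hosts(property_value):
    """Split the comma-separated property into lower-cased host patterns."""
    return [h.strip().lower() for h in property_value.split(",") if h.strip()]


def host_is_trusted(host, patterns):
    """True if host equals a pattern or falls under a '*.' wildcard.

    '*.gishost.org' is taken to cover dev.gishost.org and a.b.gishost.org,
    but not gishost.org itself and not gishost.org.evil.example.
    """
    host = host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]                 # ".gishost.org"
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


def is_trusted_redirect(target, property_value=DEFAULT_TRUSTED_HOSTS):
    """Decide whether the login process may redirect the browser to target.

    Same-site paths (no scheme, no host) are always fine. Anything naming a
    host must be http(s) or protocol-relative and match the allow-list; the
    check uses the parsed hostname, so 'https://localhost@evil.example/'
    resolves to evil.example and is rejected.
    """
    target = target.strip()
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # A plain path such as /apps/demo. Browsers read a leading backslash
        # as '/', so '\\evil.example' would become '//evil.example': reject it.
        return not (target.startswith("\\") or target.startswith("/\\"))
    if parts.scheme not in ("", "http", "https"):   # "" means //host/... form
        return False
    if not parts.hostname:
        return False
    return host_is_trusted(parts.hostname, parse_trusted_hosts(property_value))


if __name__ == "__main__":
    for url in ("/apps/demo", "https://localhost:8080/apps/demo",
                "https://localhost.evil.example/", "https://localhost@evil.example/",
                "//evil.example/", "javascript:alert(1)"):
        print(f"{url!r:45} -> {is_trusted_redirect(url)}")
```

The important design choice is to compare the parsed hostname rather than to search for the trusted name anywhere in the URL string: a substring or prefix match accepts localhost.evil.example and localhost@evil.example, which is exactly the bypass the property exists to prevent.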

security.embedding.allowed.origins

Comma-separated list of origins that are allowed to embed map.apps in an iframe. If the embedding page is not on one of these origins, the header X-Frame-Options: DENY is added to the response and the browser refuses to display map.apps inside the frame.

Example: security.embedding.allowed.origins=https://my-example.com:8080,https://demos.de

Default: <empty>

security.responseHeaders.common

List of HTTP headers following the Response Headers Syntax. The headers are added to responses of the map.apps backend service. Modify this property only if you have special security requirements.

By default the following headers are added:

  • X-Content-Type-Options:nosniff: Instructs the browser to interpret responses only according to the Content-Type header and not to guess (sniff) a different type (MDN).

  • Strict-Transport-Security:max-age=604800: Applies if map.apps is accessed via HTTPS. Instructs the browser to remember for 7 days (604800 seconds) that the host must only be accessed via HTTPS, never via plain HTTP (MDN).

Example: security.responseHeaders.common=X-Content-Type-Options:nosniff,Strict-Transport-Security:max-age=604800

Default: X-Content-Type-Options:nosniff,Strict-Transport-Security:max-age=604800

security.responseHeaders.manager

List of HTTP headers following the Response Headers Syntax. The headers are added to responses of map.apps manager HTML pages, like /manager or /account/login/. Modify this property only if you have special security requirements.

By default the following headers are added:

  • Referrer-Policy:same-origin: Instructs the browser to send a Referer header only to pages that belong to the same origin as the current page, whether they are visited or included (MDN).

  • Content-Security-Policy: Restricts the sources from which the page may load scripts, styles, images and other resources, which limits what an XSS attack can do (MDN).

Example: security.responseHeaders.manager=Referrer-Policy:same-origin, Content-Security-Policy:default-src 'self'

Default: Referrer-Policy:same-origin, Content-Security-Policy:default-src 'self'; script-src 'self' https://demos.conterra.de https://api.github.com; connect-src 'self' https: http:; img-src 'self' data: https:; worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'

security.responseHeaders.apps

List of HTTP headers following the Response Headers Syntax. The headers are added to responses of map.apps apps HTML pages, like /resources/apps/<app>/index.html. Modify this property only if you have special security requirements.

By default the following headers are added:

  • Referrer-Policy:same-origin: Instructs the browser to send a Referer header only to pages that belong to the same origin as the current page, whether they are visited or included (MDN).

  • Content-Security-Policy: Restricts the sources from which the page may load scripts, styles, images and other resources (MDN). Note that the default policy for apps permits scripts from any http: or https: origin as well as 'unsafe-eval', so it offers considerably less protection against XSS than the manager policy. If your apps only load scripts from known hosts, restrict script-src to those hosts.

Example: security.responseHeaders.apps=Referrer-Policy:same-origin, Content-Security-Policy:default-src 'self'

Default: Referrer-Policy:same-origin,Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' https: http:; worker-src 'self' blob:; connect-src 'self' https: http:; img-src 'self' data: blob: https: http:; style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'

Response Headers Syntax

The syntax to specify a list of response headers is: <header-name>:<header-value>,<header-name>:<header-value>, where

  • <header-name> is an HTTP header name that must start with an upper case letter, and

  • <header-value> is an HTTP header value. Each entry is split at its first colon, so the value itself may contain colons (as in the Content-Security-Policy defaults above); since the comma separates entries, a value cannot contain a comma.
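The following Python code is an added example, not part of map.apps: it parses property values written in the Response Headers Syntax and then inspects the Content-Security-Policy they carry, flagging the script-src sources that let any host or eval'd code run scripts. Run against the two defaults quoted above, it reports nothing for the manager policy and 'unsafe-eval', http: and https: for the apps policy. The parsing rules are the ones stated on this page; the lint, the regular expression for header names and all function names are our own.

```python
"""Parse the Response Headers Syntax used by security.responseHeaders.* and
lint the Content-Security-Policy value it contains.

Added example code, not part of map.apps. The parsing rules are the ones on
this page (comma-separated <name>:<value> entries, header names starting with
an upper-case letter); the CSP lint and all function names are our own.
"""
import re

# Header names: upper-case first letter, then letters, digits or hyphens.
HEADER_NAME_RE = re.compile(r"^[A-Z][A-Za-z0-9-]*$")

# script-src sources that let any host, or eval'd/inline code, run scripts.
PERMISSIVE_SCRIPT_SOURCES = {"'unsafe-eval'", "'unsafe-inline'", "https:", "http:", "*"}

# The two default values quoted above (whitespace as on the page).
MANAGER_DEFAULT = (
    "Referrer-Policy:same-origin, Content-Security-Policy:default-src 'self'; "
    "script-src 'self' https://demos.conterra.de https://api.github.com; "
    "connect-src 'self' https: http:; img-src 'self' data: https:; "
    "worker-src 'self' blob:; style-src 'self' 'unsafe-inline'; "
    "base-uri 'self'; form-action 'self'"
)
APPS_DEFAULT = (
    "Referrer-Policy:same-origin,Content-Security-Policy: default-src 'self'; "
    "script-src 'self' 'unsafe-eval' https: http:; worker-src 'self' blob:; "
    "connect-src 'self' https: http:; img-src 'self' data: blob: https: http:; "
    "style-src 'self' 'unsafe-inline'; base-uri 'self'; form-action 'self'"
)


def parse_response_headers(property_value):
    """Return a list of (name, value) tuples in property order.

    Entries are split on commas, each entry on its FIRST colon only: CSP
    values such as 'script-src https://demos.conterra.de' contain further
    colons. Whitespace around names and values is ignored, so a value may be
    written with or without a space after the comma or colon. Because the
    comma is the entry separator, a header value cannot contain one.
    """
    headers = []
    for entry in property_value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, value = entry.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not HEADER_NAME_RE.match(name):
            raise ValueError(f"invalid response header entry: {entry!r}")
        headers.append((name, value))
    return headers


def csp_directives(policy):
    """Split a CSP value into {directive-name: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def weak_script_sources(property_value):
    """Sources in script-src (or default-src if script-src is absent, which is
    the browser's fallback) that allow scripts from any origin or via eval."""
    headers = dict(parse_response_headers(property_value))
    policy = headers.get("Content-Security-Policy")
    if policy is None:
        return []
    directives = csp_directives(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    return sorted(s for s in sources if s in PERMISSIVE_SCRIPT_SOURCES)


if __name__ == "__main__":
    for label, value in (("manager", MANAGER_DEFAULT), ("apps", APPS_DEFAULT)):
        names = [name for name, _ in parse_response_headers(value)]
        print(label, names, "weak script sources:", weak_script_sources(value))
```

Splitting at the first colon only is what makes the CSP defaults parse at all; a naive split on every colon would cut https://demos.conterra.de in half. The lint is deliberately narrow: it only looks at script-src, which is the directive that decides whether injected markup can execute.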

Providing User Specific Bundles and Widgets

The following only applies to applications stored in the file system, without using map.apps Manager. In addition, map.apps must be linked to security.manager or map.apps Usermanagement.

Take the following steps to provide role-based bundles and widgets (the same approach works for tools).

First, configure an app in map.apps Manager and export it. Then place the extracted app in the folder {map.apps dir}\js\apps\YourApp; it may be necessary to create the apps/ subfolder manually. Rename the app.json file to app.jsp.

The app configuration file is filtered with the security.manager tag library. This requires a JSP file (app.jsp) in place of the JSON file (app.json). Apart from a special header at the top, the content of the two files is the same. When the file is requested from the server, it is rendered into JSON without that header. Within the JSP file, special tags filter content based on the user's roles.

Example
 <s:isInRole role="myRole">"selection"</s:isInRole>

In this example the string "selection" is only written to the file if the current user has the role myRole. The tag can be used at any position in the file, for example to exclude bundles in the allowedBundles section or to exclude certain tools from a toolset definition. Keep the rendered output valid JSON for every combination of roles: put the separating comma inside the tag, as in the sample below, and do not make a conditional entry the last element of an array, because a trailing comma left behind when the role is missing produces invalid JSON.

Sample of an app.jsp file
 <%@ page contentType="application/json; charset=UTF-8" pageEncoding="UTF-8" language="java" session="false" isThreadSafe="true" isELIgnored="true"%><%@ taglib uri="https://www.conterra.de/security/tags" prefix="s"%>{
   "load": {
     "allowedBundles": [
       "system",
       "map",
       "themes",
       "templates",
       "templatelayout",
       "windowmanager",
       "coordinatetransformer",
       "resultcenter",
       "contentviewer",
       <s:isInRole role="sM_Administrator">"selection",</s:isInRole>
       "infoviewer",
       "toolset",
       "toolrules",
       "authentication"
     ]
   },
   "bundles": {
     ...
   }
 }

To have the JSP file served in place of app.json, map the app.json request path to it in the configuration (security.application.jspMappings) and add the same path to the list of protectedAnonymousResources.

 ...
 security.application.jspMappings=.......,/js/apps/{YourApp}/app.json

 security.application.protectedAnonymousResources=/js/sample/,/js/sample/*.html,**/appauthorization/app.json,**/{YourApp}/app.json
 ...
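To make the role-based filtering and its one pitfall concrete, here is an added Python model of how an app.jsp is reduced to JSON for a given user. It is not the security.manager tag library and does not run JSP; it only reproduces the behaviour described above (the body of <s:isInRole> is kept when the user has the role and dropped otherwise) and then checks whether the result still parses as JSON. The two templates are constructed, shortened versions of the sample above; one keeps the comma inside the tag as the sample does, the other places the conditional entry last with the comma outside, which breaks the JSON for users without the role.

```python
"""Simulate how an app.jsp with <s:isInRole> tags is reduced to JSON for a user.

Added example code: this is NOT the security.manager tag library, only a model
of the behaviour described above (a tag body is kept when the user has the
role, dropped otherwise) used to show why the trailing comma belongs inside
the tag. Templates below are constructed, shortened versions of the sample.
"""
import json
import re

DIRECTIVE_RE = re.compile(r"<%@.*?%>", re.DOTALL)            # JSP page/taglib header
IS_IN_ROLE_RE = re.compile(
    r'<s:isInRole\s+role="([^"]+)"\s*>(.*?)</s:isInRole>', re.DOTALL)


def render_app_jsp(template, user_roles):
    """Strip the JSP header and resolve every (non-nested) isInRole tag."""
    body = DIRECTIVE_RE.sub("", template)

    def resolve(match):
        role, content = match.group(1), match.group(2)
        return content if role in user_roles else ""

    return IS_IN_ROLE_RE.sub(resolve, body)


def allowed_bundles(template, user_roles):
    """Render for the given roles and return load.allowedBundles.
    Raises json.JSONDecodeError when the rendered text is not valid JSON."""
    return json.loads(render_app_jsp(template, user_roles))["load"]["allowedBundles"]


def renders_valid_json(template, user_roles):
    """True if the rendered app configuration parses as JSON."""
    try:
        json.loads(render_app_jsp(template, user_roles))
        return True
    except json.JSONDecodeError:
        return False


# Comma inside the tag, conditional entry not last: valid JSON either way.
GOOD_TEMPLATE = '''<%@ page contentType="application/json; charset=UTF-8" %><%@ taglib uri="https://www.conterra.de/security/tags" prefix="s"%>{
  "load": {
    "allowedBundles": [
      "system",
      "map",
      <s:isInRole role="sM_Administrator">"selection",</s:isInRole>
      "toolset"
    ]
  }
}'''

# Conditional entry last, comma outside the tag: for a user without the role
# the array ends in '"toolset",' followed by ']', which is invalid JSON.
BAD_TEMPLATE = '''<%@ taglib uri="https://www.conterra.de/security/tags" prefix="s"%>{
  "load": {
    "allowedBundles": [
      "system",
      "map",
      "toolset",
      <s:isInRole role="sM_Administrator">"selection"</s:isInRole>
    ]
  }
}'''

if __name__ == "__main__":
    for roles in ({"sM_Administrator"}, set()):
        print(sorted(roles), allowed_bundles(GOOD_TEMPLATE, roles),
              "bad template valid:", renders_valid_json(BAD_TEMPLATE, roles))
```

Running the model for an administrator and for a user without the role shows the difference directly: GOOD_TEMPLATE yields a valid bundle list in both cases, BAD_TEMPLATE only for the administrator. A broken app.json for ordinary users is exactly the failure this pitfall produces in a real deployment, so checking every role combination the way this model does is worth the effort before shipping an app.jsp.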