Allow access to arbitrary paths on the target server

This how-to describes how you can use a service of type FORWARD to allow access to arbitrary paths on the target server via security.manager for OGC.

In some cases, it may be necessary to allow access to certain paths on the protected server that do not directly belong to a secured WMS or WFS.

This is particularly the case when an OGC service references resources in its responses that are located outside the actual service path. In this case, you will find a warning message in the log file of security.manager for OGC that indicates that a service of type FORWARD may be required for this path.

[WARN ] [...] de.conterra.security.proxy.ogc.ProxyUrlReplacementHook - No service defined for path: /geoserver/schemas/wfs/1.1.0/wfs.xsd. Please add a service of type FORWARD for this path otherwise access to it is blocked.

Example

Suppose you protect a WFS service under the path /geoserver/wfs with the following server configuration:

server-config.json
{
  "server": {
    "host": "https://gisserver.example.com",
    "services": [
      {
        "path": "/geoserver/wfs",
        "type": "WFS",
        "policy-ref": "geoserver-wfs-policy"
      }
    ]
  }
}

The example WFS references schema documents in its responses that are located outside the actual service path. The response of a GetCapabilities request could look like this:

<wfs:WFS_Capabilities ...>
  ...
  <xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" targetNamespace="http://www.opengis.net/wfs" ...>
    <xsd:import namespace="http://www.opengis.net/gml" schemaLocation="https://secman.example.com/secman-ogc/geoserver/schemas/gml/3.1.1/base/gml.xsd"/>
    ...
  </xsd:schema>
  ...
</wfs:WFS_Capabilities>

The imported XML schema file under the path /geoserver/schemas is not part of the WFS service that is protected under the path /geoserver/wfs. Therefore, requests for the XML schema file are blocked by security.manager for OGC by default. To allow clients to retrieve the referenced schema document, you need to allow access to the path /geoserver/schemas.

The following section describes the necessary steps to enable access to this path.

Steps to enable access to a path

  1. Open the server configuration file server-config.json.

  2. Add another service of type FORWARD under services for the path that should be enabled:

    "services": [
      // ...
      {
        "path": "/geoserver/schemas",
        "type": "FORWARD"
      }
    ]

    This enables access to all resources under the path /geoserver/schemas on the protected server.

  3. Save the file and restart security.manager for OGC.

After the restart, clients can access the resources under the enabled path via the URL of the protected service. For the example, this means that requests from clients to https://secman.example.com/secman-ogc/geoserver/schemas/gml/3.1.1/base/gml.xsd are forwarded to the protected server.
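A small sanity check for the resulting configuration, added here as an example and not part of security.manager for OGC: it loads a constructed server-config.json, resolves sample request paths to a service under an assumed longest-prefix match (how the product itself maps requests is described in the page referenced under Additional notes), and flags FORWARD entries that reach further than the referenced resources, since a FORWARD path is not covered by any policy.

```python
import json
from typing import Optional

# Constructed sample configuration for this example: the how-to's
# server-config.json after the FORWARD service for /geoserver/schemas is added.
SERVER_CONFIG = json.loads("""
{
  "server": {
    "host": "https://gisserver.example.com",
    "services": [
      {"path": "/geoserver/wfs", "type": "WFS", "policy-ref": "geoserver-wfs-policy"},
      {"path": "/geoserver/schemas", "type": "FORWARD"}
    ]
  }
}
""")

def _covers(service_path: str, request_path: str) -> bool:
    """True if request_path is service_path itself or lies beneath it."""
    base = service_path.rstrip("/")
    return request_path == base or request_path.startswith(base + "/")

def resolve_service(config: dict, request_path: str) -> Optional[dict]:
    """Return the service whose path is the longest prefix of request_path, or
    None when no service covers it (the proxy would then block the request).
    Longest-prefix matching is an assumption of this example, not a statement
    about how security.manager for OGC itself maps requests."""
    candidates = [s for s in config["server"]["services"] if _covers(s["path"], request_path)]
    return max(candidates, key=lambda s: len(s["path"].rstrip("/")), default=None)

def lint_forward_services(config: dict) -> list[str]:
    """Flag FORWARD entries that expose more than the referenced resources:
    a FORWARD at the server root, or one whose path contains a secured service."""
    services = config["server"]["services"]
    findings = []
    for fwd in (s for s in services if s["type"] == "FORWARD"):
        if fwd["path"].rstrip("/") == "":
            findings.append(f"FORWARD at {fwd['path']!r} exposes the whole server")
        for sec in (s for s in services if s["type"] != "FORWARD"):
            if _covers(fwd["path"], sec["path"]):
                findings.append(f"FORWARD {fwd['path']!r} contains secured {sec['type']} "
                                f"path {sec['path']!r}; keep FORWARD paths disjoint")
    return findings

if __name__ == "__main__":
    for p in ("/geoserver/wfs", "/geoserver/schemas/gml/3.1.1/base/gml.xsd", "/geoserver/wms"):
        svc = resolve_service(SERVER_CONFIG, p)
        print(p, "->", svc["type"] if svc else "BLOCKED (no service defined)")
    print(lint_forward_services(SERVER_CONFIG) or "no findings")
```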

Additional notes

For detailed information on how security.manager for OGC determines the target service for an incoming request, see Mapping incoming requests to protected services.