#2864 closed enhancement (fixed)

Support ability to deny resource fetching calls to certain resources for Anonymous users in the mapagent

Reported by: jng
Owned by: jng
Priority: low
Milestone: 4.0
Component: Map Agent
Version:
Severity: trivial
Keywords:
Cc:
External ID:

Description (last modified by jng)

To reduce the attack surface of the MapGuide Web Tier and to prevent unwanted leakage of sensitive connection strings in certain Feature Sources, we should provide the ability for admins to deny the use of resource fetch APIs to anonymous users on a certain set of resources.

This could be defined as a list of resource ids or resource id prefixes in webconfig.ini that get checked against any resource id of a GETRESOURCE, GETRESOURCEHEADER or GETRESOURCEDATA operation executed in the context of an Anonymous user.

Change History (2)

comment:1 by jng, 13 months ago

Description: modified (diff)

comment:2 by jng, 13 months ago

Resolution: fixed
Status: assigned → closed

In 10036:

Add support for 3 new optional properties in webconfig.ini

These properties accept a comma-delimited list of resource ids or resource id prefixes, which if set will deny access for the respective GETRESOURCECONTENT, GETRESOURCEDATA or GETRESOURCEHEADER operation to Anonymous users for any resource id that starts with any of the tokens defined. This way, it is flexible enough to deny access to certain resources, or entire parent folders of resources.

Fixes #2864
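
The prefix check described in the commit message above, sketched as an added example that is not MapGuide's own code. The function names and the sample resource ids are assumptions constructed for illustration; the actual webconfig.ini property names are not shown on this page.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical helper: split a comma-delimited property value into trimmed,
// non-empty tokens. Empty tokens (e.g. from a trailing comma) are dropped,
// because an empty prefix would match every resource id.
std::vector<std::string> ParseDenyList(const std::string& value)
{
    std::vector<std::string> tokens;
    std::size_t start = 0;
    while (start <= value.size()) {
        std::size_t end = value.find(',', start);
        if (end == std::string::npos) end = value.size();
        std::size_t b = value.find_first_not_of(" \t", start);
        if (b != std::string::npos && b < end) {
            std::size_t e = value.find_last_not_of(" \t", end - 1);
            tokens.push_back(value.substr(b, e - b + 1));
        }
        start = end + 1;
    }
    return tokens;
}

// Hypothetical helper: true when the request must be refused, i.e. the caller
// is the Anonymous user and the resource id starts with any configured token.
// Authenticated users are never affected by the list.
bool IsDeniedForAnonymous(bool isAnonymous, const std::string& resourceId,
                          const std::vector<std::string>& denyList)
{
    if (!isAnonymous) return false;
    for (const std::string& prefix : denyList) {
        // Case-sensitive "starts with" comparison.
        if (resourceId.compare(0, prefix.size(), prefix) == 0) return true;
    }
    return false;
}

// Constructed sample value: one folder prefix and one exact resource id.
const char* const kSampleDenyList =
    "Library://Secure/, Library://Samples/Data/Parcels.FeatureSource,";
```

Because matching is by prefix, a folder token written without its trailing slash (`Library://Secure`) also covers sibling folders such as `Library://SecureStuff/`; end folder tokens with `/` when only that folder is meant.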
