[Mapguide-trac] [mapguide-trac] #2864: Support ability to deny resource fetching calls to certain resources for Anonymous users in the mapagent
MapGuide Open Source
trac_mapguide at osgeo.org
Tue Mar 21 05:49:24 PDT 2023
#2864: Support ability to deny resource fetching calls to certain resources for
Anonymous users in the mapagent
-------------------------+------------------------
Reporter: jng | Owner: jng
Type: enhancement | Status: assigned
Priority: low | Milestone: 4.0
Component: Map Agent | Version:
Severity: trivial | Resolution:
Keywords: | External ID:
-------------------------+------------------------
Description changed by jng:
Old description:
> To reduce the attack surface of the MapGuide Web Tier and to prevent
> unwanted leakage of sensitive connection strings in certain Feature
> Sources, we should provide the ability for admins to deny the use of
> resource fetch APIs to anonymous users.
>
> This could be defined as a list of resource ids or resource id prefixes
> in `webconfig.ini` that get checked against any resource id of a
> GETRESOURCE, GETRESOURCEHEADER, GETRESOURCEDATA operation executed in the
> context of an Anonymous user.
New description:
To reduce the attack surface of the MapGuide Web Tier and to prevent
unwanted leakage of sensitive connection strings in certain Feature
Sources, we should provide the ability for admins to deny the use of
resource fetch APIs to anonymous users on a certain set of resources.

This could be defined as a list of resource ids or resource id prefixes in
`webconfig.ini` that get checked against any resource id of a GETRESOURCE,
GETRESOURCEHEADER, GETRESOURCEDATA operation executed in the context of an
Anonymous user.
--
Ticket URL: <https://trac.osgeo.org/mapguide/ticket/2864#comment:1>
MapGuide Open Source <http://mapguide.osgeo.org/>
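
One way the check proposed in the ticket could work, as an added example that is not MapGuide's own code. The function names, the comma-separated list format and the rule that an entry ending in `/` is a prefix while any other entry is an exact resource id are all assumptions made here; the ticket does not name a `webconfig.ini` key or a matching rule.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical helper: split one comma-separated config value into trimmed entries.
std::vector<std::string> ParseDenyList(const std::string& value) {
    std::vector<std::string> out;
    for (std::string::size_type start = 0; start <= value.size();) {
        auto end = value.find(',', start);
        if (end == std::string::npos) end = value.size();
        const std::string item = value.substr(start, end - start);
        const auto b = item.find_first_not_of(" \t");
        if (b != std::string::npos)
            out.push_back(item.substr(b, item.find_last_not_of(" \t") - b + 1));
        start = end + 1;
    }
    return out;
}

// The three operations named in the ticket. Compared case-insensitively so a
// differently-cased OPERATION value cannot slip past the check (assumption).
bool IsResourceFetchOp(std::string op) {
    std::transform(op.begin(), op.end(), op.begin(),
                   [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
    return op == "GETRESOURCE" || op == "GETRESOURCEHEADER" || op == "GETRESOURCEDATA";
}

// Assumed rule: an entry ending in '/' denies everything under that folder;
// any other entry must equal the resource id exactly (case-sensitive).
bool MatchesEntry(const std::string& entry, const std::string& resId) {
    if (!entry.empty() && entry.back() == '/')
        return resId.compare(0, entry.size(), entry) == 0;
    return resId == entry;
}

// True when the request should be refused. "Anonymous" is assumed to be the
// user name the web tier sees for anonymous sessions.
bool IsDeniedForAnonymous(const std::string& user, const std::string& op,
                          const std::string& resId, const std::vector<std::string>& deny) {
    if (user != "Anonymous" || !IsResourceFetchOp(op)) return false;
    return std::any_of(deny.begin(), deny.end(),
                       [&](const std::string& e) { return MatchesEntry(e, resId); });
}

int main() {  // constructed sample values, not taken from a real deployment
    const auto deny = ParseDenyList("Library://Secure/, Library://Data/Db.FeatureSource");
    std::cout << IsDeniedForAnonymous("Anonymous", "GETRESOURCE", "Library://Secure/A.FeatureSource", deny) << "\n";
}
```
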