Class RestrictUrisProcessor

  • All Implemented Interfaces:
    ConfigurationObject, HttpProcessor<ClientHttpFactoryProcessorParam>, Processor<ClientHttpFactoryProcessorParam,java.lang.Void>

    public final class RestrictUrisProcessor
    extends AbstractClientHttpRequestFactoryProcessor
    This processor checks URLs against a set of URL matchers to decide whether the request should be allowed or rejected.

    The processor is used as follows:

    
     - !restrictUris
       matchers:
         - !localMatch {}
         - !ipMatch
           ip: www.camptocamp.org
         - !dnsMatch
           host: mapfish-geoportal.demo-camptocamp.com
           port: 80
         - !dnsMatch
           host: labs.metacarta.com
           port: 80
         - !dnsMatch
           host: terraservice.net
           port: 80
         - !dnsMatch
           host: tile.openstreetmap.org
           port: 80
         - !dnsMatch
           host: www.geocat.ch
           port: 80
     

    By default a matcher allows the URL, but it can be set up to reject the URL (by setting reject to true). The first matcher that matches picks the final outcome. If no matcher matches, the URI is rejected. So, for example, you can allow all URLs apart from the internal ones like this:

    
     - !restrictUris
       matchers:
         - !ipMatch
           ip: 192.178.0.0
           mask: 255.255.0.0
           reject: true
         - !acceptAll
     

    If the Print service is in your DMZ and needs to allow access to any WMS server, it is strongly recommended to use a configuration like the previous one to prevent the Print service from being used as a proxy to reach your internal servers.
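The following Python model of the evaluation rule described above is an added example, not MapFish Print code. It shows how matcher order and the default reject change the outcome for the configuration shown. The helper names, the sample URIs and the extra ranges in `HARDENED` are assumptions, and hosts must be IP literals because the model does no DNS resolution.

```python
import ipaddress
from urllib.parse import urlsplit

# Model of the documented rule: matchers are tried in order, the first one
# that matches decides (via its reject flag), and no match means rejected.

def ip_match(ip, mask, reject=False):
    """Hypothetical stand-in for an !ipMatch entry with ip/mask/reject."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return (lambda addr: addr in net, reject)

def accept_all():
    """Hypothetical stand-in for !acceptAll: matches everything, allows it."""
    return (lambda addr: True, False)

def is_allowed(matchers, uri):
    addr = ipaddress.ip_address(urlsplit(uri).hostname)
    for matches, reject in matchers:
        if matches(addr):
            return not reject      # first match picks the outcome
    return False                   # nothing matched: rejected

# The configuration shown above, using the page's own ip/mask values.
PAGE_CONFIG = [ip_match("192.178.0.0", "255.255.0.0", reject=True), accept_all()]
# Same entries in the wrong order: !acceptAll wins before the reject is reached.
REORDERED = [accept_all(), ip_match("192.178.0.0", "255.255.0.0", reject=True)]
# Reject entry alone: every other URI falls through to the default reject.
REJECT_ONLY = [ip_match("192.178.0.0", "255.255.0.0", reject=True)]
# Assumed extension: one reject entry per internal range a deployment might
# use (loopback, RFC 1918, link-local), placed before the page's entries.
INTERNAL = [("127.0.0.0", "255.0.0.0"), ("10.0.0.0", "255.0.0.0"),
            ("172.16.0.0", "255.240.0.0"), ("192.168.0.0", "255.255.0.0"),
            ("169.254.0.0", "255.255.0.0")]
HARDENED = [ip_match(ip, mask, reject=True) for ip, mask in INTERNAL] + PAGE_CONFIG

# Constructed sample URIs (203.0.113.0/24 is a documentation range).
SAMPLES = ["http://192.178.4.7/wms", "http://10.0.0.5:8080/wms",
           "http://203.0.113.10/wms"]

def audit(matchers):
    """Return {uri: allowed?} for the constructed sample URIs."""
    return {uri: is_allowed(matchers, uri) for uri in SAMPLES}

if __name__ == "__main__":
    for name in ("PAGE_CONFIG", "REORDERED", "REJECT_ONLY", "HARDENED"):
        print(name, audit(globals()[name]))
```

In this model `PAGE_CONFIG` still allows `10.0.0.5`, because a reject entry covers only the range it names; each internal range in use needs its own entry ahead of `!acceptAll`.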

    Note: if this class is part of a CompositeClientHttpRequestFactoryProcessor (!configureHttpRequests), then it should be the last one so that the checks are done after all changes to the URIs.

    See Also:
    AcceptAllMatcher, AddressHostMatcher, DnsHostMatcher, LocalHostMatcher