Configure to enable protection against server-side request forgery attacks

To fix Server-Side Request Forgery (SSRF) vulnerabilities, you can modify the iServer configuration file [SuperMap iServer installation directory]\webapps\iserver\WEB-INF\web.xml to enable protection against SSRF attacks.

Configure the SSRF protection as follows:

<filter>
      <filter-name>SsrfFilter</filter-name>
      <display-name>SsrfFilter</display-name>
      <filter-class>com.supermap.server.host.webapp.SsrfFilter</filter-class>
      <async-supported>true</async-supported>
      <init-param>
            <param-name>ssrfDefendEnable</param-name>
            <!-- Optional values: true and false respectively enable and disable SSRF protection -->
            <param-value>true</param-value>
      </init-param>
      <init-param>
            <param-name>apiList</param-name>
            <!-- After enabling protection, set the APIs to protect. URLs are matched by regular expression; separate multiple rules with ; (see the example below) -->
            <param-value>^/iserver/setup/.*;^/iserver/_setup/.*;^/iserver/setup.*</param-value>
      </init-param>
      <init-param>
            <param-name>hostWhiteList</param-name>
            <!-- After enabling protection, set the Host request header whitelist. Only hosts whose IPs are in the whitelist can access the APIs matched by apiList; separate multiple IPs with ; -->
            <param-value>ip1:port1;ip2:port2;ip3:port3</param-value>
      </init-param>
</filter>
<filter-mapping>
      <filter-name>SsrfFilter</filter-name>
      <url-pattern>/*</url-pattern>
</filter-mapping>

1. When multiple web filters exist at the same time, they are loaded and executed in a strict order: the order in which the filters are defined in web.xml. For the SsrfFilter to take effect, you must also define a filter-mapping for it in web.xml.

2. After the web.xml configuration is completed, restart the iServer to take effect.
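The following script is an added example for checking the configuration above before restarting iServer; it is not part of SuperMap's documentation or code. It parses a web.xml (with or without the Servlet namespace), extracts the SsrfFilter init-params, reports common mistakes (protection left disabled, placeholder ip:port values left in hostWhiteList, an apiList pattern that is not a valid regular expression, a missing filter-mapping), and models the documented policy (matched API plus whitelisted Host header) as a small decision function. The sample web.xml fragments, the RFC 5737 test addresses and the decision function are constructed assumptions; the real filter class is not reproduced here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample fragment that mirrors the documented SsrfFilter configuration.
# The whitelist uses documentation-only addresses (RFC 5737), not a real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>SsrfFilter</filter-name>
    <filter-class>com.supermap.server.host.webapp.SsrfFilter</filter-class>
    <init-param>
      <param-name>ssrfDefendEnable</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>apiList</param-name>
      <param-value>^/iserver/setup/.*;^/iserver/_setup/.*;^/iserver/setup.*</param-value>
    </init-param>
    <init-param>
      <param-name>hostWhiteList</param-name>
      <param-value>192.0.2.10:8090;192.0.2.11:8090</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>SsrfFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

# Constructed "bad" variant: protection disabled, placeholders left in, no filter-mapping.
BAD_WEB_XML = re.sub(r"<filter-mapping>.*?</filter-mapping>", "",
                     SAMPLE_WEB_XML.replace("<param-value>true</param-value>",
                                            "<param-value>false</param-value>")
                                   .replace("192.0.2.10:8090;192.0.2.11:8090",
                                            "ip1:port1;ip2:port2"),
                     flags=re.S)

HOST_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")  # ip:port form, as documented


def _local(tag):
    """Strip a namespace prefix ({uri}name -> name) so namespaced and plain web.xml both work."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else ""


def load_ssrf_filter(xml_text, filter_name="SsrfFilter"):
    """Extract the SsrfFilter init-params and whether a filter-mapping references it."""
    root = ET.fromstring(xml_text)
    params, found = {}, False
    for flt in _children(root, "filter"):
        if _text(flt, "filter-name") != filter_name:
            continue
        found = True
        for p in _children(flt, "init-param"):
            params[_text(p, "param-name")] = _text(p, "param-value")
    has_mapping = any(_text(m, "filter-name") == filter_name
                      for m in _children(root, "filter-mapping"))
    return {
        "found": found,
        "enabled": params.get("ssrfDefendEnable", "").lower() == "true",
        "api_list": [s for s in params.get("apiList", "").split(";") if s],
        "host_whitelist": [s for s in params.get("hostWhiteList", "").split(";") if s],
        "has_mapping": has_mapping,
    }


def check_config(cfg):
    """Return a list of findings; an empty list means the configuration looks usable."""
    if not cfg["found"]:
        return ["SsrfFilter is not defined in web.xml"]
    findings = []
    if not cfg["enabled"]:
        findings.append("ssrfDefendEnable is not 'true': the filter is present but protection is off")
    if not cfg["has_mapping"]:
        findings.append("no filter-mapping references SsrfFilter: the filter is never invoked")
    if not cfg["api_list"]:
        findings.append("apiList is empty: no API is protected")
    for pat in cfg["api_list"]:
        try:
            re.compile(pat)
        except re.error as exc:
            findings.append(f"apiList entry {pat!r} is not a valid regular expression: {exc}")
    if not cfg["host_whitelist"]:
        findings.append("hostWhiteList is empty")
    for host in cfg["host_whitelist"]:
        if not HOST_PORT.match(host):  # assumption: strict ip:port form, as in the documented example
            findings.append(f"hostWhiteList entry {host!r} is not in ip:port form (placeholder left in?)")
    return findings


def is_request_allowed(cfg, request_path, host_header):
    """Model of the documented policy (an assumption, not the real filter's code):
    requests to an apiList-matched path pass only when the Host header is whitelisted."""
    if not (cfg["found"] and cfg["enabled"] and cfg["has_mapping"]):
        return True  # nothing intercepts the request
    if not any(re.search(p, request_path) for p in cfg["api_list"]):
        return True  # not a protected API
    return host_header in cfg["host_whitelist"]


if __name__ == "__main__":
    for label, xml_text in (("sample", SAMPLE_WEB_XML), ("bad", BAD_WEB_XML)):
        print(label, check_config(load_ssrf_filter(xml_text)) or "OK")
```

To check a real installation, read [SuperMap iServer installation directory]\webapps\iserver\WEB-INF\web.xml into load_ssrf_filter instead of the constructed sample; a non-empty findings list means the restart in step 2 would not give you working protection.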