fixes #547 and partially reverts #c7dd64dc

kartoza · Aug 6, 2023 · 53c9175 · 53c9175
1 parent 8df28f0
commit 53c9175
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 3 deletions.
diff --git a/build_data/web.xml b/build_data/web.xml
@@ -461,7 +461,7 @@
   <!--   blockContentTypeSniffingEnabled                                    -->
   <!--                       Should the header that blocks content type     -->
   <!--                       sniffing be added to every response? [true]    -->
-
+    <!-- SECURITY_START -->
     <filter>
         <filter-name>httpHeaderSecurity</filter-name>
         <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
@@ -471,6 +471,7 @@
             <param-value>SAMEORIGIN</param-value>
         </init-param>
     </filter>
+    <!-- SECURITY_END -->
 
   <!-- A filter that sets character encoding that is used to decode -->
   <!-- parameters in a POST request -->
@@ -561,12 +562,13 @@
   <!-- ==================== Built In Filter Mappings ====================== -->
 
   <!-- The mapping for the HTTP header security Filter -->
-
+    <!-- SECURITY_START -->
     <filter-mapping>
         <filter-name>httpHeaderSecurity</filter-name>
         <url-pattern>/*</url-pattern>
         <dispatcher>REQUEST</dispatcher>
     </filter-mapping>
+    <!-- SECURITY_END -->
 
   <!-- The mapping for the Set Character Encoding Filter -->
 <!--

diff --git a/scripts/env-data.sh b/scripts/env-data.sh
@@ -354,6 +354,13 @@ if [ -z "${DISABLE_CORS}" ]; then
   DISABLE_CORS=false
 fi
 
+if [ -z "${DISABLE_SECURITY_FILTER}" ]; then
+  DISABLE_SECURITY_FILTER=false
+fi
+if [ -z "${ACTIVATE_PROXY_HEADERS}" ]; then
+  ACTIVATE_PROXY_HEADERS=false
+fi
+
 if [ -z "${UPDATE_LOGGING_PROFILES}" ]; then
   UPDATE_LOGGING_PROFILES=false
 fi

diff --git a/scripts/functions.sh b/scripts/functions.sh
@@ -87,6 +87,10 @@ function web_cors() {
         sed -i 's/<!-- CORS_START.*/<!-- CORS DEACTIVATED BY DISABLE_CORS -->\n<!--/; s/^.*<!-- CORS_END -->/-->/' \
           ${CATALINA_HOME}/conf/web.xml
       fi
+      if [[ "${DISABLE_SECURITY_FILTER}" =~ [Tt][Rr][Uu][Ee] ]]; then
+        sed -i 's/<!-- SECURITY_START.*/<!-- SECURITY FILTER DEACTIVATED BY DISABLE_SECURITY_FILTER -->\n<!--/; s/^.*<!-- SECURITY_END -->/-->/' \
+          ${CATALINA_HOME}/conf/web.xml
+      fi
     fi
   fi
 }

diff --git a/scripts/start.sh b/scripts/start.sh
@@ -438,7 +438,9 @@ else
   # default value
   eval "$transform"
   # Add x-forwarded headers
-  sed -i.bak -r '/\<\Host\>/ i\ \t<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https"/>' ${CATALINA_HOME}/conf/server.xml
+  if [[ "${ACTIVATE_PROXY_HEADERS}" =~ [Tt][Rr][Uu][Ee] ]]; then
+    sed -i.bak -r '/\<\Host\>/ i\ \t<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" remoteIpProxiesHeader="x-forwarded-by" protocolHeader="x-forwarded-proto" protocolHeaderHttpsValue="https"/>' ${CATALINA_HOME}/conf/server.xml
+  fi
 fi