From 7c36851a056f527a67c29fe48d062e2e0d79a2f0 Mon Sep 17 00:00:00 2001
From: Nick Graziano
Date: Wed, 30 Aug 2023 12:58:31 -0600
Subject: [PATCH 1/2] Add support for access-control-allow-credentials CORS header when CORS_ALLOWED_ORIGINS is not a wildcard
---
 startup.sh | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/startup.sh b/startup.sh
index 7877831..9e054ae 100755
--- a/startup.sh
+++ b/startup.sh
@@ -54,6 +54,14 @@ fi
 if [ "${CORS_ENABLED}" = "true" ]; then
 if ! grep -q DockerGeoServerCorsFilter "$CATALINA_HOME/webapps/geoserver/WEB-INF/web.xml"; then
 echo "Enable CORS for $CATALINA_HOME/webapps/geoserver/WEB-INF/web.xml"
+
+ # Add support for access-control-allow-credentials when the origin is not a wildcard
+ if [ "${CORS_ALLOWED_ORIGINS}" != "*" ]; then
+ CORS_ALLOW_CREDENTIALS="true"
+ else
+ CORS_ALLOW_CREDENTIALS="false"
+ fi
+
 sed -i "\::i\\
 \n\
 DockerGeoServerCorsFilter\n\
@@ -70,6 +78,10 @@ if [ "${CORS_ENABLED}" = "true" ]; then
 cors.allowed.headers\n\
 ${CORS_ALLOWED_HEADERS}\n\
 \n\
+ \n\
+ cors.support.credentials\n\
+ ${CORS_ALLOW_CREDENTIALS}\n\
+ \n\
 \n\
 \n\
 DockerGeoServerCorsFilter\n\
From a20e2942b3ad76098d0e3520e0d464267f94e840 Mon Sep 17 00:00:00 2001
From: Nick Graziano
Date: Thu, 31 Aug 2023 10:20:05 -0600
Subject: [PATCH 2/2] Add CORS_ALLOW_CREDENTIALS env param that controls cors.support.credentials value, defaults to false, only applies if true and CORS_ALLOWED_ORIGINS is not wildcard. Update README with CORS env vars and PROXY_BASE_URL
---
 Dockerfile | 2 ++
 README.md | 7 ++++++-
 startup.sh | 4 ++--
 3 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 7984a29..6fec72d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,6 +5,7 @@ ARG CORS_ENABLED=false
 ARG CORS_ALLOWED_ORIGINS=*
 ARG CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,HEAD,OPTIONS
 ARG CORS_ALLOWED_HEADERS=*
+ARG CORS_ALLOW_CREDENTIALS=false
 # Environment variables
 ENV CATALINA_HOME=/opt/apache-tomcat-${TOMCAT_VERSION}
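Review bot: In startup.sh (patch 1/2, hunk `@@ -54,6 +54,14 @@`; the same test is kept in patch 2/2's `@@ -55,8 +55,8 @@` hunk) the wildcard check `[ "${CORS_ALLOWED_ORIGINS}" != "*" ]` is an exact string match, so an empty value or a `*` with stray whitespace is treated as an explicit origin list and can be paired with `cors.support.credentials` set to `true`. How the filter reacts to that pairing is not visible here and presumably depends on the Tomcat version in the image, so the script should fail closed on its own. A pattern test covers these cases: `case "${CORS_ALLOWED_ORIGINS}" in ''|*'*'*) CORS_ALLOW_CREDENTIALS="false" ;; esac`. The enclosing `if [ "${CORS_ENABLED}" = "true" ]` block continues outside the hunk.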
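Review bot: The `cors.support.credentials` init-param added in startup.sh (patch 1/2, hunk `@@ -70,6 +78,10 @@`) is only written when the filter is inserted for the first time, because the whole `sed` sits behind the `if ! grep -q DockerGeoServerCorsFilter …` guard shown in the previous hunk. A web.xml that already carries the filter (for instance a restarted container or a mounted webapp directory; neither is visible here) would keep the value it was first given, so switching credentials off through the environment later would not take effect. I would document that next to the guard, e.g. `# CORS settings are written once; later env changes need a fresh web.xml`, or log a line when the guard skips the rewrite. The sed expression starts and ends outside this hunk.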
@@ -13,6 +14,7 @@ ENV CORS_ENABLED=$CORS_ENABLED
 ENV CORS_ALLOWED_ORIGINS=$CORS_ALLOWED_ORIGINS
 ENV CORS_ALLOWED_METHODS=$CORS_ALLOWED_METHODS
 ENV CORS_ALLOWED_HEADERS=$CORS_ALLOWED_HEADERS
+ENV CORS_ALLOW_CREDENTIALS=$CORS_ALLOW_CREDENTIALS
 ENV DEBIAN_FRONTEND=noninteractive
 # see https://docs.geoserver.org/stable/en/user/production/container.html
diff --git a/README.md b/README.md
index e1fd466..950f62a 100644
--- a/README.md
+++ b/README.md
@@ -76,7 +76,12 @@ The ``startup.sh`` script allows some customization on startup:
 * ``INSTALL_EXTENSIONS`` to ``true`` to download and install extensions
 * ``STABLE_EXTENSIONS`` list of extensions to download and install
-* ``CORS_ENABLED``
+* ``CORS_ENABLED`` to ``true`` to enable CORS support. The following environment variables can be used to customize the CORS configuration.
+ * ``CORS_ALLOWED_ORIGINS`` (default ``*``)
+ * ``CORS_ALLOWED_METHODS`` (default ``GET,POST,PUT,DELETE,HEAD,OPTIONS``)
+ * ``CORS_ALLOWED_HEADERS`` (default ``*``)
+ * ``CORS_ALLOW_CREDENTIALS`` (default ``false``) **Setting this to ``true`` will only have the desired effect if ``CORS_ALLOWED_ORIGINS`` defines explicit origins (not ``*``)**
+* ``PROXY_BASE_URL`` to the base URL of the GeoServer web app if GeoServer is behind a proxy. Example: ``https://example.com/geoserver``.
 Example installing wps and ysld extensions:
diff --git a/startup.sh b/startup.sh
index 9e054ae..7f008b7 100755
--- a/startup.sh
+++ b/startup.sh
@@ -55,8 +55,8 @@ if [ "${CORS_ENABLED}" = "true" ]; then
 if ! grep -q DockerGeoServerCorsFilter "$CATALINA_HOME/webapps/geoserver/WEB-INF/web.xml"; then
 echo "Enable CORS for $CATALINA_HOME/webapps/geoserver/WEB-INF/web.xml"
- # Add support for access-control-allow-credentials when the origin is not a wildcard
- if [ "${CORS_ALLOWED_ORIGINS}" != "*" ]; then
+ # Add support for access-control-allow-credentials when the origin is not a wildcard when specified via env var
+ if [ "${CORS_ALLOWED_ORIGINS}" != "*" ] && [ "${CORS_ALLOW_CREDENTIALS}" = "true" ]; then
 CORS_ALLOW_CREDENTIALS="true"
 else
 CORS_ALLOW_CREDENTIALS="false"
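Review bot: When `CORS_ALLOW_CREDENTIALS=true` is requested but `CORS_ALLOWED_ORIGINS` is `*`, the `else` branch silently rewrites the variable to `false`, so the operator gets no signal that the setting was dropped. A one-line diagnostic at the top of the `else` branch, before the assignment, would make this visible: `[ "${CORS_ALLOW_CREDENTIALS}" = "true" ] && echo "CORS_ALLOW_CREDENTIALS ignored: CORS_ALLOWED_ORIGINS is a wildcard" >&2`. The comment above the test would read better as `# Enable Access-Control-Allow-Credentials only when requested via env var and the origin list is not a wildcard`. The closing `fi` of this block lies outside the hunk.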