12.2. Gadget proxy configuration

In eXo Platform, you could allow gadgets to load remote resources. However, this could be a potential security risk, as it will make the Gadget deployed as an open web proxy. So, you can set up the anonymous proxy to accept or deny certain hosts by configuring the ProxyFilterService.

Configuring the ProxyFilterService

By default, the proxy denies any host except the domain on which the gadget server is installed.

To specify domains that you want to allow or deny, modify the file:

The default configuration is:


<component>
    <key>org.exoplatform.web.security.proxy.ProxyFilterService</key>
    <type>org.exoplatform.web.security.proxy.ProxyFilterService</type>
    <init-params>
        <values-param>
        <!-- The white list -->
            <name>white-list</name>
            <!-- We accept anything not black listed -->
            <value>*</value>
        </values-param>
        <values-param>
            <name>black-list</name>
            <value>*.evil.org</value>
        </values-param>
    </init-params>
</component>

How does it work?

Multiple values can be added (by adding more value tags) and wildcards can be used, as in the following example:


<component>
    <key>org.exoplatform.web.security.proxy.ProxyFilterService</key>
    <type>org.exoplatform.web.security.proxy.ProxyFilterService</type>
    <init-params>
        <values-param>
            <name>white-list</name>
            <value>*.example.com</value>
            <value>www.example.net</value>
        </values-param>

        <values-param>
            <name>black-list</name>
            <value>evil.example.com</value>
        </values-param>
    </init-params>
</component>

See also

Copyright ©. All rights reserved. eXo Platform SAS
blog comments powered byDisqus