GeoServe 跨域头和X-frame跨域设置

GeoServe 跨域头和X-frame跨域设置

Geoserver跨域头

服务器默认的跨域是没开启的，http跨域设置只需要放开两个配置就行好。
修改共两处
约177行处，将这个注释放开

   
   <filter>
        <filter-name>cross-originfilter-name>
        <filter-class>org.eclipse.jetty.servlets.CrossOriginFilterfilter-class>
       <init-param>
           <param-name>chainPreflightparam-name>
           <param-value>falseparam-value>
       init-param>
       <init-param>
           <param-name>allowedOriginsparam-name>
           <param-value>*param-value>
       init-param>
       <init-param>
           <param-name>allowedMethodsparam-name>
           <param-value>GET,POST,PUT,DELETE,HEAD,OPTIONSparam-value>
       init-param>
       <init-param>
           <param-name>allowedHeadersparam-name>
           <param-value>*param-value>
       init-param>
    filter>

大约200行处，把注释放开

   
    <filter-mapping>
        <filter-name>cross-originfilter-name>
        <url-pattern>/*url-pattern>
    filter-mapping>

X-Frame-Options跨域设置

X-Frame跨域用来设置GeoServer站点页面是否允许被其他网页使用iframe方式引用
X-Frame-Options三个参数:
1、DENY
表示该页面不允许在frame中展示，即便是在相同域名的页面中嵌套也不允许。
2、SAMEORIGIN
表示该页面可以在相同域名页面的frame中展示。
3、ALLOW-FROM uri
表示该页面可以在指定来源的frame中展示

官网说明

跨域头的过滤器是在下面这个类里面，具体链接如下

设置X-Frame跨域

In order to prevent clickjacking attacks GeoServer defaults to setting the X-Frame-Options HTTP header to SAMEORIGIN. 
This prevents GeoServer from being embedded into an iFrame, 
which prevents certain kinds of security vulnerabilities. See the OWASP Clickjacking entry for details.
If you wish to change this behavior you can do so through the following properties:
geoserver.xframe.shouldSetPolicy: controls whether the X-Frame-Options filter should be set at all. Default is true.
geoserver.xframe.policy: controls what the set the X-Frame-Options header to.
 Default is SAMEORIGIN valid options are DENY, SAMEORIGIN and ALLOW-FROM [uri]
These properties can be set either via Java system property, command line argument (-D), 
environment variable or web.xml init parameter

大概意思就是说，需要设置连个属性geoserver.xframe.shouldSetPolicy、geoserver.xframe.policy
而geoserver.xframe.policy默认值是SAMEORIGIN

过滤器源码地址

看源码能知道，geoserver.xframe.shouldSetPolicy默认是true，可以不用设置
所以只要设置geoserver.xframe.policy就可以了
配置我还是放在web.xml里面了

    <context-param>
        <param-name>geoserver.xframe.shouldSetPolicyparam-name>
        <param-value>trueparam-value>
    context-param>
    <context-param>
        <param-name>geoserver.xframe.policyparam-name>
        <param-value>ALLOW-FROMparam-value>
    context-param>

随便扔进去了。
然后重启geoserver即可。
再次请求结果是可以出来了，但是会出现下面的错误
Invalid 'X-Frame-Options' header encountered when loading '。。。。。
326&format=application/openlayers': 'ALLOW-FROM' is not a recognized directive. The header will be ignored.
这是因为ALLOW-FROM[uri]后面参数没设置，不影响使用