Security considerations
Introduction
Cadcorp recommend that users set up their Web Map Layers server/domain with SSL security, this means that the address for the site will include https.
This is to allow access from clients where the Firewall rules are in place to prevent users from making POST requests. This is a symptom of using the GeognoSIS HTTP API.
Cadcorp recommend that the Web Map Layers server itself has it’s own SSL certificate applied, which should be carried out by the customer’s IT department. Alternatively, a certificate can be applied to GeognoSIS, through the GeognoSIS Manager.
There is no security risk from using the HTTP API, but malicious requests can be sent by the client and these firewall rules are normally in place to prevent this.
For our hosted solutions – Cadcorp will, as a matter of course, apply certificates to the servers where Web Map Layers 8.0 is installed and running.
Instructions to set up a https WML
Once an SSL certificate has been applied you will then be accessing Web Map Layers on an HTTPS connection e.g. https://server/WebMapLayers8/map.aspx
You will now need to make sure that the requests sent to GeognoSIS are also made on a HTTPS connection, as if they are left as HTTP then site users will receive warnings of ‘mixed content’ or the site could be blocked as unsecure.
In the Admin interface, go to Manage Layers, and make sure the URL to your base mapping uses the HTTPS connection:
In the Admin interface go to the Maps Settings, and change the Proxy Host to pre-fix the current value with the full HTTPS path:
In the Admin interface go to the Site Settings, and change the InitialMapLocation.MapUrl to use the https connection:
Open the file "C:\inetpub\wwwroot\WebMapLayers8\map.aspx" and "C:\inetpub\wwwroot\WebMapLayers8\Mobile\Map.aspx"
Change the following link to use HTTPS:
<script type="text/javascript" src="https://maps.google.com/maps/api/js?v=3&sensor=false"></script>
If you are using an Embedded Map, you need to make this change to "C:\inetpub\wwwroot\WebMapLayers8\EmbeddedMapSample\index.html" as well. Make sure your source URL in the embedded script also uses HTTPS.
Open the file "C:\inetpub\wwwroot\WebMapLayers8\App_Data\webMapLayersConfig.db" in a SQLite Browser, and go to the Watermarks table. Change this value from a relative url to a fully qualified https url:
Send comments on this topic.