"fhh" wrote : You said:
  | P.S.: When I said "the hostname I use to reach your machine is entirely 
under my control" I was not talking about http referers. I was referring to the 
idea of the original poster to make security depend on the hostname you use to 
access the site.
I generally agree with what you're saying, this is a touch pedantic, but... 
Technically if you support multiple apps on multiple hostnames, that's exactly 
what you're doing.  You're using the security in the appserver as opposed to 
rolling your own, but it's otherwise exactly the same.  After all, your JBoss 
server is serving both pages, and acting differently based entirely on the URL.

Also please note that in my (original poster's) case, in no way shape or form 
would I consider not securing the controlling hostname's pages.  This would 
merely be a convenience, not-security-related feature so that when someone 
requested the "unknown" URL from one of the hostnames that should not know 
anything about it, they receive the 404 error which, if you think about it, 
does mean "The complete URL as you stated it does not exist," not "This server 
doesn't know anything about the second half of this URL on any of its hosted 
domains."

I would not recommend, as the previous poster mentioned, sending a 404 error to 
someone using the correct administrative URL who was not logged in (or not 
logged in as an admin).  That does break consistency, doesn't follow the 
definition of a 404, and eliminates the opportunity to ask them to 
re-authenticate themselves.  In my case, no-one will ever be able to access the 
page through the stated URL, so I'll stand by my 404 delivery.

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4035624#4035624

Reply to the post : 
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4035624
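The design the poster describes, as an added example that is not part of the thread and not JBoss code: a small WSGI dispatcher in which the hostname only decides which URLs exist (404 elsewhere), while the admin URL on the controlling hostname still requires credentials and answers 401 rather than 404 so the client can re-authenticate. Hostnames, paths and the user store are constructed for the example; the Host header is client-supplied, so unknown hosts fail closed.

```python
import base64

# Constructed configuration (not JBoss config): each hostname serves only the
# paths listed for it; the /admin/ path exists only on the controlling hostname.
VHOSTS = {
    "admin.example.test": {"/", "/admin/status"},
    "www.example.test": {"/"},
}
# Constructed credential store; a real deployment uses the container's realm.
ADMIN_USERS = {"alice": "correct horse battery"}


def _is_admin(environ):
    """Validate HTTP Basic credentials from the request against ADMIN_USERS."""
    auth = environ.get("HTTP_AUTHORIZATION", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return False
    return ADMIN_USERS.get(user) == pw


def app(environ, start_response):
    """WSGI dispatcher: route by Host, then enforce auth on the admin path."""
    # Host is supplied by the client: normalise it and fail closed if unknown.
    host = environ.get("HTTP_HOST", "").split(":", 1)[0].lower()
    path = environ.get("PATH_INFO", "/")
    if path not in VHOSTS.get(host, set()):
        # Either the host is not ours or this host does not serve this path:
        # the complete URL as stated does not exist, hence 404.
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    if path.startswith("/admin/") and not _is_admin(environ):
        # Correct admin URL but no valid credentials: 401 (not 404) so the
        # client is asked to (re)authenticate.
        start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="admin"'),
                                            ("Content-Type", "text/plain")])
        return [b"authentication required"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"{path} on {host}".encode()]


def status_for(host, path, credentials=None):
    """Run one request through app() and return its status line (for checks)."""
    environ = {"HTTP_HOST": host, "PATH_INFO": path}
    if credentials:
        token = base64.b64encode(credentials.encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    statuses = []
    list(app(environ, lambda status, headers: statuses.append(status)))
    return statuses[0]
```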
_______________________________________________
jboss-user mailing list
jboss-user@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/jboss-user
