>-----Original Message-----
>From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
>Sent: Friday, November 30, 2012 4:04 PM
>To: Tomcat Users List
>Subject: RE: Context Path for a subdirectory
>
>> From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
>> Subject: RE: Context Path for a subdirectory
>
>> what were my options to restrict access to just a subdirectory of a
>> web app in Tomcat 6.0.35?
>
>Using just spec-provided mechanisms, such access can be limited to specific
>users by including the appropriate security constraint elements in the
>webapp's WEB-INF/web.xml. The wrinkle you want is to limit by IP address,
>which is not a capability the servlet spec covers.
>
>> I'll admit, contexts are confusing to me.
>
>The main thing to remember is that each webapp (context) is expected to be
>physically separate from all other webapps. (This has nothing to do with the
>URLs used to access the webapps, just the location of the webapps in the
>server's file system, database, memory, paper tape, or whatever medium
>they're stored on.)
>
>> What is the right way to do this in Tomcat 6.0.35?
>
>Probably the easiest is just to pick up the filter from Tomcat 7 and use it
>in 6.
>The SecurityFilter from sourceforge might be able to do it, but I'm not sure
>(Chris should know).
>
> - Chuck
>
I considered the security constraint, but wouldn't that have required me to set up SSL (for a secure user/password submittal) and get someone to pay for a public certificate - which would probably not happen. Sure, I could generate a cert myself. But I would still have to convince our office of enterprise tech that leaving an admin-related webapp visible to the public is ok (authentication enabled or not).

The last admin-related webapp on our site had to be restricted by a valve, but that was for the whole context.

The software company that we use also provides these kinds of web services to the whole world. They don't even bother restricting their /rest/admin directory, which really surprises me. Maybe I'm being paranoid by trying to one up them.

http://services.arcgisonline.com/ArcGIS/rest/services
http://services.arcgisonline.com/ArcGIS/rest/admin