Leo Donahue - RDSA IT wrote:
-----Original Message-----
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
Sent: Friday, November 30, 2012 4:04 PM
To: Tomcat Users List
Subject: RE: Context Path for a subdirectory

From: Leo Donahue - RDSA IT [mailto:leodona...@mail.maricopa.gov]
Subject: RE: Context Path for a subdirectory
what were my options to restrict access to just a subdirectory of a
web app in Tomcat 6.0.35?
Using just spec-provided mechanisms, such access can be limited to specific
users by including the appropriate security constraint elements in the
webapp's WEB-INF/web.xml.  The wrinkle you want is to limit by IP address,
which is not a capability the servlet spec covers.

I'll admit, contexts are confusing to me.
The main thing to remember is that each webapp (context) is expected to be
physically separate from all other webapps.  (This has nothing to do with the
URLs used to access the webapps, just the location of the webapps in the
server's file system, database, memory, paper tape, or whatever medium
they're stored on.)

What is the right way to do this in Tomcat 6.0.35?
Probably the easiest is just to pick up the filter from Tomcat 7 and use it in 6.
The SecurityFilter from sourceforge might be able to do it, but I'm not sure
(Chris should know).

- Chuck


I considered the security constraint, but wouldn't that have required me to set 
up SSL (for a secure user/password submittal) and get someone to pay for a 
public certificate - which would probably not happen.  Sure, I could generate a 
cert myself.  But I would still have to convince our office of enterprise tech 
that leaving an admin related webapp visible to the public is ok 
(authentication enabled or not).  The last admin related webapp on our site had 
to be restricted by a valve, but that was for the whole context.

The software company that we use also provides these kinds of web services to 
the whole world.  They don't even bother restricting their /rest/admin 
directory, which really surprises me.  Maybe I'm being paranoid by trying to 
one up them.

...
Maybe a bit of lateral thinking here.
What does the admin webapp really do? For what it is doing, does it need to even "live" in the same website/host as the main application? If its actions are confined to managing some files on disk, or some data in a back-end database, maybe it can do that without being really integrated into your main application? You could then set up a separate Host, running under SSL or whatever, to run this admin part. Its URL would never be visible under your main site. And you'd have all the flexibility to set up any security constraints you want, without interfering with the main user site.
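For reference, here is what the two mechanisms discussed above (a spec-provided security constraint on just the subdirectory, plus the Tomcat 7 RemoteAddrFilter for the IP restriction the spec does not cover) look like side by side in one web.xml. This is an added example, not configuration posted by anyone in the thread; the /rest/admin/* pattern, the "admin" role name and the allowed address range are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Webapp WEB-INF/web.xml: only the parts that restrict /rest/admin/* are shown.
     Added example, not from the thread; IP ranges, role name and paths are placeholders. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- 1. Spec-provided: only authenticated users in role "admin" may reach the subdirectory.
       No <http-method> is listed on purpose: naming methods would leave the unnamed ones open. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST admin</web-resource-name>
      <url-pattern>/rest/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Forces HTTPS for these URLs only; drop this if no TLS connector is configured. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Admin area</realm-name>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- 2. IP restriction on the same subdirectory, which the servlet spec does not cover.
       org.apache.catalina.filters.RemoteAddrFilter ships with Tomcat 7; on 6.0.x the class has
       to be copied into the webapp, as Chuck suggests. 'allow' is a java.util.regex pattern that
       must match the whole client address; anything not matched gets a 403. -->
  <filter>
    <filter-name>AdminAddrFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
      <param-name>allow</param-name>
      <param-value>10\.1\.2\.\d+|127\.0\.0\.1</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>AdminAddrFilter</filter-name>
    <url-pattern>/rest/admin/*</url-pattern>
  </filter-mapping>
</web-app>
```

Two things to check before relying on this: the filter compares the address Tomcat sees on the socket, so behind a reverse proxy or load balancer every request arrives from the proxy's address and the allow list is effectively bypassed or useless until the real client address is restored; and the filter only covers URLs that are actually routed through the filter mapping, so the pattern must cover every path that reaches the admin code. The valve Leo mentions (org.apache.catalina.valves.RemoteAddrValve in the context's META-INF/context.xml) does the same comparison but for the whole context, which is why it could not be scoped to one subdirectory.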

