Rainer,

On 6/13/14, 1:58 PM, Rainer Jung wrote:
> On 13.06.2014 19:03, Christopher Schultz wrote:
>> All,
>>
>> I'm interested in locking-down my jk-status page so that certain
>> users can view the information but not modify it.
>>
>> Unfortunately, the jk-status page is implemented using a single
>> URL as a controller with GET-parameters controlling what actually
>> happens. Even the "edit worker" page uses GET instead of POST, so
>> I can't just disable POST for all but some blessed set of users.
>>
>> Does anyone have any suggestions for how jk-status could be
>> locked-down? I'm guessing that a whole lot of mod_rewrite rules
>> could do the trick by looking for certain "write" operations and
>> rejecting them, but that would mean being very careful about a
>> lot of "magic" that's being sent-around in URL parameters.
>>
>> Has anyone done anything like this before?
>
> It's a built-in feature, set the read_only attribute of that
> status worker to "true".

Aw, geez... I wasn't even thinking along those lines.

> You can even have multiple status workers, like one read-write and
> one read-only.

Seems like that would be the most obvious way to deploy: one read-only
and one read/write, then just allow access to the read-write one to
special users (which can be done via httpd.conf).

> For instance the worker.properties in the source code release of
> mod_jk has:
>
> http://svn.apache.org/viewvc/tomcat/jk/trunk/conf/workers.properties?view=co
>
> # Define two status worker:
> # - jk-status for read-only use
> # - jk-manager for read/write use
> worker.list=jk-status
> worker.jk-status.type=status
> worker.jk-status.read_only=true
>
> worker.list=jk-manager
> worker.jk-manager.type=status
>
> That means whatever URL you mount to the worker jk-status will be
> read-only and whatever url you mount to jk-manager will be
> read-write. You can choose those names and also the URLs
> arbitrarily as long as that snippet stays consistent.

Thanks!
-chris
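
The deployment discussed in this thread (a read-only status worker for general viewers, a read/write one for a few administrators), sketched as an httpd.conf fragment. This is an added example, not part of the original messages or the mod_jk distribution; it assumes httpd 2.4 authorization syntax, and the file paths, address range, realm and user name are placeholders.

```apache
# Added example: access control for the two status workers quoted above.
# Worker names (jk-status, jk-manager) come from the quoted workers.properties;
# paths, the 192.0.2.0/24 range and the user "jkadmin" are assumed placeholders.
JkWorkersFile conf/workers.properties

# Read-only view. The worker itself refuses write actions because
# worker.jk-status.read_only=true, so this block only limits who may look.
<Location /jk-status>
    JkMount jk-status
    Require ip 192.0.2.0/24
</Location>

# Read/write view. The worker has no read_only flag, so every GET that
# carries an edit action is honoured; restrict it to a named administrator
# connecting from the local host. Basic auth sends the password with each
# request, so serve this location over TLS if it is ever reached remotely.
<Location /jk-manager>
    JkMount jk-manager
    AuthType Basic
    AuthName "jk-manager"
    AuthUserFile conf/jk-manager.htpasswd
    <RequireAll>
        Require user jkadmin
        Require local
    </RequireAll>
</Location>
```

Because the write protection is enforced by the read_only worker attribute rather than by URL filtering, no mod_rewrite rules matching individual GET parameters are needed.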