tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Warnier>
Subject Re: making security constraints configureable
Date Mon, 07 Nov 2011 09:22:31 GMT
Leon Rosenberg wrote:
> Hello Konstantin,
> On Mon, Nov 7, 2011 at 4:30 AM, Konstantin Kolinko
> <> wrote:
>> 2011/11/3 Leon Rosenberg <>:
>>> I have a situation where an application is accessable from outside in
>>> staging and production environment, but shouldn't be open for public
>>> in staging environment.
>> Put it behind Apache HTTPD (or any other proxy) and let HTTPD handle
>> authentication & authorization instead of Tomcat.
> That would be the last and least acceptable choice...
>> I'd advise against using BASIC auth in public internet, unless the
>> channel is protected with HTTPS.
>>> What we did so far was, that we excluded everyone via web.xml:
>> You can automate the above. If you pack your war file using Ant, you
>> can use <replaceregexp> task.
> This doesn't work, cause we use exactly the same war in prod and preprod.
> But thanx for suggestions anyway!

What kind of user authentication is being used in the background ?
And how many authenticated users can there be ?

If there are not that many, the idea : in your auth constraints, specify that the 
application is accessible by the role "myapp".
Then depending on who should be able to access at any particular time, update your users 
database to only give this role to whoever can access at that time, and not to the others.
If some users can access this all the time, then add another role to the auth-constraints

(e.g. "testers"), and add this role only to the "permanent" users.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message