tomcat-users mailing list archives

From André Warnier
Subject Re: making security constraints configureable
Date Wed, 09 Nov 2011 10:43:22 GMT
Leon Rosenberg wrote:
> Hello Andre,
> sorry for the late response.
> Putting a httpd or lighttpd or nginx in front of our staging tomcat
> came to our mind too. The problem with this approach is however, that
> it reduces the idea of having a staging environment to absurdity, at
> least in technical sense, because it's not similar to the production
> environment anymore.
> In this setup we couldn't make any reliable loadtesting against
> preproduction/staging, because it's simply not the same as production
> ;-)
Response 2 :

Taking into account your various requirements, and if you do not want a front-end, then I think that the only practical solution would be to switch from container-driven AAA (in web.xml), to servlet-filter based AAA, and create your own servlet filter for ditto.
This servlet filter would then be present inside both your production and staging app, thus be part of your normal deployment.
Only, some run-time parameter would either enable or disable its AAA function according to where it's used.
One problem is that you'd have to write your own servlet filter for that, because I can't think off-hand of an existing one which does all that you need.
The closest may be the SecurityFilter (, code of which you could modify to add client IP discrimination e.g. (and an on-off switch).
Or maybe combine that one with the UrlRewriteFilter (  Both together may come close to what you need.
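
The kind of filter described in this message, as an added example that is not part of the original post and is not code from SecurityFilter or UrlRewriteFilter: one servlet filter deployed in both environments, armed by a run-time system property, with a client IP allow-list and HTTP Basic credentials. The class name, the `staging.gate.*` property names and the policy (trusted IP or valid credentials) are assumptions, and it uses the `javax.servlet` API (`jakarta.servlet` on Tomcat 10 and later).

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added illustration: the same filter ships in every build and is armed per environment. */
public class StagingGateFilter implements Filter {
    private boolean enabled;                        // false in production, true in staging
    private final Set<String> trustedIps = new HashSet<>();
    private byte[] expectedAuth;                    // "Basic <base64(user:password)>"

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Hypothetical property names; set them in the staging instance's catalina.properties.
        enabled = Boolean.getBoolean("staging.gate.enabled");
        for (String ip : System.getProperty("staging.gate.trustedIps", "").split(","))
            if (!ip.trim().isEmpty()) trustedIps.add(ip.trim());
        String cred = System.getProperty("staging.gate.credentials");   // user:password
        if (enabled && cred == null)                // fail closed: refuse to start unprotected
            throw new ServletException("gate enabled but no credentials configured");
        if (cred != null)
            expectedAuth = ("Basic " + Base64.getEncoder().encodeToString(
                cred.getBytes(StandardCharsets.UTF_8))).getBytes(StandardCharsets.UTF_8);
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // getRemoteAddr() is the TCP peer; with no front-end (the setup discussed) it is the client.
        if (!enabled || trustedIps.contains(req.getRemoteAddr()) || authorized(req)) {
            chain.doFilter(rq, rs);
            return;
        }
        res.setHeader("WWW-Authenticate", "Basic realm=\"staging\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    private boolean authorized(HttpServletRequest req) {
        String h = req.getHeader("Authorization");
        // MessageDigest.isEqual avoids an early exit on the first differing byte.
        return h != null && MessageDigest.isEqual(h.getBytes(StandardCharsets.UTF_8), expectedAuth);
    }

    @Override
    public void destroy() { }
}
```

Mapping the filter to `/*` in the shared web.xml keeps the deployed artifact identical in both environments; only the JVM properties differ.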
