tomcat-users mailing list archives

From chris derham <>
Subject Re: making security constraints configureable
Date Wed, 09 Nov 2011 15:30:37 GMT
This thread is quite long, but to sum up what I have understood:

1) you have an application running on staging and production
2) you want to enable access to staging for public demos from anywhere on
the internet - for this you want to add access controls
3) everyone else will access the application on an intranet with no access
controls, e.g. no security constraints

Also you weren't happy with the suggestion of placing apache httpd in front
as this would make staging different from production.

Assuming the above is a fair summation of 15 emails, then

   - Why don't you expose tomcat via say port 80 and have no security
   enabled? This is what people use to access the production environment, and
   probably how you have things configured currently
   - For the "staging" server, configure exactly the same way for intranet
   - For internet access have your firewall route through to a different
   port, which apache http listens on. Then add security to apache, and if
   they make it past the security forward the requests to the tomcat instance
   via say ajp. This won't give a 100% affinity in the cyber cafe for exactly
   what people will experience in production due to the extra steps. However
   it will be pretty close and this satisfies your security requirements. Also
   satisfies your load testing requirements - you load test on staging against
   the internal port
   - FWIW to me staging is where you test the roll out scripts - you
   shouldn't let anybody on it, and certainly not be doing any performance
   testing on it. I think I would call the environment you describe UAT
   - As already mentioned, if this doesn't work for you then the only other
   viable alternative that springs to mind is to add a filter that allows you
   to configure the security constraint on and off per installation.

Anyway hope that helps
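
The split-port layout suggested in the message above, sketched as an httpd configuration. This is an added example, not part of the original message or the Tomcat project's own configuration; the listener port 8081, the host name, the htpasswd path and the AJP address 127.0.0.1:8009 are assumptions.

```apache
# Constructed example. Needs mod_proxy, mod_proxy_ajp, mod_auth_basic,
# mod_authn_file and mod_authz_user loaded.

# Internet-facing listener only. The firewall forwards public traffic here
# (8081 is an assumed port); intranet users keep going straight to Tomcat.
Listen 8081

<VirtualHost *:8081>
    # Hypothetical host name for the publicly reachable staging site.
    ServerName staging.example.com

    # Every request arriving through this listener must authenticate,
    # including requests that are then proxied to Tomcat.
    <Location "/">
        AuthType Basic
        AuthName "Staging demo"
        AuthBasicProvider file
        # Assumed path; create the file with the htpasswd utility.
        AuthUserFile "/etc/httpd/conf/staging.htpasswd"
        Require valid-user
    </Location>

    # Authenticated requests go to the same Tomcat instance over AJP.
    # Assumes Tomcat's AJP connector listens on the loopback address only.
    ProxyPass        "/" "ajp://127.0.0.1:8009/"
    ProxyPassReverse "/" "ajp://127.0.0.1:8009/"
</VirtualHost>
```

The access control only holds if the firewall exposes nothing but this listener to the internet: Tomcat's own HTTP port and its AJP port have to stay reachable from the intranet or loopback only, otherwise the httpd check can be bypassed. Basic credentials are sent in clear text, so the public listener should also be served over TLS.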

