tomcat-users mailing list archives

Site index · List index

Message view	« Date » · « Thread »
Top	« Date » · « Thread »
From	"Terence M. Bandoian" <tere...@tmbsw.com>
Subject	Re: making security constraints configureable
Date	Tue, 08 Nov 2011 19:44:16 GMT
On 1:59 PM, André Warnier wrote: > Terence M. Bandoian wrote: >> On 1:59 PM, Konstantin Kolinko wrote: >>> 2011/11/3 Leon Rosenberg<rosenberg.leon@gmail.com>: >>>> I have a situation where an application is accessable from outside in >>>> staging and production environment, but shouldn't be open for public >>>> in staging environment. >>> Put it behind Apache HTTPD (or any other proxy) and let HTTPD handle >>> authentication& authorization instead of Tomcat. >>> >>> I'd advise against using BASIC auth in public internet, unless the >>> channel is protected with HTTPS. >>> >>>> What we did so far was, that we excluded everyone via web.xml: >>>> >>> You can automate the above. If you pack your war file using Ant, you >>> can use<replaceregexp> task. >>> >>> Best regards, >>> Konstantin Kolinko >> >> I'm not sure what "open for public" means above. >> >> What about using a system property (e.g. >> myorg.myapp.isStagingEnv=true) in a filter or valve to accept or >> reject requests? >> > If I (belatedly) understand the requirements properly, Leon does not > not want to reject /all/ requests (that, he could do by undeploying > the application). It is more something like this : > > - requests originating from a range of IP addresses (e.g. the internal > LAN) should be accepted, without authentication > - requests originating from anywhere else should be submitted to > authentication. > > Practical case : the application is in a testing state, and should not > be available to the public at large, only to inside testers. The > inside testers should not have to login for that. > However, occasionally, someone may be sitting in an Internet Cafe and > want to do a demo for a customer from there. He should be able to > access the application, but only after logging in. > > Leon, if the above is not the right description, please correct it. > In such matters, the devil is in the details. > The system property that indicates whether or not the application is in a staging or test environment would be used in conjunction with a test against, for example, request.getRemoteUser() or request.isUserInRole() or request.getRemoteAddr(). -Terence Bandoian --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org For additional commands, e-mail: users-help@tomcat.apache.org
Mime	Unnamed text/plain (inline, 8-Bit, 2389 bytes)
	View raw message