From André Warnier ...@ice-sa.com>
Subject Re: Context Path for a subdirectory
Date Fri, 30 Nov 2012 23:44:52 GMT
Leo Donahue - RDSA IT wrote:
>> -----Original Message-----
>> From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com]
>> Sent: Friday, November 30, 2012 4:04 PM
>> To: Tomcat Users List
>> Subject: RE: Context Path for a subdirectory
>>
>>> From: Leo Donahue - RDSA IT [mailto:LeoDonahue@mail.maricopa.gov]
>>> Subject: RE: Context Path for a subdirectory
>>> what were my options to restrict access to just a subdirectory of a
>>> web app in Tomcat 6.0.35?
>> Using just spec-provided mechanisms, such access can be limited to specific
>> users by including the appropriate security constraint elements in the
>> webapp's WEB-INF/web.xml.  The wrinkle you want is to limit by IP address,
>> which is not a capability the servlet spec covers.
>>
>>> I'll admit, contexts are confusing to me.
>> The main thing to remember is that each webapp (context) is expected to be
>> physically separate from all other webapps.  (This has nothing to do with the
>> URLs used to access the webapps, just the location of the webapps in the
>> server's file system, database, memory, paper tape, or whatever medium
>> they're stored on.)
>>
>>> What is the right way to do this in Tomcat 6.0.35?
>> Probably the easiest is just to pick up the filter from Tomcat 7 and use it in 6.
>> The SecurityFilter from sourceforge might be able to do it, but I'm not sure
>> (Chris should know).
>>
>> - Chuck
>>
> 
> I considered the security constraint, but wouldn't that have required me to set up SSL
> (for a secure user/password submittal) and get someone to pay for a public certificate - which
> would probably not happen.  Sure, I could generate a cert myself.  But I would still have
> to convince our office of enterprise tech that leaving an admin-related webapp visible to
> the public is ok (authentication enabled or not).  The last admin-related webapp on our site
> had to be restricted by a valve, but that was for the whole context.
> 
> The software company that we use also provides these kinds of web services to the whole
> world.  They don't even bother restricting their /rest/admin directory, which really surprises
> me.  Maybe I'm being paranoid by trying to one-up them.
> 
...
Maybe a bit of lateral thinking here.
What does the admin webapp really do?  For what it is doing, does it need to even "live"
in the same website/host as the main application?
If its actions are confined to managing some files on disk, or some data in a back-end
database, maybe it can do that without being really integrated into your main application?
You could then set up a separate Host, running under SSL or whatever, to run this admin
part.  Its URL would never be visible under your main site.  And you'd have all the
flexibility to set up any security constraints you want, without interfering with the main
user site.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

