tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Falco Schwarz <hid...@falco.me>
Subject Re: web.xml processing order of directives - filter vs security-constraint
Date Sat, 05 Jul 2014 07:41:52 GMT
I should add that the IP restriction is applied via filter, not with a
tomcat Valve. Essentially the question breaks down to this:

Is it possible in any way for a filter to be applied before the evaluation
of the security-constraint? Or is there any other way of setting up an IP
filter combined with authentication given the order from above?

Any hint for the right direction would be greatly appreciated.

Thanks,
Falco


On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz <hiding@falco.me> wrote:

> All,
>
> I am trying to set up the jmx proxy servlet and am kinda stuck on
> security. I would like to:
>
> - restrict access to localhost
> - restrict access to require basic authentication
>
> Currently it works, though in the wrong order. This is how the request is
> being processed right now:
>
> 1) user accesses /infra/jmx
> 2) user has to authenticate
> 3) user is being denied
>
> Is it possible to switch step 2 and 3?
>
> Relevant parts of web.xml, webapp is called infra:
>
>   <servlet>
>     <servlet-name>JMXProxy</servlet-name>
>
> <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
>   </servlet>
>   <servlet-mapping>
>     <servlet-name>JMXProxy</servlet-name>
>     <url-pattern>/jmx/*</url-pattern>
>   </servlet-mapping>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>JMX Proxy interface</web-resource-name>
>       <url-pattern>/jmx/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>jmx</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>JMX Proxy</realm-name>
>   </login-config>
>   <security-role>
>     <description>
>       The role that is required to access the JMX Proxy
>     </description>
>     <role-name>jmx</role-name>
>   </security-role>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message