tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Falco Schwarz <hid...@falco.me>
Subject Re: web.xml processing order of directives - filter vs security-constraint
Date Sat, 05 Jul 2014 16:00:11 GMT
On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas <mark@homeinbox.net> wrote:
> Maybe look at a third party security plugin like Spring Security? Not sure if this is
supported but worth a look.
>
> Mark

Thanks Mark and Konstantin for your quick replies. I tried to
accomplish this only using Spring Security and I also got kinda stuck
with the processing ordering. It is possible to use expressions like:

    <security:http>
        <security:intercept-url pattern="/**"
hasIpAddress('127.0.0.1') and hasRole('ROLE_JMX')" />
        <security:http-basic />
    </security:http>

... but yet again, because of the http-basic tag, the user is always
presented with an authentication instead of being denied.

In the end I found a solution which suits my needs: combining the
RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter
always prevents access if the client is not localhost. If the client
is localhost then Spring Security kicks in and finally authenticates
the User.

Quite complicated for such a simple task and I really did not expect
to find so little information regarding such an issue on the internet.
>From a systems administrator perspective there is no way I would
present a login form first and then deny via ip filters, but I guess
that is just how the servlet spec is defined.

Anyway, thanks again and keep up the good work.

Falco

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message