Define <security-constraint> outside of web.xml (e.g. on server)
I would like to apply security restrictions to all web applications deployed on a Tomcat 7 server. To do this, I created a realm and a valve. I understand that the contents of context.xml are part of all the applications deployed on the server - this part seems to work, since I can add all the settings and I see the effects, as they are included in the various deployed application contexts. It works great to ensure consistency between web applications.
Something that doesn't seem to be working is trying to define a security constraint similar to the following outside of web.xml:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>myServletWAR</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>my_role</role-name>
        </auth-constraint>
    </security-constraint>

I am doing this in context.xml, between the Context tags. No complaints from Tomcat, but no security restrictions apply; for example, I can get into the application without a password. With the above restriction in context.xml, I see:

    Aug 14, 2013 3:03:32 PM org.apache.catalina.authenticator.AuthenticatorBase invoke FINE: Not subject to any constraint ...

in the logs and can get into a "secure" resource without authentication.
Moving the same restriction to the webapp's web.xml, of course, leads to the expected behavior of the restriction, but I need to ensure that the restriction is applied consistently across all applications deployed on this server.
Is a security restriction required to be in the web application? If so, how can I define a security constraint for several web applications (as yet deployed), if not in context.xml?
This is exactly what I am trying to set up, but I want the restriction enforced from outside web.xml (as above). Again, so that it is consistent across the entire server.
I saw another similar question, but I'm trying to find a way to do this in the Tomcat configuration without having to use the Servlet API from the code base (which is already written).
Thanks!
Seconds after I posted my question, I realized that:
$CATALINA_BASE/conf/web.xml was the answer I was looking for.
Its root element, as you would expect, is web-app, and its contents are added to each deployed web application (just as context.xml is for each context), so a security-constraint can be added there.
I had to restart Tomcat (changes to this file are clearly not redeployed automatically), but this is not a problem since it should not change in production.
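As an added illustration (not the poster's file or Tomcat's shipped default), here is what the relevant fragment of $CATALINA_BASE/conf/web.xml can look like; the login-config, security-role and user-data-constraint are assumptions added so that the constraint is actually enforceable, since the question's snippet shows only the security-constraint itself.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment of $CATALINA_BASE/conf/web.xml (added example, not the poster's file).
     Tomcat merges this file with the web.xml of every deployed application,
     so the constraint below is enforced server-wide without editing any WAR. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <!-- The default servlet, JSP servlet and mime mappings shipped with
         Tomcat remain above this point, unchanged. -->

    <!-- The constraint from the question: every *.jsp in every webapp
         requires an authenticated user holding my_role. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>myServletWAR</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>my_role</role-name>
        </auth-constraint>
        <!-- Assumed addition: require HTTPS so credentials are never sent in clear. -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- Assumed: an auth-method is needed so that Tomcat installs an
         authenticator that actually challenges the client. BASIC is used
         here, over the HTTPS required above. The users and their roles
         come from the Realm configured in server.xml. -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Server-wide protected area</realm-name>
    </login-config>

    <!-- Declare the role referenced by the auth-constraint. -->
    <security-role>
        <role-name>my_role</role-name>
    </security-role>

</web-app>
```

After editing this file Tomcat must be restarted, as the answer notes; checking for the "Not subject to any constraint" line disappearing from the FINE-level AuthenticatorBase log output for a *.jsp request is a quick way to confirm the constraint is now being applied.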