Client-Cert authentication not protecting specified URL pattern

 
Ranch Hand
I am working on a pre-existing JBoss deployed web application. In my web.xml I have a security-constraint that protects the application from being accessed by people who do not have a PKI certificate. Here is the web.xml snippet:




When I go to the /warehouse/* URL pattern, it does not perform any authorization, although if I attempt to go to it with no cert at all, I get a 404. When I go to the /jsf/* URL pattern, my authentication and authorization work fine. Of note is that the /warehouse is an external directory outside of JBoss, which I set up in my server.xml file under the Hosts section (I added a Context element, as described here: http://community.jboss.org/message/182804#182804). Not sure if that's why /jsf works fine but /warehouse doesn't.

Any help is appreciated.
 
author
Your hunch is probably correct - the contents of the /warehouse/ directory are not governed by this web.xml since the directory is not actually a part of the WAR.
 
Kenny Johnson
Ranch Hand
How do I protect a resource that is outside of the web application then? Does anyone have ideas of what to search for in Google? I'm 100% stumped.
 
Peter Johnson
author
A few possibilities:

a) Package the external files in an exploded WAR and add the WAR (or the directory it is in) to the directories scanned by the deployer. Then use the standard WAR mechanisms to control access.
b) Don't allow direct access to the external files. Instead, route all requests for such files through a servlet (which will serve up those files), and secure the servlet.
 
Kenny Johnson
Ranch Hand
Can you elaborate on the servlet option? Would I basically set up some kind of redirection servlet, which I would map out in my real web application, and in the servlet code all requests to it would then get forwarded to /warehouse?
 
Peter Johnson
author
No. The servlet would interpret the URL to determine which file to serve, open that file, and write it to the response output stream, setting the contentType to the correct MIME type.
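
A sketch of the file-serving servlet described in the last reply, added here as an example and not code posted in the thread. The class name `WarehouseFileServlet` and the `warehouseDir` init-param are assumptions, as are Java 7+ and the `javax.servlet` API; the servlet is assumed to be mapped to /warehouse/* inside the WAR so the existing security-constraint covers it, with the external Context element removed from server.xml.

```java
import java.io.IOException;
import java.nio.file.*;
import javax.servlet.ServletException;
import javax.servlet.http.*;

// Hypothetical servlet: map it to /warehouse/* in the WAR's web.xml so the
// container enforces the CLIENT-CERT security-constraint before doGet runs.
public class WarehouseFileServlet extends HttpServlet {
    private Path baseDir;

    @Override
    public void init() throws ServletException {
        // "warehouseDir" is an assumed init-param naming the external directory.
        String dir = getInitParameter("warehouseDir");
        if (dir == null) throw new ServletException("warehouseDir init-param not set");
        try {
            baseDir = Paths.get(dir).toRealPath();   // canonical form, symlinks resolved
        } catch (IOException e) {
            throw new ServletException("warehouseDir is not accessible", e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String pathInfo = req.getPathInfo();         // URL part after /warehouse
        if (pathInfo == null || pathInfo.length() < 2) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        Path target;
        try {
            // Resolve ".." segments and symlinks before deciding anything.
            target = baseDir.resolve(pathInfo.substring(1)).toRealPath();
        } catch (IOException | RuntimeException e) { // missing file or malformed path
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Refuse anything that resolved outside the warehouse directory.
        if (!target.startsWith(baseDir) || !Files.isRegularFile(target)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String mime = getServletContext().getMimeType(target.getFileName().toString());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        Files.copy(target, resp.getOutputStream()); // stream the file to the client
    }
}
```

Because the file name comes from the request URL, the containment check against `baseDir` matters as much as the security-constraint: without it an authenticated user could request paths outside the warehouse directory.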
 