I am working on a pre-existing JBoss-deployed web application. In my web.xml I have a security-constraint that protects the application from being accessed by people who do not have a PKI certificate. Here is the web.xml snippet:
When I go to the /warehouse/* URL pattern, it does not perform any authorization - although if I attempt to go to it with no cert at all, I get a 404. When I go to the /jsf/* URL pattern, my authentication and authorization work fine. Of note is that /warehouse is an external directory outside of JBoss, which I set up in my server.xml file under the Hosts section (I added a Context element, as described here: http://community.jboss.org/message/182804#182804). Not sure if that's why /jsf works fine but /warehouse doesn't.
a) Package the external files in an exploded WAR and add the WAR (or the directory it is in) to the directories scanned by the deployer. Then use the standard WAR mechanisms to control access.
b) Don't allow direct access to the external files. Instead, route all requests for such files through a servlet (which will serve up those files), and secure the servlet.
Can you elaborate on the servlet option? Would I basically set up some kind of redirection servlet - which I would map out in my real web application - and in the servlet code all requests to it would then get forwarded to /warehouse?
No. The servlet would interpret the URL to determine which file to serve, open that file, and write it to the response output stream, setting the contentType to the correct MIME type.
subject: Client-Cert authentication not protecting specified URL pattern
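A sketch of the file-serving servlet described in the last reply, as an added example that is not code from the thread. The class name `WarehouseFileServlet` and the `warehouseDir` init-param are hypothetical, and it assumes the servlet is mapped in web.xml to a URL pattern that the existing security-constraint covers. It also rejects any request path that resolves outside the external directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: serves files from an external directory. Access control comes
// from the web.xml security-constraint on this servlet's URL pattern.
public class WarehouseFileServlet extends HttpServlet {
    private Path baseDir;

    @Override
    public void init() throws ServletException {
        // "warehouseDir" is a hypothetical init-param holding the external directory.
        String dir = getInitParameter("warehouseDir");
        if (dir == null) throw new ServletException("missing init-param warehouseDir");
        try {
            baseDir = Paths.get(dir).toRealPath();   // canonical form, symlinks resolved
        } catch (IOException e) {
            throw new ServletException("cannot resolve " + dir, e);
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String pathInfo = req.getPathInfo();         // URL part after the servlet mapping
        Path file = null;
        if (pathInfo != null && pathInfo.length() > 1) {
            try {
                file = baseDir.resolve(pathInfo.substring(1)).toRealPath();
            } catch (IOException | InvalidPathException e) {
                file = null;                         // missing file or malformed path
            }
        }
        // Refuse anything that is not a regular file under baseDir ("../", symlinks out).
        if (file == null || !file.startsWith(baseDir) || !Files.isRegularFile(file)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        String mime = getServletContext().getMimeType(file.getFileName().toString());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setHeader("Content-Length", String.valueOf(Files.size(file)));
        Files.copy(file, resp.getOutputStream());    // stream file bytes to the client
    }
}
```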