JavaRanch » Java Forums » Products » JBoss/WildFly

Client-Cert authentication not protecting specified URL pattern

Kenny Johnson
Ranch Hand

Joined: Jan 01, 2007
Posts: 37
I am working on a pre-existing JBoss-deployed web application. In my web.xml I have a security-constraint that protects the application from being accessed by people who do not have a PKI certificate. Here is the web.xml snippet:




When I go to the /warehouse/* URL pattern, it does not perform any authorization - although if I attempt to go to it with no cert at all, I get a 404. When I go to the /jsf/* URL pattern, my authentication and authorization work fine. Of note is that /warehouse is an external directory outside of JBoss, which I set up in my server.xml file under the Hosts section (I added a Context element, as described here: http://community.jboss.org/message/182804#182804 ). Not sure if that's why /jsf works fine but /warehouse doesn't.

Any help is appreciated.
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5779

Your hunch is probably correct - the contents of the /warehouse/ directory are not governed by this web.xml since the directory is not actually a part of the WAR.


JBoss In Action
Kenny Johnson
Ranch Hand

Joined: Jan 01, 2007
Posts: 37
How do I protect a resource that is outside of the web application then? Does anyone have ideas of what to search for in Google? I'm 100% stumped.
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5779

A few possibilities:

a) Package the external files in an exploded WAR and add the WAR (or the directory it is in) to the directories scanned by the deployer. Then use the standard WAR mechanisms to control access.
b) Don't allow direct access to the external files. Instead, route all requests for such files through a servlet (which will serve up those files), and secure the servlet.
Kenny Johnson
Ranch Hand

Joined: Jan 01, 2007
Posts: 37
Can you elaborate on the servlet option? Would I basically set up some kind of redirection servlet - which I would map out in my real web application - and in the servlet code all requests to it would then get forwarded to /warehouse?
Peter Johnson
author
Bartender

Joined: May 14, 2008
Posts: 5779

No. The servlet would interpret the URL to determine which file to serve, open that file, write it to the response output stream, and set the contentType to the correct MIME type.
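A sketch of the file-serving servlet described in this answer, added here as an example; it is not code from the thread. It assumes Servlet 3.0 or later for the @WebServlet annotation (on an older container the same mapping goes in web.xml as a servlet/servlet-mapping pair) and an external directory at /opt/warehouse; both the directory and the class name are assumptions. Because the servlet is mapped to /warehouse/* inside the WAR, the WAR's existing security-constraint on that pattern now governs every request for those files. The canonical-path check is the part worth keeping: without it, ".." segments or symlinks inside the directory could let the servlet hand out files from elsewhere on the server.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Serves files that live in a directory outside the WAR, so the WAR's own
 * security-constraint on /warehouse/* decides who may fetch them.
 * Example written for this thread, not code from the original post.
 */
@WebServlet("/warehouse/*")
public class WarehouseFileServlet extends HttpServlet {

    // Assumption: location of the external directory. Adjust to your server.
    private static final File BASE_DIR = new File("/opt/warehouse");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // getPathInfo() is the part of the URL after /warehouse, e.g. "/reports/q1.pdf"
        String pathInfo = req.getPathInfo();
        if (pathInfo == null || pathInfo.equals("/")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Resolve both the base directory and the requested file to canonical
        // paths, then refuse anything that does not stay inside BASE_DIR.
        // Path.startsWith compares whole path components, so /opt/warehouse2
        // is not mistaken for a child of /opt/warehouse.
        File baseCanonical = BASE_DIR.getCanonicalFile();
        File requestedCanonical = new File(BASE_DIR, pathInfo).getCanonicalFile();
        if (!requestedCanonical.toPath().startsWith(baseCanonical.toPath())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        if (!requestedCanonical.isFile() || !requestedCanonical.canRead()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Let the container map the file extension to a MIME type (from the
        // web.xml mime-mapping entries or the container defaults).
        String mime = getServletContext().getMimeType(requestedCanonical.getName());
        if (mime == null) {
            mime = "application/octet-stream";
        }
        resp.setContentType(mime);
        long length = requestedCanonical.length();
        if (length <= Integer.MAX_VALUE) {
            resp.setContentLength((int) length);
        }

        // Stream the file to the response in fixed-size chunks.
        InputStream in = new FileInputStream(requestedCanonical);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
    }
}
```

The servlet answers under the WAR's own context path, so the separate Context element added to server.xml for /warehouse is no longer needed; if it stays, the container routes /warehouse requests to that context instead of to the WAR, and the constraint is bypassed again.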