
Client-Cert authentication not protecting specified URL pattern

 
Kenny Johnson
Ranch Hand
Posts: 37
I am working on a pre-existing JBoss deployed web application. In my web.xml I have a security-constraint that protects the application from being accessed by people who do not have a PKI certificate. Here is the web.xml snippet:




When I go to the /warehouse/* URL pattern, it does not perform any authorization - although if I attempt to go to it with no cert at all - I get a 404. When I go to the /jsf/* URL pattern, my authentication and authorization work fine. Of note is that the /warehouse is an external directory outside of JBoss, which I set up in my server.xml file under the Hosts section (I added a Context element - as described here: http://community.jboss.org/message/182804#182804). Not sure if that's why /jsf works fine but /warehouse doesn't.

Any help is appreciated.
 
Peter Johnson
author
Bartender
Posts: 5852
Your hunch is probably correct - the contents of the /warehouse/ directory are not governed by this web.xml since the directory is not actually a part of the WAR.
 
Kenny Johnson
Ranch Hand
Posts: 37
How do I protect a resource that is outside of the web application then? Does anyone have ideas of what to search for in google? I'm 100% stumped.
 
Peter Johnson
author
Bartender
Posts: 5852
A few possibilities:

a) Package the external files in an exploded WAR and add the WAR (or the directory it is in) to the directories scanned by the deployer. Then use the standard WAR mechanisms to control access.
b) Don't allow direct access to the external files. Instead, route all requests for such files through a servlet (which will serve up those files), and secure the servlet.
 
Kenny Johnson
Ranch Hand
Posts: 37
Can you elaborate on the servlet option? Would I basically set up some kind of redirection servlet - which I would map out in my real web application - and in the servlet code all requests to it would then get forwarded to /warehouse?
 
Peter Johnson
author
Bartender
Posts: 5852
No. The servlet would interpret the URL to determine which file to serve, open that file, and write it to the response output stream, setting the contentType to the correct MIME type.
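The file-serving servlet Peter describes, as an added illustration that is not code from this thread. It assumes a servlet-mapping of /warehouse/* in the WAR's web.xml, so the existing CLIENT-CERT security-constraint on that pattern is enforced by the container before doGet runs; the base directory path is an assumed placeholder.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Serves files from a directory outside the WAR. Map it to /warehouse/* and keep
 *  that pattern inside the CLIENT-CERT security-constraint so the container
 *  authenticates and authorizes the request before this code ever runs. */
public class WarehouseFileServlet extends HttpServlet {
    // Assumed location of the external directory (placeholder; set to the real path)
    private static final File BASE_DIR = new File("/opt/warehouse");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With a /warehouse/* mapping, getPathInfo() is the part of the URL after /warehouse
        String path = req.getPathInfo();
        if (path == null || path.equals("/")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        File target = new File(BASE_DIR, path).getCanonicalFile();
        // Refuse anything that resolves outside BASE_DIR (e.g. via "..") or is not a plain file
        if (!target.getPath().startsWith(BASE_DIR.getCanonicalPath() + File.separator)
                || !target.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // MIME type comes from the container's mime-mapping table; fall back to a generic type
        String mime = getServletContext().getMimeType(target.getName());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setContentLength((int) target.length());
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
        } finally {
            in.close();
        }
    }
}
```

Once the files are only reachable through this servlet, the server.xml Context that exposes the directory directly can be removed, otherwise the unprotected path still exists.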
 