Posted to users@tomcat.apache.org by joeweder <jo...@gmail.com> on 2009/11/16 20:13:09 UTC

How2 Disable Browser Access to specific port

We have an application where the user comes in through 8443 via https.

But the same app also communicates headlessly with other apps through a
separate data port (also https).

When client authentication is turned on for 8443 the user/browser can get
through the data port without being challenged (we don't turn on
client-authentication for the data port).

Question: How can I disable browser access through a specific port but
continue to allow headless https through?
-- 
View this message in context: http://old.nabble.com/How2-Disable-Browser-Access-to-specific-port-tp26377695p26377695.html


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: How2 Disable Browser Access to specific port

Posted by Peter Crowther <pe...@melandra.com>.
2009/11/16 joeweder <jo...@gmail.com>:
> Question: How can I disable browser access through a specific port but
> continue to allow headless https through?

You *could* write a Filter that sniffed at the User-Agent header in
the https: request, but most browsers have ways of faking that - you
can't rely on *any* data coming in over the https stream to be
original rather than altered or injected by a cracker.  In essence,
there is no secure way of doing what you want.

Security by obscurity is poor security.  Have you thought about
designing the application correctly, so that headless https clients
have to authenticate?

- Peter



Re: How2 Disable Browser Access to specific port

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Joe,

On 11/16/2009 2:13 PM, joeweder wrote:
> We have an application where the user comes in through 8443 via https.
> 
> But the same app also communicates headlessly with other apps through a
> separate data port (also https).

What port is that? Do these apps happen to be on the same machine? Same
network segment? Can you predict where officially-sanctioned requests
are coming from?

> Question: How can I disable browser access through a specific port but
> continue to allow headless https through?

Short answer: bind the "private" <Connector> to 127.0.0.1 and outside
clients cannot connect. Not on localhost? You could use an SSH tunnel,
or you could use IP-based filtering to reject requests not coming from
known hosts.

I agree with Peter's response, that you ought to force your clients to
authenticate themselves to your webapp -- including "trusted" webapp
clients.

-chris
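The following server.xml fragment puts the two suggestions above (bind the private Connector to 127.0.0.1, or filter by source address) together with the advice to make the headless clients authenticate. It is added here as an illustration and is not configuration posted in the thread. The data port number 8444, the second Service named "Data", the keystore and truststore paths and passwords, the webapp base directory and the peer address 10.0.0.5 are all assumed values. It uses Tomcat 6 attribute names, which were current when the thread was written.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Illustrative server.xml (added example, not from the thread). -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Service 1: the browser-facing port the users come in on. -->
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="true"
               keystoreFile="conf/server.jks" keystorePass="changeit"
               truststoreFile="conf/clients.jks" truststorePass="changeit"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>

  <!-- Service 2: the "data" port used by the other applications.
       A Valve applies to every Connector of the Service it sits in, so the
       data Connector gets a Service of its own; otherwise the address filter
       would also apply to 8443. -->
  <Service name="Data">

    <!-- BEFORE (the situation described in the question): listens on every
         interface and never asks the client to prove who it is, so a browser
         that was challenged on 8443 simply walks in here instead.

    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="false"
               keystoreFile="conf/server.jks" keystorePass="changeit"/>
    -->

    <!-- AFTER: address="127.0.0.1" means only processes on this host can
         connect at all (remote peers reach it through an SSH tunnel if they
         must); clientAuth="true" means whoever does connect must present a
         certificate signed by a CA in the truststore. Drop the address
         attribute if the peers are on other hosts and rely on client auth
         plus the RemoteAddrValve below. -->
    <Connector port="8444" address="127.0.0.1"
               protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               clientAuth="true"
               keystoreFile="conf/server.jks" keystorePass="changeit"
               truststoreFile="conf/clients.jks" truststorePass="changeit"/>

    <Engine name="Data" defaultHost="localhost">
      <!-- IP-based filtering: allow is a regular expression matched against
           the whole remote address (the assumed peer 10.0.0.5 and localhost).
           Everything else gets 403. Dots are escaped so "127.0.0.1" does not
           also match "127a0b0c1". -->
      <Valve className="org.apache.catalina.valves.RemoteAddrValve"
             allow="127\.0\.0\.1|10\.0\.0\.5"/>
      <Host name="localhost" appBase="webapps-data"/>
    </Engine>
  </Service>

</Server>
```

Two checks worth doing after restarting: confirm the bind with `netstat -an | grep 8444` (the local address column should read 127.0.0.1:8444, not 0.0.0.0:8444 or :::8444), and connect from an unlisted host with a browser to confirm the Valve returns 403 rather than the application. Keep in mind that the Valve filters on the TCP peer address, so if a reverse proxy or NAT device sits in front of Tomcat it will see that device's address, not the real client's, and the filter becomes meaningless; in that layout the client certificate check is the control that actually holds.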
