You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by Jürgen Weber <ju...@jwi.de> on 2020/11/12 11:30:05 UTC
only for remote access
Hi,
I'd like to have web app security if accessed from outside the local network.
if (!local)
check <security-constraint>
Is this possible? with RemoteHostValve ?
Thx,
Juergen
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: only for remote access
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jürgen,
On 11/12/20 09:50, Jürgen Weber wrote:
> Chris,
>
> it is just authentication basic.
>
> I definitely want authentication for remote access, but I had hoped I
> could override this with a Valve for local access.
>
> Anyway, I'll spare the two apps and do two Servlet mappings
>
> /local
> /remote
>
> protect /remote with <security-constraint>
> and check in the servlet code if Servlet Path == local && remote IP in
> local network
You can definitely do that with the RemoteIPValve and/or RemoteIPFilter.
No need to write any new code.
> And I'll try to mod_rewrite /remote to /local if in local network.
That would work, but be aware of playing games with URL spaces. It can
be a real pain in the neck to hit every case.
What's wrong with local users authenticating? I don't trust my network
that much.
-chris
> Am Do., 12. Nov. 2020 um 14:43 Uhr schrieb Christopher Schultz
> <ch...@christopherschultz.net>:
>>
>> Jürgen,
>>
>> On 11/12/20 06:30, Jürgen Weber wrote:
>>> I'd like to have web app security if accessed from outside the local network.
>>>
>>> if (!local)
>>> check <security-constraint>
>>>
>>>
>>> Is this possible? with RemoteHostValve ?
>>
>> You cam simulate it, but you can't use <security-constraint> in web.xml
>> and also get a "local" carve-out for it.
>>
>> What kind of <security-constraint> are you trying to remove?
>>
>> Here are some options:
>>
>> 1. Review why you want to do this in the first place. What makes "local"
>> so special?
>>
>> 2. Deploy two instances of your application, one of which only allows
>> "local" access and does NOT have the <security-constraint> in web.xml.
>>
>> 3. Remove the <security-constraint> from web.xml completely, and use a
>> Filter/Valve to enforce your security policy.
>>
>> -chris
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: only for remote access
Posted by Jürgen Weber <ju...@jwi.de>.
Chris,
it is just authentication basic.
I definitely want authentication for remote access, but I had hoped I
could override this with a Valve for local access.
Anyway, I'll spare the two apps and do two Servlet mappings
/local
/remote
protect /remote with <security-constraint>
and check in the servlet code if Servlet Path == local && remote IP in
local network
And I'll try to mod_rewrite /remote to /local if in local network.
Juergen
Am Do., 12. Nov. 2020 um 14:43 Uhr schrieb Christopher Schultz
<ch...@christopherschultz.net>:
>
> Jürgen,
>
> On 11/12/20 06:30, Jürgen Weber wrote:
> > I'd like to have web app security if accessed from outside the local network.
> >
> > if (!local)
> > check <security-constraint>
> >
> >
> > Is this possible? with RemoteHostValve ?
>
> You cam simulate it, but you can't use <security-constraint> in web.xml
> and also get a "local" carve-out for it.
>
> What kind of <security-constraint> are you trying to remove?
>
> Here are some options:
>
> 1. Review why you want to do this in the first place. What makes "local"
> so special?
>
> 2. Deploy two instances of your application, one of which only allows
> "local" access and does NOT have the <security-constraint> in web.xml.
>
> 3. Remove the <security-constraint> from web.xml completely, and use a
> Filter/Valve to enforce your security policy.
>
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: only for remote access
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Jürgen,
On 11/12/20 06:30, Jürgen Weber wrote:
> I'd like to have web app security if accessed from outside the local network.
>
> if (!local)
> check <security-constraint>
>
>
> Is this possible? with RemoteHostValve ?
You cam simulate it, but you can't use <security-constraint> in web.xml
and also get a "local" carve-out for it.
What kind of <security-constraint> are you trying to remove?
Here are some options:
1. Review why you want to do this in the first place. What makes "local"
so special?
2. Deploy two instances of your application, one of which only allows
"local" access and does NOT have the <security-constraint> in web.xml.
3. Remove the <security-constraint> from web.xml completely, and use a
Filter/Valve to enforce your security policy.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org