Posted to users@tomcat.apache.org by Falco Schwarz <hi...@falco.me> on 2014/07/04 16:37:32 UTC

web.xml processing order of directives - filter vs security-constraint

All,

I am trying to set up the jmx proxy servlet and am kinda stuck on security.
I would like to:

- restrict access to localhost
- restrict access to require basic authentication

Currently it works, though in the wrong order. This is how the request is
being processed right now:

1) user accesses /infra/jmx
2) user has to authenticate
3) user is being denied

Is it possible to switch step 2 and 3?

Relevant parts of web.xml, webapp is called infra:

  <servlet>
    <servlet-name>JMXProxy</servlet-name>
    <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>JMXProxy</servlet-name>
    <url-pattern>/jmx/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JMX Proxy interface</web-resource-name>
      <url-pattern>/jmx/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>jmx</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JMX Proxy</realm-name>
  </login-config>
  <security-role>
    <description>
      The role that is required to access the JMX Proxy
    </description>
    <role-name>jmx</role-name>
  </security-role>

Re: web.xml processing order of directives - filter vs security-constraint

Posted by Felix Schumacher <fe...@internetallee.de>.

On 5. Juli 2014 19:04:26 MESZ, Falco Schwarz <hi...@falco.me> wrote:
>On Sat, Jul 5, 2014 at 6:17 PM, Hassan Schroeder
><ha...@gmail.com> wrote:
>> (Sorry, late to the thread but ...) if you just want to restrict
>access to
>> a resource to localhost, why not os-level e.g. an iptables rule?
>
>Well, the reason behind the restriction is that I would like to use
>Tomcat's jmxproxy for our production systems, as our current monitoring
>solution is quite limited. Therefore I am planning to deploy an
>additional webapp to each Tomcat. I would also restrict access to
>our real web applications if I restricted the whole connector.
You could add a virtual host or even another service in which you could deploy the jmxproxy and restrict ips at the same time.

Regards
Felix


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: web.xml processing order of directives - filter vs security-constraint

Posted by Falco Schwarz <hi...@falco.me>.
On Sat, Jul 5, 2014 at 6:17 PM, Hassan Schroeder
<ha...@gmail.com> wrote:
> (Sorry, late to the thread but ...) if you just want to restrict access to
> a resource to localhost, why not os-level e.g. an iptables rule?

Well, the reason behind the restriction is that I would like to use
Tomcat's jmxproxy for our production systems, as our current monitoring
solution is quite limited. Therefore I am planning to deploy an
additional webapp to each Tomcat. I would also restrict access to
our real web applications if I restricted the whole connector.



Re: web.xml processing order of directives - filter vs security-constraint

Posted by Hassan Schroeder <ha...@gmail.com>.
On Sat, Jul 5, 2014 at 9:00 AM, Falco Schwarz <hi...@falco.me> wrote:

> In the end I found a solution which suits my needs: combining the
> RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter
> always prevents access if the client is not localhost.

(Sorry, late to the thread but ...) if you just want to restrict access to
a resource to localhost, why not os-level e.g. an iptables rule?

FWIW,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
http://about.me/hassanschroeder
twitter: @hassan



Re: web.xml processing order of directives - filter vs security-constraint

Posted by Falco Schwarz <hi...@falco.me>.
On Sun, Jul 6, 2014 at 1:35 PM, Konstantin Kolinko
<kn...@gmail.com> wrote:
> I think you can inject RemoteAddrFilter into Spring Security filter
> chain (that is if you do not want to configure it separately in
> web.xml),

You are right, I did not think of that.
FWIW this is easily doable using custom filters [1] with Shiro, so it
should be possible with Spring Security as well.


Thanks again for your help,
Falco

[1] http://shiro.apache.org/web.html#Web-AvailableFilters



Re: web.xml processing order of directives - filter vs security-constraint

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-07-05 20:00 GMT+04:00 Falco Schwarz <hi...@falco.me>:
> On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas <ma...@homeinbox.net> wrote:
>> Maybe look at a third party security plugin like Spring Security? Not sure if this is supported but worth a look.
>>
>> Mark
>
> Thanks Mark and Konstantin for your quick replies. I tried to
> accomplish this only using Spring Security and I also got kinda stuck
> with the processing ordering. It is possible to use expressions like:
>
>     <security:http>
>         <security:intercept-url pattern="/**"
> access="hasIpAddress('127.0.0.1') and hasRole('ROLE_JMX')" />
>         <security:http-basic />
>     </security:http>
>
> ... but yet again, because of the http-basic tag, the user is always
> presented with an authentication instead of being denied.
>
> In the end I found a solution which suits my needs: combining the
> RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter
> always prevents access if the client is not localhost. If the client
> is localhost then Spring Security kicks in and finally authenticates
> the User.
>
> Quite complicated for such a simple task and I really did not expect
> to find so little information regarding such an issue on the internet.

Ask spring security people?

(They wrote recently that they shut down all their forums, and support
is currently provided via stackoverflow.
http://spring.io/blog/2014/06/18/retiring-the-forum-spring-io-website
)

I think you can inject RemoteAddrFilter into Spring Security filter
chain (that is if you do not want to configure it separately in
web.xml),

http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#ns-custom-filters

> From a systems administrator perspective there is no way I would
> present a login form first and then deny via ip filters, but I guess
> that is just how the servlet spec is defined.
>

I think that admins usually do not want to bother with web application
internals such as web.xml. The usual solution is to configure a
RemoteAddrValve.


Best regards,
Konstantin Kolinko



Re: web.xml processing order of directives - filter vs security-constraint

Posted by Falco Schwarz <hi...@falco.me>.
On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas <ma...@homeinbox.net> wrote:
> Maybe look at a third party security plugin like Spring Security? Not sure if this is supported but worth a look.
>
> Mark

Thanks Mark and Konstantin for your quick replies. I tried to
accomplish this only using Spring Security and I also got kinda stuck
with the processing ordering. It is possible to use expressions like:

    <security:http>
        <security:intercept-url pattern="/**"
            access="hasIpAddress('127.0.0.1') and hasRole('ROLE_JMX')" />
        <security:http-basic />
    </security:http>

... but yet again, because of the http-basic tag, the user is always
presented with an authentication instead of being denied.

In the end I found a solution which suits my needs: combining the
RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter
always prevents access if the client is not localhost. If the client
is localhost then Spring Security kicks in and finally authenticates
the User.

Quite complicated for such a simple task and I really did not expect
to find so little information regarding such an issue on the internet.
From a systems administrator perspective there is no way I would
present a login form first and then deny via ip filters, but I guess
that is just how the servlet spec is defined.

Anyway, thanks again and keep up the good work.

Falco



Re: web.xml processing order of directives - filter vs security-constraint

Posted by Mark Thomas <ma...@homeinbox.net>.
On 5 July 2014 08:41:52 BST, Falco Schwarz <hi...@falco.me> wrote:
>I should add that the IP restriction is applied via filter, not with a
>tomcat Valve. Essentially the question breaks down to this:
>
>Is it possible in any way for a filter to be applied before the
>evaluation
>of the security-constraint?

No.

>Or is there any other way of setting up an
>IP
>filter combined with authentication given the order from above?

Maybe look at a third party security plugin like Spring Security? Not sure if this is supported but worth a look.

Mark


>
>Any hint for the right direction would be greatly appreciated.
>
>Thanks,
>Falco
>
>
>On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz <hi...@falco.me> wrote:
>
>> All,
>>
>> I am trying to set up the jmx proxy servlet and am kinda stuck on
>> security. I would like to:
>>
>> - restrict access to localhost
>> - restrict access to require basic authentication
>>
>> Currently it works, though in the wrong order. This is how the
>request is
>> being processed right now:
>>
>> 1) user accesses /infra/jmx
>> 2) user has to authenticate
>> 3) user is being denied
>>
>> Is it possible to switch step 2 and 3?
>>
>> Relevant parts of web.xml, webapp is called infra:
>>
>>   <servlet>
>>     <servlet-name>JMXProxy</servlet-name>
>>     <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
>>   </servlet>
>>   <servlet-mapping>
>>     <servlet-name>JMXProxy</servlet-name>
>>     <url-pattern>/jmx/*</url-pattern>
>>   </servlet-mapping>
>>
>>   <security-constraint>
>>     <web-resource-collection>
>>       <web-resource-name>JMX Proxy interface</web-resource-name>
>>       <url-pattern>/jmx/*</url-pattern>
>>     </web-resource-collection>
>>     <auth-constraint>
>>       <role-name>jmx</role-name>
>>     </auth-constraint>
>>   </security-constraint>
>>   <login-config>
>>     <auth-method>BASIC</auth-method>
>>     <realm-name>JMX Proxy</realm-name>
>>   </login-config>
>>   <security-role>
>>     <description>
>>       The role that is required to access the JMX Proxy
>>     </description>
>>     <role-name>jmx</role-name>
>>   </security-role>
>>
>>





Re: web.xml processing order of directives - filter vs security-constraint

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-07-06 13:45 GMT+04:00 Falco Schwarz <hi...@falco.me>:
> Konstantin,
>
> On Sat, Jul 5, 2014 at 3:26 PM, Konstantin Kolinko
> <kn...@gmail.com> wrote:
>> You can either perform IP filtering in a Valve (that will be in the
>> pipeline before an Authenticator), or you can remove
>> security-constraint and implement authentication and authorization in
>> a filter (such as Security Filter, or using Spring Security framework).
>> http://wiki.apache.org/tomcat/AddOns#Filters
>
> in search of something simpler than Spring Security I stumbled upon
> Apache Shiro. I quite like the way it is set up and it gets the job
> done. Perhaps you might want to add this to the 3rd party filters in
> the Wiki, too?

Done. Thank you.

Best regards,
Konstantin Kolinko



Re: web.xml processing order of directives - filter vs security-constraint

Posted by Falco Schwarz <hi...@falco.me>.
Konstantin,

On Sat, Jul 5, 2014 at 3:26 PM, Konstantin Kolinko
<kn...@gmail.com> wrote:
> You can either perform IP filtering in a Valve (that will be in the
> pipeline before an Authenticator), or you can remove
> security-constraint and implement authentication and authorization in
> a filter (such as Security Filter, or using Spring Security framework).
> http://wiki.apache.org/tomcat/AddOns#Filters

in search of something simpler than Spring Security I stumbled upon
Apache Shiro. I quite like the way it is set up and it gets the job
done. Perhaps you might want to add this to the 3rd party filters in
the Wiki, too?



Re: web.xml processing order of directives - filter vs security-constraint

Posted by Konstantin Kolinko <kn...@gmail.com>.
2014-07-05 11:41 GMT+04:00 Falco Schwarz <hi...@falco.me>:
> I should add that the IP restriction is applied via filter, not with a
> tomcat Valve. Essentially the question breaks down to this:
>
> Is it possible in any way for a filter to be applied before the evaluation
> of the security-constraint? Or is there any other way of setting up an IP
> filter combined with authentication given the order from above?

No. A security-constraint is applied before the request reaches a web
application.

You can either perform IP filtering in a Valve (that will be in the
pipeline before an Authenticator), or you can remove
security-constraint and implement authentication and authorization in
a filter (such as Security Filter, or using Spring Security framework).
http://wiki.apache.org/tomcat/AddOns#Filters


Best regards,
Konstantin Kolinko



Re: web.xml processing order of directives - filter vs security-constraint

Posted by Falco Schwarz <hi...@falco.me>.
I should add that the IP restriction is applied via filter, not with a
tomcat Valve. Essentially the question breaks down to this:

Is it possible in any way for a filter to be applied before the evaluation
of the security-constraint? Or is there any other way of setting up an IP
filter combined with authentication given the order from above?

Any hint for the right direction would be greatly appreciated.

Thanks,
Falco


On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz <hi...@falco.me> wrote:

> All,
>
> I am trying to set up the jmx proxy servlet and am kinda stuck on
> security. I would like to:
>
> - restrict access to localhost
> - restrict access to require basic authentication
>
> Currently it works, though in the wrong order. This is how the request is
> being processed right now:
>
> 1) user accesses /infra/jmx
> 2) user has to authenticate
> 3) user is being denied
>
> Is it possible to switch step 2 and 3?
>
> Relevant parts of web.xml, webapp is called infra:
>
>   <servlet>
>     <servlet-name>JMXProxy</servlet-name>
>     <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
>   </servlet>
>   <servlet-mapping>
>     <servlet-name>JMXProxy</servlet-name>
>     <url-pattern>/jmx/*</url-pattern>
>   </servlet-mapping>
>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>JMX Proxy interface</web-resource-name>
>       <url-pattern>/jmx/*</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>jmx</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>BASIC</auth-method>
>     <realm-name>JMX Proxy</realm-name>
>   </login-config>
>   <security-role>
>     <description>
>       The role that is required to access the JMX Proxy
>     </description>
>     <role-name>jmx</role-name>
>   </security-role>
>
>