Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2014/06/13 19:03:23 UTC

Read-only mod_jk jk-status?


All,

I'm interested in locking-down my jk-status page so that certain users
can view the information but not modify it.

Unfortunately, the jk-status page is implemented using a single URL as
a controller with GET-parameters controlling what actually happens.
Even the "edit worker" page uses GET instead of POST, so I can't just
disable POST for all but some blessed set of users.

Does anyone have any suggestions for how jk-status could be
locked-down? I'm guessing that a whole lot of mod_rewrite rules could
do the trick by looking for certain "write" operations and rejecting
them, but that would mean being very careful about a lot of "magic"
that's being sent-around in URL parameters.

Has anyone done anything like this before?

Thanks,
- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Read-only mod_jk jk-status?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Rainer,

On 6/13/14, 1:58 PM, Rainer Jung wrote:
> On 13.06.2014 19:03, Christopher Schultz wrote:
>> All,
>> 
>> I'm interested in locking-down my jk-status page so that certain
>> users can view the information but not modify it.
>> 
>> Unfortunately, the jk-status page is implemented using a single
>> URL as a controller with GET-parameters controlling what actually
>> happens. Even the "edit worker" page uses GET instead of POST, so
>> I can't just disable POST for all but some blessed set of users.
>> 
>> Does anyone have any suggestions for how jk-status could be 
>> locked-down? I'm guessing that a whole lot of mod_rewrite rules
>> could do the trick by looking for certain "write" operations and
>> rejecting them, but that would mean being very careful about a
>> lot of "magic" that's being sent-around in URL parameters.
>> 
>> Has anyone done anything like this before?
> 
> It's a built-in feature, set the read_only attribute of that
> status worker to "true".

Aw, geez... I wasn't even thinking along those lines.

> You can even have multiple status workers, like one read-write and
> one read-only.

Seems like that would be the most obvious way to deploy: one read-only
and one read/write, then just allow access to the read-write one to
special users (which can be done via httpd.conf).

> For instance the worker.properties in the source code release of
> mod_jk has:
> 
> http://svn.apache.org/viewvc/tomcat/jk/trunk/conf/workers.properties?view=co
>
> # Define two status worker:
> # - jk-status for read-only use
> # - jk-manager for read/write use
> worker.list=jk-status
> worker.jk-status.type=status
> worker.jk-status.read_only=true
> 
> worker.list=jk-manager
> worker.jk-manager.type=status
> 
> That means whatever URL you mount to the worker jk-status will be 
> read-only and whatever url you mount to jk-manager will be
> read-write. You can choose those names and also the URLs
> arbitrarily as long as that snippet stays consistent.

Thanks!

- -chris


Re: Read-only mod_jk jk-status?

Posted by Rainer Jung <ra...@kippdata.de>.
On 13.06.2014 19:03, Christopher Schultz wrote:
> All,
> 
> I'm interested in locking-down my jk-status page so that certain users
> can view the information but not modify it.
> 
> Unfortunately, the jk-status page is implemented using a single URL as
> a controller with GET-parameters controlling what actually happens.
> Even the "edit worker" page uses GET instead of POST, so I can't just
> disable POST for all but some blessed set of users.
> 
> Does anyone have any suggestions for how jk-status could be
> locked-down? I'm guessing that a whole lot of mod_rewrite rules could
> do the trick by looking for certain "write" operations and rejecting
> them, but that would mean being very careful about a lot of "magic"
> that's being sent-around in URL parameters.
> 
> Has anyone done anything like this before?

It's a built-in feature, set the read_only attribute of that status
worker to "true".

You can even have multiple status workers, like one read-write and one
read-only. For instance the worker.properties in the source code release
of mod_jk has:

http://svn.apache.org/viewvc/tomcat/jk/trunk/conf/workers.properties?view=co

# Define two status worker:
# - jk-status for read-only use
# - jk-manager for read/write use
worker.list=jk-status
worker.jk-status.type=status
worker.jk-status.read_only=true

worker.list=jk-manager
worker.jk-manager.type=status

That means whatever URL you mount to the worker jk-status will be
read-only and whatever url you mount to jk-manager will be read-write.
You can choose those names and also the URLs arbitrarily as long as that
snippet stays consistent.

Regards,

Rainer
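
An added example (not from the thread or from the mod_jk distribution) showing the httpd.conf side of what Rainer describes above and what Chris sketches in his reply: the two status workers from the workers.properties snippet are mounted on separate URLs, and httpd's own access control decides who may reach each one. The module path, workers file location, user/group file names, the group name jk-admins and the 10.0.0.0/8 range are all assumptions for illustration; the syntax is Apache httpd 2.4.

```apache
# Added example, not part of the thread. Assumes mod_jk is installed at
# modules/mod_jk.so and that conf/workers.properties contains the
# jk-status (read_only=true) and jk-manager status workers shown above.
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkLogFile     logs/mod_jk.log
JkLogLevel    info

# One URL per status worker. The worker names must match worker.list
# in workers.properties; the URLs themselves are free to choose.
JkMount /jk-status  jk-status
JkMount /jk-manager jk-manager

# Read-only view: any authenticated user may look, nobody can change
# anything, because mod_jk enforces read_only=true on this worker
# regardless of which URL parameters are sent.
<Location "/jk-status">
    AuthType Basic
    AuthName "mod_jk status (read-only)"
    # Password file created with htpasswd (assumed path)
    AuthUserFile "conf/jk-users"
    Require valid-user
</Location>

# Read/write manager: only members of an assumed jk-admins group, and
# only from an assumed management network. Both conditions must hold.
<Location "/jk-manager">
    AuthType Basic
    AuthName "mod_jk manager (read/write)"
    AuthUserFile  "conf/jk-users"
    # Group file line, for example:  jk-admins: alice bob
    AuthGroupFile "conf/jk-groups"
    <RequireAll>
        Require group jk-admins
        Require ip 10.0.0.0/8
    </RequireAll>
</Location>
```

The point of the split is that the write restriction is enforced by mod_jk itself through the worker's read_only attribute, so no mod_rewrite inspection of the "magic" GET parameters is needed; httpd's authentication and authorization only choose which of the two endpoints a given user can reach at all. Keep the two URLs distinct and avoid mounting the read-write worker anywhere that the broader user population can reach.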

