Posted to users@tomcat.apache.org by einojah <ei...@gmail.com> on 2008/11/05 22:54:20 UTC

Is it possible to "hide" tomcat resource from outside?

Hello, 

I have an admin area in my application I want to secure. 
I know I can define a security constraint to set a basic or digest
authentication for a url pattern. 

But, I don't want the /admin area to be shown outside at all. The basic
authentication is extremely weak and digest auth. also doesn't provide
enough security. 

Is it possible to "hide" an url pattern on the outside, but have it
available when accessing from the server machine? 

thanks.. 

-- 
View this message in context: http://www.nabble.com/Is-it-possible-to-%22hide%22-tomcat-resource-from-outside--tp20349038p20349038.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Is it possible to "hide" tomcat resource from outside?

Posted by Pierre Goupil <go...@gmail.com>.
Can't you just block the port? That's what I do on my machine: port
8080 is unavailable from the outside, only from localhost. So my manager
webapp is almost flawlessly protected. I only redirect those apps that I
need to port 80 using apache / mod_jk.

HTH,

Pierre


On Wed, Nov 5, 2008 at 10:54 PM, einojah <ei...@gmail.com> wrote:

>
> Hello,
>
> I have an admin area in my application I want to secure.
> I know I can define a security constraint to set a basic or digest
> authentication for a url pattern.
>
> But, I don't want the /admin area to be shown outside at all. The basic
> authentication is extremely weak and digest auth. also doesn't provide
> enough security.
>
> Is it possible to "hide" an url pattern on the outside, but have it
> available when accessing from the server machine?
>
> thanks..
>


-- 
Because it is at night that it is beautiful to believe in the light.

Re: Is it possible to "hide" tomcat resource from outside?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

espinchi,

espinchi wrote:
> That's cool, but a little overkill for some use cases.

Like what? Just because a tool can do way more than you need it to do
doesn't mean it's less useful for the task at hand.

> For instance, in a portlet-based portal application, you might have
> individual portlets registered to the patterns
> "/PortletInvoker/MyPortletName". We need the portal to access them, but a
> user shouldn't be able to access a portlet directly from a URL like
> "http://myserver/PortletInvoker/MyPortletName", so I'd like to serve a 404
> before that portlet (i.e., the servlet that manages it) is hit.
> 
> Are there any simple solutions to this problem in Tomcat?

The "simpler" solution is to write your own Filter (or Valve, I suppose,
if you want to lock yourself into using Tomcat) that replicates the
capability you're looking for.

I suppose if your portlet uses FORWARD or INCLUDE to gather this
information rather than a loopback request, you can even write a filter
that simply unconditionally returns 404 and map it only to the "REQUEST"
type of dispatcher.

- -chris


Re: Is it possible to "hide" tomcat resource from outside?

Posted by espinchi <pa...@gmail.com>.
That's cool, but a little overkill for some use cases.

For instance, in a portlet-based portal application, you might have
individual portlets registered to the patterns
"/PortletInvoker/MyPortletName". We need the portal to access them, but a
user shouldn't be able to access a portlet directly from a URL like
"http://myserver/PortletInvoker/MyPortletName", so I'd like to serve a 404
before that portlet (i.e., the servlet that manages it) is hit.

Are there any simple solutions to this problem in Tomcat?

Thanks!


awarnier wrote:
> 
> 
> I'm beginning to sound as if I had a sales commission on that module, 
> but I really like it..
> Also, there might be a better method, but what I'm thinking of would be 
> based on this module :
> 
> http://www.tuckey.org/urlrewrite/
> 
> You can test "from where" the request is coming, and in case it is not 
> "from inside", re-direct it to some standard html page that you would 
> create on your server, and would look like a 404 response.
> I mean that it would not actually be a 404 response (it would be a 
> normal 200 OK response), but the content of the page would be "sorry, 
> this URL could not be found".
> 
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Is-it-possible-to-%22hide%22-tomcat-resource-from-outside--tp20349038p20599645.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Is it possible to "hide" tomcat resource from outside?

Posted by André Warnier <aw...@ice-sa.com>.
espinchi wrote:
> 
> Christopher Schultz-2 wrote:
>>
>>> Is it possible to "hide" an url pattern on the outside, but have it
>>> available when accessing from the server machine? 
>> There are ways to do this, but the best way depends on what you want to
>> actually happen when someone requests a URL from /admin. So, let me know
>> and I'll make a recommendation.
>>
>>
> 
> I would like to serve an ordinary 404 error. To the external user, that
> pattern should behave as if it didn't exist.
> 
> I think that can be achieved in Tomcat, but I can't find how :(
> 
I'm beginning to sound as if I had a sales commission on that module, 
but I really like it..
Also, there might be a better method, but what I'm thinking of would be 
based on this module :

http://www.tuckey.org/urlrewrite/

You can test "from where" the request is coming, and in case it is not 
"from inside", re-direct it to some standard html page that you would 
create on your server, and would look like a 404 response.
I mean that it would not actually be a 404 response (it would be a 
normal 200 OK response), but the content of the page would be "sorry, 
this URL could not be found".


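As an added example (not code posted by anyone in this thread), the following Servlet Filter combines the two suggestions above: Chris's idea of a filter mapped only to the REQUEST dispatcher, so that RequestDispatcher.forward()/include() from the portal servlet never passes through it, and André's "test from where the request is coming" check, except that it sends a genuine 404 status instead of a 200 OK page that merely looks like one, so the URL is indistinguishable from a non-existent one to a scanner. The class name LoopbackOnlyFilter, the filter name and the /PortletInvoker/* mapping are assumptions chosen for illustration; drop the loopback test and the filter becomes the unconditional-404 variant Chris describes.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical filter, not from the thread. Answers a real 404 to any
 * direct client request for the mapped URLs unless the TCP peer is the
 * loopback interface. With the web.xml mapping below (REQUEST only),
 * forward()/include() from the portal servlet bypass the filter entirely.
 *
 * Assumed web.xml fragment:
 *
 *   <filter>
 *     <filter-name>loopbackOnly</filter-name>
 *     <filter-class>LoopbackOnlyFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>loopbackOnly</filter-name>
 *     <url-pattern>/PortletInvoker/*</url-pattern>
 *     <dispatcher>REQUEST</dispatcher>
 *   </filter-mapping>
 */
public class LoopbackOnlyFilter implements Filter {

    /**
     * True when the peer address is 127.0.0.0/8 or ::1 (IPv4-mapped forms
     * such as ::ffff:127.0.0.1 are normalised by InetAddress). The argument
     * is expected to be an IP literal as returned by getRemoteAddr(), so no
     * DNS lookup takes place.
     */
    static boolean isLoopback(String remoteAddr) {
        if (remoteAddr == null || remoteAddr.length() == 0) {
            return false;
        }
        try {
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            // Not parseable as an address: treat as untrusted.
            return false;
        }
    }

    public void init(FilterConfig config) throws ServletException {
        // No configuration needed for this example.
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only the TCP peer is consulted; X-Forwarded-For and similar headers
        // are client-controlled and must not be trusted for this decision.
        if (!isLoopback(request.getRemoteAddr())) {
            // A real 404 status, not a 200 page that says "not found".
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Request originates on the server machine: let it through.
        chain.doFilter(req, res);
    }

    public void destroy() {
        // Nothing to release.
    }
}
```

One caveat worth checking before relying on this: getRemoteAddr() is the TCP peer as Tomcat sees it. If Tomcat sits behind Apache/mod_jk on the same box, as in Pierre's setup, every request arrives from localhost and the loopback test passes for everyone. In that deployment the hiding has to happen in the front end (simply do not mount or forward /PortletInvoker), and the filter's remote-address check should be replaced by the unconditional 404 on the REQUEST dispatcher, which still lets the portal's forward()/include() work.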


Re: Is it possible to "hide" tomcat resource from outside?

Posted by espinchi <pa...@gmail.com>.

Christopher Schultz-2 wrote:
> 
> 
>> Is it possible to "hide" an url pattern on the outside, but have it
>> available when accessing from the server machine? 
> 
> There are ways to do this, but the best way depends on what you want to
> actually happen when someone requests a URL from /admin. So, let me know
> and I'll make a recommendation.
> 
> 

I would like to serve an ordinary 404 error. To the external user, that
pattern should behave as if it didn't exist.

I think that can be achieved in Tomcat, but I can't find how :(

-- 
View this message in context: http://www.nabble.com/Is-it-possible-to-%22hide%22-tomcat-resource-from-outside--tp20349038p20598970.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: Is it possible to "hide" tomcat resource from outside?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

einojah,

einojah wrote:
> I have an admin area in my application I want to secure. 
> I know I can define a security constraint to set a basic or digest
> authentication for a url pattern. 
> 
> But, I don't want the /admin area to be shown outside at all.

What do you want the behavior to be when someone tries to access an
/admin URL from the outside?

> The basic
> authentication is extremely weak and digest auth. also doesn't provide
> enough security. 

Why won't digest auth provide enough security for you? Have you
considered form-based auth over SSL?

> Is it possible to "hide" an url pattern on the outside, but have it
> available when accessing from the server machine? 

There are ways to do this, but the best way depends on what you want to
actually happen when someone requests a URL from /admin. So, let me know
and I'll make a recommendation.

- -chris