Posted to users@tomcat.apache.org by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov> on 2012/03/09 22:44:38 UTC

Dynamic Security Constraints?

I'm not sure this is the right subject line, but if I wanted to use Tomcat to publish large files (several GB) for different customers to download, and each customer wanted their own secure URL (form based login over HTTPS) from which to download their data, how would I add a new security constraint url-pattern for authentication for new customers without restarting the server?  Is that even the correct approach?

Or would it just be easier to deploy a new pre-configured webapp for each customer?

Tomcat 6.0.35

Leo


Re: Dynamic Security Constraints?

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Leo,

On 3/9/12 4:44 PM, Leo Donahue - PLANDEVX wrote:
> I'm not sure this is the right subject line, but if I wanted to
> use Tomcat to publish large files (several GB) for different
> customers to download, and each customer wanted their own secure
> URL (form based login over HTTPS) from which to download their
> data, how would I add a new security constraint url-pattern for
> authentication for new customers without restarting the server?  Is
> that even the correct approach?

Sounds like a custom filter would be best. You could map the filter to
some root, say "/dynamic-security/*" and then always publish to URLs
that would be served by resources in that URL space.

You can do whatever you want in your filter. For example, you could
have a map of URLs to clients and make sure that the current-user "is"
the proper client. You can even write a simple management servlet that
allows you to modify that map. (Don't forget to protect that admin
servlet :)

- -chris
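An added illustration of the filter approach described above (example code, not from the thread or from Tomcat itself): a javax.servlet Filter mapped to /dynamic-security/* in web.xml that keeps a run-time map of first path segments to owning customers and refuses any request whose container-authenticated user is not that owner. The container's own FORM login on the same URL space supplies the user; the class name, the grant/revoke methods and the sample entries are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Authorization filter for /dynamic-security/*.  A <security-constraint>
 * on the same url-pattern makes the container do FORM authentication first;
 * this filter only decides whether the logged-in user owns the sub-path.
 */
public class CustomerPathFilter implements Filter {

    static final String ROOT = "/dynamic-security/";

    // Constructed sample mapping: path segment under ROOT -> owning login name.
    // A (protected) management servlet may call grant/revoke without a restart.
    private static final Map<String, String> OWNERS = new ConcurrentHashMap<String, String>();
    static {
        OWNERS.put("acme-2012-03", "acme_user");
        OWNERS.put("globex-q1", "globex_user");
    }

    public static void grant(String segment, String user) { OWNERS.put(segment, user); }
    public static void revoke(String segment) { OWNERS.remove(segment); }

    /** True only if user is the registered owner of the segment directly under ROOT. */
    static boolean permitted(String user, String contextRelativePath) {
        if (user == null || contextRelativePath == null
                || !contextRelativePath.startsWith(ROOT)) return false;
        String rest = contextRelativePath.substring(ROOT.length());
        int slash = rest.indexOf('/');
        String segment = slash < 0 ? rest : rest.substring(0, slash);
        String owner = OWNERS.get(segment);
        return owner != null && owner.equals(user);   // unknown segment -> deny
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // servletPath + pathInfo is the decoded, normalized path below the context,
        // whichever servlet (including the default servlet) ends up serving it.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        if (!permitted(request.getRemoteUser(), path)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    public void init(FilterConfig config) { }
    public void destroy() { }
}
```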

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Dynamic Security Constraints?

Posted by Konstantin Kolinko <kn...@gmail.com>.
2012/3/10 André Warnier <aw...@ice-sa.com>:
>
> 3) Before you even start this, it may be wise to do a quick back-of-hand
> calculation about the time it takes to download such a file over the average
> communications link. Tens of GB is hundreds of Gigabits. You may be
> surprised at the number of hours your customers would need, to download such
> a file.  Neither you nor they may be pleased at saturating your respective
> Internet links for the duration; nor at having to restart the download in
> case there's a hiccup after 90%.
> (tip : at 1 Mbit/s download speed, it would take close to 3 hours to
> download 1 Gbyte)
> It may be better to send them a USB stick by post..
>

They will have to use a download manager to resume downloads. E.g.
good old "wget".


Note that it cannot deal with "FORM" authentication (because it relies
on HTTP session and cookies), but it works well with BASIC (and maybe
with DIGEST) and it works over HTTPS.

Using physical delivery is only good if you trust the courier.
Generally you have to encrypt the media. There was a story when postal
service lost magnetic tapes that one bank was sending to their backup
storage.

Best regards,
Konstantin Kolinko



Re: Dynamic Security Constraints?

Posted by André Warnier <aw...@ice-sa.com>.
Leo Donahue - PLANDEVX wrote:

>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Dynamic Security Constraints?
>>
>> Addenda :
>> 1) ... You'd have to think carefully of where you place these
>> files to download, so that Tomcat does not unwittingly provide the
>> possibility for a user to download such a file directly (bypassing the
>> login) by providing a URL that points to the file directly.
> 
> Not to change the subject, but I hear a lot of people talking about the point you're making about where to place the file and unwittingly providing a URL to access it outside of a security constraint.
> 
> Perhaps there is some design history to this that people used to do that I am just missing, so could someone please enlighten me?
> 
> If I place a file in a webapp context of customerx, and restrict access to everything in the customerx url pattern to a specific login, how can that URL be accessed outside of a security check?  Are people doing something else when they deploy their apps that would allow the situation you are describing?  Are they creating a separate docBase?
> 

Let me give one example :

Imagine that you have a front-end webserver like Apache httpd or IIS, and one back-end 
tomcat on the same host.
Then imagine that you would be of the opinion that it must be more efficient to have the 
front-end server serve any static content (pure html, images, stylesheets) directly, 
rather than proxying this to Tomcat and having Tomcat deliver that content through the 
connector etc..
But for maintenance reasons, it is still easier to have all this content in one single 
application directory, together with your JSP pages and webapps, under Tomcat /webapps/myapp.
So you would think : hey, why do I not define a <Location> (or a "virtual directory" or 
whatever IIS calls it) in my front-end server, allowing it to serve the static content of 
my Tomcat /webapps/myapp directly ?
The problem with this, is that the front-end server, by default, has no idea that the 
/WEB-INF/ and /META-INF/ directories are special to Tomcat, and may contain things that 
you do not want to serve to the outside world.  So if a request URL, at the front-end 
level, looks like it addresses a static file like /webapps/myapp/WEB-INF/passwords.xml, it 
will happily serve it directly, never even asking Tomcat's opinion.

You'd be amazed at how many people have come here with configurations which do exactly 
that.  And how many additional ones have never come here but have the same layout.

There are subtler cases, involving uppercase/lowercase sensitivity; or involving doing the 
login under HTTPS, but the rest of the session not, etc..

You are right that in your case, if you define one separate webapp per customer, and each 
webapp requires a login, and the files to download by one customer are within that 
webapp's directory, you will not have a security problem.
On the other hand, if you want a single webapp, but each customer should be able only to 
download his own files, then your setup must be a bit more careful, and the links that you 
provide to one customer to access his file(s), should not be so that he can just change 
one or two characters in it and download someone else's files.
And if all the files are in the same directory, you should not allow them to obtain a 
"directory index" page.
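The single-webapp variant discussed above, as an added example that is not part of the original post or of Tomcat: the files live in a directory outside the webapp's docBase, so no URL maps to them directly and no directory index can list them, and the servlet chooses the file from the authenticated login name rather than from anything in the URL, so altering the link cannot reach another customer's data. The base directory, the class name and the in-memory stand-in for the users/roles database are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Mapped to e.g. /download inside a FORM-protected <security-constraint>.
 * The file is selected by who is logged in, never by a path or parameter.
 */
public class CustomerDownloadServlet extends HttpServlet {

    // Assumption: a directory outside Tomcat's webapps tree, readable only by the Tomcat user.
    static final File BASE = new File("/srv/customer-downloads");

    // Constructed stand-in for the SQL users/roles table: login name -> file name.
    static final Map<String, String> FILE_FOR_USER = new HashMap<String, String>();
    static {
        FILE_FOR_USER.put("acme_user", "acme-parcels-2012-03.zip");
        FILE_FOR_USER.put("globex_user", "globex-aerials.zip");
    }

    /** The user's file, or null if the user has none or the record would escape BASE. */
    static File resolve(String user) throws IOException {
        String name = user == null ? null : FILE_FOR_USER.get(user);
        if (name == null) return null;
        File f = new File(BASE, name);
        // Defensive: even a bad database value must not resolve outside BASE.
        if (!f.getCanonicalPath().startsWith(BASE.getCanonicalPath() + File.separator)) return null;
        return f.isFile() ? f : null;
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        File f = resolve(req.getRemoteUser());   // set by the container after FORM login
        if (f == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        resp.setContentType("application/zip");
        resp.setHeader("Content-Disposition", "attachment; filename=\"" + f.getName() + "\"");
        // setContentLength(int) overflows above 2 GB; send the header as a string instead.
        resp.setHeader("Content-Length", String.valueOf(f.length()));
        InputStream in = new FileInputStream(f);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[64 * 1024];
            int n;
            while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
}
```

This example sends the whole file in one response; resuming an interrupted multi-GB download, as Konstantin suggests with wget, would additionally need Range request handling, which is omitted here.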



RE: Dynamic Security Constraints?

Posted by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov>.
>-----Original Message-----
>From: André Warnier [mailto:aw@ice-sa.com]
>Subject: Re: Dynamic Security Constraints?
>
>Addenda :
>1) ... You'd have to think carefully of where you place these
>files to download, so that Tomcat does not unwittingly provide the
>possibility for a user to download such a file directly (bypassing the
>login) by providing a URL that points to the file directly.

Not to change the subject, but I hear a lot of people talking about the point you're making about where to place the file and unwittingly providing a URL to access it outside of a security constraint.

Perhaps there is some design history to this that people used to do that I am just missing, so could someone please enlighten me?

If I place a file in a webapp context of customerx, and restrict access to everything in the customerx url pattern to a specific login, how can that URL be accessed outside of a security check?  Are people doing something else when they deploy their apps that would allow the situation you are describing?  Are they creating a separate docBase?



Re: Dynamic Security Constraints?

Posted by André Warnier <aw...@ice-sa.com>.
André Warnier wrote:
> Leo Donahue - PLANDEVX wrote:
>>> -----Original Message-----
>>> From: André Warnier [mailto:aw@ice-sa.com]
>>> Subject: Re: Dynamic Security Constraints?
>>>
>>> Leo Donahue - PLANDEVX wrote:
>>>> I'm not sure this is the right subject line, but if I wanted to use
>>> Tomcat to publish large files (several GB) for different customers to
>>> download, and each customer wanted their own secure URL (form based
>>> login over HTTPS) from which to download their data, how would I add a
>>> new security constraint url-pattern for authentication for new customers
>>> without restarting the server?  Is that even the correct approach?
>>>> Or would it just be easier to deploy a new pre-configured webapp for
>>> each customer?
>>> Your own choice of phrasing above is a bit ambiguous, but indeed your
>>> last solution seems to be the easiest to implement.
>>>
>>> Among other reasons, since you do not know who they are before they
>>> login, it would be difficult to present each one of them with their own
>>> specific login page.
>>> (That's the ambiguous part, so I'm not sure that I understand your
>>> requirement correctly).
>>
>> Occasionally I get requests for GIS data in the tens of gigabytes.  
>> Our ftp won't let us upload that amount of data, so I thought why not 
>> zip it and place it on Tomcat for them to download.  This data was 
>> sensitive in nature and they wanted a secure login to whatever URL I 
>> provided for them to download that data.
>>
>> Example:  http://planning.maricopa.gov/customerx  when they access 
>> this URL, they are presented with a form based login over HTTPS, and 
>> once authenticated, Tomcat serves up a directory with their zip file.  
>> Essentially, I would already have a preconfigured SQL database with 
>> users/roles and just whip up a webapp and send the customer a 
>> url/username/password with which to login.  I was thinking I would 
>> just have a webapp template that I modify when I get a request like 
>> that, deploy and then undeploy it after they get their data.  Is there 
>> a better way? 
> 
> Well, if they can all use the same login page, then after they login you 
> know who they are.  And if you anyway have a database back-end, then 
> whatever webapp they are logged-in to, can do a database lookup and 
> retrieve /their/ download link from the database, and display it on the 
> response page.  Then you need only one webapp, and all you need to do is 
> add or modify or delete a record in the database.
> 
> Just don't make the download link too obvious, not to encourage one of 
> them to change it a little bit just to try..
> For example, I would not make it like :
> https://planning.maricopa.gov/customer001/secret_download_file.gis
> ;-)
> 

Addenda :
1) there is a bit more to this, in terms of the logic of that application. You'd have to 
think carefully of where you place these files to download, so that Tomcat does not 
unwittingly provide the possibility for a user to download such a file directly (bypassing 
the login) by providing a URL that points to the file directly.
2) if the files being downloaded are really "in the tens of GB", you may want to pay 
attention to the overhead of delivering them under HTTPS, which would have your host 
encrypt the whole communication for downloading the files also.
I am not sure how much impact that would have on your host, but it may be significant.
3) Before you even start this, it may be wise to do a quick back-of-hand calculation about 
the time it takes to download such a file over the average communications link. Tens of GB 
is hundreds of Gigabits. You may be surprised at the number of hours your customers would 
need, to download such a file.  Neither you nor they may be pleased at saturating your 
respective Internet links for the duration; nor at having to restart the download in case 
there's a hiccup after 90%.
(tip : at 1 Mbit/s download speed, it would take close to 3 hours to download 1 Gbyte)
It may be better to send them a USB stick by post..



Re: Dynamic Security Constraints?

Posted by André Warnier <aw...@ice-sa.com>.
Leo Donahue - PLANDEVX wrote:
>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Dynamic Security Constraints?
>>
>> Leo Donahue - PLANDEVX wrote:
>>> I'm not sure this is the right subject line, but if I wanted to use
>> Tomcat to publish large files (several GB) for different customers to
>> download, and each customer wanted their own secure URL (form based
>> login over HTTPS) from which to download their data, how would I add a
>> new security constraint url-pattern for authentication for new customers
>> without restarting the server?  Is that even the correct approach?
>>> Or would it just be easier to deploy a new pre-configured webapp for
>> each customer?
>> Your own choice of phrasing above is a bit ambiguous, but indeed your
>> last solution seems to be the easiest to implement.
>>
>> Among other reasons, since you do not know who they are before they
>> login, it would be difficult to present each one of them with their own
>> specific login page.
>> (That's the ambiguous part, so I'm not sure that I understand your
>> requirement correctly).
> 
> Occasionally I get requests for GIS data in the tens of gigabytes.  Our ftp won't let us upload that amount of data, so I thought why not zip it and place it on Tomcat for them to download.  This data was sensitive in nature and they wanted a secure login to whatever URL I provided for them to download that data.
> 
> Example:  http://planning.maricopa.gov/customerx  when they access this URL, they are presented with a form based login over HTTPS, and once authenticated, Tomcat serves up a directory with their zip file.  Essentially, I would already have a preconfigured SQL database with users/roles and just whip up a webapp and send the customer a url/username/password with which to login.  I was thinking I would just have a webapp template that I modify when I get a request like that, deploy and then undeploy it after they get their data.  Is there a better way?  
> 

Well, if they can all use the same login page, then after they login you know who they 
are.  And if you anyway have a database back-end, then whatever webapp they are logged-in 
to, can do a database lookup and retrieve /their/ download link from the database, and 
display it on the response page.  Then you need only one webapp, and all you need to do is 
add or modify or delete a record in the database.

Just don't make the download link too obvious, not to encourage one of them to change it a 
little bit just to try..
For example, I would not make it like :
https://planning.maricopa.gov/customer001/secret_download_file.gis
;-)



RE: Dynamic Security Constraints?

Posted by Leo Donahue - PLANDEVX <Le...@mail.maricopa.gov>.
>-----Original Message-----
>From: André Warnier [mailto:aw@ice-sa.com]
>Subject: Re: Dynamic Security Constraints?
>
>Leo Donahue - PLANDEVX wrote:
>> I'm not sure this is the right subject line, but if I wanted to use
>Tomcat to publish large files (several GB) for different customers to
>download, and each customer wanted their own secure URL (form based
>login over HTTPS) from which to download their data, how would I add a
>new security constraint url-pattern for authentication for new customers
>without restarting the server?  Is that even the correct approach?
>>
>> Or would it just be easier to deploy a new pre-configured webapp for
>each customer?
>>
>Your own choice of phrasing above is a bit ambiguous, but indeed your
>last solution seems to be the easiest to implement.
>
>Among other reasons, since you do not know who they are before they
>login, it would be difficult to present each one of them with their own
>specific login page.
>(That's the ambiguous part, so I'm not sure that I understand your
>requirement correctly).

Occasionally I get requests for GIS data in the tens of gigabytes.  Our ftp won't let us upload that amount of data, so I thought why not zip it and place it on Tomcat for them to download.  This data was sensitive in nature and they wanted a secure login to whatever URL I provided for them to download that data.

Example:  http://planning.maricopa.gov/customerx  when they access this URL, they are presented with a form based login over HTTPS, and once authenticated, Tomcat serves up a directory with their zip file.  Essentially, I would already have a preconfigured SQL database with users/roles and just whip up a webapp and send the customer a url/username/password with which to login.  I was thinking I would just have a webapp template that I modify when I get a request like that, deploy and then undeploy it after they get their data.  Is there a better way?  



Re: Dynamic Security Constraints?

Posted by André Warnier <aw...@ice-sa.com>.
Leo Donahue - PLANDEVX wrote:
> I'm not sure this is the right subject line, but if I wanted to use Tomcat to publish large files (several GB) for different customers to download, and each customer wanted their own secure URL (form based login over HTTPS) from which to download their data, how would I add a new security constraint url-pattern for authentication for new customers without restarting the server?  Is that even the correct approach?
> 
> Or would it just be easier to deploy a new pre-configured webapp for each customer?
> 
Your own choice of phrasing above is a bit ambiguous, but indeed your last solution seems 
to be the easiest to implement.

Among other reasons, since you do not know who they are before they login, it would be 
difficult to present each one of them with their own specific login page.
(That's the ambiguous part, so I'm not sure that I understand your requirement correctly).

You could use per-customer virtual hosts, but that would be more difficult to set up than 
just dropping a war-file in ../webapps/, in particular on-the-fly.
