RE: R: Apache / Tomcat Load Balanced mode
Hi

Thx for the reply

> restrict based on roles so in /conf/tomcat-users.xml

By using the AAA Realm, UserId / Passwd would be definitely an usage, but the intention for doing the same is NOT to expose the /admin/* to INTERNET and reply with ERROR 404 for the same. But in case of INTRANET usage, access for /admin/* should be provided.

Note: The admin also has a set of log-in credentials similar to the normal non-admin case, so using realm would double up the process unnecessarily.

Please appreciate this process for more ideas!

With regards
Karthik

-----Original Message-----
From: Martin Gainty [mailto:mgai...@hotmail.com]
Sent: Tuesday, April 21, 2009 8:10 PM
To: Tomcat Users List
Subject: RE: R: Apache / Tomcat Load Balanced mode

you can restrict based on roles so in /conf/tomcat-users.xml you can define username fubar to role 'newrole'

    <user username="fubar" password="fubar" roles="newrole"/>

then in WebAppName/WEB-INF/web.xml

    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTMLManger and Manager command</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- NOTE: This role is not present in the default users file -->
        <role-name>newrole</role-name>
      </auth-constraint>
    </security-constraint>
    <!-- security-role is a sibling of security-constraint in web.xml, not a child -->
    <security-role>
      <role-name>newrole</role-name>
    </security-role>

any access to YourWebAppName/admin are enabled only to role='newrole'

Martin

From: karthik.nanjang...@xius-bcgi.com
To: users@tomcat.apache.org
Date: Tue, 21 Apr 2009 18:19:42 +0530
Subject: RE: R: Apache / Tomcat Load Balanced mode

Hi

Thx for the same

Web application would be installed on 3 nodes of Tomcat below the single load balancer of Apache http 2.x server

www.acme.com being exposed to INTERNET
www.acme.com/admin being exposed to INTRANET

We would like to block the /admin from the INTERNET access
If somebody uses /admin the response should be blocked

If the same /admin is to be used within the INTRANET local access
We should be able to display the credentials

How to achieve the same?

With regards
karthik

-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Tuesday, April 21, 2009 12:51 PM
To: Tomcat Users List
Subject: Re: R: Apache / Tomcat Load Balanced mode

On 21.04.2009 09:06, Leandro Dardini wrote:
>> -----Original Message-----
>> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
>> Sent: Tuesday, 21 April 2009 7.34
>> To: Tomcat Users List
>> Subject: Apache / Tomcat Load Balanced mode
>>
>> Hi
>>
>> Would the same work with Apache / Tomcat Load Balanced mode Configuration for single installation of the web application acme
>>
>> www.acme.com being exposed to INTERNET
>> www.acme.com/admin being exposed to INTRANET
>>
>> Reason: The application uses a single DB to request of orders (from Subscribers) and same URL with *admin* would process the orders (Internal Employees) and should not be exposed to outside world.
>>
>> Is there any Configuration within Apache or Tomcat to achieve the same?
>>
>> With regards
>> Karthik
>
> Maybe I don't understand your question, but to me there is no difference in configuring access in Load Balanced or not Load Balanced mode. As regarding the admin section, you can filter it using apache access control.

I agree, load balancing seems to be not related to the question
RE: R: Apache / Tomcat Load Balanced mode
> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
> Subject: RE: R: Apache / Tomcat Load Balanced mode
>
> But the intention for doing the same is NOT to expose the /admin/* to INTERNET and reply with ERROR 404 for the same, But in case of INTRANET usage access for /admin/* should be provided

Write a filter that rejects requests for /admin or /admin/* when the request arrives from a non-intranet address.

 - Chuck
Re: R: Apache / Tomcat Load Balanced mode
Caldarale, Charles R wrote:
>> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
>> Subject: RE: R: Apache / Tomcat Load Balanced mode
>>
>> But the intention for doing the same is NOT to expose the /admin/* to INTERNET and reply with ERROR 404 for the same, But in case of INTRANET usage access for /admin/* should be provided
>
> Write a filter that rejects requests for /admin or /admin/* when the request arrives from a non-intranet address.

http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html

Remote Address Filter or Remote Host Filter

Mark
Re: R: Apache / Tomcat Load Balanced mode
Mark Thomas wrote:
> Caldarale, Charles R wrote:
>>> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
>>> Subject: RE: R: Apache / Tomcat Load Balanced mode
>>>
>>> But the intention for doing the same is NOT to expose the /admin/* to INTERNET and reply with ERROR 404 for the same, But in case of INTRANET usage access for /admin/* should be provided
>>
>> Write a filter that rejects requests for /admin or /admin/* when the request arrives from a non-intranet address.
>
> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>
> Remote Address Filter or Remote Host Filter

Wait, does that not block *all* accesses to that host?
RE: R: Apache / Tomcat Load Balanced mode
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: R: Apache / Tomcat Load Balanced mode
>
>> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>> Remote Address Filter or Remote Host Filter
>
> Wait, does that not block *all* accesses to that host?

Yes, which is why I suggested a filter, which could be configured for just /admin/*. I'm not aware of any means of configuring valves for specific URL patterns.

 - Chuck
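The filter Chuck describes, written out as an added example (not code from the thread or from Tomcat). The class name `IntranetOnlyAdminFilter` is hypothetical, and "intranet" is assumed to mean an RFC 1918 private IPv4 address.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class name): answers 404 for /admin and for
// anything below it unless the client address is internal.
// Map the filter to the url-pattern "/*" in WEB-INF/web.xml so that the
// bare /admin path is covered as well as /admin/...
public class IntranetOnlyAdminFilter implements Filter {

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (isAdminPath(request) && !isIntranet(request.getRemoteAddr())) {
            // Same answer an external client gets for a path that does not exist
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    // Uses the container's decoded, normalised path (servlet path + path info)
    // rather than the raw request URI, so encoded or dotted variants of the
    // path are matched the same way the container will route them.
    static boolean isAdminPath(HttpServletRequest request) {
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }
        return path.equals("/admin") || path.startsWith("/admin/");
    }

    // Assumption: "intranet" means 10/8, 172.16/12 or 192.168/16.
    static boolean isIntranet(String remoteAddr) {
        try {
            // getRemoteAddr() returns an IP literal, so no DNS lookup happens here
            return InetAddress.getByName(remoteAddr).isSiteLocalAddress();
        } catch (UnknownHostException e) {
            return false; // unparseable address: treat as external
        }
    }
}
```

When httpd forwards over AJP (mod_jk or mod_proxy_ajp), `getRemoteAddr()` is the browser's address and the check works as written. When httpd proxies over HTTP with mod_proxy, Tomcat sees httpd's own address for every request, so the restriction has to be enforced in httpd instead.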
Re: R: Apache / Tomcat Load Balanced mode
André Warnier wrote:
> Mark Thomas wrote:
>> Caldarale, Charles R wrote:
>>>> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
>>>> Subject: RE: R: Apache / Tomcat Load Balanced mode
>>>>
>>>> But the intention for doing the same is NOT to expose the /admin/* to INTERNET and reply with ERROR 404 for the same, But in case of INTRANET usage access for /admin/* should be provided
>>>
>>> Write a filter that rejects requests for /admin or /admin/* when the request arrives from a non-intranet address.
>>
>> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>>
>> Remote Address Filter or Remote Host Filter
>
> Wait, does that not block *all* accesses to that host?

I'd assumed that admin was a separate context and therefore could have a valve applied. If not, just do it in httpd.

Mark
Re: R: Apache / Tomcat Load Balanced mode
Mark Thomas wrote:
> André Warnier wrote:
>> Mark Thomas wrote:
>>> Caldarale, Charles R wrote:
>>>>> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
>>>>> Subject: RE: R: Apache / Tomcat Load Balanced mode
>>>>>
>>>>> But the intention for doing the same is NOT to expose the /admin/* to INTERNET and reply with ERROR 404 for the same, But in case of INTRANET usage access for /admin/* should be provided
>>>>
>>>> Write a filter that rejects requests for /admin or /admin/* when the request arrives from a non-intranet address.
>>>
>>> http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html
>>>
>>> Remote Address Filter or Remote Host Filter
>>
>> Wait, does that not block *all* accesses to that host?
>
> I'd assumed that admin was a separate context and therefore could have a valve applied. If not, just do it in httpd.

Do you mean that the Valve can be inserted at the context.xml level, rather than inside the Host?
Re: R: Apache / Tomcat Load Balanced mode
André Warnier wrote:
> Mark Thomas wrote:
>> André Warnier wrote:
>>> Mark Thomas wrote:
>> I'd assumed that admin was a separate context and therefore could have a valve applied. If not, just do it in httpd.
>
> Do you mean that the Valve can be inserted at the context.xml level, rather than inside the Host?

Yes. Valves are valid at Engine, Host and Context level.

Mark
RE: R: Apache / Tomcat Load Balanced mode
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: R: Apache / Tomcat Load Balanced mode
>
> Do you mean that the Valve can be inserted at the context.xml level, rather than inside the Host?

Yes. I had made the opposite assumption to Mark T, in that I thought admin was part of the ROOT context.

 - Chuck
R: Apache / Tomcat Load Balanced mode
> -----Original Message-----
> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
> Sent: Tuesday, 21 April 2009 7.34
> To: Tomcat Users List
> Subject: Apache / Tomcat Load Balanced mode
>
> Hi
>
> Would the same work with Apache / Tomcat Load Balanced mode Configuration for single installation of the web application acme
>
> www.acme.com being exposed to INTERNET
> www.acme.com/admin being exposed to INTRANET
>
> Reason: The application uses a single DB to request of orders (from Subscribers) and same URL with *admin* would process the orders (Internal Employees) and should not be exposed to outside world.
>
> Is there any Configuration within Apache or Tomcat to achieve the same?
>
> With regards
> Karthik

Maybe I don't understand your question, but to me there is no difference in configuring access in Load Balanced or not Load Balanced mode. As regarding the admin section, you can filter it using apache access control.

Leandro
Re: R: Apache / Tomcat Load Balanced mode
On 21.04.2009 09:06, Leandro Dardini wrote:
>> -----Original Message-----
>> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
>> Sent: Tuesday, 21 April 2009 7.34
>> To: Tomcat Users List
>> Subject: Apache / Tomcat Load Balanced mode
>>
>> Hi
>>
>> Would the same work with Apache / Tomcat Load Balanced mode Configuration for single installation of the web application acme
>>
>> www.acme.com being exposed to INTERNET
>> www.acme.com/admin being exposed to INTRANET
>>
>> Reason: The application uses a single DB to request of orders (from Subscribers) and same URL with *admin* would process the orders (Internal Employees) and should not be exposed to outside world.
>>
>> Is there any Configuration within Apache or Tomcat to achieve the same?
>>
>> With regards
>> Karthik
>
> Maybe I don't understand your question, but to me there is no difference in configuring access in Load Balanced or not Load Balanced mode. As regarding the admin section, you can filter it using apache access control.

I agree, load balancing seems to be not related to the question.

One first decision would be, whether you are able to deploy your application twice, once as the ROOT context and once as admin. Then everything will become obvious.

If you only want to deploy it once, e.g. as admin, then you will need to do URL rewriting in the Apache-Layer.

When using mod_proxy, you can find info about that at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

When using mod_jk, look at
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

Regards,
Rainer
RE: R: Apache / Tomcat Load Balanced mode
Hi

Thx for the same

Web application would be installed on 3 nodes of Tomcat below the single load balancer of Apache http 2.x server

www.acme.com being exposed to INTERNET
www.acme.com/admin being exposed to INTRANET

We would like to block the /admin from the INTERNET access
If somebody uses /admin the response should be blocked

If the same /admin is to be used within the INTRANET local access
We should be able to display the credentials

How to achieve the same?

With regards
karthik

-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Tuesday, April 21, 2009 12:51 PM
To: Tomcat Users List
Subject: Re: R: Apache / Tomcat Load Balanced mode

On 21.04.2009 09:06, Leandro Dardini wrote:
>> -----Original Message-----
>> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
>> Sent: Tuesday, 21 April 2009 7.34
>> To: Tomcat Users List
>> Subject: Apache / Tomcat Load Balanced mode
>>
>> Hi
>>
>> Would the same work with Apache / Tomcat Load Balanced mode Configuration for single installation of the web application acme
>>
>> www.acme.com being exposed to INTERNET
>> www.acme.com/admin being exposed to INTRANET
>>
>> Reason: The application uses a single DB to request of orders (from Subscribers) and same URL with *admin* would process the orders (Internal Employees) and should not be exposed to outside world.
>>
>> Is there any Configuration within Apache or Tomcat to achieve the same?
>>
>> With regards
>> Karthik
>
> Maybe I don't understand your question, but to me there is no difference in configuring access in Load Balanced or not Load Balanced mode. As regarding the admin section, you can filter it using apache access control.

I agree, load balancing seems to be not related to the question.

One first decision would be, whether you are able to deploy your application twice, once as the ROOT context and once as admin. Then everything will become obvious.

If you only want to deploy it once, e.g. as admin, then you will need to do URL rewriting in the Apache-Layer.

When using mod_proxy, you can find info about that at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

When using mod_jk, look at
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

Regards,
Rainer
RE: R: Apache / Tomcat Load Balanced mode
you can restrict based on roles so in /conf/tomcat-users.xml you can define username fubar to role 'newrole'

    <user username="fubar" password="fubar" roles="newrole"/>

then in WebAppName/WEB-INF/web.xml

    <!-- Define a Security Constraint on this Application -->
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTMLManger and Manager command</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- NOTE: This role is not present in the default users file -->
        <role-name>newrole</role-name>
      </auth-constraint>
    </security-constraint>
    <!-- security-role is a sibling of security-constraint in web.xml, not a child -->
    <security-role>
      <role-name>newrole</role-name>
    </security-role>

any access to YourWebAppName/admin are enabled only to role='newrole'

Martin

From: karthik.nanjang...@xius-bcgi.com
To: users@tomcat.apache.org
Date: Tue, 21 Apr 2009 18:19:42 +0530
Subject: RE: R: Apache / Tomcat Load Balanced mode

Hi

Thx for the same

Web application would be installed on 3 nodes of Tomcat below the single load balancer of Apache http 2.x server

www.acme.com being exposed to INTERNET
www.acme.com/admin being exposed to INTRANET

We would like to block the /admin from the INTERNET access
If somebody uses /admin the response should be blocked

If the same /admin is to be used within the INTRANET local access
We should be able to display the credentials

How to achieve the same?

With regards
karthik

-----Original Message-----
From: Rainer Jung [mailto:rainer.j...@kippdata.de]
Sent: Tuesday, April 21, 2009 12:51 PM
To: Tomcat Users List
Subject: Re: R: Apache / Tomcat Load Balanced mode

On 21.04.2009 09:06, Leandro Dardini wrote:
>> -----Original Message-----
>> From: Karthik Nanjangude [mailto:karthik.nanjang...@xius-bcgi.com]
>> Sent: Tuesday, 21 April 2009 7.34
>> To: Tomcat Users List
>> Subject: Apache / Tomcat Load Balanced mode
>>
>> Hi
>>
>> Would the same work with Apache / Tomcat Load Balanced mode Configuration for single installation of the web application acme
>>
>> www.acme.com being exposed to INTERNET
>> www.acme.com/admin being exposed to INTRANET
>>
>> Reason: The application uses a single DB to request of orders (from Subscribers) and same URL with *admin* would process the orders (Internal Employees) and should not be exposed to outside world.
>>
>> Is there any Configuration within Apache or Tomcat to achieve the same?
>>
>> With regards
>> Karthik
>
> Maybe I don't understand your question, but to me there is no difference in configuring access in Load Balanced or not Load Balanced mode. As regarding the admin section, you can filter it using apache access control.

I agree, load balancing seems to be not related to the question.

One first decision would be, whether you are able to deploy your application twice, once as the ROOT context and once as admin. Then everything will become obvious.

If you only want to deploy it once, e.g. as admin, then you will need to do URL rewriting in the Apache-Layer.

When using mod_proxy, you can find info about that at
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

When using mod_jk, look at
http://tomcat.apache.org/connectors-doc/generic_howto/proxy.html

Regards,
Rainer