Re: web.xml processing order of directives - filter vs security-constraint
Konstantin,

On Sat, Jul 5, 2014 at 3:26 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> You can either perform IP filtering in a Valve (that will be in the
> pipeline before an Authenticator), or you can remove security-constraint
> and implement authentication and authorization in a filter (such as
> Security Filter, or using Spring Security framework).
> http://wiki.apache.org/tomcat/AddOns#Filters

In search of something simpler than Spring Security I stumbled upon Apache Shiro. I quite like the way it is set up and it gets the job done. Perhaps you might want to add this to the 3rd party filters in the Wiki, too?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: web.xml processing order of directives - filter vs security-constraint
On 5. Juli 2014 19:04:26 MESZ, Falco Schwarz <hid...@falco.me> wrote:
> On Sat, Jul 5, 2014 at 6:17 PM, Hassan Schroeder <hassan.schroe...@gmail.com> wrote:
>> (Sorry, late to the thread but ...) if you just want to restrict access
>> to a resource to localhost, why not os-level e.g. an iptables rule?
>
> Well, the reason behind the restriction is that I would like to use
> Tomcat's jmxproxy for our production systems, as our current monitoring
> solution is quite limited. Therefore I am planning to deploy an
> additional webapp to each Tomcat. I would also restrict access to our
> real web applications if I restricted the whole connector.

You could add a virtual host or even another service in which you could deploy the jmxproxy and restrict IPs at the same time.

Regards
Felix
Re: web.xml processing order of directives - filter vs security-constraint
2014-07-06 13:45 GMT+04:00 Falco Schwarz <hid...@falco.me>:
> Konstantin,
>
> On Sat, Jul 5, 2014 at 3:26 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
>> You can either perform IP filtering in a Valve (that will be in the
>> pipeline before an Authenticator), or you can remove security-constraint
>> and implement authentication and authorization in a filter (such as
>> Security Filter, or using Spring Security framework).
>> http://wiki.apache.org/tomcat/AddOns#Filters
>
> In search of something simpler than Spring Security I stumbled upon
> Apache Shiro. I quite like the way it is set up and it gets the job
> done. Perhaps you might want to add this to the 3rd party filters in
> the Wiki, too?

Done. Thank you.

Best regards,
Konstantin Kolinko
Re: web.xml processing order of directives - filter vs security-constraint
2014-07-05 20:00 GMT+04:00 Falco Schwarz <hid...@falco.me>:
> On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas <m...@homeinbox.net> wrote:
>> Maybe look at a third party security plugin like Spring Security? Not
>> sure if this is supported but worth a look.
>>
>> Mark
>
> Thanks Mark and Konstantin for your quick replies.
>
> I tried to accomplish this only using Spring Security and I also got
> kinda stuck with the processing ordering. It is possible to use
> expressions like:
>
> <security:http>
>   <security:intercept-url pattern="/**" access="hasIpAddress('127.0.0.1') and hasRole('ROLE_JMX')" />
>   <security:http-basic />
> </security:http>
>
> ... but yet again, because of the http-basic tag, the user is always
> presented with an authentication instead of being denied.
>
> In the end I found a solution which suits my needs: combining the
> RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter
> always prevents access if the client is not localhost. If the client is
> localhost then Spring Security kicks in and finally authenticates the
> User.
>
> Quite complicated for such a simple task and I really did not expect to
> find so little information regarding such an issue on the internet.

Ask Spring Security people?

(They wrote recently that they shut down all their forums, and support is currently provided via StackOverflow.
http://spring.io/blog/2014/06/18/retiring-the-forum-spring-io-website )

I think you can inject RemoteAddrFilter into the Spring Security filter chain (that is, if you do not want to configure it separately in web.xml),
http://docs.spring.io/spring-security/site/docs/3.2.4.RELEASE/reference/htmlsingle/#ns-custom-filters

> From a systems administrator perspective there is no way I would present
> a login form first and then deny via IP filters, but I guess that is
> just how the servlet spec is defined.

I think that admins usually do not want to bother with web application internals such as web.xml. The usual solution is to configure a RemoteAddrValve.

Best regards,
Konstantin Kolinko
Re: web.xml processing order of directives - filter vs security-constraint
On Sun, Jul 6, 2014 at 1:35 PM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> I think you can inject RemoteAddrFilter into the Spring Security filter
> chain (that is, if you do not want to configure it separately in web.xml),

You are right, I did not think of that. FWIW this is easily doable using custom filters [1] with Shiro, so it should be possible with Spring Security as well.

Thanks again for your help,
Falco

[1] http://shiro.apache.org/web.html#Web-AvailableFilters
Re: web.xml processing order of directives - filter vs security-constraint
I should add that the IP restriction is applied via filter, not with a Tomcat Valve.

Essentially the question breaks down to this: Is it possible in any way for a filter to be applied before the evaluation of the security-constraint? Or is there any other way of setting up an IP filter combined with authentication given the order from above?

Any hint for the right direction would be greatly appreciated.

Thanks,
Falco

On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz <hid...@falco.me> wrote:
> All,
>
> I am trying to set up the jmx proxy servlet and am kinda stuck on
> security. I would like to:
>
> - restrict access to localhost
> - restrict access to require basic authentication
>
> Currently it works, though in the wrong order. This is how the request
> is being processed right now:
>
> 1) user accesses /infra/jmx
> 2) user has to authenticate
> 3) user is being denied
>
> Is it possible to switch step 2 and 3?
>
> Relevant parts of web.xml, webapp is called infra:
>
> <servlet>
>   <servlet-name>JMXProxy</servlet-name>
>   <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
> </servlet>
> <servlet-mapping>
>   <servlet-name>JMXProxy</servlet-name>
>   <url-pattern>/jmx/*</url-pattern>
> </servlet-mapping>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>JMX Proxy interface</web-resource-name>
>     <url-pattern>/jmx/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>jmx</role-name>
>   </auth-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>JMX Proxy</realm-name>
> </login-config>
>
> <security-role>
>   <description>
>     The role that is required to access the JMX Proxy
>   </description>
>   <role-name>jmx</role-name>
> </security-role>
Re: web.xml processing order of directives - filter vs security-constraint
On 5 July 2014 08:41:52 BST, Falco Schwarz <hid...@falco.me> wrote:
> I should add that the IP restriction is applied via filter, not with a
> Tomcat Valve.
>
> Essentially the question breaks down to this: Is it possible in any way
> for a filter to be applied before the evaluation of the
> security-constraint?

No.

> Or is there any other way of setting up an IP filter combined with
> authentication given the order from above?

Maybe look at a third party security plugin like Spring Security? Not sure if this is supported but worth a look.

Mark

> Any hint for the right direction would be greatly appreciated.
>
> Thanks,
> Falco
>
> On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz <hid...@falco.me> wrote:
>> All,
>>
>> I am trying to set up the jmx proxy servlet and am kinda stuck on
>> security. I would like to:
>>
>> - restrict access to localhost
>> - restrict access to require basic authentication
>>
>> Currently it works, though in the wrong order. This is how the request
>> is being processed right now:
>>
>> 1) user accesses /infra/jmx
>> 2) user has to authenticate
>> 3) user is being denied
>>
>> Is it possible to switch step 2 and 3?
>>
>> Relevant parts of web.xml, webapp is called infra:
>>
>> <servlet>
>>   <servlet-name>JMXProxy</servlet-name>
>>   <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
>> </servlet>
>> <servlet-mapping>
>>   <servlet-name>JMXProxy</servlet-name>
>>   <url-pattern>/jmx/*</url-pattern>
>> </servlet-mapping>
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>JMX Proxy interface</web-resource-name>
>>     <url-pattern>/jmx/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>jmx</role-name>
>>   </auth-constraint>
>> </security-constraint>
>>
>> <login-config>
>>   <auth-method>BASIC</auth-method>
>>   <realm-name>JMX Proxy</realm-name>
>> </login-config>
>>
>> <security-role>
>>   <description>
>>     The role that is required to access the JMX Proxy
>>   </description>
>>   <role-name>jmx</role-name>
>> </security-role>
Re: web.xml processing order of directives - filter vs security-constraint
2014-07-05 11:41 GMT+04:00 Falco Schwarz <hid...@falco.me>:
> I should add that the IP restriction is applied via filter, not with a
> Tomcat Valve.
>
> Essentially the question breaks down to this: Is it possible in any way
> for a filter to be applied before the evaluation of the
> security-constraint? Or is there any other way of setting up an IP
> filter combined with authentication given the order from above?

No. A security-constraint is applied before the request reaches a web application.

You can either perform IP filtering in a Valve (that will be in the pipeline before an Authenticator), or you can remove security-constraint and implement authentication and authorization in a filter (such as Security Filter, or using Spring Security framework).
http://wiki.apache.org/tomcat/AddOns#Filters

Best regards,
Konstantin Kolinko
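The Valve route Konstantin describes, written out as an added example (not configuration from the thread or from Tomcat's own distribution). It assumes the webapp from the original post, named "infra", keeps its web.xml unchanged, and that its META-INF/context.xml looks like this; the Valve class and its `allow` attribute are Tomcat's real RemoteAddrValve, the `privileged="true"` setting is assumed here because Tomcat's manager webapp uses it for the same JMXProxyServlet class.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the "infra" webapp (added example, not from the thread).
     Valves sit in the Context pipeline ahead of the Authenticator that Tomcat
     installs for the <security-constraint> in web.xml, so a client that is not
     local is answered with 403 before any BASIC challenge is sent. A filter
     cannot achieve this, because filters run only after container security. -->
<Context privileged="true">  <!-- assumed: as in Tomcat's manager webapp, since
                                  JMXProxyServlet is a Catalina-internal class -->

  <!-- allow is a regular expression matched against the client's IP address.
       This one admits IPv4 loopback and both spellings of the IPv6 loopback. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />

</Context>
```

With this in place the order of events for a remote client becomes: Valve denies, request never reaches the Authenticator, no credentials are requested. A local client passes the Valve, is challenged for BASIC credentials by the Authenticator, and only then reaches the JMXProxy servlet. Note that the address the Valve sees is the connector's peer address; if Tomcat sits behind a reverse proxy, the proxy's address is what gets matched unless a RemoteIpValve is configured ahead of it.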
Re: web.xml processing order of directives - filter vs security-constraint
On Sat, Jul 5, 2014 at 12:39 PM, Mark Thomas <m...@homeinbox.net> wrote:
> Maybe look at a third party security plugin like Spring Security? Not
> sure if this is supported but worth a look.
>
> Mark

Thanks Mark and Konstantin for your quick replies.

I tried to accomplish this only using Spring Security and I also got kinda stuck with the processing ordering. It is possible to use expressions like:

<security:http>
  <security:intercept-url pattern="/**" access="hasIpAddress('127.0.0.1') and hasRole('ROLE_JMX')" />
  <security:http-basic />
</security:http>

... but yet again, because of the http-basic tag, the user is always presented with an authentication instead of being denied.

In the end I found a solution which suits my needs: combining the RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter always prevents access if the client is not localhost. If the client is localhost then Spring Security kicks in and finally authenticates the User.

Quite complicated for such a simple task and I really did not expect to find so little information regarding such an issue on the internet.

From a systems administrator perspective there is no way I would present a login form first and then deny via IP filters, but I guess that is just how the servlet spec is defined.

Anyway, thanks again and keep up the good work.

Falco
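The filter-chain route Falco settled on, as an added example web.xml (not Falco's actual file and not shipped with Tomcat or Spring Security). It assumes the "infra" webapp from the original post and a Spring context file at /WEB-INF/security.xml holding the `<security:http>` block quoted above; the filter class names are the real Tomcat RemoteAddrFilter and Spring DelegatingFilterProxy. The point it shows is the ordering: the container's `<security-constraint>`, `<login-config>` and `<security-role>` are removed (they would still run before any filter), and the two filter-mappings are listed in the order they must execute.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- web.xml of the "infra" webapp (added example, not from the thread).
     No <security-constraint> here: container security is evaluated before the
     filter chain, which is exactly the ordering problem the thread is about. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <servlet>
    <servlet-name>JMXProxy</servlet-name>
    <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>JMXProxy</servlet-name>
    <url-pattern>/jmx/*</url-pattern>
  </servlet-mapping>

  <!-- Step 1: IP restriction. Filters run in the order of their
       <filter-mapping> elements, so this mapping is listed first.
       allow is a regular expression on the client IP address. -->
  <filter>
    <filter-name>RemoteAddrFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
    <init-param>
      <param-name>allow</param-name>
      <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>RemoteAddrFilter</filter-name>
    <url-pattern>/jmx/*</url-pattern>
  </filter-mapping>

  <!-- Step 2: BASIC authentication via Spring Security. Only requests that
       passed step 1 ever reach this filter, so a remote client is denied
       without seeing a credentials prompt. The bean name
       "springSecurityFilterChain" is the one DelegatingFilterProxy looks up. -->
  <filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/jmx/*</url-pattern>
  </filter-mapping>

  <!-- Loads /WEB-INF/security.xml (assumed name) containing the
       <security:http> ... <security:http-basic /> configuration. -->
  <listener>
    <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
  </listener>
  <context-param>
    <param-name>contextConfigLocation</param-name>
    <param-value>/WEB-INF/security.xml</param-value>
  </context-param>

</web-app>
```

The `hasIpAddress('127.0.0.1')` term in the Spring expression can stay as defence in depth, but it is no longer what keeps remote clients away from the prompt; the RemoteAddrFilter mapping does that. Swapping the two filter-mapping elements reintroduces the original behaviour (challenge first, deny second), which is a useful thing to check after any later edit to the file.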
Re: web.xml processing order of directives - filter vs security-constraint
On Sat, Jul 5, 2014 at 9:00 AM, Falco Schwarz <hid...@falco.me> wrote:
> In the end I found a solution which suits my needs: combining the
> RemoteAddrFilter with Spring Security. This way the RemoteAddrFilter
> always prevents access if the client is not localhost.

(Sorry, late to the thread but ...) if you just want to restrict access to a resource to localhost, why not os-level e.g. an iptables rule?

FWIW,
--
Hassan Schroeder ------------------------ hassan.schroe...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan
Re: web.xml processing order of directives - filter vs security-constraint
On Sat, Jul 5, 2014 at 6:17 PM, Hassan Schroeder <hassan.schroe...@gmail.com> wrote:
> (Sorry, late to the thread but ...) if you just want to restrict access
> to a resource to localhost, why not os-level e.g. an iptables rule?

Well, the reason behind the restriction is that I would like to use Tomcat's jmxproxy for our production systems, as our current monitoring solution is quite limited. Therefore I am planning to deploy an additional webapp to each Tomcat. I would also restrict access to our real web applications if I restricted the whole connector.
web.xml processing order of directives - filter vs security-constraint
All,

I am trying to set up the jmx proxy servlet and am kinda stuck on security. I would like to:

- restrict access to localhost
- restrict access to require basic authentication

Currently it works, though in the wrong order. This is how the request is being processed right now:

1) user accesses /infra/jmx
2) user has to authenticate
3) user is being denied

Is it possible to switch step 2 and 3?

Relevant parts of web.xml, webapp is called infra:

<servlet>
  <servlet-name>JMXProxy</servlet-name>
  <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>JMXProxy</servlet-name>
  <url-pattern>/jmx/*</url-pattern>
</servlet-mapping>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>JMX Proxy interface</web-resource-name>
    <url-pattern>/jmx/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>jmx</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>JMX Proxy</realm-name>
</login-config>

<security-role>
  <description>
    The role that is required to access the JMX Proxy
  </description>
  <role-name>jmx</role-name>
</security-role>