On 13.06.2014 19:03, Christopher Schultz wrote:
> All,
>
> I'm interested in locking-down my jk-status page so that certain users
> can view the information but not modify it.
>
> Unfortunately, the jk-status page is implemented using a single URL as
> a controller with GET-parameters controlling what actually happens.
> Even the "edit worker" page uses GET instead of POST, so I can't just
> disable POST for all but some blessed set of users.
>
> Does anyone have any suggestions for how jk-status could be
> locked-down? I'm guessing that a whole lot of mod_rewrite rules could
> do the trick by looking for certain "write" operations and rejecting
> them, but that would mean being very careful about a lot of "magic"
> that's being sent-around in URL parameters.
>
> Has anyone done anything like this before?

It's a built-in feature: set the read_only attribute of that status
worker to "true". You can even have multiple status workers, like one
read-write and one read-only. For instance the worker.properties in the
source code release of mod_jk has:

http://svn.apache.org/viewvc/tomcat/jk/trunk/conf/workers.properties?view=co

# Define two status worker:
# - jk-status for read-only use
# - jk-manager for read/write use
worker.list=jk-status
worker.jk-status.type=status
worker.jk-status.read_only=true

worker.list=jk-manager
worker.jk-manager.type=status

That means whatever URL you mount to the worker jk-status will be
read-only and whatever URL you mount to jk-manager will be read-write.

You can choose those names and also the URLs arbitrarily as long as that
snippet stays consistent.

Regards,

Rainer
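
Added example (not part of the original thread or of the mod_jk distribution): one way to mount the two status workers from the snippet above so that ordinary users reach only the read-only one. It assumes Apache httpd 2.4 with mod_jk and Basic authentication; the URLs, the realm, the password-file path and the user name jkadmin are placeholders.

```apache
# Added example. Assumes httpd 2.4 with mod_jk, mod_auth_basic,
# mod_authn_file, mod_authz_user and mod_authz_host loaded.
# URLs, realm, file path and the user "jkadmin" are placeholders.
# Basic auth sends credentials unencrypted, so serve both URLs over TLS.

# Read-only view: worker jk-status has read_only=true in
# workers.properties, so edit/update actions sent to this URL are refused
# by the worker itself, whatever GET parameters are supplied.
<Location /jk-status>
    # Inside <Location> the URL is omitted from JkMount
    JkMount jk-status
    AuthType Basic
    AuthName "mod_jk status"
    AuthUserFile "/path/to/htpasswd"
    # Any authenticated user may view
    Require valid-user
</Location>

# Read-write manager: worker jk-manager has no read_only attribute.
# Restrict it to one named account and to requests from localhost.
<Location /jk-manager>
    JkMount jk-manager
    AuthType Basic
    AuthName "mod_jk status"
    AuthUserFile "/path/to/htpasswd"
    <RequireAll>
        Require user jkadmin
        Require ip 127.0.0.1
    </RequireAll>
</Location>
```

With this split, no mod_rewrite filtering of the status page's GET parameters is needed: the write restriction lives in the worker definition and the access restriction in the two Location blocks.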