I should add that the IP restriction is applied via a filter, not with a Tomcat Valve. Essentially the question breaks down to this:
Is it possible in any way for a filter to be applied before the evaluation of the security-constraint? Or is there any other way of setting up an IP filter combined with authentication given the order from above?

Any hint for the right direction would be greatly appreciated.

Thanks,
Falco

On Fri, Jul 4, 2014 at 4:37 PM, Falco Schwarz <hid...@falco.me> wrote:
> All,
>
> I am trying to set up the jmx proxy servlet and am kinda stuck on
> security. I would like to:
>
> - restrict access to localhost
> - restrict access to require basic authentication
>
> Currently it works, though in the wrong order. This is how the request is
> being processed right now:
>
> 1) user accesses /infra/jmx
> 2) user has to authenticate
> 3) user is being denied
>
> Is it possible to switch steps 2 and 3?
>
> Relevant parts of web.xml, webapp is called infra:
>
> <servlet>
>   <servlet-name>JMXProxy</servlet-name>
>   <servlet-class>org.apache.catalina.manager.JMXProxyServlet</servlet-class>
> </servlet>
> <servlet-mapping>
>   <servlet-name>JMXProxy</servlet-name>
>   <url-pattern>/jmx/*</url-pattern>
> </servlet-mapping>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>JMX Proxy interface</web-resource-name>
>     <url-pattern>/jmx/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>jmx</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>JMX Proxy</realm-name>
> </login-config>
> <security-role>
>   <description>
>     The role that is required to access the JMX Proxy
>   </description>
>   <role-name>jmx</role-name>
> </security-role>