2 Replies Latest reply on Aug 30, 2002 4:30 PM by sildani

How do I restrict access to a webapp resource?

sildani Aug 28, 2002 12:49 PM

I am running JBoss 3.0 with Jetty.

I want to restrict access to certain dirs in my webapp in the same fashion /WEB-INF is restricted (my /images dir, for example). How do I go about doing this?

Thanks!
Dan

1. Re: How do I restrict access to a webapp resource?

sildani Aug 29, 2002 2:26 PM (in response to sildani)

I did some more research. I found that I could specify a security contstraint on certain resources in the web.xml DD.

I put this in the end of my web.xml file:


<security-constraint>
<web-resource-collection>
<web-resource-name>Images</web-resource-name>
<url-pattern>/images</url-pattern>
<url-pattern>/images/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Etc</web-resource-name>
<url-pattern>/etc</url-pattern>
<url-pattern>/etc/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>

... but despite the above, I can still browse those URL-patterns.

Any thoughts?

Dan
Actions
2. Re: How do I restrict access to a webapp resource?

sildani Aug 30, 2002 4:30 PM (in response to sildani)

After doing some research, I figured out how to use the secutiry-constraint element in web.xml to serve my particular purpose.

Secutiry constraint simply makes sure that before the declared resource is reached, the user is authenticated as belonging in a particular role. Therefore what I did was declare a role that I would intentionally never use and applied the contraints to that particular role. The result is those resources get restricted, albeit in an unnatural way.

Here is the final snippet of code used in my web.xml file:


<security-constraint>
<web-resource-collection>
<web-resource-name>Images</web-resource-name>
<url-pattern>/images</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Images</web-resource-name>
<url-pattern>/images/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Attachments</web-resource-name>
<url-pattern>/attachments</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Attachments</web-resource-name>
<url-pattern>/attachments/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Etc</web-resource-name>
<url-pattern>/etc</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<web-resource-collection>
<web-resource-name>Etc</web-resource-name>
<url-pattern>/etc/</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>neverauth</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>neverauth</role-name>
</security-role>

If there is a problem with this way, please let me know your thoughts!
Actions

Go to original post