1 Reply Latest reply on Aug 30, 2002 4:29 PM by sildani

    How do I restrict access to a webapp resource?

    sildani

      I am running JBoss 3.0 with Jetty.

      I want to restrict access to certain dirs in my webapp in the same fashion /WEB-INF is restricted (my /images dir, for example). How do I go about doing this?

      I did some research and found that I could specify a security constraint on certain resources in the web.xml DD.

      I put this in the end of my web.xml file:

      <!-- Security constraint on certain resources -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Images</web-resource-name>
          <url-pattern>/images</url-pattern>
          <url-pattern>/images/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <web-resource-collection>
          <web-resource-name>Etc</web-resource-name>
          <url-pattern>/etc</url-pattern>
          <url-pattern>/etc/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
      </security-constraint>

      ... but despite the above, I can still browse those URL-patterns. I am trying to avoid that very thing.

      Any thoughts?

        • 1. Re: How do I restrict access to a webapp resource?
          sildani

          After doing some research, I figured out how to use the security-constraint element in web.xml to serve my particular purpose.

          A security constraint simply makes sure that before the declared resource is reached, the user is authenticated as belonging in a particular role. Therefore what I did was declare a role that I would intentionally never use and applied the constraints to that particular role. The result is those resources get restricted, albeit in an unnatural way.

          Here is the final snippet of code used in my web.xml file:

          <!-- Security constraint on certain resources.
               Note: a url-pattern ending in "/*" is a path-prefix mapping; a pattern such as
               "/images/" is an exact match and would not cover /images/logo.png, so the
               sub-directory patterns below use the "/*" form.
               Only GET and POST are listed, so other HTTP methods stay unconstrained. -->
          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Images</web-resource-name>
              <url-pattern>/images</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <web-resource-collection>
              <web-resource-name>Images</web-resource-name>
              <url-pattern>/images/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <web-resource-collection>
              <web-resource-name>Attachments</web-resource-name>
              <url-pattern>/attachments</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <web-resource-collection>
              <web-resource-name>Attachments</web-resource-name>
              <url-pattern>/attachments/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <web-resource-collection>
              <web-resource-name>Etc</web-resource-name>
              <url-pattern>/etc</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <web-resource-collection>
              <web-resource-name>Etc</web-resource-name>
              <url-pattern>/etc/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
            </web-resource-collection>
            <!-- A role nobody is ever mapped to: every request for these resources fails authorization -->
            <auth-constraint>
              <role-name>neverauth</role-name>
            </auth-constraint>
          </security-constraint>
          <security-role>
            <role-name>neverauth</role-name>
          </security-role>

          If there is a problem with this way, please let me know your thoughts!
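The following is an added example, not code from the thread or from JBoss/Jetty. It is a small Python evaluator of servlet security-constraint semantics that makes the three points in this thread concrete: a web-resource-collection with no auth-constraint constrains nothing (the first post), an exact url-pattern such as `/images/` does not cover `/images/logo.png` (only `/images/*` does), and an empty `<auth-constraint/>` is the servlet spec's own way to say "nobody may access", which avoids inventing a never-used role. The web.xml fragments embedded below are constructed for the example, and `decide` is a hypothetical helper that mirrors the spec's combination rules (deny-all beats everything, a constraint without auth-constraint then permits unauthenticated access, otherwise the union of roles applies).

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragments (assumptions for this example, not the poster's files).
# 1) The first post's shape: a web-resource-collection but no <auth-constraint>.
WEB_XML_NO_AUTH_CONSTRAINT = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Images</web-resource-name>
      <url-pattern>/images/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

# 2) Exact-match pitfall: "/images/" is an exact pattern, not a prefix pattern.
WEB_XML_EXACT_PATTERN = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Images</web-resource-name>
      <url-pattern>/images/</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>neverauth</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# 3) Spec-idiomatic deny-all: prefix patterns, no <http-method> (= every method),
#    and an empty <auth-constraint/>, which the servlet spec defines as "no access".
WEB_XML_DENY_ALL = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private static dirs</web-resource-name>
      <url-pattern>/images/*</url-pattern>
      <url-pattern>/attachments/*</url-pattern>
      <url-pattern>/etc/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def matches(pattern, path):
    """Servlet url-pattern matching: default (/), path prefix (/dir/*), extension (*.ext), exact."""
    if pattern == "/":
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def parse_constraints(web_xml):
    """Return a list of {'collections': [...], 'auth': None | [role, ...]} per security-constraint."""
    constraints = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        collections = [
            {
                "patterns": [e.text.strip() for e in wrc.findall("url-pattern")],
                "methods": [e.text.strip() for e in wrc.findall("http-method")],
            }
            for wrc in sc.findall("web-resource-collection")
        ]
        ac = sc.find("auth-constraint")  # must compare with `is None`: an empty element is falsy
        auth = None if ac is None else [e.text.strip() for e in ac.findall("role-name")]
        constraints.append({"collections": collections, "auth": auth})
    return constraints


def decide(web_xml, method, path, user_roles=()):
    """Return 'PERMIT', 'DENY' or 'AUTH_REQUIRED' for one request against a web.xml string."""
    applicable = []
    for c in parse_constraints(web_xml):
        for coll in c["collections"]:
            method_ok = not coll["methods"] or method in coll["methods"]
            if method_ok and any(matches(p, path) for p in coll["patterns"]):
                applicable.append(c["auth"])
                break
    if not applicable:
        return "PERMIT"  # no constraint covers this method+path at all
    if any(a == [] for a in applicable):
        return "DENY"  # an empty auth-constraint combines with anything to deny access
    if any(a is None for a in applicable):
        return "PERMIT"  # a constraint without auth-constraint allows unauthenticated access
    allowed = set().union(*applicable)
    if allowed & set(user_roles) or ("*" in allowed and user_roles):
        return "PERMIT"
    return "AUTH_REQUIRED"


if __name__ == "__main__":
    for cfg_name, cfg in (("no-auth-constraint", WEB_XML_NO_AUTH_CONSTRAINT),
                          ("exact-pattern", WEB_XML_EXACT_PATTERN),
                          ("deny-all", WEB_XML_DENY_ALL)):
        for path in ("/images/", "/images/logo.png", "/etc/app.properties", "/index.jsp"):
            print(f"{cfg_name:20} GET {path:22} -> {decide(cfg, 'GET', path)}")
```

Running the script prints one decision per configuration and path. Two things worth noticing when reading the output: the first configuration permits everything because nothing in it ever names an auth-constraint, and the exact-pattern configuration protects the literal path `/images/` but still serves `/images/logo.png`. The deny-all variant also omits `<http-method>`, so HEAD or other methods are covered as well; listing only GET and POST, as in the thread, leaves every other method unconstrained.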