-
1. Re: Best practice: secure direct web app access
peterj Mar 20, 2008 11:34 AM (in response to carstenrudat)You cannot secure portlet windows in *-object.xml. Instead, you need to secure the portlet instance in portlet-instances.xml - move the security-constraint.
-
2. Re: Best practice: secure direct web app access
carstenrudat Mar 20, 2008 12:37 PM (in response to carstenrudat)Hi PeterJ,
ok, thanks - I moved the security-constraint to the portlet-instances.xml.
But what can I do to prevent direct access to my war? I cannot set up a security-constraint in my web.xml, because I will be asked for username/password, when I call my app from JBoss Portal.
Or is this a "single-sign-on"-issue and I have to configure jboss-web.deployer anyhow to recognize, that I'm already logged on via the portal login?
Thank you very much for a tip or hint.
Carsten -
3. Re: Best practice: secure direct web app access
bdaw Mar 20, 2008 12:42 PM (in response to carstenrudat)You can avoid double login (in portal after webapp) using Tomcat SSO valve. Look here: http://docs.jboss.com/jbportal/v2.6.4/referenceGuide/html/sso.html#d0e9623
-
4. Re: Best practice: secure direct web app access
peterj Mar 20, 2008 12:47 PM (in response to carstenrudat)For the various portlets I put together, all of the contents of the war are under WEB-INF and therefore are not accessible. What do you have that is outside of WEB-INF?
-
5. Re: Best practice: secure direct web app access
carstenrudat Mar 20, 2008 1:23 PM (in response to carstenrudat)Hi PeterJ,
good point - I will remove everything into WEB-INF. Currently, I have javascripts, images, CSS-files and all *.xhtml parallel to WEB-INF.
Thanks,
Carsten -
6. Re: Best practice: secure direct web app access
peterj Mar 20, 2008 1:33 PM (in response to carstenrudat)Any content you reference in your portlet code (within Java or a JSP) you can place into WEB-INF, but anything that will be referenced via a URL embedded in an html document sent to the browser will need to remain outside of WEB-INF. Thus you might have to leave the css, javascripts and images outside WEB-INF. One possible alternative is to place these items into CMS and access them from there; you can even apply access control to them so they cannot be accessed except by people logged into the portal.
-
7. Re: Best practice: secure direct web app access
antoine_h Mar 21, 2008 4:53 AM (in response to carstenrudat)This security thing are also usually done by some http server in front
(apache...).
another thing to think of : if you use some ajax features, it usually have it's own servlet and calls it's own resources (scripts files) in the web app.
this also need to be secure, but let the ajax feature access it's resources.