7 Replies Latest reply on Mar 21, 2008 4:53 AM by antoine_h

Best practice: secure direct web app access

carstenrudat Mar 20, 2008 5:22 AM

Hi all,

I'd like to know how I secure the access to a web app that runs as a portlet. I have the portlet secured by a <security-constraint> in the *-object.xml, but if I call http(s)://server:port/my-web-app-context-root/folder-in-war/resource I get the content delivered without being logged in.

Now, if I configured a <security-constraint> in my web.xml (with the same user role and security-domain as for the portlet) JBoss asks for a username and password (BASIC-auth). That's quite good, but it asks for username and password for the portlet, too - even if I logged in.

What are the best practices for that?

Thanks,
Carsten

1. Re: Best practice: secure direct web app access

peterj Mar 20, 2008 11:34 AM (in response to carstenrudat)

You cannot secure portlet windows in *-object.xml. Instead, you need to secure the portlet instance in portlet-instances.xml - move the security-constraint.
Actions
2. Re: Best practice: secure direct web app access

carstenrudat Mar 20, 2008 12:37 PM (in response to carstenrudat)

Hi PeterJ,

ok, thanks - I moved the security-constraint to the portlet-instances.xml.

But what can I do to prevent direct access to my war? I cannot set up a security-constraint in my web.xml, because I will be asked for username/password, when I call my app from JBoss Portal.
Or is this a "single-sign-on"-issue and I have to configure jboss-web.deployer anyhow to recognize, that I'm already logged on via the portal login?

Thank you very much for a tip or hint.
Carsten
Actions
3. Re: Best practice: secure direct web app access

bdaw Mar 20, 2008 12:42 PM (in response to carstenrudat)

You can avoid double login (in portal after webapp) using Tomcat SSO valve. Look here: http://docs.jboss.com/jbportal/v2.6.4/referenceGuide/html/sso.html#d0e9623
Actions
4. Re: Best practice: secure direct web app access

peterj Mar 20, 2008 12:47 PM (in response to carstenrudat)

For the various portlets I put together, all of the contents of the war are under WEB-INF and therefore are not accessible. What do you have that is outside of WEB-INF?
Actions
5. Re: Best practice: secure direct web app access

carstenrudat Mar 20, 2008 1:23 PM (in response to carstenrudat)

Hi PeterJ,

good point - I will remove everything into WEB-INF. Currently, I have javascripts, images, CSS-files and all *.xhtml parallel to WEB-INF.

Thanks,
Carsten
Actions
6. Re: Best practice: secure direct web app access

peterj Mar 20, 2008 1:33 PM (in response to carstenrudat)

Any content you reference in your portlet code (within Java or a JSP) you can place into WEB-INF, but anything that will be referenced via a URL embedded in an html document sent to the browser will need to remain outside of WEB-INF. Thus you might have to leave the css, javascripts and images outside WEB-INF. One possible alternative is to place these items into CMS and access them from there; you can even apply access control to them so they cannot be accessed except by people logged into the portal.
Actions
7. Re: Best practice: secure direct web app access

antoine_h Mar 21, 2008 4:53 AM (in response to carstenrudat)

This security thing are also usually done by some http server in front
(apache...).

another thing to think of : if you use some ajax features, it usually have it's own servlet and calls it's own resources (scripts files) in the web app.

this also need to be secure, but let the ajax feature access it's resources.
Actions

Go to original post