Sunday, January 24, 2010

Restricting Access to Web application through Tomcat configuration

I have an external client that needed access to an internal web server for testing purposes. In the past, we solved this problem by restricting access based on public IPs: most of our clients had static IPs that stayed the same regardless of which network they belonged to, so we could allow access through the firewall by IP address.

In this case, our client had a dynamic IP: it changed constantly, so the above solution wouldn't work. In other workplaces this problem was typically solved with a VPN, but the network admins didn't support that at the time.

I did not want to build a custom authentication mechanism at the application level just for testing purposes. That would mean changing the behaviour of my application just for testing! GAH!

Instead I applied a login-based security mechanism at the Tomcat level as follows.

In the web application's web.xml I added the following:
  <!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Block access to entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- NOTE:  This role is not present in the default users file -->
      <role-name>zebrafish</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Zebrafish</realm-name>
  </login-config>

  <!-- Security roles referenced by this web application -->
  <security-role>
    <description>
      The role that is required to log in to the Zebrafish Application
    </description>
    <role-name>zebrafish</role-name>
  </security-role>

And in Tomcat's conf/tomcat-users.xml I added the new role and a user holding it, as follows:

<role rolename="zebrafish"/>
<user username="philip" password="philip" roles="zebrafish"/>

Once the application is redeployed and the server restarted, every request to the web application triggers a browser authentication prompt, and when we go to production the constraint is very easy to disable.
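As an added check (my own example, not code from the original post), here is a small offline lint that cross-checks the two files above: it flags any role an auth-constraint demands that no user in tomcat-users.xml actually holds (the pitfall the NOTE comment in web.xml refers to), and flags BASIC auth that has no CONFIDENTIAL transport guarantee, since BASIC carries the password base64-encoded on every request. The embedded XML is constructed sample input and the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed sample input mirroring the fragments above: web.xml with the
# usual default namespace, tomcat-users.xml with the role and user lines.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Block access to entire application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>zebrafish</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>Zebrafish</realm-name></login-config>
</web-app>"""
TOMCAT_USERS = """<tomcat-users>
  <role rolename="zebrafish"/>
  <user username="philip" password="philip" roles="zebrafish"/>
</tomcat-users>"""

def _named(elem, name):
    """Yield elem and its descendants whose local tag is `name`, ignoring namespaces."""
    return (e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name)

def required_roles(web_xml):
    """Concrete roles demanded by <auth-constraint>s; '*'/'**' need no user entry."""
    roles = set()
    for ac in _named(ET.fromstring(web_xml), "auth-constraint"):
        roles.update(r.text.strip() for r in _named(ac, "role-name"))
    return roles - {"*", "**"}

def granted_roles(tomcat_users):
    """Roles actually held by at least one <user> in tomcat-users.xml."""
    roles = set()
    for u in _named(ET.fromstring(tomcat_users), "user"):
        roles.update(r.strip() for r in u.get("roles", "").split(",") if r.strip())
    return roles

def lint(web_xml, tomcat_users):
    """Return findings as strings; an empty list means the two files agree."""
    findings = [f"role '{r}' is required by web.xml but no user in tomcat-users.xml holds it"
                for r in sorted(required_roles(web_xml) - granted_roles(tomcat_users))]
    root = ET.fromstring(web_xml)
    methods = {m.text.strip() for m in _named(root, "auth-method")}
    guarantees = {g.text.strip() for g in _named(root, "transport-guarantee")}
    if "BASIC" in methods and "CONFIDENTIAL" not in guarantees:
        findings.append("BASIC auth sends the password base64-encoded on every request; add a "
                        "<transport-guarantee>CONFIDENTIAL</transport-guarantee> so it only runs over TLS")
    return findings
```

Run `lint(WEB_XML, TOMCAT_USERS)` against the sample pair and it reports only the missing transport guarantee; adding a `<user-data-constraint>` with CONFIDENTIAL to the constraint makes the list empty.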
