
I am trying to secure a few pages on Tomcat 6 for a vended application. I was successful in securing most of the URLs using url-pattern, except two (marked with double asterisks in the code below). These two URLs are different in that they take parameters that determine the view. I would like to restrict those two views and hence have specified the exact URLs to be blocked/secured/authenticated, as shown below. But Tomcat does not secure them.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>TopBraid</web-resource-name>
            <description>Restrict few pages that need security.</description>
            <url-pattern>/tbl/admin/*</url-pattern>
            <url-pattern>/tbl/sparql/*</url-pattern>
            **<url-pattern>/tbl/swp?_viewClass=appConfig:ServerConfigEditor</url-pattern>**
            **<url-pattern>/tbl/swp?_viewClass=adminConfig:AdminEditPage</url-pattern>**
            <url-pattern>/tbl/sp_reset</url-pattern>
            <url-pattern>/tbl/sp_redeploy</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>SERVER_ADMINS</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>SERVER_ADMINS</role-name>
    </security-role>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>TopBraid</realm-name>
        <form-login-config>
            <form-login-page>/logon.html</form-login-page>
            <form-error-page>/logonError.html</form-error-page>
        </form-login-config>
    </login-config>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public</web-resource-name>
            <description>Matches any page.</description>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
    </security-constraint>

I know the JSR spec might call these an invalid pattern. I am wondering if the pattern could somehow be specified such that it is acceptable. Or are there other ways to restrict access to the two URLs I have listed above?

  • Why don't you use /tbl/swp instead of them? Commented Feb 28, 2013 at 20:34
  • There are other URLs that have the /tbl/swp pattern in them that do not need authentication, like /tbl/swp?_viewName=home. Commented Feb 28, 2013 at 22:02

1 Answer


Restricting access to specific URL parameters and their values, like you are trying to do above (/tbl/swp?_viewClass=tblconfig:ConfigEditor, /tbl/swp?_viewClass=admins:AdminsEditorPage), is not possible from the web or application server. This type of filtering/URL restriction will have to be performed by the application itself, through creating a unique session for those views.

When the application server parses an incoming URL, its job is done once it reaches the first "?", which starts the parameters to be passed to the application. From there, any type of filtering/access control must be handled by the application.


2 Comments

Thanks for your answer. Do you think coding a custom Tomcat Valve that could intercept all requests and then authenticate might help? I have the idea but do not know how to proceed on this.
No, that would not help for those two examples. This will have to be handled by the Java code, not by the application server. There is no Tomcat Valve that will be able to do this.
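The application-side check the answer says is required, written as a servlet Filter deployed inside the web application. This is an added example in Java, not code from the question, the answer or the vended application. It assumes the javax.servlet 2.5 API that Tomcat 6 ships with, the SERVER_ADMINS role and the two _viewClass values from the question's web.xml, and a hypothetical bounce path /tbl/admin/login that sits under the already constrained /tbl/admin/* pattern; the package and class names are also made up for the example.

```java
// Added example, not code from the question, the answer or the vended product.
// Assumes the javax.servlet 2.5 API (Tomcat 6), the role and view names from
// the question's web.xml, and a hypothetical bounce path /tbl/admin/login.
package com.example.security; // hypothetical package

import java.io.IOException;
import java.net.URLEncoder;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Enforces SERVER_ADMINS on /tbl/swp requests whose _viewClass parameter
 * selects one of the two admin views. The container still performs the
 * authentication (FORM login, realm, role assignment); this filter only adds
 * the per-parameter decision that a url-pattern cannot express.
 */
public class ViewClassAuthFilter implements Filter {

    static final String REQUIRED_ROLE = "SERVER_ADMINS";
    static final String VIEW_PARAM = "_viewClass";
    // Hypothetical path inside the constrained /tbl/admin/* area. Requesting it
    // makes the container start FORM login for a user who is not logged in yet.
    static final String LOGIN_BOUNCE_PATH = "/tbl/admin/login";

    static final Set<String> PROTECTED_VIEWS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList(
                    "appConfig:ServerConfigEditor",
                    "adminConfig:AdminEditPage")));

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /** True when any value of _viewClass names a protected view. */
    static boolean selectsProtectedView(String[] viewClassValues) {
        if (viewClassValues == null) {
            return false;
        }
        for (String value : viewClassValues) {
            if (value != null && PROTECTED_VIEWS.contains(value.trim())) {
                return true;
            }
        }
        return false;
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getParameterValues() rather than getParameter(): a request that repeats
        // the parameter (?_viewClass=home&_viewClass=appConfig:...) must not slip
        // past a check that only looks at the first copy.
        if (selectsProtectedView(request.getParameterValues(VIEW_PARAM))) {
            if (request.getRemoteUser() == null) {
                // /tbl/swp is outside every auth-constraint, so the container has not
                // run FORM login for this request. Redirecting straight to /logon.html
                // does not work either: Tomcat rejects a direct reference to the form
                // login page because j_security_check needs a container-saved request.
                // So bounce through a constrained path and carry the original URL along.
                String original = request.getRequestURI()
                        + (request.getQueryString() == null ? "" : "?" + request.getQueryString());
                response.sendRedirect(request.getContextPath() + LOGIN_BOUNCE_PATH
                        + "?returnTo=" + URLEncoder.encode(original, "UTF-8"));
                return;
            }
            if (!request.isUserInRole(REQUIRED_ROLE)) {
                // Logged in, but not an admin: deny instead of re-prompting.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

The filter is registered in web.xml with a `<filter>` entry and a `<filter-mapping>` whose `<url-pattern>` is `/tbl/swp`, so the other /tbl/swp views keep working without authentication. `getRemoteUser()` and `isUserInRole()` return what the container stored in the session at FORM login, so the role mapping in the realm stays the single source of truth. The servlet behind the hypothetical /tbl/admin/login path only has to redirect to `returnTo` after the container has authenticated the user; it should accept that value only when it starts with the request's own context path, so the parameter cannot be turned into an open redirect.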
