
How to apply a tomcat security role for all URLs but one?

My administrative web application is secured using basic-auth:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>myApp</web-resource-name>
    <description>
      Security constraint for
      Admin resources
    </description>
    <url-pattern>/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>
      constraint
    </description>
    <role-name>myrolename</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Admin Login</realm-name>
</login-config>

However, I need to establish an exclusion for a single URL (say /check/, used by an automated service checking at regular intervals whether the web application is still up).

Unfortunately I cannot activate basic authentication for this service.

How can I achieve this?

Thanks a lot.

peterp asked Mar 15 '12 15:03



1 Answer

Adding another constraint before with <transport-guarantee>NONE</transport-guarantee> did the trick

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Status page, accessed internally by application</web-resource-name>
        <url-pattern>/status/</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
peterp answered Dec 25 '22 05:12