
Jetty webserver security

I have a website powered by Jetty.

I'd like to make the site password protected (or similar).

Is there a way to do this by configuration alone (without touching the code)?

All help much appreciated.

Dan

Dan asked Mar 16 '11 10:03



1 Answer

One way to do this is by setting up basic authentication for your application. You should only do this if you use SSL, but then login without SSL is not secure anyway, so I guess you have that already.

There are many ways to do this in Jetty, and this is only one of them.

First, you must define a realm where you define all users, passwords, roles etc. The default settings in Jetty already define a realm called "Test Realm". The realm is defined in the file /etc/jetty-testrealm.xml. You may use this realm or create a new one. If you define a new one, you may define it in the same file or in a separate file. If you create a separate file, remember to include that file in start.ini.

The /etc/jetty-testrealm.xml has a reference to /etc/realm.properties. This is where you create your users. If you want to just use the test realm, remember to delete the default users that are already defined in realm.properties.

There are also other kinds of realm implementations that use, e.g., a database for user data.

Next, open the /etc/webdefault.xml file and add something like this at the bottom:

<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>      <!-- The URL pattern that should be protected -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>       <!-- The roles required for accessing the URL -->
    <role-name>user</role-name>
    <role-name>moderator</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>     <!-- Use http basic authentication -->
  <realm-name>Test Realm</realm-name>  <!-- Users are defined in this realm -->
</login-config>
sstendal answered Oct 31 '22 02:10
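
A check for the setup described in the answer above, as an added example that is not part of the original post: it reads a realm.properties file (entries of the form `username: credential[,role ...]`) together with the security constraint, and reports for each user how the credential is stored and whether the user holds a role the constraint accepts. The user entries, hash placeholders and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample data (not from a real Jetty install). Entry format:
#   username: credential[,role ...]
REALM_PROPERTIES = """\
# constructed users for illustration
alice: CRYPT:placeholderhash,admin
bob: s3cret,user
carol: OBF:placeholderobf,moderator
dave: MD5:5f4dcc3b5aa765d61d8327deb882cf99,guest
"""

# The constraint from the answer, wrapped in a root element so it parses.
WEB_XML = """\
<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>user</role-name>
      <role-name>moderator</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

ENTRY = re.compile(r"^\s*([^:=\s#]+)\s*[:=]\s*(.+?)\s*$")

def local(tag):
    """Strip an XML namespace, e.g. '{ns}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]

def constraint_roles(web_xml):
    """Roles listed in any <auth-constraint> of the descriptor."""
    root = ET.fromstring(web_xml)
    return {r.text.strip() for c in root.iter() if local(c.tag) == "auth-constraint"
            for r in c if local(r.tag) == "role-name" and r.text}

def audit(realm_text, web_xml):
    """Return (user, storage, recoverable, authorized) for each realm entry."""
    allowed, rows = constraint_roles(web_xml), []
    for line in realm_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # comment or blank line
        credential, *roles = [f.strip() for f in m.group(2).split(",")]
        kind = next((p for p in ("OBF", "MD5", "CRYPT") if credential.startswith(p + ":")), "PLAIN")
        # PLAIN and OBF can be turned back into the password by anyone who reads the file.
        rows.append((m.group(1), kind, kind in ("PLAIN", "OBF"), bool(allowed & set(roles))))
    return rows
```

Any leftover default user that shows up as authorized in the output is an account that can log in to the protected site.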