snichol 2002/10/15 20:33:20 Modified: java/docs/guide config.html Log: Add more information about securing the service manager and admin pages. Revision Changes Path 1.7 +36 -1 xml-soap/java/docs/guide/config.html Index: config.html =================================================================== RCS file: /home/cvs/xml-soap/java/docs/guide/config.html,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- config.html 7 May 2002 15:01:22 -0000 1.6 +++ config.html 16 Oct 2002 03:33:20 -0000 1.7 @@ -33,7 +33,9 @@ will see the value. If it is set in both places, the servlet initialization parameter value will override the value of the context -parameter for that particular servlet. It +parameter for that particular servlet. (Note: +these parameters are set in the web-app +configuration file <code>web.xml</code>.) It is recommended that you set the value via a context parameter; the servlet initialization parameter support was maintained mostly for 
@@ -108,6 +110,39 @@ directly, such as the admin JSP pages, will still be able to alter the state of the ServiceManager. </P> +<p> +Access to the admin JSP pages can be controlled in a number of ways. +For maximum security, of course, the pages (and the entire admin +directory) can be removed from the deployment. Alternatively, +they can be secured through the web-app configuration file +<code>web.xml</code>. The following snippet, for example, can protect +the pages with a password. (Note: the method for defining users and roles can vary +between servlet containers.) +</p> +<pre> + <!-- Define a Security Constraint on the Admin pages --> + <security-constraint> + <web-resource-collection> + <web-resource-name>Apache SOAP Administrator</web-resource-name> + <url-pattern>/admin/*</url-pattern> + </web-resource-collection> + <auth-constraint> + <!-- NOTE: This role is not present in the default Tomcat users file --> + <role-name>manager</role-name> + </auth-constraint> + </security-constraint> + + <!-- Define the Login Configuration for this Application --> + <login-config> + <auth-method>BASIC</auth-method> + <realm-name>Apache SOAP</realm-name> + </login-config> +</pre> +<p> +Individual servlet containers and/or Web servers will typically have additional methods +to limit access based on parameters such as client address. Tomcat 4, for example, +has Valves for remote address and remote host filters. +</p> <HR> <h3><A name="pcm"/>Pluggable Configuration Manager</A></h3> <P>The SOAP configuration manager is responsible
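Review bot: The `<security-constraint>` added in the second hunk pairs `/admin/*` with `<auth-method>BASIC</auth-method>` but carries no `<user-data-constraint>`, so the example as written will send the administrator's credentials as a reversible Base64 header over plain HTTP on every request; since this snippet is presented as the way to "protect the pages with a password", it should include a transport guarantee, e.g. after `</auth-constraint>`:
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
or at minimum the surrounding prose should state that BASIC is only safe over HTTPS. Two smaller points on the same hunk: the `manager` role referenced in `<role-name>` is never declared in a `<security-role>` element, which a strict container will reject and which the comment "This role is not present in the default Tomcat users file" does not cover; and the `<pre>` block contains literal `<security-constraint>` markup rather than `&lt;...&gt;` entities, so unless the committed file escapes them, browsers will swallow the snippet as unknown tags and the reader will see an empty block.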