Shanti,

On 9/7/12 11:32 AM, Shanti Suresh wrote:
> Also, what I would like to achieve is to have a secure jmxproxy
> servlet for "set" operations. But have no authentication and
> authorization for get operations.

I personally think that's a bad idea: just set some simple username and password and have your client use it: any decent command-line HTTP client should support HTTP BASIC authentication.

> I tried might to "tighten" only the "set" operations of the
> "jmxproxy" servlet by modifying manager/WEB-INF/web.xml as
> follows, and it didn't work. I actually tried the url-pattern
> below with "/jmxproxy/?get*", but I was still able to query
> successfully without a "401 Unauthorized" failure. So I figured
> that I may not be using the right pattern. A url-pattern of
> "/jmxproxy/*" does return a 401 Unauthorized error message on
> "get".
>
> -------snippet from manager/web.xml:-----
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>JMX Proxy interface</web-resource-name>
>     <url-pattern>/jmxproxy/?set*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>manager-jmx</role-name>
>   </auth-constraint>
> </security-constraint>
>
> -----end of snippet----

You can't do that: the servlet spec's url-pattern matching only matches the path of the URL and does not include the query string.

> I am further restricting who may access the manager application in
> "conf/Catalina/localhost/manager.xml" to localhost:
>
> ----manager.xml:----
> <Context path="/manager" privileged="true"
>          docBase="/opt/tomcat/mgmt/apache/webapps/manager">
>   <Valve className="org.apache.catalina.valves.RemoteAddrValve"
>          allow="127\.0\.0\.1"/>
> </Context>
> -------------

That's good.

> So I can somehow secure the "set" but open up the "get" and "qry",
> I will be in happy curl-land.

Log it as an enhancement request in Bugzilla. I proposed this kind of thing a few months ago though I can't seem to find the thread at the moment.
It was mildly rejected due to lack of interest, but it seems we have a real use-case where a user wants this capability.

Thanks,
-chris
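
Why the quoted constraint never triggers a 401, as an added example that is not part of the original message or of Tomcat's code: a simplified Python model of the servlet specification's url-pattern rules (exact, path-prefix `/*`, extension `*.ext`, default `/`), applied to constructed jmxproxy requests. The function names, the sample URLs (written relative to the manager context) and the BEAN/ATTR/VALUE placeholders are assumptions for illustration; a real container also picks the best match among several constraints, which this model does not do.

```python
from urllib.parse import urlsplit

def pattern_matches(pattern: str, path: str) -> bool:
    """Simplified servlet-spec url-pattern test against a request path."""
    if pattern == "/":                                   # default mapping
        return True
    if pattern.startswith("/") and pattern.endswith("/*"):
        prefix = pattern[:-2]                            # path-prefix mapping
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                         # extension mapping
        last = path.rsplit("/", 1)[-1]
        return "." in last and last.endswith(pattern[1:])
    # Every other string is an exact, literal match: '?' and a
    # non-trailing '*' have no wildcard meaning.
    return path == pattern

def constraint_applies(pattern: str, url: str) -> bool:
    """Matching sees only the path; the query string is dropped first."""
    return pattern_matches(pattern, urlsplit(url).path)

PATTERN_TRIED = "/jmxproxy/?set*"   # url-pattern from the quoted web.xml
PATTERN_ALL = "/jmxproxy/*"         # pattern the poster reports returns 401

# Constructed sample requests for the three jmxproxy operations.
SAMPLE_URLS = [
    "/jmxproxy/?set=BEAN&att=ATTR&val=VALUE",
    "/jmxproxy/?get=BEAN&att=ATTR",
    "/jmxproxy/?qry=BEAN",
]

def audit(pattern: str) -> dict:
    """Map each sample URL to whether the constraint would cover it."""
    return {url: constraint_applies(pattern, url) for url in SAMPLE_URLS}

if __name__ == "__main__":
    for pattern in (PATTERN_TRIED, PATTERN_ALL):
        print(pattern)
        for url, covered in audit(pattern).items():
            print(f"  {'protected' if covered else 'OPEN':9}  {url}")
```

With the tried pattern every operation, "set" included, falls outside the constraint, while `/jmxproxy/*` covers all three; no url-pattern can separate them because they share the path `/jmxproxy/`.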