On 1:59 PM, André Warnier wrote:
Terence M. Bandoian wrote:
On 1:59 PM, Konstantin Kolinko wrote:
2011/11/3 Leon Rosenberg<rosenberg.l...@gmail.com>:
I have a situation where an application is accessible from outside in
staging and production environment, but shouldn't be open for public
in staging environment.
Put it behind Apache HTTPD (or any other proxy) and let HTTPD handle
authentication & authorization instead of Tomcat.
I'd advise against using BASIC auth in public internet, unless the
channel is protected with HTTPS.
What we did so far was, that we excluded everyone via web.xml:
You can automate the above. If you pack your war file using Ant, you
can use the <replaceregexp> task.
Best regards,
Konstantin Kolinko
I'm not sure what "open for public" means above.
What about using a system property (e.g.
myorg.myapp.isStagingEnv=true) in a filter or valve to accept or
reject requests?
If I (belatedly) understand the requirements properly, Leon does not
want to reject /all/ requests (that, he could do by undeploying
the application). It is more something like this:
- requests originating from a range of IP addresses (e.g. the internal
LAN) should be accepted, without authentication
- requests originating from anywhere else should be submitted to
authentication.
Practical case: the application is in a testing state, and should not
be available to the public at large, only to inside testers. The
inside testers should not have to log in for that.
However, occasionally, someone may be sitting in an Internet Cafe and
want to do a demo for a customer from there. He should be able to
access the application, but only after logging in.
Leon, if the above is not the right description, please correct it.
In such matters, the devil is in the details.
The system property that indicates whether or not the application is in
a staging or test environment would be used in conjunction with a test
against, for example, request.getRemoteUser() or request.isUserInRole()
or request.getRemoteAddr().
-Terence Bandoian
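The filter Terence and André describe, written out as an added example (not code from this thread or from Tomcat): in a staging environment, requests whose remote address falls inside a trusted network pass through without authentication, and every other request must carry a container-authenticated user; in production the filter does nothing and the normal web.xml constraints apply. The system property name `myorg.myapp.isStagingEnv` is the one from the thread; the class name `StagingAccessFilter`, the init-params `trustedNetworks`, `requiredRole` and `loginPath`, and the IPv4-only CIDR helper are assumptions made for this example. It assumes `loginPath` points at a location that web.xml already protects with a security-constraint and login-config, so that redirecting there makes the container perform the login and cache the principal in the session.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter for the staging-access problem from the thread.
 * Map it to /* in web.xml with init-params such as:
 *   trustedNetworks = 10.0.0.0/8,192.168.1.0/24   (assumed sample values)
 *   requiredRole    = tester                       (optional)
 *   loginPath       = /login/                      (must be under a security-constraint)
 */
public class StagingAccessFilter implements Filter {

    // System property name taken from the thread; -Dmyorg.myapp.isStagingEnv=true on staging only.
    private static final String STAGING_PROPERTY = "myorg.myapp.isStagingEnv";

    private boolean staging;
    private final List<Cidr> trustedNets = new ArrayList<Cidr>();
    private String requiredRole; // optional: role an outside user must hold
    private String loginPath;    // optional: container-protected path to redirect to

    public void init(FilterConfig cfg) throws ServletException {
        staging = Boolean.getBoolean(STAGING_PROPERTY);
        String nets = cfg.getInitParameter("trustedNetworks");
        if (nets != null) {
            for (String n : nets.split(",")) {
                trustedNets.add(Cidr.parse(n.trim()));
            }
        }
        requiredRole = cfg.getInitParameter("requiredRole");
        loginPath = cfg.getInitParameter("loginPath");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Production: no extra gate. Staging: inside network OR logged-in user passes.
        if (!staging || isTrusted(request.getRemoteAddr()) || isAuthenticated(request)) {
            chain.doFilter(req, res);
            return;
        }
        // Outside and not logged in: send to the container-protected login path, else refuse.
        String loginUri = loginPath == null ? null : request.getContextPath() + loginPath;
        if (loginUri != null && !request.getRequestURI().startsWith(loginUri)) {
            response.sendRedirect(loginUri);
        } else {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    public void destroy() {
    }

    /** True if the peer address lies inside one of the configured trusted networks. */
    boolean isTrusted(String remoteAddr) {
        try {
            InetAddress addr = InetAddress.getByName(remoteAddr); // numeric, no DNS lookup
            for (Cidr c : trustedNets) {
                if (c.contains(addr)) {
                    return true;
                }
            }
        } catch (UnknownHostException e) {
            // Unparsable address: treat as untrusted.
        }
        return false;
    }

    /** True if the container authenticated the user (and the user holds the role, if one is required). */
    boolean isAuthenticated(HttpServletRequest request) {
        if (request.getRemoteUser() == null) {
            return false;
        }
        return requiredRole == null || request.isUserInRole(requiredRole);
    }

    /** Minimal IPv4 CIDR matcher; IPv6 addresses never match (assumption for this example). */
    static final class Cidr {
        private final int network;
        private final int mask;

        private Cidr(int network, int mask) {
            this.network = network;
            this.mask = mask;
        }

        static Cidr parse(String spec) throws ServletException {
            String[] parts = spec.split("/");
            int prefix = parts.length > 1 ? Integer.parseInt(parts[1]) : 32;
            if (prefix < 0 || prefix > 32) {
                throw new ServletException("bad prefix length in " + spec);
            }
            try {
                int mask = prefix == 0 ? 0 : (int) (0xFFFFFFFFL << (32 - prefix));
                return new Cidr(toInt(InetAddress.getByName(parts[0]).getAddress()) & mask, mask);
            } catch (UnknownHostException e) {
                throw new ServletException("bad network in " + spec, e);
            }
        }

        boolean contains(InetAddress addr) {
            byte[] b = addr.getAddress();
            return b.length == 4 && (toInt(b) & mask) == network;
        }

        private static int toInt(byte[] b) {
            return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16) | ((b[2] & 0xff) << 8) | (b[3] & 0xff);
        }
    }
}
```

Two points worth keeping in mind with this approach. `getRemoteAddr()` reports the TCP peer, so if the application sits behind Apache HTTPD or another proxy, as Konstantin suggested, every request looks like it comes from the proxy and the trusted-network test is meaningless unless Tomcat is configured to recover the client address from the proxy (Tomcat's RemoteIpValve does this for a configured list of trusted proxies); never derive "internal" status from an `X-Forwarded-For` header the filter reads itself, since any client can set it. And because the Internet-cafe case passes credentials over the public network, the login path should be reachable only over HTTPS, which is Konstantin's caveat about BASIC authentication.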
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org