<security-constraint> only for remote access

<security-constraint> only for remote access

Jürgen Weber
Hi,

I'd like to have web app security if accessed from outside the local network.

if (!local)
   check <security-constraint>


Is this possible? with RemoteHostValve ?

Thx,
Juergen

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: <security-constraint> only for remote access

Christopher Schultz-2
Jürgen,

On 11/12/20 06:30, Jürgen Weber wrote:
> I'd like to have web app security if accessed from outside the local network.
>
> if (!local)
>     check <security-constraint>
>
>
> Is this possible? with RemoteHostValve ?

You can simulate it, but you can't use <security-constraint> in web.xml
and also get a "local" carve-out for it.

What kind of <security-constraint> are you trying to remove?

Here are some options:

1. Review why you want to do this in the first place. What makes "local"
so special?

2. Deploy two instances of your application, one of which only allows
"local" access and does NOT have the <security-constraint> in web.xml.

3. Remove the <security-constraint> from web.xml completely, and use a
Filter/Valve to enforce your security policy.

-chris

Re: <security-constraint> only for remote access

Jürgen Weber
Chris,

it is just authentication basic.

I definitely want authentication for remote access, but I had hoped I
could override this with a Valve for local access.

Anyway, I'll spare the two apps and do two Servlet mappings

/local
/remote

protect /remote with <security-constraint>
and check in the servlet code if Servlet Path == local && remote IP in
local network

And I'll try to mod_rewrite /remote to /local if in local network.


Juergen

Re: <security-constraint> only for remote access

Christopher Schultz-2
Jürgen,

On 11/12/20 09:50, Jürgen Weber wrote:
> Chris,
>
> it is just authentication basic.
>
> I definitely want authentication for remote access, but I had hoped I
> could override this with a Valve for local access.
>
> Anyway, I'll spare the two apps and do two Servlet mappings
>
> /local
> /remote
>
> protect /remote with <security-constraint>
> and check in the servlet code if Servlet Path == local && remote IP in
> local network

You can definitely do that with the RemoteIPValve and/or RemoteIPFilter.
No need to write any new code.

> And I'll try to mod_rewrite /remote to /local if in local network.

That would work, but be aware of playing games with URL spaces. It can
be a real pain in the neck to hit every case.

What's wrong with local users authenticating? I don't trust my network
that much.

-chris
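
Added example (not part of the thread, and not code from either poster or from the Tomcat project): the two-mapping layout discussed above as a web.xml fragment, with /remote/* behind BASIC authentication and /local/* restricted by Tomcat's stock RemoteAddrFilter. The servlet class, the role name and the 192.168.1.x LAN range are assumptions.

```xml
<!-- Fragment of WEB-INF/web.xml, placed inside <web-app>.
     Assumed names: com.example.AppServlet, role "appuser", LAN 192.168.1.0/24. -->

<servlet>
  <servlet-name>app</servlet-name>
  <servlet-class>com.example.AppServlet</servlet-class>
</servlet>
<!-- One servlet, two URL spaces -->
<servlet-mapping>
  <servlet-name>app</servlet-name>
  <url-pattern>/local/*</url-pattern>
  <url-pattern>/remote/*</url-pattern>
</servlet-mapping>

<!-- /local/*: no login, but only reachable from allowed addresses.
     RemoteAddrFilter matches the regex against the whole remote address
     and answers 403 for every other client. -->
<filter>
  <filter-name>localOnly</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.168\.1\.\d+</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>localOnly</filter-name>
  <url-pattern>/local/*</url-pattern>
</filter-mapping>

<!-- /remote/*: container-managed BASIC authentication for everyone -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>remote</web-resource-name>
    <url-pattern>/remote/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>appuser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>app</realm-name>
</login-config>
<security-role>
  <role-name>appuser</role-name>
</security-role>
```

When Apache httpd proxies to Tomcat over HTTP, Tomcat sees the proxy's address as the remote address, so the client address has to be restored first (Tomcat's RemoteIpValve or RemoteIpFilter does this from X-Forwarded-For for trusted proxies) or the address check has to be done on the proxy.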
