To the right of the top menu on the siark.com website is the ‘admin’ link that accesses the administration (create, update and delete) pages. The page hierarchy is such that the admin pages live in a series of admin directories (the admin pages for the galleries are in /gallery/admin, the admin pages for the keywords are in /keyword/admin, and so on). It is therefore necessary to restrict access to every page in all of the admin subdirectories. This restriction is done by specifying security settings in web.xml:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <display-name>igallery</display-name>

  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>

  <!-- Spring MVC front controller; all *.html requests are routed through it -->
  <servlet>
    <servlet-name>igallery</servlet-name>
    <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    <init-param>
      <param-name>contextConfigLocation</param-name>
      <param-value>/WEB-INF/igallery-servlet.xml</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>

  <servlet-mapping>
    <servlet-name>igallery</servlet-name>
    <url-pattern>*.html</url-pattern>
  </servlet-mapping>

  <!-- Everything under /gallery/admin/ requires a user holding "myrole";
       no <http-method> is listed, so the constraint applies to every HTTP method -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Security</web-resource-name>
      <url-pattern>/gallery/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <security-role>
    <role-name>myrole</role-name>
  </security-role>

</web-app>
```
As I am using Tomcat 6, I can simply specify user and role information in the tomcat-users.xml file. To do this from the server instance in Eclipse, expand the ‘Servers’ directory in the ‘Project Explorer’, then expand the appropriate server, and you’ll see the file. There are sample roles and users in the file already. Create a role to match the role used in the web.xml file (in this case myrole).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <!-- rolename must match the <role-name> used in web.xml -->
  <role rolename="myrole" />
  <user username="myuser" password="mypassword" roles="myrole" />
</tomcat-users>
```
Note: It’s possible to list HTTP methods (`<http-method>`) in the web.xml web-resource-collection; however, this means that *only* the listed methods for the specified url-pattern are secured, and any other method is left unsecured (see http://www.aspectsecurity.com/documents/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf).
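As an added example (not code from this post or the igallery project), the following Python script audits a web.xml for the two points above: which url-patterns sit behind an `<auth-constraint>`, which of those also list `<http-method>` and therefore leave every unlisted verb open, and which admin directories no constraint covers at all. The embedded web.xml is constructed for the demonstration: its first constraint is the post's `/gallery/admin/*` rule, its second is deliberately written the verb-limited way, and the `/photo/admin` directory passed in the check is hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"j2ee": "http://java.sun.com/xml/ns/javaee"}

# Constructed sample (not the post's file): the first constraint is the post's
# /gallery/admin/* rule; the second lists <http-method>, the case the note warns about.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Security</web-resource-name>
      <url-pattern>/gallery/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Keyword Admin</web-resource-name>
      <url-pattern>/keyword/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def covers(pattern, path):
    """True if a servlet url-pattern (exact, or a trailing /* prefix) matches path."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-2] + "/")
    return pattern == path

def audit_web_xml(xml_text, admin_dirs):
    """Return (protected, verb_limited, uncovered): patterns guarded by an
    <auth-constraint>, those that also list <http-method> (every method NOT
    listed reaches the resource unauthenticated), and admin_dirs no pattern covers."""
    root = ET.fromstring(xml_text)
    protected, verb_limited = set(), set()
    for sc in root.findall("j2ee:security-constraint", NS):
        if sc.find("j2ee:auth-constraint", NS) is None:
            continue  # no <auth-constraint>: the collection is not access-controlled
        for wrc in sc.findall("j2ee:web-resource-collection", NS):
            patterns = [p.text.strip() for p in wrc.findall("j2ee:url-pattern", NS)]
            protected.update(patterns)
            if wrc.findall("j2ee:http-method", NS):
                verb_limited.update(patterns)
    uncovered = [d for d in admin_dirs if not any(covers(p, d) for p in protected)]
    return sorted(protected), sorted(verb_limited), uncovered
```

Running `audit_web_xml(SAMPLE_WEB_XML, ["/gallery/admin", "/keyword/admin", "/photo/admin"])` reports `/keyword/admin/*` as verb-limited and `/photo/admin` as uncovered, which is exactly the pair of findings to fix before relying on the container for admin access control.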