[Yanel-dev] Fwd: something for the wiki

Balz Schreier balz.schreier at gmail.com
Wed Dec 22 15:29:53 CET 2010


Dear all,

I work on an Internet web site which has two environments, TEST and PROD,
both reachable through the normal Internet.
We just noticed that Google also indexed some pages from the TEST
environment (despite our efforts not to publicly point to the TEST
environment at all, but somehow Google found it out).

How to avoid being indexed?
- One solution is to put a robots.txt file at the root of the site... But
then you are not sure whether the bots will really follow the directions in
there.
- Another solution is to protect the whole REALM by configuring "/" in the
map-rc file and having a policy in place that protects it.
- The latter solution might be fine in some cases, but we want to test how our
site looks if the user is not logged into the application
(public users). In order to test with a public user but still with some
protection against bots, see the next solution:
- We configured Tomcat so that the whole "/" web app is protected by a
technical user configured in Tomcat's tomcat-users.xml. In Yanel's web.xml
we declared some security constraints so that the basic auth popup appears.
Now you can log in to the Servlet Container's security context, and when you
have done that, you're in the Yanel context as a public user. Of course, you
can then log in again to your application, triggering the whole Yanel-specific
security context.

Below is my mail to Michael with the configuration for Tomcat. It might be
helpful for some others in the future, maybe ;-)

Cheers
Balz

---------- Forwarded message ----------
From: Balz Schreier <balz.schreier at gmail.com>
Date: 2010/12/22
Subject: something for the wiki
To: Michael Michi Wechner <michael.wechner at wyona.com>


Hi Michi,

This might be something for the wiki, so one doesn't have to search for it
every time.

TASK: Secure the whole realm with basic authentication of Tomcat without
impacting Yanel's security setup (yanel users and roles).

DESCRIPTION:

Details for Tomcat Basic Authentication Setup:

   - Configure this in tomcat-users.xml (the role must be declared with a
     <role> element before a <user> can reference it in its roles attribute):

   <!-- declares the role that the web.xml constraint below requires -->
   <role rolename="tester"/>
   <!-- the technical user that holds that role; password is site-specific -->
   <user username="testuser" password="..." roles="tester"/>

   - Configure this in Yanel's web.xml:

   <!-- every URL of the web app requires an authenticated user in role "tester" -->
   <security-constraint>
     <display-name>My Realm</display-name>
     <web-resource-collection>
       <web-resource-name>My Realm</web-resource-name>
       <url-pattern>/*</url-pattern>
     </web-resource-collection>
     <auth-constraint>
       <role-name>tester</role-name>
     </auth-constraint>
     <user-data-constraint>
       <!-- NONE: plain HTTP is accepted; CONFIDENTIAL would force HTTPS -->
       <transport-guarantee>NONE</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <!-- makes the browser show the Basic authentication popup -->
   <login-config>
     <auth-method>BASIC</auth-method>
     <realm-name/>
   </login-config>
   <!-- the role referenced by the auth-constraint above -->
   <security-role>
     <role-name>tester</role-name>
   </security-role>


Regards
Balz
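The setup in the forwarded mail has a few failure modes that are easy to miss by hand: the web.xml constraint naming a role that tomcat-users.xml never declares (a `<user rolename=...>` typo instead of `<role rolename=...>` produces exactly that), a declared role that no user holds (nobody can get through the gate), and a `transport-guarantee` of `NONE`, which lets the Basic credentials cross the wire base64-encoded in the clear. The following script is an added example, not part of Balz's mail or of the Yanel project; it parses both files with the standard library and reports these problems. The sample XML inside it is constructed from the fragments above, and the function name `check_gate` is my own.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration, mirroring the tomcat-users.xml and
# web.xml fragments in the mail (placeholder password, not a real deployment).
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="tester"/>
  <user username="testuser" password="PLACEHOLDER" roles="tester"/>
</tomcat-users>"""

WEB_XML = """<web-app>
  <security-constraint>
    <display-name>My Realm</display-name>
    <web-resource-collection>
      <web-resource-name>My Realm</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>tester</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name/>
  </login-config>
  <security-role>
    <role-name>tester</role-name>
  </security-role>
</web-app>"""


def check_gate(web_xml: str, tomcat_users_xml: str) -> list:
    """Return a list of findings about the container-level gate.

    An empty list means: a security-constraint covers "/*", every role it
    requires is declared in tomcat-users.xml and held by at least one user,
    login-config is BASIC, and the transport guarantee is CONFIDENTIAL.
    """
    findings = []
    web = ET.fromstring(web_xml)
    users = ET.fromstring(tomcat_users_xml)

    # Roles declared with <role rolename="..."/> and roles actually held by users.
    declared_roles = {r.get("rolename") for r in users.iter("role")}
    held_roles = set()
    for u in users.iter("user"):
        held_roles.update(x.strip() for x in (u.get("roles") or "").split(",") if x.strip())

    # Only constraints whose url-pattern is "/*" gate the whole web app.
    catch_all = [
        sc for sc in web.iter("security-constraint")
        if any((p.text or "").strip() == "/*" for p in sc.iter("url-pattern"))
    ]
    if not catch_all:
        findings.append("no security-constraint covers url-pattern /*")
        return findings

    for sc in catch_all:
        auth = sc.find("auth-constraint")
        if auth is None:
            # Without an auth-constraint the constraint requires no login at all.
            findings.append("constraint on /* has no auth-constraint: login is not required")
        else:
            required = [(r.text or "").strip() for r in auth.findall("role-name")]
            if not required:
                # An empty auth-constraint denies access to everyone.
                findings.append("empty auth-constraint on /*: every request is denied")
            for role in required:
                if role == "*":
                    continue  # any authenticated user is acceptable
                if role not in declared_roles:
                    findings.append(f"role {role!r} required by web.xml is not declared in tomcat-users.xml")
                elif role not in held_roles:
                    findings.append(f"role {role!r} is declared but no user holds it; nobody can log in")
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee", default="NONE") or "").strip()
        if guarantee != "CONFIDENTIAL":
            findings.append(f"transport-guarantee is {guarantee}: Basic credentials are sent unencrypted")

    method = (web.findtext("login-config/auth-method", default="") or "").strip()
    if method != "BASIC":
        findings.append(f"auth-method is {method or 'unset'}, expected BASIC")
    return findings


if __name__ == "__main__":
    for line in check_gate(WEB_XML, TOMCAT_USERS_XML) or ["gate looks sound"]:
        print(line)
```

Run against the sample, the only finding is the `NONE` transport guarantee; swapping in `CONFIDENTIAL` (and terminating TLS on the connector) clears it, while changing the `<role>` element to `<user rolename=...>` as in the original mail makes the script report that role `tester` is never declared.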