Protecting Yanel realm by Tomcat [WAS: Re: [Yanel-dev] Fwd: something for the wiki]

Michael Wechner michael.wechner at wyona.com
Wed Dec 22 15:50:25 CET 2010


Hi Balz

Thanks very much for this. I will try to add this to the documentation

http://www.yanel.org/en/documentation/index.html

Thanks

Michael

On 12/22/10 3:29 PM, Balz Schreier wrote:
> Dear all,
>
> I work on an Internet web site which has two environments, TEST and
> PROD, both reachable through the normal Internet.
> We just noticed that Google also indexed some pages from the TEST
> environment (despite our efforts not to publicly point to the TEST
> environment at all, but somehow Google found it out).
>
> How to avoid being indexed?
> - One solution is to put that robots.txt file at the root of the
> site... But then you are not sure whether the bots will really follow
> the directions in there
> - Another solution is to protect the whole REALM by configuring "/" in
> the map-rc file and having a policy in place that protects it
> - The latter solution might be fine in some cases but we want to test
> how our site looks if the user is not logged into the
> application (public users). In order to test with a public user but
> still with some protection against bots, see next solution:
> - We configured Tomcat so that the whole "/" web app is protected by a
> technical user configured in tomcat's tomcat-users.xml. In Yanel's
> web.xml we declared some security constraints so that the basic auth
> popup appears. Now you can log in to the Servlet Container's security
> context and when you have done that, you're in the yanel context as
> public user. Of course, you can then log in again to your application,
> triggering the whole Yanel specific security context.
>
> Below was my mail to Michael with the configuration for Tomcat. It
> might be helpful for some others in future, maybe ;-)
>
> Cheers
> Balz
>
> ---------- Forwarded message ----------
> From: *Balz Schreier* <balz.schreier at gmail.com>
> Date: 2010/12/22
> Subject: something for the wiki
> To: Michael Michi Wechner <michael.wechner at wyona.com>
>
>
> hi michi,
>
> this might be something for the wiki, so one doesn't have to search for it every time.
>
> TASK: Secure the whole realm with basic authentication of Tomcat
> without impacting Yanel's security setup (yanel users and roles).
>
> DESCRIPTION:
>
> Details for Tomcat Basic Authentication Setup:
>
>     * Configure this in tomcat-users.xml (the role is declared with a
>       <role> element, then granted to the technical user):
>
>       <role rolename="tester"/>
>       <user username="testuser" password="..." roles="tester"/>
>
>     * Configure this in Yanel's web.xml:
>
>       <security-constraint>
>           <display-name>My Realm</display-name>
>           <web-resource-collection>
>               <web-resource-name>My Realm</web-resource-name>
>               <url-pattern>/*</url-pattern>
>           </web-resource-collection>
>           <auth-constraint>
>               <role-name>tester</role-name>
>           </auth-constraint>
>           <user-data-constraint>
>               <transport-guarantee>NONE</transport-guarantee>
>           </user-data-constraint>
>       </security-constraint>
>       <login-config>
>           <auth-method>BASIC</auth-method>
>           <realm-name/>
>       </login-config>
>       <security-role>
>           <role-name>tester</role-name>
>       </security-role>
>
> Regards
> Balz

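As an added check (example code written for this archive page, not part of Yanel and not from Balz's mail), the script below parses a web.xml and a tomcat-users.xml and lints the points that decide whether the Tomcat layer really shields the whole realm: a <security-constraint> whose <url-pattern> is /* must carry an <auth-constraint> naming a role (no auth-constraint means everyone is allowed, an empty one means everyone is denied), <login-config> must be BASIC, and every role named there must be declared in <security-role> and granted to some user in tomcat-users.xml (a <user> without a username, as in the original `<user rolename="tester"/>`, is flagged as a mistyped <role>). It also flags <transport-guarantee>NONE</transport-guarantee>: with BASIC auth that setting lets the technical user's password travel base64-encoded over plain HTTP, so on a site reachable from the Internet it should be CONFIDENTIAL, which makes Tomcat redirect the request to its HTTPS connector. The sample files are constructed inline to mirror the posted configuration; the element names are the servlet-spec and Tomcat ones, the findings text and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed inputs mirroring the posted configuration (not the real Yanel
# files): the web.xml as posted, a TLS-requiring variant, and the
# tomcat-users.xml as posted and as corrected.
WEB_XML_POSTED = """<web-app>
  <security-constraint>
    <display-name>My Realm</display-name>
    <web-resource-collection>
      <web-resource-name>My Realm</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tester</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name/></login-config>
  <security-role><role-name>tester</role-name></security-role>
</web-app>"""

# Same constraint, but the technical user's credentials only go over TLS.
WEB_XML_HARDENED = WEB_XML_POSTED.replace("NONE", "CONFIDENTIAL")

USERS_POSTED = """<tomcat-users>
  <user rolename="tester"/>
  <user username="testuser" password="..." roles="tester"/>
</tomcat-users>"""

USERS_FIXED = """<tomcat-users>
  <role rolename="tester"/>
  <user username="testuser" password="..." roles="tester"/>
</tomcat-users>"""


def _name(tag):
    """Local name of a tag, ignoring any XML namespace ({uri}name -> name),
    so a namespaced web.xml lints the same as the bare one above."""
    return tag.rsplit("}", 1)[-1]


def _descendants(el, name):
    """All elements under el (el included) whose local tag name is `name`."""
    return [c for c in el.iter() if _name(c.tag) == name]


def _texts(el, name):
    """Stripped text of every descendant named `name` that has text."""
    return [c.text.strip() for c in _descendants(el, name) if c.text and c.text.strip()]


def lint_tomcat_basic_auth(web_xml, users_xml):
    """Return a list of findings; an empty list means the setup does what the
    post intends: everything under / needs a Tomcat login, and the login
    cannot be sniffed off plain HTTP."""
    web, users = ET.fromstring(web_xml), ET.fromstring(users_xml)
    findings = []

    # Roles known on each side: <security-role> in web.xml, <role> plus the
    # roles attribute of each <user> in tomcat-users.xml.
    declared = set()
    for sr in _descendants(web, "security-role"):
        declared.update(_texts(sr, "role-name"))
    tomcat_roles = {r.get("rolename") for r in _descendants(users, "role")}
    for u in _descendants(users, "user"):
        if u.get("username") is None:
            findings.append("tomcat-users.xml: <user> without username (meant <role rolename=...>?)")
            continue
        tomcat_roles.update(x.strip() for x in (u.get("roles") or "").split(",") if x.strip())

    root_protected = False
    for sc in _descendants(web, "security-constraint"):
        patterns = _texts(sc, "url-pattern")
        auth = _descendants(sc, "auth-constraint")
        roles = [r for a in auth for r in _texts(a, "role-name")]
        if "/*" in patterns:
            root_protected = root_protected or bool(roles)
            if not auth:
                findings.append("/* has no <auth-constraint>: every caller is allowed")
            elif not roles:
                findings.append("/* has an empty <auth-constraint>: every caller is denied")
        for r in roles:
            if r not in declared:
                findings.append(f"role {r!r} not declared in <security-role>")
            if r not in tomcat_roles:
                findings.append(f"role {r!r} granted to no user in tomcat-users.xml")
        if _texts(sc, "transport-guarantee") != ["CONFIDENTIAL"]:
            findings.append(f"constraint on {patterns} allows plain HTTP: BASIC sends the "
                            "password base64-encoded in the clear")
    if not root_protected:
        findings.append("no constraint with <url-pattern>/*</url-pattern>: parts of the realm stay open")
    if _texts(web, "auth-method") != ["BASIC"]:
        findings.append("login-config is not BASIC")
    return findings


if __name__ == "__main__":
    for label, web, users in (("posted", WEB_XML_POSTED, USERS_POSTED),
                              ("hardened", WEB_XML_HARDENED, USERS_FIXED)):
        print(label, lint_tomcat_basic_auth(web, users) or ["ok"])
```

Run against the posted pair it reports the stray <user> element and the plain-HTTP transport guarantee; the hardened pair with the corrected tomcat-users.xml comes back clean. Narrowing the pattern to something like /test/* is reported as leaving the rest of the realm open, which is the mistake that would let a crawler back in.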