Preventing direct resource linking without authorization.


Preventing direct resource linking without authorization.

sent2null@netzero.net
Hello all,
 
I have Jetty running embedded as a secure http and servlet server. I have ssl enabled but I'd like to prevent direct linking to any files on the server via authorization checks of sessions associated with the requests that come in. Is there a way to do this using Jetty? I am currently using Jetty version 4.2.24. I looked at the javadoc for the HttpServer class and it appears I'll have to somehow use a Realm, but I am not sure how that will ensure that *every* request is checked, nor am I sure how I would tie my existing db authentication scheme into the one used by Jetty. It would be cool if I could have Jetty make a call to my authentication logic to authorize each server request's session: if the session has an authorized user, this should grant the request; if the session is expired or doesn't exist, the request should be denied. (This needs to happen across all loaded contexts and listeners.)
 
So any ideas on the matter? My thanks in advance for your time.
 
Regards,
 
David


______________________________________________________________________
NetZero Is Giving Away $3,000 A Day!
Sign up for NetZero HiSpeed 3G with Instant On!
Visit http://www.netzero.com/3Gsweeps TODAY for your chance to win!



-------------------------------------------------------
SF.Net email is sponsored by:
Tame your development challenges with Apache's Geronimo App Server. Download
it for free - -and be entered to win a 42" plasma tv or your very own
Sony(tm)PSP.  Click here to play: http://sourceforge.net/geronimo.php
_______________________________________________
jetty-discuss mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-discuss

RE: Preventing direct resource linking without authorization.

Schopp, James (Jimi)
David,
   To do what you ask, you would want to create a web application (WAR) and configure your servlets in the web.xml file. In that file, you would also specify security constraints over a set of URLs (such as which roles are valid for which URLs; you can use wildcards). The roles specified in this file coincide with the ones defined in your realm.
 
   Then, instead of telling Jetty to add servlets, you would tell it to add a web application (which in turn contains your servlets). Also, making Jetty use your authentication logic instead of its own would require implementing your own realm. Then, in Jetty's config file, you just specify to use your realm class (instead of one of the Jetty defaults).
 
A sample jetty config file might be:
 
<!-- Configure root added so the fragment is a well-formed jetty.xml; the original post showed only the Call elements -->
<Configure class="org.mortbay.jetty.Server">
  <Call name="addListener">
    <Arg>
      <New class="org.mortbay.http.SslListener">
        <Set name="Port">8443</Set>
        <Set name="Keystore">Jetty.keystore</Set>
        <!-- placeholder passwords: replace before deployment -->
        <Set name="Password">changeit</Set>
        <Set name="KeyPassword">changeit</Set>
      </New>
    </Arg>
  </Call>
  <Call name="addRealm">
    <Arg>
      <!-- or use your own realm that you develop... there are some JDBC realms available... -->
      <New class="org.mortbay.http.HashUserRealm">
        <!-- must match the realm-name in web.xml -->
        <Arg>SomeArbitraryRealmName</Arg>
        <Call name="put"><Arg>user1</Arg><Arg>pass1</Arg></Call>
        <Call name="addUserToRole"><Arg>user1</Arg><Arg>MyRole</Arg></Call>
        <!-- was "user3" in the original: the role below was being granted to a user that had never been added -->
        <Call name="put"><Arg>user2</Arg><Arg>pass2</Arg></Call>
        <Call name="addUserToRole"><Arg>user2</Arg><Arg>MyRole</Arg></Call>
      </New>
    </Arg>
  </Call>
  <!-- first Arg: context path spec (e.g. "/"); second Arg: the WAR file or exploded directory -->
  <Call name="addWebApplication">
    <Arg>YourWebAppDirectory</Arg>
    <Arg>YourWebApp.war</Arg>
  </Call>
</Configure>
 
 
 
A sample web.xml file might look like:
 
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <display-name>NetConnect WebService</display-name>

  <servlet>
    <servlet-name>YourServlet</servlet-name>
    <display-name>YourServlet</display-name>
    <servlet-class>com.your.Servlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>YourServlet</servlet-name>
    <!-- "/*" is the path-mapping form; a bare "*" is not a valid servlet url-pattern -->
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <!-- every URL in this context requires an authenticated user holding MyRole -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Everything</web-resource-name>
      <!-- "/*" is the conventional pattern for "every path in this context" -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>MyRole</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- must match the name given to the realm in Jetty's config file -->
    <realm-name>SomeArbitraryRealmName</realm-name>
  </login-config>
  <security-role>
    <role-name>MyRole</role-name>
  </security-role>
</web-app>
 
 
 
 
good luck,
jimi
 
 
 
 
 


From: [hidden email] on behalf of [hidden email]
Sent: Fri 9/16/2005 11:52 AM
To: [hidden email]
Subject: [jetty-discuss] Preventing direct resource linking without authorization.

Re: Preventing direct resource linking without authorization.

Greg Wilkins-5
In reply to this post by sent2null@netzero.net
David,

You have two choices: use the standards-based security constraint mechanism as
James Schopp has described, and if that is not sufficient for your needs, you can
write a Filter that will perform arbitrary security checks.

regards
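The Filter route Greg mentions maps directly onto what David asked for: a deny-by-default check, run on every request in the web application, that consults the session rather than a container realm. The class below is an added example written for this thread, not code from Jetty or from either poster. It assumes a convention the thread does not define: the application's own login code (the existing db-backed logic) stores the authenticated user in the session under the attribute name `authenticatedUser`, and the login URL is supplied as the init-param `loginPath` so that it is never blocked. The class name `SessionAuthFilter` is likewise invented. It uses only the Servlet 2.3 Filter API, which is what Jetty 4.2 implements.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Deny-by-default session check for every request in one web application.
 *
 * Assumed convention (not from the thread): the application's login code stores
 * the authenticated user object in the session under USER_ATTRIBUTE, and the
 * path that performs that login is passed as init-param "loginPath".
 *
 * Mapping in web.xml (a filter-mapping on "/*" sees every request in the context,
 * including static files served by the default servlet):
 *
 *   <filter>
 *     <filter-name>SessionAuthFilter</filter-name>
 *     <filter-class>SessionAuthFilter</filter-class>
 *     <init-param>
 *       <param-name>loginPath</param-name>
 *       <param-value>/login</param-value>
 *     </init-param>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>SessionAuthFilter</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class SessionAuthFilter implements Filter {

    /** Session attribute holding the logged-in user; assumed name. */
    public static final String USER_ATTRIBUTE = "authenticatedUser";

    private String loginPath = "/login";

    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("loginPath");
        if (configured != null && configured.length() > 0) {
            loginPath = configured;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAuthorized(request, contextRelativePath(request))) {
            chain.doFilter(req, res);
            return;
        }

        // Missing or expired session: refuse the resource outright. A browser-facing
        // application could use response.sendRedirect(loginPath) instead.
        response.setHeader("Cache-Control", "no-store");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /** Request path relative to this context, with any ";jsessionid=..." path parameter removed. */
    static String contextRelativePath(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        int semicolon = path.indexOf(';');
        return semicolon >= 0 ? path.substring(0, semicolon) : path;
    }

    /**
     * True only for the login page itself or for a request whose existing session
     * already holds an authenticated user. getSession(false) matters: creating a
     * session here would hand every anonymous caller a fresh session id.
     */
    boolean isAuthorized(HttpServletRequest request, String path) {
        if (path.equals(loginPath)) {
            return true;
        }
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;   // no session, or it expired and was invalidated by Jetty
        }
        return session.getAttribute(USER_ATTRIBUTE) != null;
    }

    public void destroy() {
    }
}
```

Two points follow from how filters are scoped. A filter belongs to one web application, so David's "across all loaded contexts" requirement means every context that must be protected needs this mapping (or a security constraint as in Jimi's web.xml); resources served by a plain HttpContext outside any web application never pass through a servlet filter at all. And because the check is on the session rather than on a realm, the filter does not replace the realm for container-managed security; it is the option to reach for precisely when the application already performs its own login and only needs Jetty to enforce the result on every request.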





