I would like to apply security constraints for all webapps deployed on a Tomcat7 server. To do this I have set up a Realm and Valve. My understanding is that the contents of context.xml get included for all apps deployed to a server - that part seems to work as I can add all manner of configuration and I see the effects as it gets included in the various deployed app contexts. It works wonderfully for enforcing consistency across web apps.
What doesn't seem to work is trying to define a security-constraint like the one below outside of web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>myServletWAR</web-resource-name>
        <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>my_role</role-name>
    </auth-constraint>
</security-constraint>
I'm doing it in context.xml between the Context tags. No complaints from Tomcat, but no security constraint is applied, e.g. I can hit the app without a password. With the constraint above in context.xml I see:
Aug 14, 2013 3:03:32 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Not subject to any constraint
...in the logs, and can get to the "protected" resource with no auth.
Moving the same constraint to a webapp's web.xml, of course, yields the expected constraint behaviour, but I need to ensure the constraint is applied consistently across all deployed apps on a given server.
Does security-constraint need to be inside of a web-app? If it does how can I define a security-constraint across several (as yet deployed) web-apps if not in context.xml?
This is exactly what I am trying to set up, but I want to enforce the constraint outside (above) web.xml. Again, so that it will be consistent for the entire server.
I did see another similar question, but I'm trying to find a way to do this in Tomcat configuration without having to use the Servlet API from the code base (that is already written).
Thanks!
The second after I posted my question I realized that:
$CATALINA_BASE/conf/web.xml
was the answer I was looking for.
Its root element, as one would expect, is web-app, and the contents get added to each deployed web app (like context.xml for each context); adding the security-constraint there worked.
I did have to restart Tomcat (it doesn't auto-deploy for changes in that file apparently), but that is not an issue as this shouldn't change in production.
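An added example (not the original poster's file) of what the server-wide entry in $CATALINA_BASE/conf/web.xml can look like, including the login-config and security-role declarations that go with the constraint; it assumes BASIC authentication against the Realm the question already has configured and reuses the *.jsp pattern and my_role from the question:

```xml
<!-- Added example: fragment of $CATALINA_BASE/conf/web.xml, which Tomcat
     merges into every deployed webapp. Assumes BASIC auth against the
     Realm configured for the server; *.jsp and my_role come from the question. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <!-- The stock default servlet, JSP servlet, mime-mappings etc. that ship
         in conf/web.xml stay in place; only the elements below are added. -->

    <!-- Require my_role for every JSP in every webapp on this server. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All JSP pages</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>my_role</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- How Tomcat challenges the client. If an Authenticator valve is already
         declared in context.xml (as the question mentions), that valve is used
         instead; otherwise this login-config selects the authenticator. -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Server-wide protected area</realm-name>
    </login-config>

    <!-- Declare the role referenced by the auth-constraint above. -->
    <security-role>
        <role-name>my_role</role-name>
    </security-role>
</web-app>
```

After editing this file, restart Tomcat (as noted above, it is not picked up automatically) and confirm in the logs that the "Not subject to any constraint" message no longer appears for a .jsp request, and that an unauthenticated request to a JSP is refused.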