Secure Access to Your Jetty Web Application

June 17, 2013 | HowTo

Today’s post focuses on the web application security features of the Jetty app server. After reading this article you should be able to configure security realms that provide authentication and access control for your Jetty web application, and to restrict access to your app to dedicated IP addresses only. Before we start, let’s examine what a Jetty realm is. A realm is a login service that becomes available to all web applications on a server once you define it in a Jetty configuration file. Each realm has a unique name and is composed of a set of users. Every user has authentication information and a set of roles associated with it. One or several realms can be configured depending on your needs.

As always, we start by creating an environment with the Jetty app server and then deploying the application into it.

Authentication

1. Once your Jetty web application is successfully deployed, click the Config button for your server.

[Screenshot: jetty-config]

2. Navigate to the Server directory, open the realm.properties file and create a new user. If you just want to use the default test realm, it’s better to delete the default users that already exist in the realm.properties file, since their credentials are well known.

[Screenshot: jetty-realm-properties]

3. In the same folder, find webdefault.xml and specify the security constraint for the newly created user (the constraint is expressed in terms of the roles assigned to the user).

<security-constraint>
  <web-resource-collection>
    <!-- web-resource-name is required by the servlet descriptor schema -->
    <web-resource-name>Whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
    <role-name>moderator</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <!-- BASIC sends credentials base64-encoded, not encrypted: serve the app over HTTPS -->
  <auth-method>BASIC</auth-method>
  <realm-name>Test Realm</realm-name>
</login-config>

[Screenshot: jetty-security-constraint]

4. Open the Jetty web application in a browser and you’ll see the authentication prompt.

[Screenshot: Jetty Authentication Required]

Access for dedicated IP-Addresses

Note: This feature is available beginning from Jelastic 1.9.2.2.

1. Click the Config button for Jetty and create an .htaccess file in the root directory of your web application.

As an example, we use a configuration that allows access from a single IP address (192.168.152.1) only:

<Limit>
satisfy all
order deny,allow
deny from all
allow from 192.168.152.1
</Limit>

[Screenshot: jetty-htaccess]

2. In $jetty_home/contexts, find the xml file that corresponds to the name of your Jetty web application (test.xml in our case) and protect access to your application with HTAccessHandler, which enforces the .htaccess policy file. Finally, your context xml file should look like the following one:

<Configure id="test" class="org.mortbay.jetty.webapp.WebAppContext">

  <Set name="contextPath">/test</Set>
  <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/test.war</Set>

  <Set name="extractWAR">true</Set>
  <Set name="copyWebDir">false</Set>
  <Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>

  <!-- Wrap the context in HTAccessHandler so every request is checked against .htaccess -->
  <Call name="setSecurityHandler">
    <Arg>
      <New class="org.mortbay.jetty.security.HTAccessHandler">
        <Set name="protegee">
          <Ref id="test"/>
        </Set>
      </New>
    </Arg>
  </Call>

  <New id="wadiCluster" class="org.mortbay.jetty.servlet.wadi.WadiCluster">
    <Arg>CLUSTER</Arg>
    <Arg><SystemProperty name="node.name" default="red"/></Arg>
    <Arg>http://localhost:<SystemProperty name="jetty.port" default="8080"/>/</Arg>
    <Call name="start"/>
  </New>

  <Set name="SessionHandler">
    <New class="org.mortbay.jetty.servlet.wadi.WadiSessionHandler">
      <Arg>
        <New id="wadiSessionManager" class="org.mortbay.jetty.servlet.wadi.WadiSessionManager">
          <Arg><Ref id="wadiCluster"/></Arg>
          <Arg type="int">2</Arg>
          <Arg type="int">24</Arg>
          <Arg type="int">360</Arg>
          <Arg type="boolean">true</Arg>
          <Arg type="boolean">false</Arg>
        </New>
      </Arg>
    </New>
  </Set>

</Configure>

[Screenshot: Jetty security]

3. Save the changes and restart Jetty application server.

4. Open your app in a browser (from an address other than the allowed IP in this case) to ensure that it’s protected.

[Screenshot: jetty-access]
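Before relying on the browser check alone, it helps to know exactly which clients a given .htaccess policy admits. The following Python evaluator is an added example (not code from the post, from Jetty or from Jelastic): it parses the <Limit> block shown above and applies Apache's order deny,allow / allow,deny semantics, so you can test a policy offline against candidate client addresses; hostname and partial-IP patterns are assumed out of scope.

```python
import ipaddress

# Constructed sample: the .htaccess policy shown in the post above.
SAMPLE_HTACCESS = """\
<Limit>
satisfy all
order deny,allow
deny from all
allow from 192.168.152.1
</Limit>
"""

def parse_limit(text):
    """Return (order, deny_patterns, allow_patterns) from a <Limit> block."""
    order, deny, allow = "deny,allow", [], []  # Apache's default order
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<") or line.startswith("#"):
            continue  # skip the <Limit> tags, blank lines and comments
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "order":
            order = rest.replace(" ", "").lower()
        elif key in ("deny", "allow") and rest.lower().startswith("from "):
            (deny if key == "deny" else allow).extend(rest.split()[1:])
    return order, deny, allow

def _matches(client_ip, patterns):
    ip = ipaddress.ip_address(client_ip)
    for pattern in patterns:
        if pattern.lower() == "all":
            return True
        try:
            if ip in ipaddress.ip_network(pattern, strict=False):
                return True  # plain address or CIDR block
        except ValueError:
            pass  # hostnames and partial IPs are out of scope (assumption)
    return False

def client_allowed(client_ip, htaccess_text):
    """deny,allow: an Allow match wins, unmatched clients are permitted.
    allow,deny: a Deny match wins, unmatched clients are refused."""
    order, deny, allow = parse_limit(htaccess_text)
    denied, allowed = _matches(client_ip, deny), _matches(client_ip, allow)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported order directive: {order}")
```

Two pitfalls worth checking this way: with order allow,deny the "deny from all" line beats the allow and locks out even the administrator's address, while omitting "deny from all" under order deny,allow admits every address you did not list.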

As you can see, it’s pretty easy to protect your Jetty web application from unauthorized access using standard server features and the Jelastic set of tools. If you have, or have had, such an experience, please let us know in the comment section below.
