Secure Access to Your Jetty Web Application

    Today’s post focuses on the web application security features of the Jetty app server. After reading this article you should be able to configure security realms that provide authentication and access control for your Jetty web application, and to restrict access to your app to dedicated IP addresses only. Before we start, let’s examine what a Jetty realm is. A realm is a login service that becomes available to all web applications on a server once you define it in a Jetty configuration file. Each realm has a unique name and is composed of a set of users. Every user has authentication information and a set of roles associated with it. One or many realms can be configured depending on your needs.

    As always we start with creating an environment with Jetty app server and then deploying the application into this environment.

    Authentication

    1. Once your Jetty web application is successfully deployed, click the Config button for your server.

    jetty-config

    2. Navigate to the Server directory, open the realm.properties file and create a new user. If you just want to use the default test realm, delete the default users that already exist in the realm.properties file first.

    jetty-realm-properties

    3. In the same folder, find webdefault.xml and specify the security constraint for the roles you assigned to the newly created user.

    <security-constraint>
      <web-resource-collection>
        <!-- web-resource-name is required by the servlet descriptor schema; the value is only a label -->
        <web-resource-name>Whole application</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
        <role-name>user</role-name>
        <role-name>moderator</role-name>
      </auth-constraint>
    </security-constraint>
    
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Test Realm</realm-name>
    </login-config>
    

    jetty-security-constraint

    4. Open the Jetty web application in a browser and you’ll see the authentication prompt.

    Jetty Authentication Required

    Access for dedicated IP addresses

    Note: This feature is available beginning from Jelastic 1.9.2.2.

    1. Click the Config button for Jetty and create a .htaccess file in the root directory of your web application.

    As an example we use a configuration that allows access from a single IP address only (192.168.152.1):

    <Limit>
    satisfy all
    order deny,allow
    deny from all
    allow from 192.168.152.1
    </Limit>

    jetty-htaccess

    2. In $jetty_home/contexts, find the xml file whose name matches your Jetty web application (test.xml in our case) and protect access to your application with HTAccessHandler, which enforces the .htaccess policy file. Your context xml file should finally look like this:

    <Configure id="test" class="org.mortbay.jetty.webapp.WebAppContext">
    
      <Set name="contextPath">/test</Set>
      <Set name="war"><SystemProperty name="jetty.home" default="."/>/webapps/test.war</Set>
    
      <Set name="extractWAR">true</Set>
      <Set name="copyWebDir">false</Set>
      <Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>
    
        <Call name="setSecurityHandler">
            <Arg>
                <New class="org.mortbay.jetty.security.HTAccessHandler">
                    <Set name="protegee">
                        <Ref id="test"/>
                    </Set>
                </New>
            </Arg>
        </Call>
    
      <New id="wadiCluster" class="org.mortbay.jetty.servlet.wadi.WadiCluster">
        <Arg>CLUSTER</Arg>
        <Arg><SystemProperty name="node.name" default="red"/></Arg>
        <Arg>http://localhost:<SystemProperty name="jetty.port" default="8080"/>/</Arg>
        <Call name="start"/>
      </New>
    
      <Set name="SessionHandler">
        <New class="org.mortbay.jetty.servlet.wadi.WadiSessionHandler">
          <Arg>
            <New id="wadiSessionManager" class="org.mortbay.jetty.servlet.wadi.WadiSessionManager">
              <Arg><Ref id="wadiCluster"/></Arg>
              <Arg type="int">2</Arg>
              <Arg type="int">24</Arg>
              <Arg type="int">360</Arg>
              <Arg type="boolean">true</Arg>
              <Arg type="boolean">false</Arg>
            </New>
          </Arg>
        </New>
      </Set>
    
    </Configure>
    

    Jetty security

    3. Save the changes and restart Jetty application server.

    4. Open your app in a browser (from an address other than the allowed IP in this case) to ensure that it’s protected.

    jetty-access
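    The `order deny,allow` / `deny from all` / `allow from ...` combination in the .htaccess file above follows Apache's host-access semantics, and getting the `order` keyword wrong silently opens the application up. The script below is an added example (not code from the post or from Jetty's HTAccessHandler) that parses a constructed `<Limit>` block and evaluates a client address against it under both orderings and under `satisfy all` versus `satisfy any`. It models addresses and CIDR ranges only; hostnames and Apache's partial-address syntax are left out, and Jetty's exact matching rules are not assumed.

```python
import ipaddress

# Constructed policy in the shape of the post's .htaccess, with one extra
# allow directive to show a network range.
SAMPLE_HTACCESS = """\
<Limit>
satisfy all
order deny,allow
deny from all
allow from 192.168.152.1
allow from 10.0.0.0/8
</Limit>
"""


def parse_limit(text: str) -> dict:
    """Extract order/satisfy/allow/deny directives from a <Limit> block."""
    policy = {"order": ("deny", "allow"), "satisfy": "all", "allow": [], "deny": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # blanks, comments and the <Limit>/</Limit> tags
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            policy["order"] = tuple(p.lower() for p in parts[1].split(","))
        elif key == "satisfy" and len(parts) == 2:
            policy["satisfy"] = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            policy[key].extend(parts[2:])
    return policy


def host_matches(client_ip: str, spec: str) -> bool:
    """True when client_ip is covered by spec ('all', one address, or CIDR)."""
    if spec.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # hostnames and partial addresses are not modelled


def host_allowed(policy: dict, client_ip: str) -> bool:
    """Apply Apache 'Order' semantics to the allow and deny lists."""
    allowed = any(host_matches(client_ip, s) for s in policy["allow"])
    denied = any(host_matches(client_ip, s) for s in policy["deny"])
    if policy["order"] == ("allow", "deny"):
        # default deny: the client must match an allow and no deny
        return allowed and not denied
    # deny,allow: default allow, and a matching allow overrides any deny
    return allowed or not denied


def access_granted(policy: dict, client_ip: str, user_authenticated=None) -> bool:
    """Combine the host decision with a user decision according to 'satisfy'."""
    host_ok = host_allowed(policy, client_ip)
    if user_authenticated is None:
        return host_ok  # no user-based requirement configured
    if policy["satisfy"] == "any":
        return host_ok or user_authenticated
    return host_ok and user_authenticated


if __name__ == "__main__":
    policy = parse_limit(SAMPLE_HTACCESS)
    for ip in ("192.168.152.1", "10.20.30.40", "203.0.113.5"):
        print(ip, "->", "allowed" if host_allowed(policy, ip) else "denied")
```

Two points the evaluation makes visible: with `order deny,allow`, an `allow from all` line lets every client in regardless of later `deny` lines, whereas `order allow,deny` keeps the deny effective; and the address being checked is the one the Jetty server sees on the connection, so behind a load balancer or proxy the rule may be matching the proxy's address rather than the real client's. Check which address reaches the server before relying on an IP allow list.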

    As you can see, it’s pretty easy to protect your Jetty web application from unauthorized access using standard server features and the Jelastic set of tools. If you have, or have had, such an experience, please let us know in the comment section below.
