This document covers the following topics:
The Natural Web I/O Interface client comes as a Java EE-based application. For the ease of installation, the access to this application is by default not secured. You might, however, wish to restrict the access to certain parts of the application to certain users. An important example is the configuration tool , which enables you to modify the Natural session definitions and the logging configuration of the Natural Web I/O Interface client . Another example is the Natural logon page.
This section does not cover the concepts of JAAS-based security in full extent. It provides, however, sufficient information to activate the preconfigured security settings of the Natural Web I/O Interface client and to adapt them to your requirements.
Security is configured in the file web.xml . This file is located in the following directory:
<tomcat-install-dir> /webapps/natuniweb/WEB-INF
Great care must be taken when editing and changing the configuration file web.xml . After a change, the application server must be restarted.
Edit the file web.xml and look for the section that is commented with "Uncomment the next lines to add security constraints and roles." . Uncomment this section by removing the comment marks shown in boldface below:
<!-- Uncomment the next lines to add security constraints and roles. --> <!-- <security-constraint> <web-resource-collection> <web-resource-name>Configuration Tool</web-resource-name> <url-pattern>/conf_index.jsp</url-pattern> <url-pattern>/faces/*</url-pattern> </web-resource-collection> ... <security-role> <description>Administrator</description> <role-name>nwoadmin</role-name> </security-role> -->
The security constraints defined by default are just examples. A
<security-constraint>
element contains of a number of
<web-resource-collection>
elements combined with an
<auth-constraint>
element. The
<auth-constraint>
element contains a
<role-name>
. The whole
<security-constraint>
element describes which roles
have access to the specified resources.
Example - the following definition specifies that only users in the role "nwoadmin" have access to the configuration tool:
<security-constraint> <web-resource-collection> <web-resource-name>Configuration Tool</web-resource-name> <url-pattern>/conf_index.jsp</url-pattern> <url-pattern>/faces/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>nwoadmin</role-name> </auth-constraint> </security-constraint>
In the following section, you will see where and how the roles are defined.
A few lines below in the file web.xml , there is a section
<security-role>
. Here, the roles that can be used in
<security-constraint>
elements are defined. You can
define additional roles as needed. The assignment of users to roles is done outside this
file and will often be done in a user management that is already established at your site.
Example:
<security-role> <description>Administrator</description> <role-name>nwoadmin</role-name> </security-role>
In the file web.xml , there is a section
<login-config>
. The only element that should possibly
be adapted here is <auth-method>
. You can choose between
the authentication methods "FORM" and
"BASIC" . Form-based authentication displays a specific page
on which users who try to access a restricted resource can authenticate themselves. Basic
authentication advises the web browser to retrieve the user credentials with its own
dialog box.
Example:
<login-config> <auth-method>FORM</auth-method> ... </login-config>
In the tomcat-users.xml file (which is located in the conf directory), specify the role "nwoadmin" for any desired user name and password. For example:
<user username="pepe" password="pepe123" roles="nwoadmin"/>
For detailed information on the necessary realm configuration for Tomcat, see http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#UserDatabaseRealm .