Application Integration (On-Premises) : Incorporating web applications : Incorporating Web Applications into Integration Server : About Securing the Web Application : Recommendations for Setting Up Security in a Deployment Descriptor File : Setting Up Web Application Authorization
Setting Up Web Application Authorization
Add a <security-constraint> section to the deployment descriptor to set up authorization of web applications. Security you set in the global deployment descriptor file applies to all web applications.
You can set security for all web applications by specifying security restraints in the global deployment descriptor file. You can override or augment the global security restraints for a particular web application by specifying different constraints in the deployment descriptor file for the package that is associated with the web application. The deployment descriptor file for a specific web application is located at Integration Server_directory \instances\instance_name\packages\PackageName\web\WEB-INF\web.xml.
Important:  
Protection of web applications is as crucial as protecting DSPs and Integration Server services. If your web application does not provide its own authentication and authorization, you should add a <security constraint> section to either the global deployment descriptor file or to the web.xml file of the package containing the web application.
Some web applications provide their own authentication and require anonymous access to the application. In these cases, omit the <security-constraint> section from both the global deployment descriptor file and from the application’s deployment descriptor file so that users are not prompted for a password. Omitting the <security-constraint> section entirely is not recommended except in these special circumstances. Ensure the other applications on your server are adequately protected and plan this approach carefully with your company’s security advisors.
To set up web application authorization
1. If you want to set up global security for all web applications, do the following:
Note:  
If you do not set up global security, skip step 1. However, be sure the web.xml files in each package contain their own <security-constraint> sections. Doing so prevents unauthorized access to the web applications contained within them.
a. Create a <security-constraint> section in the global deployment descriptor file ( Integration Server_directory \instances\instance_name\web\conf\web.xml).
b. Define the <security-constraint> section as follows:
Change this sub-element...
To reflect the...
<web-resource-name>
Name for the collection of URLs to which you are restricting access. Use this name to reflect the type of security you are applying to the URLs deployed in the web application (for example, Administrators or No Authentication).
<url-pattern>
Pattern, or path, of the URLs to be protected by the role you specify in <role-name>.
<role-name>
Name of a valid Integration Server ACL whose members can access the URLs specified in <url-pattern>.
If you plan to override or augment your global security settings for some web applications, be careful how you set up your URL patterns. If the global web.xml file specifies a “superset” URL pattern (for example, /*), a package’s web.xml file will not override this security constraint.
Examples:
*To protect all files in a web application by the same ACL, specify a URL pattern of /* and a role name that matches the ACL you want to use. In this example, all files in the web application are protected by the Administrators ACL:
<security-constraint>
<web-resource-collection>
<web-resource-name>All
Restricted</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
*To protect selected files in the web application, specify multiple <security-constraint> sections. You can use multiple URL patterns and multiple role names in the same <security-constraint> section:
<!-- Protect files in admin/* and private/* by Administrators ACL.-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Administrators</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<url-pattern>/private/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
<!--Protect files in internal/* by Developers/Administrators ACLs.-->
<security-constraint>
<web-resource-collection>
<web-resource-name>Internal</web-resource-name>
<url-pattern>/internal/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Developers</role-name>
<role-name>Administrators</role-name>
</auth-constraint>
</security-constraint>
<!-- For all other files, allow anyone to view -->
<!-- with no authentication -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
</security-constraint>
c. Save and close the web.xml file.
d. Reload the WmTomcat package.
2. If you want to set up security for a specific web application, do the following:
a. Create a <security-constraint> section in the deployment descriptor file for the web application ( Integration Server_directory \instances\instance_name\packages\PackageName\web\WEB-INF\web.xml).
b. Define the <security-constraint> section. For more information about the tags to use, refer to the previous step.
c. Save and close the web.xml file.
d. Reload the package.
e. Repeat step 2 for each web application for which you want to override or augment global security.
3. Test your web applications to ensure the authorization is set properly. For more information, see About Testing the Web Application. Because your browser might cache previous credentials, you might have to close your browser and reopen it to reflect the new security settings.
Copyright © 2015- 2016 Software AG, Darmstadt, Germany.
Product LogoContact Support   |   Community   |   Feedback