I wanted to set up a secure update center for a NetBeans Platform application Tetrad IT is working on. I also wanted to play with Amazon EC2…
As the update center is for Tetrad staff only, I wanted to do the simplest thing that would work, so I used the MemoryRealm to store user credentials in Tomcat. I also wanted to be able to update the user credentials by deploying the WAR and not have to mess about with the Tomcat configuration files.
For the impatient, the EC2-specific portion of the setup is here.
Tell your application it needs security
To tell your web application how to secure itself, you configure the web.xml.
The security-constraint section tells the application to allow only users with the role netbeans-application to access the updates folder. The login-config section indicates that basic authentication is to be used. security-role defines the role we’ll be using.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
    <session-config>
        <session-timeout>30</session-timeout>
    </session-config>
    <!-- Only users holding the netbeans-application role may access /updates/* -->
    <security-constraint>
        <display-name>UserConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>UserConstraint</web-resource-name>
            <description/>
            <url-pattern>/updates/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>netbeans-application</role-name>
        </auth-constraint>
    </security-constraint>
    <!-- Use HTTP basic authentication -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>file</realm-name>
    </login-config>
    <!-- Declare the role referenced by the constraint above -->
    <security-role>
        <description>NetBeans Platform application role</description>
        <role-name>netbeans-application</role-name>
    </security-role>
</web-app>
Who gets through security
Normally you would edit the tomcat-users.xml file in the Tomcat conf directory. Instead we’ll create a users.xml file in the web application WEB-INF directory. This file contains the credentials of the users who will be given access to the updates directory.
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/users.xml: same format as Tomcat's conf/tomcat-users.xml -->
<tomcat-users>
    <role rolename="netbeans-application"/>
    <user username="user1" password="password" roles="netbeans-application"/>
    <user username="user2" password="password" roles="netbeans-application"/>
    <user username="user3" password="password" roles="netbeans-application"/>
</tomcat-users>
Where to find the users
Your application is not looking for the user credential information in users.xml by default. To show your application where to find the user information create the file context.xml in the META-INF directory of your web application.
The important part to note is the pathname attribute. As far as I can tell it needs to be an absolute path, as all non-absolute paths are relative to the Tomcat directory. This particular path is specific to the Elastic Beanstalk default setup.
<?xml version="1.0" encoding="UTF-8"?>
<Context antiJARLocking="true" path="/EC2Example">
    <!-- pathname: absolute path to users.xml inside the deployed WAR
         (Elastic Beanstalk default layout) -->
    <Realm className="org.apache.catalina.realm.MemoryRealm"
           pathname="/opt/tomcat7/webapps/ROOT/WEB-INF/users.xml"/>
</Context>
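An added example, not part of the original post: a small Python check that cross-references the three files above before the WAR is deployed. The `audit` helper and its finding strings are hypothetical; beyond what the post covers, it also flags BASIC authentication with no `CONFIDENTIAL` transport guarantee, because BASIC sends the credentials base64-encoded on every request.

```python
import xml.etree.ElementTree as ET

# Constructed sample input, condensed from the three files shown on this page.
WEB = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><url-pattern>/updates/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>netbeans-application</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>file</realm-name></login-config>
  <security-role><role-name>netbeans-application</role-name></security-role>
</web-app>"""
USERS = """<tomcat-users>
  <role rolename="netbeans-application"/>
  <user username="user1" password="password" roles="netbeans-application"/>
</tomcat-users>"""
CTX = """<Context><Realm className="org.apache.catalina.realm.MemoryRealm"
  pathname="/opt/tomcat7/webapps/ROOT/WEB-INF/users.xml"/></Context>"""

def _named(root, name):
    """Descendants (and root) whose local tag name is `name`, ignoring namespaces."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(root, outer, inner="role-name"):
    """Stripped text of every <inner> found inside any <outer> element."""
    return {(i.text or "").strip() for o in _named(root, outer) for i in _named(o, inner)}

def audit(web_xml, users_xml, context_xml):
    """Hypothetical helper: list of findings for the WAR's three config files."""
    web, users, ctx = (ET.fromstring(x) for x in (web_xml, users_xml, context_xml))
    findings = []
    required = _texts(web, "auth-constraint")
    for role in sorted(required - _texts(web, "security-role")):
        findings.append(f"role '{role}' is required but has no <security-role>")
    granted = {r.strip() for u in _named(users, "user") for r in u.get("roles", "").split(",")}
    for role in sorted(required - granted):
        findings.append(f"no user in users.xml holds role '{role}'")
    # BASIC credentials are only base64-encoded, so the constraint should force TLS.
    basic = "BASIC" in _texts(web, "login-config", "auth-method")
    if basic and "CONFIDENTIAL" not in _texts(web, "security-constraint", "transport-guarantee"):
        findings.append("BASIC auth without CONFIDENTIAL transport-guarantee")
    for realm in _named(ctx, "Realm"):
        path = realm.get("pathname", "")
        if not path.startswith("/"):  # assumes a Linux host, as on Elastic Beanstalk
            findings.append(f"Realm pathname '{path}' is not absolute")
    return findings

if __name__ == "__main__":
    print(audit(WEB, USERS, CTX))
```

Run against the files as posted, it reports only the transport finding; a role name that differs between web.xml and users.xml, or a relative pathname, adds its own finding.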
Your web application structure should look something like this:
Pointing your NetBeans Platform application toward the secure update center should result in you being asked for a username and password: