Application Server Solutions for Microsoft IIS and ASP.NET
JTurbo Self-Help: FAQ

Faq ID 114
Product ServletExec
Category Admin Username and Password, Administration, Security
Question How can I restrict access to the main ServletExec Admin UI?
Answer With SE 5.x & newer:
  • The admin UI is deployed as a standard web application (WEB-INF folder, web.xml file). Therefore the available options for restricting access to it include all the declarative security features mandated by the Java Servlet specification. These currently include Form-based authentication (which is the default for that webapp), BASIC authentication, and Client-Cert (SSL) authentication. See the SE User Guide and the Java Servlet Spec for more information about Declarative Security in webapps.
  • Each page in the SE admin UI (and a webapp's admin UI) uses a unique URL, so you can restrict access to certain admin pages while leaving other pages less restricted, or totally unrestricted, all without having to write any code (i.e. declaratively).
  • By default the servletexec webapp defines a Security Constraint named "EntireApplication" which is configured to use Form-based authentication, and to which the following prefix alias patterns are mapped:
    "/admin/*" "/webadmin/*"
    But you could modify that security constraint, and/or map different aliases to it. Or you could use the admin UI to add another security constraint, just as you could do for any webapp.
  • You could also write your own custom authentication filter and deploy it into the servletexec Admin UI webapp, mapping various URL patterns to it. The exampleWebApp that comes with SE shows how a request filter can be used to do BASIC authentication. If all you want is BASIC auth, just configure the existing Auth Constraint in the servletexec webapp to use BASIC instead of Form-based auth. The filter example in exampleWebApp is nevertheless a good place to learn how to write your own filter, which could do its own custom authentication however you want it to (e.g. look up usernames and passwords in your database).
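
The declarative options above, sketched as a web.xml fragment. This is an added example, not the web.xml that ships with ServletExec: the role names, the realm name and the single-page path are hypothetical placeholders, and placing "EntireApplication" in the display-name and web-resource-name elements is an assumption. Only the two URL patterns and the FORM/BASIC choice come from the answer above.

```xml
<!-- Added example: fragment of WEB-INF/web.xml using standard Servlet-spec elements. -->
<!-- Constraint 1: both admin prefixes require an authenticated user in a role. -->
<security-constraint>
  <display-name>EntireApplication</display-name>
  <web-resource-collection>
    <web-resource-name>EntireApplication</web-resource-name>
    <url-pattern>/admin/*</url-pattern>
    <url-pattern>/webadmin/*</url-pattern>
    <!-- No http-method elements, so every HTTP method is covered. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>se-admin</role-name> <!-- hypothetical role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- BASIC sends the password base64-encoded, not encrypted, so force HTTPS.
         Only usable if the web server in front actually supports SSL. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Constraint 2: one admin page locked down further. An exact-match pattern is
     the best match for that URL, so this constraint governs it instead of
     the prefix patterns above. The path is a placeholder, not a real SE page. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SensitiveAdminPage</web-resource-name>
    <url-pattern>/admin/PLACEHOLDER-PAGE</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>se-superadmin</role-name> <!-- hypothetical role name -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- One login-config per webapp: this is where FORM (the default for the
     admin webapp) is switched to BASIC or CLIENT-CERT. -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>ServletExec Admin (example realm)</realm-name>
</login-config>

<!-- Every role named in an auth-constraint is declared here; assigning users
     to roles is done in the container's own configuration, not in web.xml. -->
<security-role><role-name>se-admin</role-name></security-role>
<security-role><role-name>se-superadmin</role-name></security-role>
```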


With SE 4.x or older:
  • Your options include:
    1. setting a username & password
    2. restricting which client IP addresses will be allowed
    3. requiring that SSL (https) be used
    4. any combination of the 3 options given above
    Note: Don't require SSL unless your webserver actually supports SSL
  • Restrictions on accessing the main ServletExec Admin UI can only be set if ServletExec 4.x or older has been registered with a license key. Once this has been done, simply access:
    http://<host-name>/servlet/admin
    And then go to the page where you entered your license key (the "license & security" page) of the main ServletExec Admin UI. There you will see text areas and radio buttons where you can:
    enter a username (and possibly a password), edit the allowed IPs field, or choose to require SSL.
    Note: With ServletExec ISAPI, there will not be a password field. In this case, the username you enter must be that of a valid Windows user on the machine on which SE ISAPI is running. The password used will be the password that is associated with that Windows user.



   