					                    LivCos 0.4: Secure Setup                        1/4




LivCos 0.4

Secure Setup




             /livcos.org/LivCos/data/deploy/SecureSetup.pdf   2011-08-19


Table of Contents
  1 Introduction
  2 Access Control
  3 Communication
  4 Tomcat Setup
  4.1 HTTPS Connector
  4.2 User Realm and Security Roles
  4.3 Securing the Web Application
  5 Apache Web Server
  5.1 SSL Module
  5.2 Authenticate
  5.3 AJP Connector
  5.4 Proxy Module








1 Introduction
  This document explains simple LivCos setups, providing all-or-nothing access for the users.


2 Access Control
  Access control is handled by the Web server, so certain URLs can be blocked from public access
  while others are left open.
  Access to the LivCos Web application should be either blocked or opened completely. Since a user
  can modify the data within the Cosmos via various URLs, it is difficult to limit access to only
  certain objects (URLs). Also, AJAX calls cannot handle "access denied" responses yet, so most of
  the edit actions will not function properly.


3 Communication
  To secure the authentication data and the protected content from the Cosmos, we need a secure
  communication channel between the client and the LivCos server.
  Currently the only way for the client to access the LivCos system is through the Web server,
  so the communication can be secured with the HTTPS protocol.


4 Tomcat Setup
  This setup uses the Apache Tomcat server to serve the LivCos Web user interface directly.


4.1 HTTPS Connector
  See the SSL Configuration Guide to learn how to generate an SSL Certificate and set up the
  HTTPS connector for Tomcat 6.
  Consult the J2EE Tutorial to force a secure connection for certain URLs.


4.2 User Realm and Security Roles
  Let the Tomcat server know all the valid users and their roles. The server accesses your
  user "database" through a user realm implementation (see the MemoryRealm as an example).
  You also need to specify the security roles in the Web Application deployment descriptor
  (web.xml).
  The specified security roles should match the user roles provided by the realm.


4.3 Securing the Web Application
  With the deployment descriptor file (web.xml) you can set security constraints on certain URLs
  (see "Specifying Security Constraints" in the J2EE Tutorial).
  Choose how the user has to authenticate (log in) to the server (see "Specifying an
  Authentication Mechanism" in the J2EE Tutorial).
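
  The descriptor settings from sections 4.2 and 4.3, together with a small checker for the
  all-or-nothing model of section 2. This is an added example, not part of the LivCos
  documentation: the XML is a constructed sample, and the role name livcos-user, the realm name
  LivCos, the choice of BASIC authentication and the function audit_web_xml are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one constraint over the whole application (all-or-nothing).
# The role name "livcos-user" and the realm name "LivCos" are assumptions.
HARDENED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LivCos</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>livcos-user</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>LivCos</realm-name></login-config>
  <security-role><role-name>livcos-user</role-name></security-role>
</web-app>"""
# Constructed weak variant: only GET is constrained and HTTPS is not enforced.
WEAK = (HARDENED.replace("CONFIDENTIAL", "NONE")
        .replace("</url-pattern>", "</url-pattern><http-method>GET</http-method>"))

def _all(el, name):
    # Match on the local tag name so namespaced and plain descriptors both work.
    return [e for e in el.iter() if e.tag.split("}")[-1] == name]

def _texts(el, name):
    return [(e.text or "").strip() for e in _all(el, name)]

def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []
    declared = {r for sr in _all(root, "security-role") for r in _texts(sr, "role-name")}
    whole_app = [c for c in _all(root, "security-constraint")
                 if "/*" in _texts(c, "url-pattern")]
    if not whole_app:
        findings.append("no security-constraint covers /*")
    for c in whole_app:
        auth = _all(c, "auth-constraint")
        if not auth:
            findings.append("/* has no auth-constraint: no login required")
        if _texts(c, "http-method"):
            findings.append("/* lists http-method: unlisted methods are unconstrained")
        if "CONFIDENTIAL" not in _texts(c, "transport-guarantee"):
            findings.append("/* does not require CONFIDENTIAL transport")
        roles = {r for a in auth for r in _texts(a, "role-name")}
        findings += [f"role {r} is not declared" for r in sorted(roles - declared - {"*"})]
    if not _all(root, "login-config"):
        findings.append("no login-config element")
    return findings
```

  audit_web_xml(HARDENED) returns an empty list; audit_web_xml(WEAK) reports the http-method
  restriction and the missing CONFIDENTIAL transport guarantee.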


5 Apache Web Server
  In this setup the Apache Web Server acts as a facade to the client. The Web application runtime
  for LivCos Web (Tomcat, Jetty, ...) is not directly accessible.


5.1 SSL Module
  Enable the mod_ssl module for the Apache httpd server. You also need to create and configure an
  SSL Certificate.


5.2 Authenticate
  Set up users and authentication for the URLs used to access LivCos.






5.3 AJP Connector
  Configure the AJP (Apache JServ Protocol) Connector in the Tomcat server running LivCos.
  For security reasons, configure the AJP connector to accept only connections
  from the Apache server. For example, if the Apache server runs on the same host, use
    <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" address="127.0.0.1" />
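
  A check for the connector restriction described above and for the facade requirement of
  section 5, assuming the Apache server runs on the same host as Tomcat. This is an added
  example, not part of the LivCos documentation: the server.xml fragments are constructed, and
  the HTTP connector on port 8080 and the names is_loopback and audit_connectors are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed server.xml fragments. The AJP line in SAME_HOST is the page's example;
# the HTTP connector on port 8080 in EXPOSED is an assumption.
SAME_HOST = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" address="127.0.0.1" />
</Service></Server>"""
EXPOSED = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" />
</Service></Server>"""

def is_loopback(address):
    """True only for an explicit loopback bind address."""
    if not address:
        return False  # no address attribute: connector is not pinned to loopback
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return address.lower() == "localhost"  # host names are not resolved here

def audit_connectors(server_xml):
    """Return findings for connectors that other hosts may be able to reach."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if is_loopback(conn.get("address")):
            continue
        port = conn.get("port", "?")
        if "ajp" in conn.get("protocol", "HTTP/1.1").lower():
            msg = f"AJP connector on port {port} is not bound to loopback"
            # With tomcatAuthentication="false" Tomcat accepts the user
            # identity passed on by the front-end server.
            if conn.get("tomcatAuthentication", "true").lower() == "false":
                msg += "; it trusts the user name sent by the front end"
            findings.append(msg)
        else:
            findings.append(f"HTTP connector on port {port} bypasses the Apache facade")
    return findings

if __name__ == "__main__":
    for name, xml_text in (("same host", SAME_HOST), ("exposed", EXPOSED)):
        print(name, audit_connectors(xml_text))
```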


5.4 Proxy Module
  Let the LivCos Web instance running on the Tomcat server handle the requests received by the
  Apache Web Server. We used the mod_proxy and mod_proxy_ajp modules for the Apache Web Server.



