
How to prevent access to a back-end application that is protected by a TAM WebSEAL?

I have a Java/JEE Web App running on Apache Tomcat 7.x. Let's say it's running on this URL:

http://app.example.com:9080/app

I wish to control access to this app via a WebSEAL server (TAM for eBusiness 6.0). So, I created a transparent-path junction /app to access the application.

So, now I can access it via the WebSEAL URL, like so:

https://secure.example.com/app

I also created an ACL that acts as a pass-through and allows anyone to access the app using the above WebSEAL URL. Authentication is controlled directly by the app. So, I do not need TAM to authenticate the user.

My question is, how do I prevent a user from accessing the app through this URL directly: http://app.example.com:9080/app ?

I want to know if I can use some sort of identification that tells me whether the request is coming from a WebSEAL server or directly to the app URL.

I have tried to enable these options on the WebSEAL Junction:

Under Client Identity Headers

User Name (Short)
User Name (Full DN)
User Groups List
User Credential

General Options

Insert client IP header
Insert WebSEAL cookies
Preserve names of cookies
Add cookie path to cookie names

These options do not add any HTTP headers unless the user is authenticated by TAM, which is not an option for me. If they could, I could create a WebFilter that reads this header in the Java app and rejects the request if the header is missing. But no luck with that.

Any suggestions?

This question does not necessarily have to be answered from the WebSEAL scope.

  1. If you only want to deny connections from other servers, in your firewall you can allow requests only from the IP/DNS of your WebSEAL server. Or you can do it from Tomcat, see:

    Tomcat Restrict access by IP address

  2. If you want to verify in your application the origin of the request, you can look for the iv-cred or iv-user HTTP header. This is not 100% effective; maybe someone can put the header in artificially. One good idea is to add some particular element in iv-cred mixed with a time-stamp, to verify in your application the origin and the time of the request. See:

    https://www.ibm.com/developerworks/tivoli/tutorials/tz-tamauthapi/
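The two suggestions in the answer above, written out as the servlet Filter the question mentions. This is an added example, not code from the question, the answer, or IBM; the package and class names, and the WebSEAL source address 10.0.0.5, are assumptions. The address check is the real control, because the TCP peer address returned by getRemoteAddr() cannot be forged by a client the way a header can; the identity-header check is only a secondary sanity check, and with the pass-through ACL described in the question it has to stay disabled, since WebSEAL only inserts iv-user/iv-creds for users it has authenticated.

```java
package com.example.app.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: rejects any request that did not arrive through the WebSEAL
 * reverse proxy (Servlet 3.0, as shipped with Tomcat 7).
 *
 * Server-side equivalent of the address check, in Tomcat 7's context.xml
 * (the "allow" attribute is a java.util.regex pattern in Tomcat 7):
 *   <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="10\.0\.0\.5" />
 */
@WebFilter(urlPatterns = "/*")
public class WebSealOnlyFilter implements Filter {

    // Assumption: WebSEAL opens its junction connections to Tomcat from this
    // address. Replace with the real junction source address(es).
    static final Set<String> WEBSEAL_ADDRESSES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("10.0.0.5")));

    // Headers WebSEAL inserts when the junction's identity-header options are on.
    static final String[] IDENTITY_HEADERS = { "iv-user", "iv-user-l", "iv-groups", "iv-creds" };

    // Only set to true if every request through the junction carries an identity
    // header, i.e. the WebSEAL ACL forces authentication. With the pass-through
    // ACL from the question this must stay false or every request is rejected.
    static final boolean REQUIRE_IDENTITY_HEADER = false;

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isFromWebSeal(request.getRemoteAddr(), hasIdentityHeader(request))) {
            // Plain 403: a redirect to the WebSEAL URL would only advertise the
            // front door to whoever is probing port 9080 directly.
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Decision logic kept free of the servlet API so it can be unit-tested. */
    static boolean isFromWebSeal(String remoteAddr, boolean identityHeaderPresent) {
        if (remoteAddr == null || !WEBSEAL_ADDRESSES.contains(remoteAddr)) {
            return false;   // direct hit on :9080, or some proxy other than WebSEAL
        }
        return !REQUIRE_IDENTITY_HEADER || identityHeaderPresent;
    }

    static boolean hasIdentityHeader(HttpServletRequest request) {
        for (String name : IDENTITY_HEADERS) {
            if (request.getHeader(name) != null) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() { }
}
```

Two caveats when deploying this. If Tomcat's RemoteIpValve is enabled, getRemoteAddr() returns the address taken from X-Forwarded-For rather than the TCP peer, which a direct client can set freely, so the valve must be off (or restricted to the WebSEAL address) for the check to mean anything. And the filter only narrows who can talk to the app; it is still worth pairing it with the firewall rule from point 1, or binding the Tomcat connector to an interface that only WebSEAL can reach, so that a future misconfiguration of the filter does not silently reopen port 9080.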
