I have a Java/JEE Web App running on Apache Tomcat 7.x. Let's say it's running on this URL:

http://app.example.com:9080/app

I wish to control access to this app via a WebSEAL server (TAM for eBusiness 6.0). So, I created a transparent-path junction /app to access the application.

So, now I can access it via the WebSEAL URL, like so:

https://secure.example.com/app

I also created an ACL that acts as a pass-through and allows anyone to access the app using the above WebSEAL URL. Authentication is controlled directly by the app. So, I do not need TAM to authenticate the user.

My question is, how do I prevent a user from accessing the app through this URL directly: http://app.example.com:9080/app?

I want to know if I can use some sort of identification that tells me whether the request is coming from a WebSEAL server or directly to the app URL.

I have tried to enable these options on the WebSEAL Junction:

Under Client Identity Headers

User Name (Short)
User Name (Full DN)
User Groups List
User Credential

General Options

Insert client IP header
Insert WebSEAL cookies
Preserve names of cookies
Add cookie path to cookie names

These options do not add any HTTP headers unless the user is authenticated by TAM, which is not an option for me. If they could, I could create a WebFilter that reads this header in the Java app and rejects the request if the header was missing. But no luck with that.

Any suggestions?

anacron

1 Answer

This question does not necessarily have to be responded to from the WebSEAL scope.

  1. If you only want to deny connections from other servers, in your firewall you can allow requests only from the IP/DNS of your WebSEAL server. Or you can do it from Tomcat, see:

    Tomcat Restrict access by IP address

  2. If you want to verify in your application the origin of the request, you can look for the iv-cred or iv-user HTTP header. This is not 100% effective; maybe someone can put the header in artificially. One good idea is to add some particular element in iv-cred mixed with a time-stamp, to verify in your application the origin and the time of the request. See:

    https://www.ibm.com/developerworks/tivoli/tutorials/tz-tamauthapi/

Mauro
  • Thanks for taking the time and providing an answer. I was able to get it to work a few days back. I have been meaning to post an answer here about what I did, but did not get a chance to do so. I will do it as soon as possible. Thank you. – anacron Feb 14 '17 at 06:23
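The following servlet filter is an added example, not code from the question, the answer, or IBM/WebSEAL; it illustrates the WebFilter idea from the question together with both suggestions in the answer. It assumes the junction's traffic arrives from a known WebSEAL address (`192.0.2.10` is a constructed placeholder) and that something on the WebSEAL side (for example a component built with the TAM authorization API the answer links to) adds a hypothetical `X-Origin-Token` header of the form `<unix-seconds>:<hex-hmac>` computed over the timestamp with a shared secret. The header name, the token format, the secret and the address are all assumptions; WebSEAL does not produce such a token on its own. The transport-level check uses the socket peer address, never a forwarded-for header, because any header can be supplied by a client that reaches Tomcat directly.

```java
package com.example.websealfilter; // hypothetical package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Rejects requests that did not arrive through the WebSEAL junction (Servlet 3.0, Tomcat 7). */
@WebFilter("/*")
public class WebSealOnlyFilter implements Filter {

    // Constructed allow-list: the address(es) the WebSEAL junction connects from (assumption).
    private static final Set<String> WEBSEAL_ADDRS =
            new HashSet<String>(Arrays.asList("192.0.2.10"));

    // Hypothetical header added on the WebSEAL side, value "<unix-seconds>:<hex-hmac-sha256>".
    static final String ORIGIN_HEADER = "X-Origin-Token";
    // Reject tokens older or newer than this, so a captured header cannot be replayed indefinitely.
    static final long MAX_SKEW_SECONDS = 300;
    // Placeholder only; load the real secret from configuration, never from source.
    private static final byte[] SHARED_SECRET =
            "REPLACE-WITH-REAL-SECRET".getBytes(StandardCharsets.UTF_8);

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        long now = System.currentTimeMillis() / 1000L;
        // getRemoteAddr() is the TCP peer; X-Forwarded-For is deliberately ignored (spoofable).
        if (!fromWebSeal(http.getRemoteAddr(), http.getHeader(ORIGIN_HEADER), now)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Check 1: peer address on the allow-list. Check 2: fresh, correctly signed origin token. */
    static boolean fromWebSeal(String remoteAddr, String token, long nowSeconds) {
        if (remoteAddr == null || !WEBSEAL_ADDRS.contains(remoteAddr)) return false;
        if (token == null) return false;
        int sep = token.indexOf(':');
        if (sep <= 0 || sep == token.length() - 1) return false;
        String tsPart = token.substring(0, sep);
        long ts;
        try {
            ts = Long.parseLong(tsPart);
        } catch (NumberFormatException e) {
            return false;
        }
        if (Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) return false;
        byte[] expected = hmacHex(tsPart).getBytes(StandardCharsets.US_ASCII);
        byte[] presented = token.substring(sep + 1).toLowerCase().getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison so the check does not leak how many hex digits matched.
        return MessageDigest.isEqual(expected, presented);
    }

    /** HMAC-SHA256 over the timestamp string, lower-case hex encoded. */
    static String hmacHex(String data) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(SHARED_SECRET, "HmacSHA256"));
            byte[] out = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder(out.length * 2);
            for (byte b : out) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 unavailable", e);
        }
    }
}
```

If only the first suggestion in the answer (origin by address) is wanted, Tomcat can enforce it without application code: `org.apache.catalina.valves.RemoteAddrValve` with its `allow` attribute set to a regular expression matching the WebSEAL address, placed in the application's context definition. Either way the address check only helps if clients cannot reach port 9080 from anywhere except the WebSEAL host, so a host or network firewall rule remains the primary control; the signed header adds a second factor that survives a misconfigured firewall and, because of the timestamp window, limits how long a captured header stays usable.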