users@glassfish.java.net

RE: Is it possible to bind a web-app inside an EAR to a specific http port or virtualserver?

From: Martin Gainty <mgainty_at_hotmail.com>
Date: Mon, 21 Oct 2013 08:11:56 -0400

  




From: Tom.Dunstan_at_epa.sa.gov.au
To: users_at_glassfish.java.net
Date: Mon, 21 Oct 2013 10:45:49 +1030
Subject: RE: Is it possible to bind a web-app inside an EAR to a specific http port or virtualserver?




Hi Martin! Thanks for your reply. Please see responses below:



From: Martin Gainty [mailto:mgainty_at_hotmail.com]



> if virtual-server is the way you want to approach
> we will need to have at least one Listener we have one IP:port for each Listener
> (or At least one Listener with a default virtual-server)
>
> with virtual-server we would need to add
> 1)
> allowRemoteAddress for the SOAPServer
 
According to https://glassfish.java.net/docs/4.0/reference-manual.pdf, allowRemoteAddress controls allowed IP addresses for connecting clients. I don't understand how that is related to this situation. Could you please explain?
 
MG>when I worked at the bank the entire system was secure, meaning that deny=all except for specific IPs gated by Proxy approved by allowRemoteAcces
MG>I read somewhere in your email that your clients are trying to access a 'secure service'
MG>I also read somewhere in your email that the mainApp and SoapApp *could be* hosted on different servers
MG>allowRemoteAddress "opens the gates" for any/all clients to contact that secure service
MG>if this is NOT the case then you won't have to specify allowRemoteAddress
 
> 2)a Redirect property
> http://docs.oracle.com/cd/E19776-01/820-4507/abhfg/index.html
  
That link times out for me, but I don't understand what redirects have to do with my situation. Are you saying that I'll have both apps accessible on both ports
MG>yes
and then manually issue redirects if someone tries to access the UI webapp on the "wrong" port?
MG>Negative
MG>you are accessing a service on a different port
MG>you have 2 options to make the request to a different port
MG>continue the session and forward what you have to the new IP:port
MG>create a new session send the request back down to the Browser and have your client create a new session to the different port with redirect
MG>
 
> 3)possible custom authRealm defined in web.xml
> authRealm..I don't know these params for your particular SOAPServer config
 
I have a custom authRealm config - once again not sure what this has to do with restricting the web-app to only be accessible on one port.
MG>you need to apprise your container what your security requirements are
MG>if you don't then your request will be 401'ed

> Here is the doc for
> "redirect to a Different Host"
> (snip)
  
What do redirects have to do with this? We have a web app accessible on the internal private network for staff, and it is currently available on port 8080 (with an apache reverse proxy in front). We are adding a new web-app which contains some SOAP services which will be accessed by another system which lives in a DMZ.
MG>since there are probably a myriad of servers you have between the service you are accessing and your client you are better off getting the network
MG>admin to handle this port blocking issue so that he can set up the Port forwarding
 
We would like to open up a specific port for that client system to make the soap calls on, but only allow it to access the web services but not the main application.
MG>you can do this with redirect because redirect sends the request down to the Browser where the Browser client
MG>issues a new HTTP request to the new IP:PORT (without a-priori knowledge of past request(s))
 
Internal browser-based web clients will continue to connect to the main web app on the default http listener port. The SOAP client will be configured to connect to the specific port that we give it. Where does the redirect come in?
MG>2 different webapps..mainApp and SoapAPP..there are 2 different scenarios for accessing each webapp
MG>I am providing you a way for the request sent to the main-app (once the main-app is satisfied) to then redirect to SOAPApp
 

> Does this answer your question?
 
No :). I still don't know how to make sure that our main web-app is not accessible on the second port. At this stage I'm wondering if we should just proxy the SOAP requests through apache as well and implement the logic there. I'm just surprised that this doesn't seem to be possible in Glassfish - I would have thought that making a particular web-app available on a particular port would be a bit of a no-brainer - is this scenario really that uncommon?
 
MG>that's a possibility
MG>but then you would have to route ALL HTTP requests to the proxy to do port-forwarding to either mainApp or SoapApp
 
Thanks
 
Tom