6.2 Protecting Web Resources

Because you can define multiple protected resources for each Web application, you can protect some URLs with one policy and other URLs with a different policy. For example, you might have some pages in the application that you want all employees to access, and some pages that you want only managers to access. For this application, you would create two protected resources, one for all employees and one for managers. You would then assign a policy to each protected resource. The following sections explain this process:

6.2.1 Creating a Protected Resource for a Web Application

  1. In the Administration Console, click Devices > J2EE Agents > Edit > Manage authorization policies.

  2. Click New and supply the following information:

    Module File Name: The filename of the application. Specify the name of the file you are protecting, including the file extension (.war for a Web application).

    Type: The type of the application. Select Web Module for a Web application.

  3. Click OK.

  4. To add a protected resource to the list, click New, specify a display name for the resource, then click OK.

    If possible, this name should indicate the URLs that you are going to configure for this resource.

    [Figure: Configuring a protected Web resource]

  5. Fill in the following fields:

    Description: (Optional). A text box where you can specify a description of the protected resource. You can also use the field to briefly describe the purpose of protecting this resource.

    SSL Required: If this option is selected, the J2EE Agent sets up an SSL connection between the client and the application.

    IMPORTANT: If the Web pages that you are now protecting with SSL have been publicly available over HTTP, they remain publicly available over HTTP until you either restart the Web server or reinstall the application. If this is a new application, reinstalling the application might be less disruptive to your network environment than restarting the Web server.

    For the JBoss Agent, selecting the SSL Required option is only part of the process. On JBoss, you must also either disable the HTTP port and enable the SSL port or configure SSL in the web.xml file.

  6. In the URL Path List, configure the paths that this resource protects. To add a path, click New, specify the path, then click OK.

    For example, to allow access to all the pages in the public directory on the Web server, specify the following path:

    /public/*
    

    To allow access to everything on the Web server, specify the following path:

    /*
    

    To use this protected resource to protect a single page, specify the path and the filename. For example, to protect the login.html page in the /login directory, specify the following:

    /login/login.html
    
  7. Click Configuration Panel > OK.

  8. On the Configuration page, click OK, then click Update > OK.

  9. Continue with Section 6.2.2, Assigning a Web Authorization Policy to the Resource.

    Until you have assigned an Authorization policy to the resource, which restricts access to this resource, all authenticated users have access to the resource.
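
The JBoss note in Step 5 mentions configuring SSL in the web.xml file. The following fragment is an added example, not taken from the product documentation, that shows the standard servlet transport guarantee with the weak setting beside the corrected one. The URL patterns reuse the sample paths from Step 6, and the resource names are hypothetical.

```xml
<!-- Added example: elements to merge into the existing <web-app> element of
     WEB-INF/web.xml in the protected .war file. The url-pattern values are the
     sample paths from step 6; the web-resource-name values are hypothetical. -->

<!-- Weak setting: NONE (or no user-data-constraint at all) means the
     container accepts plain HTTP for these URLs. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>public-pages</web-resource-name>
    <url-pattern>/public/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Corrected setting: CONFIDENTIAL makes the container require SSL for the
     matching URL. This constraint has no auth-constraint, so it governs
     transport only and does not restrict who can access the page. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>login-page</web-resource-name>
    <url-pattern>/login/login.html</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After redeploying the application, request the protected page over HTTP and confirm that it is no longer served in clear text.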

6.2.2 Assigning a Web Authorization Policy to the Resource

The following instructions assume that you have already created your Authorization policy for the Web resource. For general information about Authorization policies, and for information about creating a Web Authorization policy, .

To assign an Authorization policy:

  1. In the Administration Console, click Devices > J2EE Agents > Edit > Manage authorization policies > [Name of Web Module] > [Name of Protected Resource] > Authorization Policy.

  2. To enable a policy, select a policy in the list, then click Enable.

    If no policies appear in the list, you haven’t created any. Click Manage Policies. For configuration information, .

  3. Click Configuration Panel > OK.

  4. On the Configuration page, click OK, then click Update > OK.