[jboss-user] [JBoss Seam] - Re: Multiple Domain Question

fhh do-not-reply at jboss.com
Mon Apr 9 06:37:17 EDT 2007


anonymous wrote : 
  | I generally agree with what you're saying, this is a touch pedantic, but... Technically if you support multiple apps on multiple hostnames, that's exactly what you're doing. You're using the security in the appserver as opposed to rolling your own, but it's otherwise exactly the same. After all, your JBoss server is serving both pages, and acting differently based entirely on the URL.
  | 

That depends on your setup. If you used name-based virtual hosts you are right. If you use address-based virtual hosting then you are not. If you want to use the virtual hosting as a security feature you would obviously use the latter and add appropriate firewall rules.

anonymous wrote : 
  | I would not recommend, as the previous poster mentioned, sending a 404 error to someone using the correct administrative URL who was not logged in (or not logged in as an admin). That does break consistency, doesn't follow the definition of a 404, and eliminates the opportunity to ask them to re-authenticate themselves. In my case, no-one will ever be able to access the page through the stated URL.
  | 

If everything is configured correctly, he will not be able to. But you will make a mistake more easily: While testing you get a 404 instead of a page that is completely unsecure, so it looks safe to you while it is not. When it comes to security my philosophy is that simpler is safer.

Regards

Felix
