Introduction

This document explains simple LivCos setups, providing all-or-nothing access for the users.

Access Control

Access control is handled by the Web server. So certain URLs can be blocked to public access, others can be opened.

Access to the LivCos Web application should be blocked or opened completely. Since a user can modify the data within the Cosmos via various URLs, it is difficult to limit access only to certain objects (URLs). Also AJAX calls cannot handle "access denied" responses yet, so most of the edit actions will not function properly.

Communication

To secure the authentification data and the protected content from the Cosmos, we need to have a secure communication channel between the client and the LivCos server.

Currently the only way needed for the client to access the LivCos system is over the Web server. So the communication can be secured with the HTTPS protocol.

Tomcat Setup

This setup uses the Apache Tomcat server to directly serv the LivCos Web user interface.

HTTPS Connector

See the SSL Configuration Guide and learn how to generate an SSL Certificate and setup the HTTPS connector for Tomcat 6.

Consult the J2EE Tutorial to force a secure connection for certain URLs.

User Realm and Security Roles

Let the Tomcat server know all the valid users and their roles. The server wants to access your user "database" with a user realm implementation (see the MemoryRealm as an example).

You also need to specify the security roles in the Web Application deployment descriptor (web.xml).

The specified security roles should match the user roles, provided by the realm.

Securing the Web Application

With the deployment descriptor file (web.xml) you can set security constraints on certain URLs (see "Specifying Security Constraints" in the J2EE Tutorial).

Choose the way the user needs to authenticate himself (login) to the server (see "Specifying an Authentication Mechanism" in the J2EE Tutorial).

Apache Web Server

In this setup the Apache Web Server acts as a facade to the client. The Web application runtime for LivCos Web (Tomcat, Jetty,...) is not accessible directly.

SSL Module

Enable the mod_ssl module for the Apache httpd server. You also need to create and configure an SSL Certificate.

Authenticate

Setup users and authentication for the URLs to access LivCos.

AJP Connector

Configure the AJP (Apache JServ Protocol) Connector in the Tomcat server, running LivCos.

For security reasons configure the AJP connector to accept only connections from the Apache server. For example use <Connector port="8009" protocol="AJP/1.3" tomcatAuthentication="false" address="127.0.0.1" />, if the Apache server runs on the same host.

Proxy Module

Handle Apache Web Server requests with the LivCos Web instance, running on the Tomcat server. We used the mod_proxy and the mod_proxy_ajp module for the Apache Web Server.