At the moment we use ldap to secure our services but our business requirements have us looking for a more robust alternative.
I have tomcat on a redhat server that is currently running the web adaptor
Such as both ldap and container managed security? Or..?
May I ask whether you have just looked into applying security constraints in Tomcat to the URLs you want to secure? The security constraint would look up users/passwords in whichever realm you configure.
I would also suggest that if you are going to use container managed security or any security that requires a user to login, enable SSL in your container. It's easy to do with a self-signed certificate, or you can buy one. I don't know your intended setup though.. is this internal only?
Where are you going to deploy arcgis.war?
How does Spring Security restrict access to http://yourserver/arcgis/rest/services?
I know you said you were using maven overlay, but won't that only apply to your SpringSecurityProjectName web app?
Step #6 of that link you posted says follow your Java application server to deploy the arcgis.war. When you do that, the /arcgis path is open to everyone. Right?
<intercept-url pattern="/arcgis/**" access="hasRole('ROLE_ADMIN')"/>
I see.
I haven't used Spring for anything yet. It looks like it gives you a custom springSecurityFilterChain Filter to secure the URLs.
What happens to http://yourserver/arcgis if your SpringSecurityProjectName web app crashes?
It seems like all this does is move the security configuration from the web container to the Spring Framework?
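For comparison with the Spring intercept-url rule quoted in the thread, here is what the container-managed alternative suggested earlier could look like in Tomcat. This is an added example, not configuration posted by anyone in the thread. It assumes the constraint is placed in the web.xml of the web app that serves /arcgis, that BASIC authentication is acceptable to clients, and that the LDAP host, base DNs and group attribute shown are placeholders for your own directory.

```xml
<!-- WEB-INF/web.xml of the web app deployed at /arcgis (assumed location) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>ArcGIS REST services</web-resource-name>
    <!-- Relative to the /arcgis context path: covers /arcgis/rest/services and below -->
    <url-pattern>/rest/services/*</url-pattern>
    <!-- No <http-method> elements, so the constraint applies to every HTTP method -->
  </web-resource-collection>
  <auth-constraint>
    <!-- Same role name as the Spring rule in the thread -->
    <role-name>ROLE_ADMIN</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Requires TLS; Tomcat redirects plain HTTP to the connector's redirectPort -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- BASIC sends credentials on every request, hence CONFIDENTIAL above -->
  <auth-method>BASIC</auth-method>
  <realm-name>ArcGIS services</realm-name>
</login-config>

<security-role>
  <role-name>ROLE_ADMIN</role-name>
</security-role>

<!-- conf/server.xml, nested inside <Engine> or <Host>.
     Points the container at the existing LDAP directory; all values are placeholders. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldaps://ldap.example.internal:636"
       userPattern="uid={0},ou=people,dc=example,dc=internal"
       roleBase="ou=groups,dc=example,dc=internal"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />
```

Because the constraint lives in the same web app that serves /arcgis, the container enforces it whether or not any other web app on the server is running.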