Posted: 15 Mar 2019 9:20 EDT Last activity: 18 Mar 2019 11:21 EDT
Securing a custom JSP file in prweb.war
Our project would like to use a third-party JSP file in our PRPC application (https://github.com/Esri/resource-proxy). Because this JSP makes direct use of the HttpServletRequest and HttpServletResponse objects, we cannot adapt this code to a custom section rule or activity.
I've successfully added the JSP to our prweb.war and deployed it to our Tomcat container. I'm able to leverage the page, but I'd like to add security so that only authenticated PRPC users are able to access the JSP. We do not use container-managed authentication in our application; instead we have an OOTB SAML implementation for security.
Because we do not have container-managed authentication, I don't believe I can use the normal web.xml security constraint configuration. I'm open to modifying the JSP code, but I don't know if there's any way I can validate the session from a JSP outside the engine code. Any ideas are appreciated.
Can you elaborate? The normal use case will be for users that are already authenticated and click on a link that invokes the JSP from within their session. I am trying to set up the JSP so that it verifies that the incoming request is authenticated.