Secure the “Export” Endpoint of the Web Container

This section explains how to secure the endpoint https://<host name of the Denodo server>:9090/export.

With Virtual DataPort you can publish data services (SOAP and REST web services). Usually, they are deployed on the web container of Denodo. However, they can also be exported to a “war” file and deployed on any Java web container (IBM WebSphere, Oracle WebLogic, …). When you export a web service to a war file, the file is available for download at the URL https://<host name of the Denodo server>:9090/export.

By default, this endpoint does not require authentication. We recommend enabling authentication to restrict access to it. To enable authentication on this endpoint, follow these steps:

  1. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat-users.xml and add the following:

    <role rolename="tomcat"/>
    <user username="export_endpoint" password="PASSWORD_FOR_EXPORT_ENDPOINT" roles="tomcat" />
    

    The file should end up looking like

    <tomcat-users>
        <role rolename="tomcat"/>
        <user username="export_endpoint" password="PASSWORD_FOR_EXPORT_ENDPOINT" roles="tomcat" />
    </tomcat-users>
    

    In the attributes username and password you can put the user name and password you want. These are the credentials the users will have to provide for this endpoint.

    You can add as many “<user>” entries as needed. In all of them, the value of the attribute “roles” has to be “tomcat”.

  2. Edit the file <DENODO_HOME>/resources/apache-tomcat/webapps/export/WEB-INF/web.xml. Search for this block of XML.

    <servlet-mapping>
        <servlet-name>listing</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    

    Add the following, below </servlet-mapping>:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>DIGEST</auth-method>
    </login-config>
    
  3. If the Virtual DataPort server and/or other web tools are running, stop all of them and then start them again to apply the changes.

After this, the users that want to connect to this endpoint will have to provide the user and password you entered in tomcat-users.xml.


If instead of enabling authentication, you want to disable this endpoint, follow these steps:

  1. Edit the file <DENODO_HOME>/resources/apache-tomcat/webapps/export/WEB-INF/web.xml. Search for this block of XML.

    <servlet-mapping>
        <servlet-name>listing</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    

    Add the following, below </servlet-mapping>:

    <filter>
        <filter-name>Remote IP Filter</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteHostFilter</filter-class>
        <init-param>
            <param-name>deny</param-name>
            <param-value>.*</param-value>
        </init-param>
    </filter>
    
    <filter-mapping>
        <filter-name>Remote IP Filter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>
    
  2. If the Virtual DataPort server and/or other web tools are running, stop all of them and then start them again to apply the changes.

After this, access to https://<host name of the Denodo server>:9090/export will be forbidden. The files will still be available in the directory <DENODO_HOME>/resources/apache-tomcat/webapps/export, on the host where the Denodo server runs.
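
To confirm offline which of the two configurations above (authentication or disabling) is actually in place, the following Python check parses the contents of web.xml and tomcat-users.xml. It is an added example, not part of the Denodo documentation; the function name audit_export and the sample XML are constructed for illustration, and it only recognises the two configurations described on this page.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "PASSWORD_FOR_EXPORT_ENDPOINT"  # literal from the snippet on this page

def _parse(text):
    """Parse XML and strip namespaces so lookups work with or without xmlns."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def _txt(el, path):
    return (el.findtext(path) or "").strip()

def audit_export(web_xml, users_xml):
    """Added example. Returns (state, problems); state: authenticated|disabled|not-configured."""
    web, users = _parse(web_xml), _parse(users_xml)
    # Disabled: a RemoteHostFilter with deny=.* that is mapped to every URL.
    deny_all = {_txt(f, "filter-name") for f in web.iter("filter")
                if _txt(f, "filter-class").endswith(".RemoteHostFilter")
                and any(_txt(p, "param-name") == "deny" and _txt(p, "param-value") == ".*"
                        for p in f.iter("init-param"))}
    if any(_txt(m, "filter-name") in deny_all and _txt(m, "url-pattern") in ("*", "/*")
           for m in web.iter("filter-mapping")):
        return "disabled", []
    # Authenticated: a security-constraint on /* that names at least one role.
    roles = {r.text.strip() for c in web.iter("security-constraint")
             if any((u.text or "").strip() == "/*" for u in c.iter("url-pattern"))
             for r in c.iter("role-name") if r.text}
    if not roles:
        return "not-configured", ["no security-constraint with a role covers /*"]
    problems = [] if _txt(web, "login-config/auth-method") else ["login-config/auth-method is missing"]
    allowed = [u for u in users.iter("user")
               if roles & {r.strip() for r in u.get("roles", "").split(",")}]
    if not allowed:
        problems.append("no user in tomcat-users.xml holds a required role")
    problems += [f"user {u.get('username')!r} still has the placeholder password"
                 for u in allowed if u.get("password") == PLACEHOLDER]
    return "authenticated", problems

# Constructed sample input: both files as they look after steps 1 and 2.
WEB = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>'
       '<web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>'
       '<auth-constraint><role-name>tomcat</role-name></auth-constraint></security-constraint>'
       '<login-config><auth-method>DIGEST</auth-method></login-config></web-app>')
USERS = ('<tomcat-users><role rolename="tomcat"/><user username="export_endpoint" '
         'password="PASSWORD_FOR_EXPORT_ENDPOINT" roles="tomcat"/></tomcat-users>')

if __name__ == "__main__":
    print(audit_export(WEB, USERS))
```

Pass the text of the real files to audit_export; a state of not-configured means neither procedure from this page was found in web.xml.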