Secure the “Export” Endpoint of the Web Container

This section explains how to secure the endpoint https://<host name of the Denodo server>:9090/export.

With Virtual DataPort you can publish data services (SOAP and REST web services). Usually, you deploy them on the web container embedded in Denodo. However, you can export a web service to a “war” file and deploy it on any Java web container (IBM WebSphere, Oracle WebLogic, …). When you export a web service to a war file, the file is available for download at the URL https://<host name of the Denodo server>:9090/export.

By default, this endpoint does not require authentication. We recommend enabling authentication to restrict access to it. To enable authentication on this endpoint, follow these steps:

  1. Edit the file <DENODO_HOME>/resources/apache-tomcat/conf/tomcat-users.xml and add the following:

    <role rolename="tomcat"/>
    <user username="export_endpoint" password="PASSWORD_FOR_EXPORT_ENDPOINT" roles="tomcat" />
    

    The file should end up looking like this:

    <tomcat-users>
        <role rolename="tomcat"/>
        <user username="export_endpoint" password="PASSWORD_FOR_EXPORT_ENDPOINT" roles="tomcat" />
    </tomcat-users>
    

    In the attributes username and password you can put the user name and password you want. These are the credentials the users will have to provide for this endpoint.

    You can add as many “<user>” entries as needed. In all of them, the value of the attribute “roles” has to be “tomcat”.

  2. Edit the file <DENODO_HOME>/resources/apache-tomcat/webapps/export/WEB-INF/web.xml. Search for this block of XML:

    <servlet-mapping>
        <servlet-name>listing</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    

    Add the following block below </servlet-mapping>:

    <security-constraint>
        <web-resource-collection>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>DIGEST</auth-method>
    </login-config>
    
  3. Stop the Virtual DataPort server and the other web tools, and then start them again to apply the changes.

After this, the users that want to connect to this endpoint will have to provide the user and password you entered in tomcat-users.xml.


If, instead of enabling authentication, you want to disable this endpoint, follow these steps:

  1. Edit the file <DENODO_HOME>/resources/apache-tomcat/webapps/export/WEB-INF/web.xml. Search for this block of XML:

    <servlet-mapping>
        <servlet-name>listing</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    

    Add the following block below </servlet-mapping>:

    <filter>
        <filter-name>Remote IP Filter</filter-name>
        <filter-class>org.apache.catalina.filters.RemoteHostFilter</filter-class>
        <init-param>
            <param-name>deny</param-name>
            <param-value>.*</param-value>
        </init-param>
    </filter>
    
    <filter-mapping>
        <filter-name>Remote IP Filter</filter-name>
        <url-pattern>*</url-pattern>
    </filter-mapping>
    
  2. Stop the Virtual DataPort server and the other web tools, and then start them again to apply the changes.

After this, the access to https://<host name of the Denodo server>:9090/export will be forbidden. When you export a data service to a war file, you will have to copy the file from the host where the Virtual DataPort server runs, from the path <DENODO_HOME>/resources/apache-tomcat/webapps/export.
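
One way to check the result of either procedure above before restarting, as an added example (not Denodo's or Tomcat's own tooling): the function parses the edited web.xml and tomcat-users.xml and reports what still leaves /export open. It recognises only the two configurations shown on this page; the function name, the messages and the sample strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "PASSWORD_FOR_EXPORT_ENDPOINT"  # literal from the page's snippet

def _parse(text):
    root = ET.fromstring(text)
    for el in root.iter():  # drop namespaces so lookups work whatever schema is declared
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def _txt(el, path):
    return (el.findtext(path) or "").strip()

def audit_export_endpoint(web_xml, users_xml):
    """Return findings for export/WEB-INF/web.xml; an empty list means protected."""
    web, users = _parse(web_xml), _parse(users_xml)
    # Disable option: a deny-all RemoteHostFilter that also has a filter-mapping.
    mapped = {_txt(m, "filter-name") for m in web.iter("filter-mapping")}
    for f in web.iter("filter"):
        params = {_txt(p, "param-name"): _txt(p, "param-value") for p in f.iter("init-param")}
        if (_txt(f, "filter-class").endswith(".RemoteHostFilter")
                and params.get("deny") == ".*" and _txt(f, "filter-name") in mapped):
            return []
    # Authentication option: a role-bearing constraint on /* plus a login-config.
    findings, roles = [], set()
    for sc in web.iter("security-constraint"):
        if "/*" in {(p.text or "").strip() for p in sc.iter("url-pattern")}:
            if sc.find(".//http-method") is not None:
                findings.append("/* constraint lists <http-method>; other methods uncovered")
            roles |= {(r.text or "").strip() for r in sc.iter("role-name")}
    if not roles:
        findings.append("no <security-constraint> with a role covers /*")
    if web.find(".//login-config/auth-method") is None:
        findings.append("no <login-config> with an <auth-method>")
    holders = [u for u in users.iter("user")
               if roles & {r.strip() for r in u.get("roles", "").split(",")}]
    if roles and not holders:
        findings.append("no user in tomcat-users.xml holds the required role")
    findings += [f"user {u.get('username')!r} has an empty or placeholder password"
                 for u in holders if u.get("password") in (None, "", PLACEHOLDER)]
    return findings

# Constructed sample: the default web.xml mapping and the page's tomcat-users.xml.
DEFAULT_WEB = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet-mapping><servlet-name>'
               'listing</servlet-name><url-pattern>/*</url-pattern></servlet-mapping></web-app>')
PAGE_USERS = ('<tomcat-users><role rolename="tomcat"/><user username="export_endpoint" '
              'password="PASSWORD_FOR_EXPORT_ENDPOINT" roles="tomcat"/></tomcat-users>')
if __name__ == "__main__":
    print(audit_export_endpoint(DEFAULT_WEB, PAGE_USERS))
```

Pass the contents of the two files as strings; an empty list means one of the two configurations from this page is in place.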