AUG 2010

How to configure your jetty webapp to grant access for dedicated IP-Addresses only

After searching for a simple way to restrict access to a web application deployed in the jetty web server, so that only dedicated IP addresses (e.g. localhost) can access the controllers, I want to show you the whole solution, tested with a Grails-1.2.1 webapp under jetty-6.1.24. The problem is that the jetty APIs have changed from former jetty versions to jetty6.

I am using:

  • jetty-6.1.24's HTAccessHandler
  • its configuration file .htaccess

1. Configuration of the webapp

The file .htaccess in the root directory of the webapp contains the access rules. If you have a Grails webapp, place the file in the ./web-app directory of the source base directory.

Example: allow access for localhost and the IP address 192.168.152.1 only

<Limit>
satisfy all
order deny,allow
deny from all
allow from 127.0.0.1
allow from 192.168.152.1
</Limit>

 

Caution: only a small subset of the htaccess commands is currently supported by HTAccessHandler.
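How the rules in the example above combine, as an added example (not code from the original post or from Jetty): it parses the `<Limit>` block and evaluates a client address using Apache's `Order` semantics, which the .htaccess format comes from. It assumes HTAccessHandler follows those semantics and that entries are exact addresses or CIDR ranges; `parse_limit` and `is_allowed` are hypothetical names.

```python
import ipaddress

# Constructed sample: the <Limit> block from the article's example.
POLICY = """\
<Limit>
satisfy all
order deny,allow
deny from all
allow from 127.0.0.1
allow from 192.168.152.1
</Limit>
"""

def parse_limit(text):
    """Collect the order and the allow/deny entries of one <Limit> block."""
    policy = {"order": "deny,allow", "allow": [], "deny": []}
    for raw in text.splitlines():
        words = raw.strip().lower().split()
        if len(words) == 2 and words[0] == "order":
            policy["order"] = words[1]
        elif len(words) >= 3 and words[0] in ("allow", "deny") and words[1] == "from":
            policy[words[0]].extend(words[2:])
    return policy

def _matches(entries, client):
    """True if an entry is 'all', equals the client, or is a CIDR containing it."""
    addr = ipaddress.ip_address(client)
    for entry in entries:
        if entry == "all":
            return True
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue  # host names and partial addresses are not modelled (assumption)
    return False

def is_allowed(policy, client):
    """Apply Apache-style Order semantics to one client address."""
    allowed = _matches(policy["allow"], client)
    denied = _matches(policy["deny"], client)
    if policy["order"] == "deny,allow":
        # Allow overrides deny; a client matching neither list is let through.
        return allowed or not denied
    # allow,deny: deny overrides allow; a client matching neither list is rejected.
    return allowed and not denied
```

Two misconfigurations are easy to check with it: changing the order to `allow,deny` while keeping `deny from all` locks out even 127.0.0.1, and dropping `deny from all` under `deny,allow` lets every address through.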

2. Configure org.mortbay.jetty.deployer.ContextDeployer in jetty.xml

Activate org.mortbay.jetty.deployer.WebAppDeployer in the file $jetty_home/etc/jetty.xml (see the comment in jetty.xml: “Normally only one type of deployer need be used.”).

We need to activate the context deployer, because HTAccessHandler requires it:

 

    <Call name="addLifeCycle">
      <Arg>
        <New class="org.mortbay.jetty.deployer.ContextDeployer">
          <Set name="contexts"><Ref id="Contexts"/></Set>
          <Set name="configurationDir"><SystemProperty name="jetty.home" default="."/>/contexts</Set>
          <Set name="scanInterval">5</Set>
        </New>
      </Arg>
    </Call>

    <!--<Call name="addLifeCycle">
      <Arg>
        <New class="org.mortbay.jetty.deployer.WebAppDeployer">
          <Set name="contexts"><Ref id="Contexts"/></Set>
          <Set name="webAppDir"><SystemProperty name="jetty.home" default="."/>/webapps</Set>
          <Set name="parentLoaderPriority">false</Set>
          <Set name="extract">true</Set>
          <Set name="allowDuplicates">false</Set>
          <Set name="defaultsDescriptor"><SystemProperty name="jetty.home" default="."/>/etc/webdefault.xml</Set>
        </New>
      </Arg>
    </Call>-->

 

3. Configuration of org.mortbay.jetty.security.HTAccessHandler in the context directory of jetty

You deploy your webapp under $jetty_home/webapps. Additionally, you need a context configuration:

The jetty context configuration contains the URL, paths and the security handler. The name of the file (in $jetty_home/contexts) corresponds to the name of your webapp, e.g. mywebapp.war -> mywebapp.xml

 

<Configure id="mywebapp" class="org.mortbay.jetty.webapp.WebAppContext">
	<Set name="resourceBase"><SystemProperty name="jetty.home" default="."/>/webapps/mywebapp/</Set>
	<Set name="contextPath">/mywebapp</Set>
	<Call name="setSecurityHandler">
		<Arg>
			<New class="org.mortbay.jetty.security.HTAccessHandler">
				<Set name="protegee">
					<Ref id="mywebapp"/>
				</Set>
			</New>
		</Arg>
	</Call>
</Configure>

 

This way, access to mywebapp is protected by HTAccessHandler, which uses the .htaccess policy file.
