WebSphere extendedDocumentRoot: how to restrict by security role

We are using WebSphere 8.5.5 Traditional.

I have added an extended document root to WebSphere's ibm-web-ext.xml file and set file sharing to true:

<fileServingAttribute name="extendedDocumentRoot" value="C:/extdocroot"/>
<enable-file-serving value="true"/>

Inside the extended document root folder (C:/extdocroot) is a folder called pdfs. I would like to restrict the pdfs folder to only users who have logged in and have a particular role of 'school'.

The URL to serve up the PDFs is https://domain-name:9080/context-path/pdf/pdf-name.pdf. I added a security constraint in the web.xml file:

<security-constraint>
    <display-name>school PDFs</display-name>
    <web-resource-collection>
       <web-resource-name>School PDFs</web-resource-name>
       <url-pattern>/pdf/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>school</role-name>
    </auth-constraint>
</security-constraint>

No matter what role a user is logged in as, the PDFs get served by the server. WebSphere is ignoring the security constraint for the URL that serves up PDFs from the extended document root. Is it possible to constrain these PDFs by the roles a logged-in user has?

Note: My company has asked me to try to put these files outside of the EAR file and also have WebSphere secure the files using the user's role. I was also instructed not to use the Apache HTTP Server to host these files since it is in the DMZ.
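Before blaming the container, it is worth checking what the web.xml actually declares for the request path. The following Python checker is an added example, not code from the question, the answer, or IBM: it parses `security-constraint` elements and applies the Servlet specification's url-pattern rules (exact match first, then the longest `/x/*` path prefix, then `*.ext` extension patterns, then the default `/`), combining the constraints that match at the winning level the way the spec describes (an empty `<auth-constraint/>` denies everyone; a constraint with no `auth-constraint` allows unauthenticated access). The sample web.xml strings and the `/context-path` context root are constructed for the example, and `http-method` restrictions are assumed absent, as in the question's constraint. One thing it makes visible: `/pdf/*` covers `/pdf/...` only, so a directory named `pdfs` would need a pattern such as `/pdfs/*` to be covered at all. The script says what the deployment descriptor requires; whether the container enforces it for files under an extended document root is a separate question.

```python
import xml.etree.ElementTree as ET

NS = "{http://java.sun.com/xml/ns/javaee}"  # namespace declared on <web-app>

# Constructed web.xml, modelled on the security-constraint in the question.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>School PDFs</web-resource-name>
      <url-pattern>/pdf/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>school</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed web.xml with overlapping constraints: a role-protected prefix plus an
# extension pattern, an open sub-tree (no auth-constraint) and a closed sub-tree
# (empty auth-constraint), to show how matching constraints combine.
WEB_XML_COMBINED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection><web-resource-name>school</web-resource-name>
      <url-pattern>/pdf/*</url-pattern><url-pattern>*.pdf</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>school</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>public</web-resource-name>
      <url-pattern>/pdf/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>closed</web-resource-name>
      <url-pattern>/pdf/archive/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def load_constraints(web_xml_text):
    """One (url_patterns, roles) tuple per <security-constraint>.

    roles is None when there is no <auth-constraint> (open), an empty set for
    an empty <auth-constraint/> (nobody allowed), else the <role-name> values.
    """
    result = []
    for sc in ET.fromstring(web_xml_text).iter(NS + "security-constraint"):
        patterns = [p.text.strip() for p in sc.iter(NS + "url-pattern") if p.text]
        auth = sc.find(NS + "auth-constraint")
        roles = None if auth is None else {
            r.text.strip() for r in auth.findall(NS + "role-name") if r.text}
        result.append((patterns, roles))
    return result


def match_rank(pattern, path):
    """Rank of a url-pattern against a context-relative path, or None if no match.

    Lower tier wins: 0 exact, 1 path prefix "/x/*" (longer prefix wins),
    2 extension "*.pdf", 3 the default pattern "/".
    """
    if pattern == path:
        return (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (1, -len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (3, 0)
    return None


def required_roles(constraints, path):
    """None if the path is unconstrained, frozenset() if denied to everyone,
    otherwise the frozenset of roles allowed to reach it."""
    best, matched = None, []
    for patterns, roles in constraints:
        ranks = [r for r in (match_rank(p, path) for p in patterns) if r is not None]
        if not ranks:
            continue
        rank = min(ranks)
        if best is None or rank < best:
            best, matched = rank, [roles]
        elif rank == best:
            matched.append(roles)
    if not matched:
        return None
    if any(r is not None and not r for r in matched):
        return frozenset()  # an empty auth-constraint overrides everything else
    if any(r is None for r in matched):
        return None  # a constraint without auth-constraint allows unauthenticated access
    return frozenset().union(*matched)


def context_relative(request_path, context_path):
    """Strip the context root (e.g. "/context-path") from a request path."""
    if request_path == context_path or request_path.startswith(context_path + "/"):
        return request_path[len(context_path):] or "/"
    raise ValueError("request path is outside the context root")


if __name__ == "__main__":
    rules = load_constraints(WEB_XML)
    for p in ("/pdf/pdf-name.pdf", "/pdfs/pdf-name.pdf"):
        print(p, "->", required_roles(rules, context_relative("/context-path" + p, "/context-path")))
```

Run it against your real web.xml by passing its contents to `load_constraints` and the context-relative path of the PDF URL to `required_roles`; a `None` result means the descriptor never asked the container to protect that path, which is a configuration gap rather than an enforcement bug.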

I have found that this was a bug in WebSphere 8.5.5.11. After upgrading to 8.5.5.12, I was able to add security constraints in the web.xml for folders that were in the extended document root.

I have also tested this in WebSphere 9.0.0.5 and everything worked as it should.