Isolating Administrator Access

In some environments it may be desirable to restrict admin activities to a particular HTTP endpoint. It is possible to configure multiple endpoints, and nominate one of them for admin access. Admin users are still able to log in via other endpoints, but any Roles they have that imply admin rights are temporarily stripped for that session.

To configure this, edit [INSTALL_HOME]/tomcat/conf/server.xml, and uncomment the additional Connector element.

server.xml
<Connector port="${http.port}" address="${http.address}" protocol="HTTP/1.1"
           scheme="${http.scheme}" secure="${http.secure}" sslProtocol="TLS"
           SSLEnabled="${http.ssl}"
           sslEnabledProtocols "TLSv1+TLSv1.1+TLSv1.2"
           compression="on"
           compressionMinSize="1024"
           compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,text/csv,image/svg+xml,application/x-amf"
           keystoreFile="${keystore.file}" keystorePass="${keystore.pass}"
           keystoreType="${keystore.type}"
           clientAuth="${clientauth}"
           ciphers="${ciphers.list}"
           useServerCipherSuitesOrder="${ciphers.honororder}"
           connectionTimeout="20000"
           asyncTimeout="60000"
/>
<!--
<Connector port="${http.admin.port}" address="${http.admin.address}" protocol="HTTP/1.1"
           scheme="${http.scheme}" secure="${http.secure}" sslProtocol="TLS"
           SSLEnabled="${http.ssl}"
           sslEnabledProtocols = "TLSv1+TLSv1.1+TLSv1.2"
           compression="on"
           compressionMinSize="1024"
           compressibleMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,text/csv,image/svg+xml,application/x-amf"
           keystoreFile="${keystore.file}" keystorePass="${keystore.pass}"
           keystoreType="${keystore.type}"
           clientAuth="${clientauth}"
           ciphers="${ciphers.list}"
           useServerCipherSuitesOrder="${ciphers.honororder}"
           connectionTimeout="20000"
           asyncTimeout="60000"
/>
-->

The Connector configuration is heavily customizable. Other than the port and address attributes, all others use the same values as the default Connector. It may be desired to change the other attributes to increase security on the admin endpoint only.

For the above configuration to work, a couple of lines need to be added to either custom.properties or local.properties, located in [INSTALL_HOME]/conf/.  The default custom properties has examples for these, commented out. Uncomment these and adjust the values as appropriate to your environment.

custom.properties
# to restrict admin access to a special endpoint, uncomment the additional connector in tomcat/conf/server.xml,
# along with the following two settings
#http.admin.address=127.0.0.1
#http.admin.port=8081

After restarting the server, all HTTP requests are subject to checking against this configuration. Only requests made to the configured endpoint will be considered for admin operations. This includes normal access via the web browser client, but also REST and CLI access.