Feature #5262

add access control for resources exposed via web services/protocols using the SecurityManager

Added by Greg Shah about 3 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
Due date:
% Done:
0%

billable:
No
vendor_id:
GCD

Related issues

Related to Runtime Infrastructure - Feature #4405: provide the capability to deliver static HTML and resources via the FWD server's Jetty Closed

History

#1 Updated by Greg Shah about 3 years ago

  • Related to Feature #4405: provide the capability to deliver static HTML and resources via the FWD server's Jetty added

#2 Updated by Greg Shah about 3 years ago

Support for static web content was added in #4405. This support is just for GET and is currently unsecured (all resources are available to any requester with no authentication or access control).

The purpose of this task is to add security:

  • We will use the built-in security model of FWD, which is based on the SecurityManager.
  • We will add a web-content security plugin to define the resource and provide access control.
  • The authentication will be assumed to be handled separately, with any valid FWD authentication method.
  • We need to provide a mechanism to obtain an authentication token from a valid (authenticated and active) FWD session. This token would be written as a cookie and provided with any request for web content.
  • As part of the web content processing, we would read the authentication cookie (if present) and use it to define the security context for the request. Then we would ask the web content security plugin to decide if the requested access is allowed. If not, reject the request with the appropriate status code. If allowed, return the resource.
  • We should plan for a range of access rights, based on REST:
    • GET (read)
    • POST (create)
    • PUT (write or replace the entire resource)
    • DELETE (delete)
    • PATCH (a partial write)

I would want this to support securing both the static web content of #4405 as well as any REST or other web resources.

I'm not sure what needs to be done to secure SOAP or other arbitrary servlet access, but I would like to provide a generic mechanism to secure any access to Jetty.
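
The decision flow sketched in #2 (cookie token, security context, plugin decides, status code), written out as an added example. This is not FWD code and does not use the real SecurityManager: `SessionRegistry`, `SecurityContext`, `WebContentSecurityPlugin`, `AccessRight` and the `fwd_auth` cookie name are all assumptions standing in for whatever the FWD session and plugin APIs turn out to be. It runs with a plain JDK, no Jetty needed; in a real deployment the same `decide` logic would sit in a Jetty handler or filter in front of the static-content servlet from #4405.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/** Added example of the access check described in this issue; all names here are hypothetical, not FWD's API. */
public class WebContentAccessExample {

    /** Access rights derived from the REST verbs listed in the issue. */
    enum AccessRight { READ, CREATE, WRITE, DELETE, PATCH }

    /** Security context built from a valid, active session (assumed shape). */
    static final class SecurityContext {
        final String subject;
        final Set<String> groups;
        SecurityContext(String subject, String... groups) {
            this.subject = subject;
            this.groups = new HashSet<>(Arrays.asList(groups));
        }
    }

    /** Plugin contract: the only component that knows which resource needs which right. */
    interface WebContentSecurityPlugin {
        boolean isAllowed(SecurityContext ctx, String resource, AccessRight right);
    }

    /** Stand-in for the session registry: cookie token -> context of an active session. */
    static final class SessionRegistry {
        private final Map<String, SecurityContext> active = new HashMap<>();
        void register(String token, SecurityContext ctx) { active.put(token, ctx); }
        void invalidate(String token) { active.remove(token); }
        Optional<SecurityContext> resolve(String token) { return Optional.ofNullable(active.get(token)); }
    }

    /** Map the HTTP method to a right; unmapped methods are refused rather than silently treated as READ. */
    static Optional<AccessRight> rightFor(String method) {
        switch (method.toUpperCase(Locale.ROOT)) {
            case "GET":
            case "HEAD":   return Optional.of(AccessRight.READ);
            case "POST":   return Optional.of(AccessRight.CREATE);
            case "PUT":    return Optional.of(AccessRight.WRITE);
            case "DELETE": return Optional.of(AccessRight.DELETE);
            case "PATCH":  return Optional.of(AccessRight.PATCH);
            default:       return Optional.empty();
        }
    }

    /** Pull the named cookie out of a raw Cookie header such as "a=1; fwd_auth=tok; b=2". */
    static Optional<String> cookieValue(String cookieHeader, String name) {
        if (cookieHeader == null) return Optional.empty();
        for (String part : cookieHeader.split(";")) {
            String[] kv = part.trim().split("=", 2);
            if (kv.length == 2 && kv[0].equals(name) && !kv[1].isEmpty()) return Optional.of(kv[1]);
        }
        return Optional.empty();
    }

    /** Refuse ".." segments so the plugin judges the resource that would actually be served. */
    static boolean isSafePath(String path) {
        if (path == null || !path.startsWith("/")) return false;
        for (String seg : path.split("/")) {
            if (seg.equals("..")) return false;
        }
        return true;
    }

    /** Returns the HTTP status the handler should send: 200 serve, 400 bad path, 401 no session, 403 denied, 405 unmapped method. */
    static int decide(SessionRegistry sessions, WebContentSecurityPlugin plugin,
                      String method, String path, String cookieHeader) {
        if (!isSafePath(path)) return 400;
        Optional<AccessRight> right = rightFor(method);
        if (!right.isPresent()) return 405;
        Optional<SecurityContext> ctx = cookieValue(cookieHeader, "fwd_auth").flatMap(sessions::resolve);
        if (!ctx.isPresent()) return 401;
        return plugin.isAllowed(ctx.get(), path, right.get()) ? 200 : 403;
    }

    /** Sample plugin with prefix rules; anything not matched is denied (default deny). */
    static final WebContentSecurityPlugin PREFIX_ACL = (ctx, resource, right) -> {
        if (resource.startsWith("/admin/")) return ctx.groups.contains("admins");
        if (resource.startsWith("/docs/")) return right == AccessRight.READ || ctx.groups.contains("editors");
        return false;
    };

    public static void main(String[] args) {
        SessionRegistry sessions = new SessionRegistry();
        sessions.register("t-alice", new SecurityContext("alice", "editors"));
        sessions.register("t-bob", new SecurityContext("bob"));
        // Constructed requests: method, path, Cookie header (null = no cookie sent).
        String[][] requests = {
            { "GET",   "/docs/index.html", "fwd_auth=t-bob" },     // any active session may read docs
            { "PUT",   "/docs/index.html", "fwd_auth=t-bob" },     // bob is not an editor
            { "PUT",   "/docs/index.html", "fwd_auth=t-alice" },   // alice is an editor
            { "GET",   "/docs/index.html", null },                 // no cookie at all
            { "GET",   "/docs/index.html", "fwd_auth=stale" },     // token is not an active session
            { "GET",   "/admin/users",     "fwd_auth=t-alice" },   // alice is not in admins
            { "TRACE", "/docs/index.html", "fwd_auth=t-alice" },   // no right mapped for the method
            { "GET",   "/docs/../secret",  "fwd_auth=t-alice" },   // traversal segment in the path
        };
        for (String[] r : requests) {
            int status = decide(sessions, PREFIX_ACL, r[0], r[1], r[2]);
            System.out.printf("%-6s %-18s cookie=%-16s -> %d%n", r[0], r[1], r[2], status);
        }
    }
}
```

Two points a practitioner would check before wiring this into Jetty: the token must be an unguessable value that is invalidated together with the FWD session it came from (so a stale cookie fails closed at `resolve`), and the cookie should be set with `HttpOnly`, `Secure` and an appropriate `SameSite` attribute so that browser-resident script and cross-site requests cannot reuse it. The plugin is deliberately default-deny; a resource nobody has registered a rule for is not served.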

#3 Updated by Greg Shah about 3 years ago

  • Subject changed from add access control for static web content using the SecurityManager to add access control for resources exposed via web services/protocols using the SecurityManager
