The list of YF "information" pages that are available to users without authenticating is:
The contents of info.jsp are available to authenticated admin users through the admin console via the System Information link. The other info pages do not have any corresponding pages within the application.
Clients might want to remove unauthenticated users' access to these pages. This can be accomplished by adding the following excerpt to the Yellowfin/appserver/webapps/ROOT/WEB-INF/web.xml file, just before the closing </web-app> tag:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>server-info</web-resource-name>
        <url-pattern>/info.jsp</url-pattern>
        <url-pattern>/info_browser.jsp</url-pattern>
        <url-pattern>/info_cache.jsp</url-pattern>
        <url-pattern>/info_threads.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>denyaccess</role-name>
    </auth-constraint>
</security-constraint>

Restart Yellowfin and test!
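
The edited web.xml can be checked offline before the restart. The Python script below is an added example, not part of the original page or of Yellowfin: it reports any of the four info pages that is not listed, by exact url-pattern, in a security-constraint that has an auth-constraint and applies to every HTTP method. The sample web.xml it builds is constructed for the demonstration, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# The four pages named in the excerpt on this page.
INFO_PAGES = ["/info.jsp", "/info_browser.jsp", "/info_cache.jsp", "/info_threads.jsp"]


def local(tag):
    """Drop the XML namespace, since web.xml may or may not declare one."""
    return tag.rsplit("}", 1)[-1]


def children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def unprotected_pages(web_xml_text, pages=INFO_PAGES):
    """Return the pages with no exact-match constraint covering all HTTP methods."""
    root = ET.fromstring(web_xml_text)
    covered = set()
    for sc in children(root, "security-constraint"):
        if not children(sc, "auth-constraint"):
            continue  # without an auth-constraint nothing is restricted
        for wrc in children(sc, "web-resource-collection"):
            # <http-method> / <http-method-omission> restrict only some methods,
            # leaving the page reachable through the others.
            if children(wrc, "http-method") or children(wrc, "http-method-omission"):
                continue
            for pattern in children(wrc, "url-pattern"):
                covered.add((pattern.text or "").strip())
    # Assumption: only exact patterns are checked, as in the excerpt;
    # wildcard patterns such as *.jsp are not evaluated here.
    return [p for p in pages if p not in covered]


def sample_web_xml(pages, method=""):
    """Constructed sample web.xml, not Yellowfin's real file."""
    patterns = "".join(f"<url-pattern>{p}</url-pattern>" for p in pages)
    return ('<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">'
            "<security-constraint><web-resource-collection>"
            f"<web-resource-name>server-info</web-resource-name>{patterns}{method}"
            "</web-resource-collection><auth-constraint>"
            "<role-name>denyaccess</role-name></auth-constraint>"
            "</security-constraint></web-app>")


if __name__ == "__main__":
    print("full excerpt:", unprotected_pages(sample_web_xml(INFO_PAGES)))
    print("two patterns missing:", unprotected_pages(sample_web_xml(INFO_PAGES[:2])))
    print("GET only:", unprotected_pages(
        sample_web_xml(INFO_PAGES, "<http-method>GET</http-method>")))
```

To check a real installation, pass the text of Yellowfin/appserver/webapps/ROOT/WEB-INF/web.xml to unprotected_pages; an empty list means all four pages are covered by the constraint.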