Blocking unwanted HttpMethods in web.xml - http

I am running two different applications (war files) in a single Tomcat. Those two may contact each other.
Now I want to block some of the HTTP methods for application2, so I have added the following to my web.xml in the Tomcat config folder:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/app2/*</url-pattern>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
After adding this I am still not getting a 403 response for an OPTIONS request; it gives a 200 response. But
<security-constraint>
  <web-resource-collection>
    <web-resource-name>restricted methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
without mentioning app2 in the URL pattern it gives a 403 response for an OPTIONS request.
Now my question is: how can I block some HTTP methods for my application2 alone?
Thanks in advance.

Related

Blocking some HTTP methods in web.xml

I am running two war files in a single Tomcat, for example app1 and app2. Now I want to block some of the HTTP methods for app2 alone without touching Tomcat's own web.xml. So I have created a web.xml for app2 and placed it under WEB-INF.
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
When I hit the URL host:port/app2/ it gives a 403 response,
but when I hit host:port/app2 I get a 200 response.
Now I have to block the URL host:port/app2 as well. How can I change the url-pattern to achieve this?
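Putting the two questions above together, here is an added example of a per-application web.xml (it is not code from either post). It lives in app2's own WEB-INF, not in Tomcat's conf/web.xml, and its url-pattern is /* rather than /app2/*. The container matches url-patterns against the path inside the web application, after the context path (/app2) has been stripped, so a /app2/* pattern in app2 only matches host:port/app2/app2/... and never produces the 403 the first question was expecting. The servlet version and display name are illustrative assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- app2/WEB-INF/web.xml: added example, not from the original posts.
     Constraints declared here apply to app2 only; app1 keeps its own web.xml. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <display-name>app2</display-name> <!-- assumed name -->

  <!-- Deny OPTIONS and TRACE on every path in this context.
       The pattern is context-relative: "/*" already covers host:port/app2/
       and everything below it. "/app2/*" written here would only match
       host:port/app2/app2/..., which is why the first attempt still saw 200. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint means no role may access: 403 for everybody,
         whether or not a login-config or realm is configured. -->
    <auth-constraint/>
  </security-constraint>
</web-app>
```

Check it from the command line without following redirects: `curl -i -X OPTIONS http://host:port/app2/` should return 403 while `curl -i http://host:port/app2/` returns the normal page. For the bare context path host:port/app2, Tomcat issues a redirect to host:port/app2/ while mapping the request, before any security constraint is evaluated (in Tomcat 8 and later the Context attribute mapperContextRootRedirectEnabled controls this), and a client that follows that redirect usually re-issues it as a GET, which this constraint does not block; compare the first response, not the one shown after the redirect. Tomcat also rejects TRACE by default unless the Connector sets allowTrace="true", so the TRACE entry here is a second line of defence rather than the only one.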

SEVERE - For security constraints with URL pattern [/*] the HTTP methods [POST GET] are uncovered

I am getting this error when I start Tomcat:
SEVERE - For security constraints with URL pattern [/*] the HTTP
methods [POST GET] are uncovered.
What is the reason for this?
I think this is a different problem from this.
My web.xml looks like:
<security-constraint>
  <display-name>Restrict resources</display-name>
  <web-resource-collection>
    <web-resource-name>/resources dir</web-resource-name>
    <url-pattern>/resources/*</url-pattern>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whitelist</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method-omission>GET</http-method-omission>
    <http-method-omission>POST</http-method-omission>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
So I try to forbid all methods except GET and POST. However, some methods (PUT, DELETE, OPTIONS...) seem to return a "302 Found" instead of an automatic 403; not sure why (missing request parameters?).
To me it looks like you actually also forbid GET and POST. Instead of an empty <auth-constraint /> in the second <security-constraint> section, try the following:
<auth-constraint>
  <role-name>*</role-name>
</auth-constraint>
Furthermore, you may need to add another "deny" section for the uncovered methods for <url-pattern>/*</url-pattern>. However, if you are using Servlet 3.1+ (e.g. Tomcat 8.5.x), you can simply use this tag instead of another <security-constraint> section:
<deny-uncovered-http-methods />
Make sure, then, that your web.xml actually declares Servlet 3.1, e.g.:
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1"
         metadata-complete="true">
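As an added example (not the asker's file and not part of the answer above), here is a web.xml that does what the question describes, allow GET and POST for everyone and reject every other method, without triggering the uncovered-methods message. That message is Tomcat's report of method/pattern combinations that no security-constraint covers at all; with http-method-omission of GET and POST, those two methods are exactly the uncovered ones for /*. Covering them with a constraint that has no auth-constraint element, which the Servlet specification defines as access permitted without authentication, removes the message while keeping them open. Two caveats on the alternatives mentioned in the answer: <role-name>*</role-name> means any authenticated user, not anonymous access, so it turns a deny into a login requirement; and <deny-uncovered-http-methods/> added to the original configuration would deny GET and POST on /*, because they are the uncovered methods there. The servlet version and the resources path are assumptions taken from the question.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the original poster's file. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- 1. /resources/*: no http-method listed means all methods;
          empty auth-constraint means 403 for everyone. -->
  <security-constraint>
    <display-name>Restrict resources</display-name>
    <web-resource-collection>
      <web-resource-name>/resources dir</web-resource-name>
      <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- 2. GET and POST everywhere else. A constraint WITHOUT an auth-constraint
          permits unauthenticated access. This is what "covers" GET and POST on /*
          and is why the SEVERE "uncovered" message no longer appears. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public GET and POST</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- 3. Every other method on /* is denied: PUT, DELETE, OPTIONS, TRACE, PATCH
          and also HEAD. Add HEAD to constraint 2 if clients need it. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Deny other methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Servlet 3.1 safety net: with the three constraints above nothing is left
       uncovered, so this only matters if a later edit opens a gap; it then
       denies the gap instead of silently allowing it. -->
  <deny-uncovered-http-methods/>
</web-app>
```

A quick way to confirm the result is `curl -i -X PUT http://host:port/app/anything` (expect 403) against `curl -i http://host:port/app/anything` (expect the normal response). If a denied method still returns a 302, check whether a FORM login-config is present: an auth-constraint that names roles sends unauthenticated requests to the login page, whereas an empty auth-constraint always yields 403.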

how to set https for java servlet application

I have created a Java servlet web application. It works properly with "http". Now I want to set up an "https" secured connection to the server. For that, I have configured tomcatserver/conf/server.xml as follows:
<Connector port="8443" protocol="HTTP/1.1"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf\localhost.jks" keystorePass="xxxx"
           clientAuth="false" sslProtocol="TLS" />
Then I have configured the web.xml file as follows:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPSOnly</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
When I send a request through Postman, I get the following error.
Here I have attached the request header as well.
How can I solve this?
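The question has no answer on this page, so the following is an added example (not the asker's configuration) of the two pieces that have to agree for a CONFIDENTIAL transport-guarantee to work in Tomcat. When a request arrives on the plain HTTP Connector for a path whose constraint is CONFIDENTIAL, Tomcat answers with a 302 to https://host:redirectPort/..., taking the port from the redirectPort attribute of the HTTP Connector. That attribute therefore has to name the port of the SSL-enabled Connector; if it points at a port nothing listens on, the client fails to connect after the redirect. Ports, the keystore path and the password are illustrative assumptions; a relative keystore path is resolved against $CATALINA_BASE.

```xml
<!-- conf/server.xml (excerpt): added example, not the asker's file. -->
<Service name="Catalina">

  <!-- Plain HTTP. redirectPort must be the SSL connector's port: a request on this
       connector that hits a CONFIDENTIAL constraint is answered with
       302 Location: https://host:8443/... built from this value. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- HTTPS, Tomcat 8.5/9 style with a nested SSLHostConfig. The older
       keystoreFile/keystorePass attributes on the Connector, as in the question,
       also work; note that sslProtocol="TLS" in that style only selects the
       SSLContext, it does not restrict the enabled TLS versions. -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <!-- assumed hardening: only TLS 1.2 and 1.3 -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
      <Certificate certificateKeystoreFile="conf/localhost.jks"
                   certificateKeystorePassword="changeit"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
  </Engine>
</Service>
```

With the web.xml constraint from the question unchanged, `curl -i http://host:8080/app/` should show 302 with a Location header beginning https://host:8443/, and `curl -ik https://host:8443/app/` should return the application directly (the -k only skips verification of a self-signed certificate for the test). Tools that follow redirects automatically hide the first step, so look at the unfollowed response when the connection fails.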

IBM Mobile First V 7.0

I have an issue working in the IBM MobileFirst v7.0 Analytics console.
In the analytics console the data is not loaded from the MobileFirst server, but all data is stored in the Worklight database...
I did the following configuration for my application and deployed it on the production server...
worklight.properties file, with the JNDI properties enabled:
wl.analytics.url=http://192.168.1.3:9080/analytics-service/data
wl.analytics.console.url=http://192.168.1.3:9080/analytics/console
I keep the analytics.ear file in my application folder...
C:\IBM\WebSphere\Liberty\usr\servers\testserver\apps
server.xml
<featureManager>
  <feature>jndi-1.0</feature>
</featureManager>
<application location="analytics.ear"
             name="analytics-ear"
             type="ear">
  <application-bnd>
    <security-role name="worklightadmin">
      <user name="admin"/>
    </security-role>
    <security-role name="worklightdeployer">
      <user name="deployer"/>
    </security-role>
    <security-role name="worklightmonitor">
      <user name="monitor"/>
    </security-role>
    <security-role name="worklightoperator">
      <user name="operator"/>
    </security-role>
  </application-bnd>
</application>
If I made any mistake, could anyone kindly help me?
Since you are using security roles on your analytics console you need to send data with a username and password. Inside your server.xml for your Operations Console, you can set these username and password with the following JNDI properties:
<jndiEntry jndiName="AppName/wl.analytics.username" value="admin"/>
<jndiEntry jndiName="AppName/wl.analytics.password" value="admin"/>
Also, make sure that the security roles and constraints in your server.xml match the web.xml in your analytics-service.war. The default security configuration is the one below:
<security-role>
  <role-name>worklightadmin</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>allAccess</web-resource-name>
    <url-pattern>/data/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>worklightadmin</role-name>
    <role-name>worklightdeployer</role-name>
    <role-name>worklightmonitor</role-name>
    <role-name>worklightoperator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
The role-names will need to match the names that you use in your basic registry.

How to configure url mapping in web.xml to restrict access?

I have a few pages in the following structure.
Project
`-- WebContect
    |-- Admin/*
    |-- Author/*
    |-- Readonly/*
    `-- Index.jsp
I want to restrict users from accessing the pages under Admin, Author and Readonly. I don't want anybody to access these pages, and if somebody tries to do so, they should be redirected to index.jsp.
The easiest solution that comes to mind is using a Filter, but I am trying to find out whether it is possible to do this using web.xml.
If you want nobody to be able to access those pages directly, just put them in the /WEB-INF folder.
Project
`-- WebContect
    |-- WEB-INF
    |   |-- Admin
    |   |-- Author
    |   `-- Readonly
    `-- Index.jsp
This way the pages are not publicly accessible, but only by a servlet which performs a forward. When the end user attempts to access them directly, all he will get is an HTTP 404 error.
An alternative is configuring a role-less <security-constraint>.
<security-constraint>
  <display-name>Restrict direct access to certain folders</display-name>
  <web-resource-collection>
    <web-resource-name>Restricted folders</web-resource-name>
    <url-pattern>/Admin/*</url-pattern>
    <url-pattern>/Author/*</url-pattern>
    <url-pattern>/Readonly/*</url-pattern>
  </web-resource-collection>
  <auth-constraint />
</security-constraint>
When the end user attempts to access them, all he will get is an HTTP 403 error.
Either way, it isn't possible to redirect the end user to index.jsp this way. Only a Filter can do that. You could configure index.jsp as the error page location for 404 or 403:
<error-page>
  <error-code>404</error-code>
  <location>/index.jsp</location>
</error-page>
But this would cover all 404's (or 403's); not sure if that is what you want.
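As an added example (not from the question or the answer above), here is the role-less constraint wired together with the error-page idea for the tree in the question. Two details worth checking in practice: the asker's file is Index.jsp with a capital I, and both url-patterns and error-page locations are case-sensitive, so a location of /index.jsp would itself produce a 404 on a case-sensitive file system; and the Servlet specification does not apply security constraints to RequestDispatcher forwards or includes, so a servlet inside the application can still forward to a page under /Admin while direct client requests get 403. With the error-page approach the response status remains 403 and the browser's address bar does not change, which is the difference from the Filter redirect the answer mentions. The servlet version and welcome-file entry are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml: added example, not the original poster's file. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Direct client requests to these folders: 403 for everyone (empty auth-constraint).
       Forwards and includes via RequestDispatcher from inside the app are NOT
       subject to this constraint, so server-side composition keeps working. -->
  <security-constraint>
    <display-name>Restrict direct access to certain folders</display-name>
    <web-resource-collection>
      <web-resource-name>Restricted folders</web-resource-name>
      <url-pattern>/Admin/*</url-pattern>
      <url-pattern>/Author/*</url-pattern>
      <url-pattern>/Readonly/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Serve the landing page as the body of every 403 in this app.
       The status stays 403; the location is case-sensitive and must match
       the real file name, Index.jsp in the question's tree. -->
  <error-page>
    <error-code>403</error-code>
    <location>/Index.jsp</location>
  </error-page>

  <!-- assumed: make the landing page the context root -->
  <welcome-file-list>
    <welcome-file>Index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
```

`curl -i http://host:port/app/Admin/anything.jsp` should then return status 403 with the landing page as the body, and `curl -i http://host:port/app/` the same page with 200.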
Have you tried this? (sample for url mapping)
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- These are the groups in AD -->
    <role-name>Engineering</role-name>
    <role-name>Migration Expert</role-name>
    <role-name>Developers</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Update area</web-resource-name> <!-- web-resource-name is required by the schema -->
    <url-pattern>/update/*</url-pattern>
  </web-resource-collection>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Services Portal</realm-name>
</login-config>
If you want to grant access to pages/folders by role permission you have to have a security-constraint in your web.xml file:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>DESC_OF_FOLDER</web-resource-name>
    <url-pattern>/users/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>REGISTERED_USER_ROLE</role-name>
  </auth-constraint>
</security-constraint>
The role can be checked with this code if you are using standard JAAS authentication:
// getUserPrincipal() returns null for an unauthenticated request, so test the
// Principal itself before calling getName() to avoid a NullPointerException
java.security.Principal principal = request.getUserPrincipal();
if (principal != null) {
    String userName = principal.getName().trim();
    .....
    if (request.isUserInRole("REGISTERED_USER_ROLE")) {
        .....
    }
}
Hope this helps
UPDATE
And for the redirection to the login page you should also have something like this in the web.xml (form-login-config is only valid inside a login-config with the FORM auth-method):
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>
