Develop Reference

Blocking unwanted HttpMethods in web.xml

I am running two different applications(war files) in single tomcat. those two may contact each other.
Now I want to block some of the HTTP methods for application2. So I have added the following into my web.xml in tomcat config folder,
<security-constraint>
<web-resource-collection>
<web-resource-name><strong>restricted methods</strong></web-resource-name>
<url-pattern>/app2/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
After adding this also I am not getting 403 response for OPTIONS request. it's giving response as 200. but
<security-constraint>
<web-resource-collection>
<web-resource-name><strong>restricted methods</strong></web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
without mentioning app2 in URL pattern it's giving 403 response for OPTIONS request.
Now my question is how can I block some HTTP methods for my application2 alone?
Ihanks in advance.

Blocking some HTTP methods in web.xml

I am running two war files in single tomcat. example app1 and app2. Now I want to block some of the HTTP methods for app2 alone without touching the tomcat own web.xml. So I have created a web.xml for app2 and place it under WEB_INF.
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
</web-app>
when I hit URL as host:port/app2/ it will give response as 403.
but when I hit host:port/app2 getting response as 200.
Now I have to block host:port/app2 this URL also. How can I change the url-pattern to achieve this.

Servlet mapping using annotation not working

I'm trying to do servlet mapping using annotation and it isn't working. In the past I've managed to get servlet mapping to work using some trial and error but I really don't want to do that, not anymore.
Here is the servlet placed.
|
|src
|abc.cde.fgh
|SearchDatabase.java
Here is the annotation I have added in SearchDatabase.java
#WebServlet("/pages/SearchDatabase")
I get the 404 (Not Found) when calling the servlet by GET on
http://localhost:8080/MyProject/pages/SearchDatabase?term=1
Here is the web.xml which I was not using initially because I didn't require that. I read that to use #WebServlet annotation, I need to have a web.xml.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<display-name>MyProject</display-name>
</web-app>
Please explain what is it that I am doing wrong.

How to configure url mapping in web.xml to restrict access?

I have few pages in following structure.
--Project
|---WebContect
|----Admin/ *
|----Author/ *
|----Readonly/ *
|----Index.jsp
I want to restrict the user from accessing Pages under Admin,Author and Readonly. I don't want anybody to access these pages. And if somebody tries to do so, should be redirected to index.jsp.
The easiest solution that come in my mind is using a Filter, but I am trying to find if its possible to do using web.xml.

If you want that nobody is able to access those pages directly, just put them in /WEB-INF folder.
Project
`-- WebContect
|-- WEB-INF
| |-- Admin
| |-- Author
| `-- Readonly
`-- Index.jsp
This way the pages are not publicly accessible, but only by a servlet which performs a forward. When the enduser attempts to access it directly, all he will get is a HTTP 404 error.
An alternative is configuring a role-less <security-constraint>.
<security-constraint>
<display-name>Restrict direct access to certain folders</display-name>
<web-resource-collection>
<web-resource-name>Restricted folders</web-resource-name>
<url-pattern>/Admin/*</url-pattern>
<url-pattern>/Author/*</url-pattern>
<url-pattern>/Readonly/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
When the enduser attempts to access them, all he will get is a HTTP 403 error.
Either way, it isn't possible to redirect the enduser to index.jsp this way. Only a Filter can do that. You could configure the index.jsp as error page location for 404 or 403
<error-page>
<error-code>404</error-code>
<location>/index.jsp</location>
</error-page>
But this would cover all 404's (or 403's), not sure if that is what you want.

you have try this ? (sample for url mapping)
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<--! These are the groups in AD -->
<role-name>Engineering</role-name>
<role-name>Migration Expert</role-name>
<role-name>Developers</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/update/*</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Services Portal</realm-name>
</login-config>

if you want to grand access to pages/folders by role permission you have to have a security-constraint in your web-xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>DESC_OF_FOLDER</web-resource-name>
<url-pattern>/users/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>REGISTERED_USER_ROLE</role-name>
</auth-constraint>
</security-constraint>
The role can be acquired by this code if you are using standard Jaas authentication
if ((request.getUserPrincipal().getName()) != null) {
String userName = request.getUserPrincipal().getName().trim();
.....
if (request.isUserInRole("REGISTERED_USER_ROLE")) {
.....
}
}
Hope this helps
UPDATE
And for the redirection to the login page you should have also something like this in the web.xml
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>

HTTP Status 403 error from glassfish 3 when trying to reach an implemented login page

I have created a login page using a nice guide that I found about Java EE6 and GlassFish3 using netbeans.
After deploying the project when I try to reach the login page I get 'HTTP Status 403 - Access to the requested resource has been denied' from GlassFish3 server.
The url I am using is : http://localhost:9999/simplewebapp/admin/admin.jsp
The guide says that I should automatically be redirected to the login page I have created.
Instead I am receiving the above error.
Looking at the glassfish3 log I am getting these two lines when I am entering the above url.
INFO: JACC Policy Provider:Failed Permission Check: context (" simplewebapp/simplewebapp ") , permission (" (javax.security.jacc.WebUserDataPermission /admin/login.jsp GET) ")
INFO: JACC Policy Provider:Failed Permission Check: context (" simplewebapp/simplewebapp ") , permission (" (javax.security.jacc.WebUserDataPermission /admin/login.jsp GET:CONFIDENTIAL) ")
Some more details :
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<display-name>Admin Pages</display-name>
<web-resource-collection>
<web-resource-name>Administrative Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>admin</description>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>file</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Administrators</description>
<role-name>admin</role-name>
</security-role>
<security-role>
<description>Users</description>
<role-name>user</role-name>
</security-role>
</web-app>
glassfish-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>admin</role-name>
<group-name>appadmin</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
What am I doing wrong here?
Thank you.

Problem solved.I had to add principal names in glassfish-web.xml and a role-name in web.xml.
Correct files :
web-xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<display-name>Admin Pages</display-name>
<web-resource-collection>
<web-resource-name>Administrative Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>admin</description>
<role-name>AdminRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>file</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Administrators</description>
<role-name>AdminRole</role-name>
</security-role>
<security-role>
<description>Users</description>
<role-name>UserRole</role-name>
</security-role>
</web-app>
glassfish-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>AdminRole</role-name>
<principal-name>admin</principal-name>
<group-name>appadmin</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>UserRole</role-name>
<principal-name>user</principal-name>
<group-name>appuser</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>

Using glassfish Admin Console this worked for me:
Select ‘server-config’ listed under Configurations and access the Security page. On that page
you need to enable the ‘Default Principal to Role Mapping’ option. The benefit of enabling this option is that it enables us to use roles defined for users shortly automatically without
requiring us to make formal XML declarations in a glassfish configuration file for our project.

For keeping it "standard" I think this is the better option, because if you're using just a web container (eg. tomcat), you're not gonna have to configure nothing else that just a realm. In my case, I was using Eclipse and had to undeploy the project and redeploy it.
Thank you very much.