I have been trying to restrict the access to the WSO2 Console access of my application to the public. Configuration to access should be a port based or IP based. I have tried different techniques to restrict the access of WSO2 Console to the public except in my work environment.
Example:
I have used "class":"org.apache.catalina.filters.RemoteAddrFilter" and added my IP address as a parameter to this class in order to enable the restriction and also used ||"/> in content.xml this but nothing works as per my expectation.
I have spent several hours on this issue to achieve the solution but it wasn't working as per the requirement.
Hopefully someone here has done something similar can help me out in solving this issue.
In my case I want to restrict access to the Mgt Console to just localhost, but you should be able to add your additional ip addresses to this 'localhost only' solution.
WSO2 Identity Server 6.0
Add to {WSO2IS_HOME}\repository\conf\tomcat\carbon\WEB-INF\web.xml
<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>localhost|127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/carbon/*</url-pattern>
</filter-mapping>
Bonus: Control adding the above by setting a deployment.toml property
Add deployment.toml property:
[server]
...
mgt_console_localhost_only=true
Copy {WSO2IS_HOME}\repository\conf\tomcat\carbon\WEB-INF\web.xml
to: {WSO2IS_HOME}\repository\resources\conf\templates\repository\conf\tomcat\carbon\WEB-INF\web.xml.j2
Add to web.xml.j2:
{% if server.mgt_console_localhost_only is sameas true %}
<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>localhost|127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/carbon/*</url-pattern>
</filter-mapping>
{% endif %}
Related
I have a several servlets and in my case I need to implement ServletRequestListener. But, I don't want the listener to react on every request in any servlet. I would like to know if there any possibility to map a specific ServletRequestListener to a specific certain servlet. My web.xml looks like:
<servlet>
<servlet-name>CommonsServlet</servlet-name>
<servlet-class>
com.promptlink.dslib.gwt.common.server.rpc.CommonsServletImpl</servlet-class>
</servlet>
...
<listener>
<listener-class>
com.promptlink.dslib.gwt.common.server.httpListeners.ServletRequestListenerImpl
</listener-class>
</listener>
That's not possible with a ServletRequestListener. A servlet request listener listens on every servlet request. Just create a Filter instead which you can simply map directly to servlet name (no, not to its URL pattern, that's maintenance unfriendly).
<filter>
<filter-name>CommonFilter</filter-name>
<filter-class>com.example.CommonFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CommonFilter</filter-name>
<servlet-name>CommonsServlet</servlet-name>
</filter-mapping>
See also:
Our servlet filters wiki page
Why do we need a servlet name?
If you only want to react on the requests of a specific servlet then the servlet itself would be the ideal place to do this.
If you don't control the servlet code you can write a Filter and give it the same URL pattern as the servlet or directly refer to the servlet in the filter mapping.
I'm looking for a way to control access to a URI by IP addresses without using Spring Security. Should I use an filter or interceptor?
An idea?
Thanks!
Ok, I solved it pretty easy with a Tomcat RemoteAddrFilter.
<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>[my ip address regex]</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/config/*</url-pattern>
</filter-mapping>
I have a web application that performs ajax request to a web service on a different port (i.e. my application and the server are on different domains).I have not access to the server APIs, so I cannot use JSONP.I am resolving using the Smiley's HTTP Proxy Servlet, so my web.xml file contains this section:
<servlet>
<servlet-name>rs</servlet-name>
<servlet-class>org.mitre.dsmiley.httpproxy.ProxyServlet</servlet-class>
<init-param>
<param-name>targetUri</param-name>
<!-- my servlet is hosted at http://my_ip:my_port/webapp -->
<param-value>http://my_ip:other_port/rest-services/rs</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>rs</servlet-name>
<url-pattern>/rs/*</url-pattern>
</servlet-mapping>
Unfortunately I have to deploy the web application on different machines (development, test, production), that respond to different IP addresses.
Is there a way to make the IP address change dinamically in the web.xml file, or to retrieve the current domain somehow? Or do I have to manually change the IP address every time before compiling?
Ok, I found the solution by myself.
I just had to replace the IP with localhost:
<param-value>http://localhost:other_port/rest-services/rs</param-value>
(it seems like a stupid answer for a stupid question, but I was sure I already tried that on the past and failed. Now it seems to work.)
I cannot connect to the auto generated spring security log-in page. According to the documentation, including the following lines in your security-context.xml will have Spring generate an html log-in form and redirect the user to it when trying to connect to the specific URL:
<http auto-config="true" >
<intercept-url pattern="/management-console" access="ROLE_ADMIN"/>
</http>
<authentication-manager ... />
Here is the rest of my configuration. Web.xml:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>
classpath:/context/applicationContext.xml <!-- I am importing my security-context.xml in here -->
<param-value>
</context-param>
<!-- Security Configuration -->
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/management-console</url-pattern>
</filter-mapping>
I have tried importing the security-context.xml directly in the web.xml, but I still see the error.
After deploying my application, I can connect to each my specified urls without issue. However, when I try to go to localhost:{port}/{appName}/management-console, the filter chain redirects me to /spring_security_login (as expected). However, I see an "HTTP Status 405 - Request method 'GET' not supported" error once I am forwarded and the following comes up on the console (spring-mvc is the name I gave to my servlet):
org.springframework.web.servlet.PageNotFound | No mapping found for HTTP request with URI [/InternalManagementViewer/spring_security_login] in DispatcherServlet with name 'spring-mvc' |
I have seen this error before when I miss declaring a POST/GET mapping in the controller. According to the documentation, I should not have to include such a method in my controller to handle the /spring_security_login mapping. From what I have read, spring is supposed to know to return the auto-generated log-in html page.
Just to see what happens, I declared a method in my controller to handle the /spring_security_login mapping. Since the function returns void (because I do not know the local view name of the generated html log-in page), it looks for the resource named "spring_security_login.jsp", which is not explicitly created in my project, and thus I get an "HTTP resource not found" error.
I'm stumped on this one and could really use a hand. Thanks a lot for taking a look.
Apply springSecurityFilterChain filter to all URLs:
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
springSecurityFilterChain is an entry point for all Spring Security features. So if this filter is not applied to some URL then you will not be able use Spring Security there (in this case handle /spring_security_login URL).
I need to disable PUT, DELETE & TRACE HTTP requests on my Application Server, Apache Tomcat 6.0.
All other sources, i have searched till now, have directed me towards the limit parameter in httpd.conf, Hence I'd put it before-hand that I am not using Apache Web Server, and requests are directly being handled by Tomcat, and so there is no httpd.conf in picture.
Please suggest how should I do it on Tomcat?
Inside your WEBINF, add you can add a security constraint:
<security-constraint>
<web-resource-collection>
<web-resource-name>Forbidden</web-resource-name>
<url-pattern>/blah/*</url-pattern>
<http-method>PUT</http-method>
<http-method>DELETE</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>empty_role</role-name>
</auth-constraint>
</security-constraint>
Alternatively, you can do these two things:
In server.xml, edit the <connector> element, add an attribute: allowTrace="false". Then edit the DefaultServlet: $CATALINA_HOME/conf/web.xml
<servlet>
<servlet-name>default</servlet-name>
<servlet-class>
org.apache.catalina.servlets.DefaultServlet
</servlet-class>
<!-- blah blah blah -->
<init-param>
<param-name>readonly</param-name>
<param-value>true</param-value>
</init-param>
</servlet>
The answer lies in the servlet specification. In looking at the API for the servlet: http://java.sun.com/products/servlet/2.5/docs/servlet-2_5-mr2/javax/servlet/http/HttpServlet.html you'll see that different methods handle different kind of HTTP requests. Also, there is a great feature called filters that can be used to wrap some code around servlets and filters.
So the solutions are:
Modify the servlet to only support do and get; or
Create a filter to clear those other kind of requests.