Tomcat web.xml http basic auth - http

I just want to do something that seems simple but does not work for me:
I'm working with Tomcat 7 on Linux.
I have /.../apache-tomcat-7.0.68/webapps/ROOT/admin/*.jsp
I just want to protect all files in that folder with basic HTTP auth. I already tried to edit /.../apache-tomcat-7.0.68/webapps/ROOT/WEB-INF/web.xml with:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN"
"http://java.sun.com/j2ee/dtds/web-app_2.2.dtd">
<web-app>
<security-constraint>
<!-- web resources that are protected -->
<web-resource-collection>
<web-resource-name>A Protected Page</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- role-name indicates roles that are allowed
to access the web resource specified above -->
<role-name>tomcat</role-name>
<role-name>role1</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Basic Authentication Example</realm-name>
</login-config>
</web-app>
Does not work... Do you have any idea?

Related

Blocking unwanted HttpMethods in web.xml

I am running two different applications (war files) in a single Tomcat. Those two may contact each other.
Now I want to block some of the HTTP methods for application2. So I have added the following into my web.xml in the Tomcat config folder:
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/app2/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
After adding this I am still not getting a 403 response for an OPTIONS request; it gives a 200 response. But with
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint />
</security-constraint>
without mentioning app2 in the url-pattern, it gives a 403 response for an OPTIONS request.
Now my question is: how can I block some HTTP methods for my application2 alone?
Thanks in advance.

Blocking some HTTP methods in web.xml

I am running two war files in a single Tomcat, for example app1 and app2. Now I want to block some of the HTTP methods for app2 alone without touching Tomcat's own web.xml. So I have created a web.xml for app2 and placed it under WEB-INF.
<web-app>
<security-constraint>
<web-resource-collection>
<web-resource-name>restricted methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>OPTIONS</http-method>
<http-method>TRACE</http-method>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
</web-app>
When I hit the URL host:port/app2/ it gives a 403 response,
but when I hit host:port/app2 I get a 200 response.
Now I have to block host:port/app2 as well. How can I change the url-pattern to achieve this?
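The three questions above all come down to how a <security-constraint> is matched. The checker below is an added example, not code from any of the posts or from Tomcat: it parses the <security-constraint> elements of a web.xml, applies the Servlet url-pattern rules (exact, path-prefix, extension, default) to a context-relative path plus HTTP method, and returns whether the container would permit the request, challenge for credentials (401) or refuse it (403). It also reports the two gaps the posts run into: a <web-resource-collection> that lists <http-method> elements covers only those methods, and url-patterns are matched after the context path has been stripped from the request URI, so a pattern such as /app2/* inside app2's descriptor (or in Tomcat's conf/web.xml, which is merged into every context) only matches requests to /app2/app2/... The sample descriptor, the role names and the context_path argument are constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample web.xml (not from the posts): a role-based constraint on
# /admin/* and a method-limited, role-less constraint that repeats the context path.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>A Protected Page</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>tomcat</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>restricted methods</web-resource-name>
      <url-pattern>/app2/*</url-pattern>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


@dataclass
class Constraint:
    name: str
    patterns: list
    methods: list               # empty list = every HTTP method is covered
    roles: list
    has_auth_constraint: bool

    def denies_everyone(self):
        # <auth-constraint/> with no <role-name> means no role may access
        return self.has_auth_constraint and not self.roles


def _local(tag):
    # Drop the namespace so DTD-style (2.x) and namespaced (3.x) files both parse
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def parse_constraints(xml_text):
    """Return one Constraint per <security-constraint> in the descriptor."""
    result = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name, patterns, methods = "", [], []
        for wrc in (c for c in sc if _local(c.tag) == "web-resource-collection"):
            for child in wrc:
                kind = _local(child.tag)
                if kind == "web-resource-name":
                    name = _text(child)
                elif kind == "url-pattern":
                    patterns.append(_text(child))
                elif kind == "http-method":
                    methods.append(_text(child).upper())
        auth = [c for c in sc if _local(c.tag) == "auth-constraint"]
        roles = [_text(r) for r in auth[0] if _local(r.tag) == "role-name"] if auth else []
        result.append(Constraint(name, patterns, methods, roles, bool(auth)))
    return result


def pattern_matches(pattern, path):
    """Servlet url-pattern rules; `path` is the request URI minus the context path."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):                      # path-prefix mapping
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                    # extension mapping
        return path.endswith(pattern[1:])
    return pattern == "/"                           # default mapping


def decide(constraints, path, method, user_roles=None):
    """'permit', 'authenticate' (401 challenge) or 'forbidden' (403)."""
    hits = [c for c in constraints
            if any(pattern_matches(p, path) for p in c.patterns)
            and (not c.methods or method.upper() in c.methods)]
    if not hits:
        return "permit"                  # nothing constrains this path+method
    if any(c.denies_everyone() for c in hits):
        return "forbidden"               # a role-less auth-constraint overrides the rest
    if any(not c.has_auth_constraint for c in hits):
        return "permit"                  # a hit without auth-constraint allows anyone
    allowed = set().union(*(c.roles for c in hits))
    if user_roles is None:
        return "authenticate"
    return "permit" if "*" in allowed or allowed & set(user_roles) else "forbidden"


def report_gaps(constraints, context_path=""):
    """Findings a reviewer would raise against the parsed constraints."""
    findings = []
    for c in constraints:
        if c.methods:
            findings.append(f"{c.name}: only {', '.join(c.methods)} covered; "
                            "all other methods on these patterns are unconstrained")
        for p in c.patterns:
            if context_path and p.startswith(context_path + "/"):
                findings.append(f"{c.name}: pattern {p} repeats the context path "
                                f"{context_path}; patterns are matched after it is stripped")
    return findings


if __name__ == "__main__":
    cs = parse_constraints(SAMPLE_WEB_XML)
    for path, method, roles in [("/admin/index.jsp", "GET", None),
                                ("/admin/index.jsp", "GET", ["tomcat"]),
                                ("/index.jsp", "OPTIONS", None),
                                ("/app2/x", "OPTIONS", None)]:
        print(f"{method:7} {path:18} roles={roles} -> {decide(cs, path, method, roles)}")
    for line in report_gaps(cs, context_path="/app2"):
        print("gap:", line)
```

Run it against your own WEB-INF/web.xml with the real context path to see which requests fall through: an OPTIONS to /index.jsp in the sample is permitted because /app2/* never matches a context-relative path, and a GET to /app2/x is permitted because only OPTIONS and TRACE were listed.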

How to configure url mapping in web.xml to restrict access?

I have a few pages in the following structure.
--Project
|---WebContect
|----Admin/ *
|----Author/ *
|----Readonly/ *
|----Index.jsp
I want to restrict users from accessing pages under Admin, Author and Readonly. I don't want anybody to access these pages, and if somebody tries to do so, they should be redirected to index.jsp.
The easiest solution that comes to mind is using a Filter, but I am trying to find out if it's possible to do it using web.xml.
If you want nobody to be able to access those pages directly, just put them in the /WEB-INF folder.
Project
`-- WebContect
|-- WEB-INF
| |-- Admin
| |-- Author
| `-- Readonly
`-- Index.jsp
This way the pages are not publicly accessible, but only by a servlet which performs a forward. When the end user attempts to access them directly, all he will get is an HTTP 404 error.
An alternative is configuring a role-less <security-constraint>.
<security-constraint>
<display-name>Restrict direct access to certain folders</display-name>
<web-resource-collection>
<web-resource-name>Restricted folders</web-resource-name>
<url-pattern>/Admin/*</url-pattern>
<url-pattern>/Author/*</url-pattern>
<url-pattern>/Readonly/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
When the end user attempts to access them, all he will get is an HTTP 403 error.
Either way, it isn't possible to redirect the end user to index.jsp this way. Only a Filter can do that. You could configure index.jsp as the error page location for 404 or 403:
<error-page>
<error-code>404</error-code>
<location>/index.jsp</location>
</error-page>
But this would cover all 404's (or 403's), not sure if that is what you want.
Have you tried this? (sample for url mapping)
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<!-- These are the groups in AD -->
<role-name>Engineering</role-name>
<role-name>Migration Expert</role-name>
<role-name>Developers</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/update/*</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Services Portal</realm-name>
</login-config>
If you want to grant access to pages/folders by role permission you have to have a security-constraint in your web.xml file:
<security-constraint>
<web-resource-collection>
<web-resource-name>DESC_OF_FOLDER</web-resource-name>
<url-pattern>/users/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>REGISTERED_USER_ROLE</role-name>
</auth-constraint>
</security-constraint>
The role can be acquired by this code if you are using standard JAAS authentication:
// getUserPrincipal() is null when the request is not authenticated
if (request.getUserPrincipal() != null) {
    String userName = request.getUserPrincipal().getName().trim();
    // .....
    if (request.isUserInRole("REGISTERED_USER_ROLE")) {
        // .....
    }
}
Hope this helps
UPDATE
And for the redirection to the login page you should have also something like this in the web.xml
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>

HTTP Status 403 error from glassfish 3 when trying to reach an implemented login page

I have created a login page using a nice guide that I found about Java EE 6 and GlassFish 3 using NetBeans.
After deploying the project when I try to reach the login page I get 'HTTP Status 403 - Access to the requested resource has been denied' from GlassFish3 server.
The URL I am using is: http://localhost:9999/simplewebapp/admin/admin.jsp
The guide says that I should automatically be redirected to the login page I have created.
Instead I am receiving the above error.
Looking at the GlassFish 3 log, I get these two lines when I enter the above URL.
INFO: JACC Policy Provider:Failed Permission Check: context (" simplewebapp/simplewebapp ") , permission (" (javax.security.jacc.WebUserDataPermission /admin/login.jsp GET) ")
INFO: JACC Policy Provider:Failed Permission Check: context (" simplewebapp/simplewebapp ") , permission (" (javax.security.jacc.WebUserDataPermission /admin/login.jsp GET:CONFIDENTIAL) ")
Some more details:
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<display-name>Admin Pages</display-name>
<web-resource-collection>
<web-resource-name>Administrative Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>admin</description>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>file</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Administrators</description>
<role-name>admin</role-name>
</security-role>
<security-role>
<description>Users</description>
<role-name>user</role-name>
</security-role>
</web-app>
glassfish-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>admin</role-name>
<group-name>appadmin</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
What am I doing wrong here?
Thank you.
Problem solved. I had to add principal names in glassfish-web.xml and a role-name in web.xml.
Correct files:
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<security-constraint>
<display-name>Admin Pages</display-name>
<web-resource-collection>
<web-resource-name>Administrative Pages</web-resource-name>
<description/>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>admin</description>
<role-name>AdminRole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>file</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<description>Administrators</description>
<role-name>AdminRole</role-name>
</security-role>
<security-role>
<description>Users</description>
<role-name>UserRole</role-name>
</security-role>
</web-app>
glassfish-web.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-web-app PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 Servlet 3.0//EN" "http://glassfish.org/dtds/glassfish-web-app_3_0-1.dtd">
<glassfish-web-app error-url="">
<security-role-mapping>
<role-name>AdminRole</role-name>
<principal-name>admin</principal-name>
<group-name>appadmin</group-name>
</security-role-mapping>
<security-role-mapping>
<role-name>UserRole</role-name>
<principal-name>user</principal-name>
<group-name>appuser</group-name>
</security-role-mapping>
<class-loader delegate="true"/>
<jsp-config>
<property name="keepgenerated" value="true">
<description>Keep a copy of the generated servlet class' java code.</description>
</property>
</jsp-config>
</glassfish-web-app>
Using the GlassFish Admin Console this worked for me:
Select ‘server-config’ listed under Configurations and access the Security page. On that page you need to enable the ‘Default Principal to Role Mapping’ option. The benefit of enabling this option is that it enables us to use roles defined for users shortly automatically without requiring us to make formal XML declarations in a GlassFish configuration file for our project.
For keeping it "standard" I think this is the better option, because if you're using just a web container (e.g. Tomcat), you're not going to have to configure anything else but a realm. In my case, I was using Eclipse and had to undeploy the project and redeploy it.
Thank you very much.

Glassfish 3 - Loading images from a static server

I'm trying to load images (and other static content) from a server outside of my web application, which is deployed to GlassFish v3. I have the following configs in the web.xml but it does not work on GlassFish (it works on Tomcat):
<servlet>
<servlet-name>ExternalImagesServlet</servlet-name>
<servlet-class>com.example.servlet.HttpProxyServlet</servlet-class>
<init-param>
<param-name>RemoteURI</param-name>
<param-value>http://ip.of.second.server/website-files</param-value>
</init-param>
<init-param>
<param-name>AllowedContentTypes</param-name>
<param-value>image/gif,image/jpeg,image/png</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>ExternalImagesServlet</servlet-name>
<url-pattern>/images/*</url-pattern>
</servlet-mapping>
Where ip.of.second.server is the actual IP address of the server. I have the file called website-files.xml defined as follows:
<?xml version="1.0" encoding="UTF-8"?>
<Context docBase="d:/internet/website/images" />
And website-files.xml is saved to the glassfish\domains\domain1\config directory. But GlassFish does not pick up this config file.
I have looked at the Oracle GlassFish configuration doco but there's no mention of how you can reference images from a different server.
Please help.
I have solved it based on an old thread relating to Glassfish version 2 that I found on Google after two days of search.
In case anyone is interested in the solution, here it is:
1) Create a file called sun-web.xml directly under the WebContent\WEB-INF directory and add the following configuration to this file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD GlassFish Application Server 3.0 Servlet 3.0//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_3_0-0.dtd">
<sun-web-app>
<property name="alternatedocroot_1" value="from=/images/* dir=d:/internet/website" />
<property name="alternatedocroot_2" value="from=/files/* dir=d:/internet/website" />
</sun-web-app>
2) Remove the servlet and servlet-mapping configurations from the web.xml file (like I showed above). Note: the above would work if you were to use Tomcat.
3) Delete website-files.xml from the glassfish\domains\domain1\config directory as this file is not needed by GlassFish. Note: this file is needed by Tomcat.
