How to handle web.xml authorization to local js/css files when returning '403 Forbidden'? - authorization

I have a website which only people with authorization can enter. If someone does not have authorization, my web.xml redirects them to a 403 error page.
However, both my application and my error pages use some external js and css files (e.g. bootstrap). Logically, the 403 error page cannot access these js/css files, as permission is forbidden to everything except for the error page html.
How should I solve this neatly? Should I expose my libraries folder publicly? If so, how can I override my security rules for a specific folder?
I looked through the documentation here but I do not see this scenario mentioned. I presume I have to add a security-constraint to "/libraries", and somehow override the necessary roles for the HTTP-method GET?
The potentially relevant parts of my web.xml:
<error-page>
    <error-code>403</error-code>
    <location>/errorPages/forbidden.jsp</location>
</error-page>
<security-role>
    <role-name>myRole</role-name>
</security-role>
<security-constraint>
    <display-name>MySecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>WebResource</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>DELETE</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>myRole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

You could simply add an extra security-constraint with a more specific path and without the auth-constraint:
<security-constraint>
    <display-name>NoSecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>WebResource</web-resource-name>
        <url-pattern>/library/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>DELETE</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint here: unauthenticated access to everything under /library -->
</security-constraint>
I hope this solves your problem.
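Added example, not code from the question or the answer above: a small Python model of how a Servlet 3.x container decides which security-constraint applies to a request. It parses a constructed web.xml fragment that combines the asker's catch-all constraint with the answer's extra constraint for the static-library folder and shows why the answer works (only the constraints with the longest matching url-pattern are considered, and a constraint with no auth-constraint grants unauthenticated access). It also adds one check a practitioner will want: because the asker's constraint lists explicit http-method elements, any method not on that list is left unconstrained; the hypothetical deny_uncovered flag models the Servlet 3.1 deny-uncovered-http-methods element. The sample's /library/* constraint deliberately lists no http-method, which makes it cover every method. The dataclass and function names are my own.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample (not the asker's file): the catch-all constraint from the
# question plus the answer's extra constraint for the static-library folder.
# The extra constraint lists no <http-method>, so it covers every method.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
      <http-method>PUT</http-method><http-method>DELETE</http-method>
      <http-method>HEAD</http-method><http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myRole</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/library/*</url-pattern></web-resource-collection>
  </security-constraint>
</web-app>"""
TRANSPORT_RANK = {"NONE": 0, "INTEGRAL": 1, "CONFIDENTIAL": 2}

@dataclass
class Constraint:
    collections: List[Tuple[List[str], Set[str]]]  # (url-patterns, methods); empty set = all methods
    roles: Optional[List[str]]                     # None = no <auth-constraint>; [] = nobody
    transport: str

@dataclass
class Decision:
    allowed: bool
    roles: Optional[List[str]]   # None = no login needed
    transport: str
    uncovered: bool = False      # a pattern matched but no collection listed the method

def local(tag: str) -> str:
    return tag.rsplit("}", 1)[-1]  # strip the javaee namespace that real web.xml files carry

def texts(el, name: str) -> List[str]:
    return [c.text.strip() for c in el.iter() if local(c.tag) == name and c.text]

def parse_constraints(xml_text: str) -> List[Constraint]:
    out = []
    for sc in ET.fromstring(xml_text).iter():
        if local(sc.tag) != "security-constraint":
            continue
        cols = [(texts(w, "url-pattern"), set(texts(w, "http-method")))
                for w in sc if local(w.tag) == "web-resource-collection"]
        auth = [a for a in sc if local(a.tag) == "auth-constraint"]
        tg = texts(sc, "transport-guarantee")
        out.append(Constraint(cols, texts(auth[0], "role-name") if auth else None,
                              tg[0] if tg else "NONE"))
    return out

def match_quality(pattern: str, path: str):
    """Sort key for how specifically pattern matches path (servlet mapping rules), or None."""
    if pattern == path:
        return (3, len(pattern))                     # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                  # longest path prefix wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, len(pattern))                     # extension match
    return None

def evaluate(constraints, path: str, method: str, deny_uncovered=False) -> Decision:
    # 1. Only constraints carrying the best-matching url-pattern count, so
    #    /library/* shadows /* for everything under /library.
    best, hits = None, []
    for c in constraints:
        for patterns, methods in c.collections:
            for q in filter(None, (match_quality(p, path) for p in patterns)):
                if best is None or q > best:
                    best, hits = q, []
                if q == best:
                    hits.append((c, methods))
    # 2. Of those, keep the collections whose <http-method> list covers the request.
    applicable = [c for c, methods in hits if not methods or method in methods]
    if not applicable:
        if hits and deny_uncovered:      # Servlet 3.1 <deny-uncovered-http-methods/>
            return Decision(False, [], "NONE", uncovered=True)
        return Decision(True, None, "NONE", uncovered=bool(hits))
    # 3. Combine: any constraint without <auth-constraint> grants unauthenticated
    #    access; otherwise roles are unioned and an empty union denies everyone.
    roles = None if any(c.roles is None for c in applicable) else \
        sorted({r for c in applicable for r in c.roles})
    transport = min((c.transport for c in applicable), key=TRANSPORT_RANK.__getitem__)
    return Decision(roles is None or bool(roles), roles, transport)

if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for method, path in [("GET", "/library/bootstrap.min.css"), ("GET", "/index.jsp"),
                         ("PATCH", "/index.jsp")]:
        print(method, path, evaluate(cs, path, method))
```

Running it shows GET /library/bootstrap.min.css resolved with no roles required, GET /index.jsp requiring myRole, and PATCH /index.jsp reported as uncovered and therefore allowed without authentication. The mitigation for that last case is to drop the http-method list from the catch-all constraint (a collection with no http-method covers all methods) or, on a Servlet 3.1 container, to add deny-uncovered-http-methods to web.xml; the deny_uncovered=True path in evaluate shows the effect of the latter.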

Related

Tomcat is redirecting URL after upload image only with ssl

I have a Tomcat running an application with Groovy on Grails. I don't have the source code of the application, only the .war.
Deployment details:
Tomcat 7.
Java 1.8.
Ubuntu 16.04.
I deployed it behind nginx at first, but after configuring SSL (https) it started to redirect to a wrong page after uploading an image. Before SSL it uploaded the image and stayed on the same page, as I expected it to.
As I didn't know what configuration was causing that behavior, I changed to Apache. But the same error occurred after the SSL configuration.
In Apache, I generated a certificate with certbot (letsencrypt) and changed the files as follows:
server.xml:
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="/etc/letsencrypt/live/mydomain/mydomain.jks"
           keystorePass="password"
           clientAuth="false"
           sslProtocol="TLS"
           sslVerifyClient="optional"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello"
/>
web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>app_name</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
The form in which the image is uploaded is configured like this:
<form action="/app_name/resource/save" method="post" name="myForm" on404="alert('not found!')" enctype="multipart/form-data" id="myForm">
This form is inside a modal window.
Without SSL, after uploading the image, the modal window closes normally. But with SSL, the page is redirected to "app_name/resource/save", which is blank. This is the action of the form.
I would appreciate any help on this. I'd like to give more details, but, seriously, I almost don't know where to start.

Change the URL mapping in Javamelody

I have the same exact problem as in Change the URL mapping -Javamelody, but unfortunately I cannot comment on it due to lack of reputation.
The accepted answer there does not do it for me and I have a feeling it might be because I am inserting it in the wrong place. Where exactly do I need to put it?
I fixed my problem as follows:
The .jar files from Javamelody need to be in the lib folder of your webapp, not only in your tomcat\lib folder.
Then I added this code to the web.xml:
<filter>
    <filter-name>monitoring</filter-name>
    <filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
    <init-param>
        <!-- the monitoring page is served under this path instead of the default -->
        <param-name>monitoring-path</param-name>
        <param-value>/admin/monitoring</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>monitoring</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>W2MO</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JavaMelody Monitoring</realm-name>
</login-config>
<security-role>
    <role-name>admin</role-name>
</security-role>
The admin role needs to be defined in the file tomcat-users.xml:
<role rolename="admin"/>
<user username="admin" password="password" roles="admin"/>

How to make undertow NOT use authorization for open resource when authorization is included in request?

Using Wildfly 8.1.0.Final
I want to create a web app that requires basic authentication for access to /api/* but the rest of the application should be open. To accomplish this I have the following web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Api access</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>api</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>api</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Authentication requires api access</realm-name>
    </login-config>
</web-app>
Testing with a browser, this works as expected.
http://localhost:8080/myapp/api
...requires authentication.
http://localhost:8080/myapp
...does not require authentication.
Here comes the tricky part:
A third party accesses /myapp and includes an authorization header in the request:
Authorization: Basic ZGlsbDpkYWxs
This is not a user registered in WildFly, but that shouldn't matter because /myapp is open and does not require authorization. However, what happens is this:
401 Unauthorized
Why? I have not told Undertow to use any security constraints for /myapp, yet it defaults to the security constraints I have registered for /myapp/api.
This is new behaviour that was introduced with undertow, because with Jboss AS 7.1.1.Final this did not happen.
How can I tell undertow to not use authorization for an open resource when authorization is included in the request?
I can confirm the issue with WildFly 8.1.0.Final. GlassFish 4.0 does not respond with 401 in the same scenario.
I've submitted an issue:
https://issues.jboss.org/browse/WFLY-3590

GWT and SSL not working?

I have a GWT app, I'm using the MVP4G framework. I'm able to pull up my app just fine if I use HTTP. However, when I try to open it using HTTPS it does not work. My entire site works fine with the SSL certificate I have.
Is there a particular configuration that I need to enable when I compile GWT? Or is there something I need to do in my apache configuration? Any help would be greatly appreciated, thank you.
SSL should not affect your application, because SSL runs on another layer.
To configure HTTPS you must set the security constraints in web.xml and afterwards connect to "https://", not to "http://". If you connect to "http://" you receive a blank page.
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL makes the container require TLS for every matching request -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Using Basic Authentication (htaccess) to restrict access to a specific URL

I need to restrict access to a particular URL, e.g. http://mydomain.com/this/is/the/url on my webserver using Basic Authentication through Apache. Any other URL should be openly accessible. I have seen that you can add specific rules to files using:
<Files "mypage.html">
    Require valid-user
</Files>
My problem is that all requests are routed to controllers using mod-rewrite and so I don't think that I can restrict access based on the file. Any ideas would be most helpful!
In the .htaccess file you should put:
AuthType Basic
AuthName "Need to login"
AuthUserFile /path/to/.htpasswd
Require user USER
# AuthName is the login prompt message.
# AuthUserFile is the physical .htpasswd file location, e.g. C:/xampp/htdocs/basic/.htpasswd
# "Require user" is for a specific user, i.e. the username you want to authenticate.
To generate the .htpasswd file you can use:
- http://www.htaccesstools.com/htpasswd-generator/
I'm not sure if this would work/help, but you could specify something in your application's web.xml.
<security-constraint>
    <display-name>Public access</display-name>
    <web-resource-collection>
        <web-resource-name>PublicPages</web-resource-name>
        <description>Public</description>
        <url-pattern>/servlet/*</url-pattern>
    </web-resource-collection>
    <!-- no auth-constraint: anyone may reach /servlet/* -->
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<security-constraint>
    <display-name>Secured access</display-name>
    <web-resource-collection>
        <web-resource-name>SecuredPages</web-resource-name>
        <description>Secured pages</description>
        <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>General Access</description>
        <!-- "*" in an auth-constraint means any role declared in this web.xml -->
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>SSL not required</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>SecurePages</realm-name>
</login-config>
<security-role>
    <description>General Access</description>
    <role-name>*</role-name>
</security-role>