I have the same exact problem as in Change the URL mapping -Javamelody, but unfortunately I cannot comment on it due to lack of reputation.
The accepted answer there does not do it for me and I have a feeling it might be because I am inserting it in the wrong place. Where exactly do I need to put it?
I have fixed my problem as such:
The .jar files from Javamelody need to be in the lib folder of your webapp, not only in your tomcat\lib folder.
Then I added this code to the web.xml:
<filter>
<filter-name>monitoring</filter-name>
<filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
<init-param>
<param-name>monitoring-path</param-name>
<param-value>/admin/monitoring</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>monitoring</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>W2MO</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JavaMelody Monitoring</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
The admin role needs to be defined in the file tomcat-users.xml:
<role rolename="admin"/>
<user username="admin" password="password" roles="admin"/>
Related
I have a website which only people with authorization can enter. If someone does not have authorization, my web.xml redirects them to a 403 error page.
However, both my application and my error pages use some external js and css files (e.g. bootstrap). Logically, the 403 error page cannot access these js/css files, as permission is forbidden to everything except for the the error page html.
How should I solve this neatly? Should I expose my libraries folder publicly? If so, how can I override my security rules for a specific folder?
I looked through the documentation here but I do not see this scenario mentioned. I presume I have to add a security-constraint to "/libraries", and somehow override the necessary roles for the HTTP-method GET?
The potentially relevant parts of my web.xml:
<error-page>
<error-code>403</error-code>
<location>/errorPages/forbidden.jsp</location>
</error-page>
<security-role>
<role-name>myRole</role-name>
</security-role>
<security-constraint>
<display-name>MySecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WebResource</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
You could simple add an extra security-constraint with detailed path and without the auth-constraint
<security-constraint>
<display-name>NoSecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WebResource</web-resource-name>
<url-pattern>/library/*</url-pattern>
<http-method>GET</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
I hope this solves your problem
I'm using WebLogic 11g server, OIM (Oracle identity Manager), and I created a new web application on Wicket 6 as a module. When I execute my application in WebLogic server http://192.168.112.31:7001/WicketReport I receive a 403 Error.
My web.xml file is:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
version="2.5">
<display-name>Wicket Web Application</display-name>
<filter>
<filter-name>Application</filter-name>
<filter-class>org.apache.wicket.protocol.http.WicketFilter</filter-class>
<init-param>
<param-name>applicationClassName</param-name>
<param-value>kz.ecc.wicketreport.pages.Application</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Application</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<session-config>
<session-timeout>30</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file/>
</welcome-file-list>
</web-app>
I couldn't find any tutorial or instructions that describe how to do this. Please show me what I need to do or some steps to achieve it.
UPDATE
I tried to add:
<login-config>
<auth-method>CLIENT-CERT,BASIC</auth-method>
<realm-name>myRealm</realm-name>
</login-config>
after </welcome-file-list> in my web.xml but I still receive the 403 Error.
Using Wildfly 8.1.0.Final
I want to create a web app that requires basic authentication for access to /api/* but the rest of the application should be open. To accomplish this I have the following web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Api access</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>api</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>api</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Authentication requires api access</realm-name>
</login-config>
</web-app>
Testing with a browser, this works as expected.
http://localhost:8080/myapp/api
...requires authentication.
http://localhost:8080/myapp
...does not require authentication.
Here comes the tricky part:
A third party accesses /myapp and includes an authorization header in the request:
Authorization: Basic ZGlsbDpkYWxs
This is not a user registered in wildfly, but that shouldnt matter because /myapp is open, and does not require authorization. However what happens is this:
401 Unauthorized
Why? I have not told undertow to use any security constraints for /myapp, yet it defaults to the security constraints I have registered for /myapp/api
This is new behaviour that was introduced with undertow, because with Jboss AS 7.1.1.Final this did not happen.
How can I tell undertow to not use authorization for an open resource when authorization is included in the request?
I can confirm the issue with WildFly 8.1.0.Final. GlassFish 4.0 does not respond with 401 in the same scenario.
I've submitted an issue:
https://issues.jboss.org/browse/WFLY-3590
I'm trying to add CAS as an authentication provider for OBIEE 11g.
up until now I've added the cas-client-core-3.2.1.jar jar to
$MW_HOME/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/lib/
and configure
$MW_HOME/wlserver_10.3/server/lib/consoleapp/webapp/WEB-INF/web.xml
with the the flowing elements:
<filter>
<filter-name>CAS Authentication Filter</filter-name>
<filter-class>org.jasig.cas.client.authentication.AuthenticationFilter</filter-class>
<init-param>
<param-name>casServerLoginUrl</param-name>
<param-value>http://192.168.0.117:8000/cas/login</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://192.168.0.170</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS Validation Filter</filter-name>
<filter-class>org.jasig.cas.client.validation.Cas10TicketValidationFilter</filter-class>
<init-param>
<param-name>casServerUrlPrefix</param-name>
<param-value>http://192.168.0.117:8000/cas</param-value>
</init-param>
<init-param>
<param-name>serverName</param-name>
<param-value>https://192.168.0.170</param-value>
</init-param>
</filter>
<filter>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<filter-class>org.jasig.cas.client.util.HttpServletRequestWrapperFilter</filter-class>
</filter>
<filter>
<filter-name>CAS Assertion Thread Local Filter</filter-name>
<filter-class>org.jasig.cas.client.util.AssertionThreadLocalFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>CAS Authentication Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS Validation Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CAS HttpServletRequest Wrapper Filter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
this only applies to the WL console and not OBIEE application.
I'm redirected to the cas login however afterwords i'm still required to enter a console password, and the effective user will be the one from CAS.
any idea how to deploy CAS for the OBIEE application?
Thanks,
Shay
OK solved it,
had to unpack the analytics.ear file and from in it unpack the analytics.war
add the cas core jar to WEB-INF/lib
and add the XML from above to WEB-INF/web.xml
repack analytics.war, repack analytics.ear
restart weblogic.
in the EM->coreapplication->security enable SSO select generic SSO and set the login and logout urls
Note: we had an initialization block,that would fail if the user/password wouldn't authenticate, that had to be altered.
I need to restrict access to a particular URL, e.g. http://mydomain.com/this/is/the/url on my webserver using Basic Authentication through Apache. Any other URL should be openly accessible. I have seen that you can add specific rules to files using:
<Files "mypage.html">
Require valid-user
</Files>
My problem is that all requests are routed to controllers using mod-rewrite and so I don't think that I can restrict access based on the file. Any ideas would be most helpful!
In .htacess file you should put :
AuthType Basic
AuthName "Need to login"
AuthUserFile .htpasswd file location ;
Require user USER
//AuthName is login prompt message
//AuthUserFile is physical .htpasswd file location i.e.
C:/xampp/htdocs/basic/.htpasswd
//Require user is for a specific user i.e. the username you want to
authenticate
To generate .htpasswd file you can use :
- http://www.htaccesstools.com/htpasswd-generator/
I'm not sure if this would work/help, but you could specify something in your application web.xml.
<security-constraint>
<display-name>Public access</display-name>
<web-resource-collection>
<web-resource-name>PublicPages</web-resource-name>
<description>Public</description>
<url-pattern>/servlet/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>Secured access</display-name>
<web-resource-collection>
<web-resource-name>SecuredPages</web-resource-name>
<description>Secured pages</description>
<url-pattern>/services/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>General Access</description>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SecurePages</realm-name>
</login-config>
<security-role>
<description>General Access</description>
<role-name>*</role-name>
</security-role>