How to make undertow NOT use authorization for open resource when authorization is included in request? - authentication

Using Wildfly 8.1.0.Final
I want to create a web app that requires basic authentication for access to /api/* but the rest of the application should be open. To accomplish this I have the following web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Api access</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>api</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>api</role-name>
  </security-role>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Authentication requires api access</realm-name>
  </login-config>
</web-app>
Testing with a browser, this works as expected.
http://localhost:8080/myapp/api
...requires authentication.
http://localhost:8080/myapp
...does not require authentication.
Here comes the tricky part:
A third party accesses /myapp and includes an authorization header in the request:
Authorization: Basic ZGlsbDpkYWxs
This is not a user registered in WildFly, but that shouldn't matter because /myapp is open and does not require authorization. However, what happens is this:
401 Unauthorized
Why? I have not told Undertow to use any security constraints for /myapp, yet it defaults to the security constraints I have registered for /myapp/api.
This is new behaviour that was introduced with Undertow, because with JBoss AS 7.1.1.Final this did not happen.
How can I tell undertow to not use authorization for an open resource when authorization is included in the request?

I can confirm the issue with WildFly 8.1.0.Final. GlassFish 4.0 does not respond with 401 in the same scenario.
I've submitted an issue:
https://issues.jboss.org/browse/WFLY-3590

Related

How to handle web.xml authorization to local js/css files when returning '403 Forbidden'?

I have a website which only people with authorization can enter. If someone does not have authorization, my web.xml redirects them to a 403 error page.
However, both my application and my error pages use some external js and css files (e.g. bootstrap). Logically, the 403 error page cannot access these js/css files, as permission is forbidden to everything except for the error page html.
How should I solve this neatly? Should I expose my libraries folder publicly? If so, how can I override my security rules for a specific folder?
I looked through the documentation here but I do not see this scenario mentioned. I presume I have to add a security-constraint to "/libraries", and somehow override the necessary roles for the HTTP-method GET?
The potentially relevant parts of my web.xml:
<error-page>
  <error-code>403</error-code>
  <location>/errorPages/forbidden.jsp</location>
</error-page>
<security-role>
  <role-name>myRole</role-name>
</security-role>
<security-constraint>
  <display-name>MySecurityConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>WebResource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myRole</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
You could simply add an extra security-constraint with a more specific path and without the auth-constraint:
<security-constraint>
  <display-name>NoSecurityConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>WebResource</web-resource-name>
    <url-pattern>/library/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
</security-constraint>
I hope this solves your problem.
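Both threads above turn on how a Servlet 3.x container picks which security-constraint applies to a request: it selects the constraints declared on the best-matching url-pattern (exact, then longest path prefix, then extension, then default) and only then combines their auth-constraints. The script below is an added model of those rules written for this page; it is not Undertow, WildFly or Tomcat code, and the user store, passwords and paths are constructed. It shows the behaviour the first question expected (an unconstrained path ignores a bogus Authorization header instead of answering 401) and why the second answer's /library/* entry without an auth-constraint opens that folder while /* stays protected.

```python
"""Model of how a Servlet 3.x container selects security constraints for a request
(Servlet 3.0 spec, sections 12.1 "Use of URL Paths" and 13.8 "Processing Requests").
Added illustration, not Undertow, WildFly or Tomcat code; the constraints, user store
and credentials are constructed for the example. Paths are context-relative, so "/api"
here corresponds to "/myapp/api" in the question."""
import base64
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Constraint:
    """One <security-constraint>. roles=None means no <auth-constraint> at all
    (unauthenticated access allowed); roles=() means an empty <auth-constraint> (deny all)."""
    patterns: Tuple[str, ...]                # <url-pattern> values
    roles: Optional[Tuple[str, ...]] = None  # <role-name> values; "*" = any authenticated user
    methods: Tuple[str, ...] = ()            # <http-method> values; empty = every method


# Constructed user store: username -> (password, roles). A real container uses its realm.
USERS = {"alice": ("s3cret", {"api"}), "bob": ("hunter2", {"myRole"})}


def match_rank(pattern: str, path: str):
    """Rank of a url-pattern against a path per spec 12.1, or None if it does not match.
    Higher sorts better: exact > longest path-prefix > extension > default."""
    if pattern == path:
        return (4, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (3, len(prefix))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (1, 0)
    return None


def select_constraints(constraints, path):
    """Spec 13.8.3: only constraints declared on the best-matching pattern apply."""
    ranked = [(match_rank(p, path), c) for c in constraints for p in c.patterns]
    ranked = [(r, c) for r, c in ranked if r is not None]
    if not ranked:
        return []
    best = max(r for r, _ in ranked)
    return [c for r, c in ranked if r == best]


def parse_basic(header: Optional[str]):
    """Decode 'Basic base64(user:password)'; None when absent or malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def basic_header(user: str, password: str) -> str:
    """Build the Authorization header value a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decide(constraints, method: str, path: str, headers: dict) -> int:
    """Return the status the container should produce: 200, 401 or 403."""
    applicable = [c for c in select_constraints(constraints, path)
                  if not c.methods or method in c.methods]
    if not applicable:
        # Unconstrained resource: an Authorization header, valid or not, is simply ignored.
        return 200
    # Spec 13.8.1, combining the auth-constraints declared on the same pattern:
    if any(c.roles == () for c in applicable):
        return 403                      # an empty auth-constraint precludes all access
    if any(c.roles is None for c in applicable):
        return 200                      # a constraint without auth-constraint opens it up
    allowed = set().union(*(c.roles for c in applicable))
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return 401                      # challenge: no usable credentials
    user, password = creds
    stored = USERS.get(user)
    if stored is None or not hmac.compare_digest(stored[0].encode(), password.encode()):
        return 401                      # unknown user or bad password: challenge again
    if "*" in allowed or stored[1] & allowed:
        return 200
    return 403                          # authenticated but lacking a required role


# web.xml of the first question: only /api/* is constrained, to role "api".
Q1 = [Constraint(("/api/*",), roles=("api",))]

ALL = ("GET", "DELETE", "PUT", "HEAD", "OPTIONS", "POST")
# web.xml of the second question plus the answer's extra entry without an auth-constraint.
Q2 = [Constraint(("/*",), roles=("myRole",), methods=ALL),
      Constraint(("/library/*",), roles=None, methods=ALL)]

if __name__ == "__main__":
    bogus = {"Authorization": "Basic ZGlsbDpkYWxs"}        # the header from the first question
    print(decide(Q1, "GET", "/", bogus))                   # 200: open resource, header ignored
    print(decide(Q1, "GET", "/api", bogus))                # 401: not a registered user
    print(decide(Q2, "GET", "/library/bootstrap.css", {}))  # 200: /library/* beats /*
    print(decide(Q2, "GET", "/index.jsp", {}))             # 401: /* requires myRole
```

The 401 the first question saw from WildFly 8.1.0.Final is the deviation from this model that WFLY-3590 reports: the container should never consult credentials for a path no constraint covers. Note also that the second answer's trick works only because /library/* is a longer path prefix than /*; a constraint on an equally specific pattern would instead be combined with the protected one.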

Custom Error Page when servlet is not reachable (tomcat8)

I'm running Tomcat 8.0.21 with java 1.8.0_40
I'm trying to create a custom error page, which should be displayed when I redeploy my application and the servlet is not reachable.
The obvious solution adding:
<error-page>
  <error-code>404</error-code>
  <location>/ErrorHandler/404.html</location>
</error-page>
to the <tomcatDir>/conf/web.xml won't work here, since Tomcat always seems to look for the error page in the same servlet (so e.g. when calling <url>/idonotexist it uses the 404.html located in ROOT/ErrorHandler/404.html and not in ErrorHandler/404.html as I would have expected). If the webapp is down (stopped via the manager app, or due to maintenance) the error page is blank.
If I remove the lines from the <tomcatDir>/conf/web.xml, the default Tomcat 404 error message is shown though. Is there any possibility to change the default error handling of Tomcat?
edit:
ErrorHandler is a deployed webapp with the following web.xml:
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <display-name>Error Application</display-name>
  <description>
    A webapp for error handling
  </description>
  <!-- servlet definition -->
  <servlet>
    <servlet-name>ErrorHandler</servlet-name>
    <servlet-class>ErrorHandler</servlet-class>
  </servlet>
  <!-- servlet mappings -->
  <servlet-mapping>
    <servlet-name>ErrorHandler</servlet-name>
    <url-pattern>/ErrorHandler</url-pattern>
  </servlet-mapping>
</web-app>
If I call <tomcatUrl>/ErrorHandler/404.html in my browser I can view the error page just fine.

The requested URL /application/index.jsf was not found on this server(Apache and Tomcat)

I am a stackoverflow fan. This website has solved most of my technical questions without my even asking them, only by reading previous similar questions. Indeed I have searched the web and stackoverflow but I could not find any answer and I could not solve this problem by myself. My only resort is to ask for your help. I have worked on a small JSF 2.0 application and everything is working fine on my local Tomcat 6.0.35. I have all the JSF libs in my WEB-INF. I am using Mojarra version 2.1.14. The URL is accessed like this
on my local
http://localhost/application/page.jsf
and this application is deployed to an external hosted Tomcat which has Apache and Tomcat 6.0.36. The application is deployed under /home/username/public_html. The same URL should be accessed by typing
http://website.com/application/page.jsf
but I am getting the error:
Not Found
The requested URL /application/page.jsf was not found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Additionally, HTML and JSP pages are working fine. I have a test application which has a JSP page and it is loading just fine. XHTML pages, on the other hand, are not working on this Apache box. For the JSP pages to work I added JSP and servlet support:
/usr/local/cpanel/scripts/addservlets2 --domain=domain.com
This is the web.xml file.
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <servlet>
    <servlet-name>FacesServlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>FacesServlet</servlet-name>
    <url-pattern>*.jsf</url-pattern>
  </servlet-mapping>
  <welcome-file-list>
    <welcome-file>index.xhtml</welcome-file>
  </welcome-file-list>
  <context-param>
    <param-name>com.sun.faces.expressionFactory</param-name>
    <param-value>com.sun.el.ExpressionFactoryImpl</param-value>
  </context-param>
</web-app>
I strongly believe this web.xml has nothing to do with JSF not working, and furthermore these settings are working well on my local. The Tomcat log file is showing no page-not-found error on the external host.
Here is the faces config file:
<?xml version="1.0"?>
<faces-config xmlns="http://java.sun.com/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                                  http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd"
              version="2.0">
</faces-config>
What is happening? Please help me. I am getting desperate. Why are JSF requests returning Not Found on this Apache server?
Additionally, el-impl-2.2.jar and el-api-2.2.jar are in the Tomcat libs,
and javax.faces-2.1.14.jar, jstl-api-2.1.jar, jstl-impl-2.1.jar and all the required commons jars are in WEB-INF.
I have just fixed this problem. I have spent 6 days investigating how to fix this. What a waste of time. Today at work, I talked to my colleague and he suggested I direct my investigation toward the Apache connector to Tomcat, since I was claiming that everything was working fine on my local Tomcat server. I did some research and discovered that I needed to edit the cp_jkmount.conf connector. JkMount is used to map a context path to a Tomcat worker. I added the following
<IfModule mod_jk.c>
  JkMount /*.xhtml ajp13
  JkMount /*.jsf ajp13
</IfModule>
at the end of these connector files:
/usr/local/apache/conf/userdata/std/2/username/website.com/cp_jkmount.conf
/usr/local/apache/conf/userdata/ssl/2/username/website.com/cp_jkmount.conf
I hope this will help someone else.

GWT and SSL not working?

I have a GWT app, I'm using the MVP4G framework. I'm able to pull up my app just fine if I use HTTP. However, when I try to open it using HTTPS it does not work. My entire site works fine with the SSL certificate I have.
Is there a particular configuration that I need to enable when I compile GWT? Or is there something I need to do in my apache configuration? Any help would be greatly appreciated, thank you.
SSL should not affect your application, because SSL runs on another layer.
To configure HTTPS you must set the security constraints in web.xml and connect to "https://" afterwards, not to "http://". If you connect to "http://" you receive a blank page.
<security-constraint>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Using Basic Authentication (htaccess) to restrict access to a specific URL

I need to restrict access to a particular URL, e.g. http://mydomain.com/this/is/the/url on my webserver using Basic Authentication through Apache. Any other URL should be openly accessible. I have seen that you can add specific rules to files using:
<Files "mypage.html">
  Require valid-user
</Files>
My problem is that all requests are routed to controllers using mod_rewrite, so I don't think that I can restrict access based on the file. Any ideas would be most helpful!
In the .htaccess file you should put:
AuthType Basic
AuthName "Need to login"
AuthUserFile /path/to/.htpasswd
Require user USER
# AuthName is the login prompt message.
# AuthUserFile is the physical location of the .htpasswd file (replace the placeholder), e.g.
#   C:/xampp/htdocs/basic/.htpasswd
# "Require user" restricts access to a specific user, i.e. the username you want to authenticate.
To generate the .htpasswd file you can use:
- http://www.htaccesstools.com/htpasswd-generator/
I'm not sure if this would work/help, but you could specify something in your application web.xml.
<security-constraint>
  <display-name>Public access</display-name>
  <web-resource-collection>
    <web-resource-name>PublicPages</web-resource-name>
    <description>Public</description>
    <url-pattern>/servlet/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<security-constraint>
  <display-name>Secured access</display-name>
  <web-resource-collection>
    <web-resource-name>SecuredPages</web-resource-name>
    <description>Secured pages</description>
    <url-pattern>/services/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>General Access</description>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>SecurePages</realm-name>
</login-config>
<security-role>
  <description>General Access</description>
  <role-name>*</role-name>
</security-role>