Security-constraint web.xml url-pattern safety - apache

I was wondering if the following configuration would be safe:
Webpages accessible at locations /ManageXXXX.do, /ManageYYYY.do, ... should only be able to be accessed by admin role, every other page is available to anyone.
I have configured the web.xml file as such:
<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the web.xml schema -->
        <web-resource-name>Admin pages</web-resource-name>
        <url-pattern>/Manage*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>admin</role-name>
    </auth-constraint>
</security-constraint>
Now I was wondering how reliable this is against people trying to get past the security. Is this guaranteed to block my Manage* pages from unauthorized users? I'd just like to know how safe this kind of pattern matching is.

From Servlet API Specification:
http://www.jcp.org/aboutJava/communityprocess/mrel/jsr154/
SRV.11.2 Specification of Mappings
In the Web application deployment descriptor, the following syntax is used to define mappings:
• A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.
• A string beginning with a ‘*.’ prefix is used as an extension mapping.
• A string containing only the ‘/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
• All other strings are used for exact matches only.
According to the Servlet API Specification, the pattern /Manage* is an "exact match only" pattern, and that is not what you want.
Please move all resources for the admin role under /Manage/ and configure the pattern <url-pattern>/Manage/*</url-pattern>.
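The following Java program is an added illustration of the answer above; it is not part of the original post and needs no container. It applies the SRV.11.2 mapping rules to a set of request paths constructed for the demonstration and reports which of them each url-pattern covers. It goes one step beyond the answer by also evaluating an extension pattern, to show why "*.do" is no alternative either. The default-servlet pattern "/" is deliberately left out.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

/**
 * Which request paths does a web.xml <url-pattern> actually cover?
 * Mapping rules follow SRV.11.2 (Servlet 2.4) / section 12.2 (Servlet 3.x).
 */
public final class UrlPatternCheck {

    /**
     * @param pattern the <url-pattern> value from web.xml
     * @param path    the request URI with the context path removed, e.g. "/ManageUsers.do"
     */
    public static boolean covers(String pattern, String path) {
        // Path mapping: "/*" or "/prefix/*". Matches the prefix itself and anything
        // below it, segment-wise: "/Manage/*" matches "/Manage" and "/Manage/x",
        // but not "/ManageX".
        if (pattern.startsWith("/") && pattern.endsWith("/*")) {
            String prefix = pattern.substring(0, pattern.length() - 2);
            return path.equals(prefix) || path.startsWith(prefix + "/");
        }
        // Extension mapping: "*.do" matches any path whose last segment ends in ".do".
        if (pattern.startsWith("*.")) {
            String lastSegment = path.substring(path.lastIndexOf('/') + 1);
            return lastSegment.endsWith(pattern.substring(1));
        }
        // Everything else, "/Manage*" included, is an exact, case-sensitive match.
        // The '*' here is a literal character, not a wildcard.
        return path.equals(pattern);
    }

    public static List<String> coveredBy(String pattern, List<String> paths) {
        return paths.stream()
                .filter(p -> covers(pattern, p))
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample requests for the demonstration; not from the question.
        List<String> requests = Arrays.asList(
                "/ManageXXXX.do", "/ManageYYYY.do",  // the pages the question wants restricted
                "/Manage/XXXX.do", "/Manage",       // the same pages after moving them under /Manage/
                "/manage/XXXX.do",                  // wrong case: url-patterns are case-sensitive
                "/Public.do");                      // must stay open to everyone
        for (String pattern : Arrays.asList("/Manage*", "/Manage/*", "*.do")) {
            System.out.printf("%-10s covers %s%n", pattern, coveredBy(pattern, requests));
        }
    }
}
```

Run with `javac UrlPatternCheck.java && java UrlPatternCheck`. "/Manage*" covers none of the six requests (it would only ever match a request for the literal path "/Manage*"), "/Manage/*" covers exactly "/Manage/XXXX.do" and "/Manage", and "*.do" covers every .do page including "/Public.do". Two things worth checking in a real deployment: the match is case-sensitive, so a second copy of the pages under a differently cased path would be unprotected, and Tomcat logs a "Suspicious url pattern" warning at startup for patterns like "/Manage*", which is a useful signal to grep for.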

Related

How to print http header cookies in AEM access.log or request.log?

For debugging purposes, I want to print a specific cookie value in my access.log or request.log.
One way to do this is, from the dispatcherServlet, to add a logger for SlingHttpRequest.getCookies(). But this debugging is needed in Production and I can't make Java code changes and deploy.
I read the documentation and tried to change the org.apache.sling.commons.log.pattern property in org.apache.sling.commons.log.LogManager.factory.config in the configManager for access.log like this:
{0,date,dd.MM.yyyy HH:mm:ss.SSS} *{4}* [{2}] {3} {5} "%cookie{login-token}"
This didn't help. I am able to see that the date timestamp changed, and {2}, {3} etc. are printing, but the cookie value is not printed as desired.
How to print the cookie values in http headers in AEM log files?
I don't think the entire documentation that you are referring to is supported OOB. The pattern format in AEM specifically points to the Pattern Layout section of the documentation. As part of that, there is no support for request cookies.
The request cookies section is specifically present under the pattern layout of the Logback access section which states the below
PatternLayout in logback-access can be configured in much the same way as its classic counterpart. However it features additional conversion specifiers suited for logging particular bits of information available only in HTTP servlet requests and HTTP servlet responses.
That being said, the sling logging documentation mentions using a Sling extension for slf4j MDC support which can be used to expose some of the request variables including cookies. Extract from the doco below
The filter allows configuration to extract data from request cookie, header and parameters. Look for configuration with name 'Apache Sling Logging MDC Inserting Filter' for details on specifying header, cookie, param names.
Once the MDC bundle is downloaded and added to your instance, you can use the logback patterns instead of the classic pattern for the log format. Example from the doco shown below.
%d{dd.MM.yyyy HH:mm:ss.SSS} *%p* [%X{req.remoteHost}] [%t] %c %msg%n
Hope this helps.
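As an added illustration of the mechanism the answer relies on (this is not the Sling MDC filter's code, and it would need a deployment, which the question rules out), the servlet filter below copies one request cookie into the SLF4J MDC so that a logback pattern can print it with %X{...}. The cookie name "login-token" comes from the question; the MDC key "req.cookie.login-token" is an assumption. Because a login token is a credential and access.log is usually readable by more people than should hold that credential, the filter stores only a short SHA-256 fingerprint of the value, which is enough to correlate requests and useless for replay.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.MDC;

/** Puts a fingerprint of one request cookie into the MDC for the duration of the request. */
public class CookieMdcFilter implements Filter {
    static final String COOKIE_NAME = "login-token";            // from the question
    static final String MDC_KEY = "req.cookie.login-token";     // assumed key; print it with %X{req.cookie.login-token}

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String token = cookieValue((HttpServletRequest) req, COOKIE_NAME);
        if (token != null) {
            MDC.put(MDC_KEY, fingerprint(token));
        }
        try {
            chain.doFilter(req, res);
        } finally {
            // MDC is thread-local: clear it, or the next request served by this
            // thread is logged with the previous user's fingerprint.
            MDC.remove(MDC_KEY);
        }
    }

    static String cookieValue(HttpServletRequest req, String name) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (name.equals(c.getName())) {
                return c.getValue();
            }
        }
        return null;
    }

    /** First 8 hex characters of SHA-256(value). */
    static String fingerprint(String value) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 4; i++) {
                hex.append(String.format("%02x", digest[i]));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }
}
```

With this in place the logback-style pattern from the answer becomes, for example, %d{dd.MM.yyyy HH:mm:ss.SSS} *%p* [%X{req.cookie.login-token}] [%t] %c %msg%n. The Sling MDC filter does the copying for you once configured, so the point to carry over is the last one: decide what of the cookie you really need in a production log before exposing it there.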

j_security_check filter is not working in jboss eap 6.4

I searched for a solution on the internet and could not find anything.
My issue is about using j_security_check on my login.jsp to filter and forward it to postloginfilter.java.
To do so I have written these lines in web.xml:
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login.jsp</form-error-page>
    </form-login-config>
</login-config>
<filter-mapping>
    <filter-name>PostLoginFilter</filter-name>
    <url-pattern>/j_security_check</url-pattern>
</filter-mapping>
But even when I call a forward like this:
final String requestStr = "/j_security_check?j_username=" + reqUserId
        + "&j_password=" + reqPassword;
req.getRequestDispatcher(requestStr).forward(req, resp);
it is not coming into postloginfilter.java at all, and it shows me an empty blank page.
What I want is to go to postloginfilter, do the job and follow the chain as listed in web.xml.
I also do not see whether this filter works either:
<filter-mapping>
    <filter-name>PostLoginFilter</filter-name>
    <url-pattern>/CreateConnectionAndGetEntityNames.do</url-pattern>
</filter-mapping>
CreateConnectionAndGetEntityNames is actually the one which shows the form. But when I go there breakpoints are not taking effect in postloginfilter.
What might be the reason and how can I solve this issue?
thanks in advance.
As far as I know, the FormAuthenticator is implemented as a JBossWeb valve. As a result, it would be expected for JBoss j_security_check requests not to invoke any application servlet filter. You could implement such filters as valves instead.
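The valve below is an added example of what the answer suggests, not code from the question or from JBoss: a JBossWeb valve sits in the same pipeline as the FormAuthenticator, so unlike a servlet Filter it does see the request for /j_security_check. The package and class name are assumptions, and the jboss-web.xml registration in the header comment is the standard EAP 6 way to attach a valve to one web application. Note that it reads only j_username; the j_password parameter that the question's own forward puts into the query string is never touched or logged.

```java
// Register in WEB-INF/jboss-web.xml of the application (class name is an assumption):
//
//   <jboss-web>
//       <valve>
//           <class-name>com.example.auth.PostLoginValve</class-name>
//       </valve>
//   </jboss-web>
package com.example.auth;

import java.io.IOException;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.jboss.logging.Logger;

/**
 * Runs for every request of the web application, including the
 * /j_security_check request that the FormAuthenticator valve consumes and
 * that servlet filters never receive.
 */
public class PostLoginValve extends ValveBase {

    private static final Logger LOG = Logger.getLogger(PostLoginValve.class);

    @Override
    public void invoke(Request request, Response response) throws IOException, ServletException {
        boolean isLoginPost = request.getRequestURI().endsWith("/j_security_check");
        // Only the username is captured. j_password must never reach a log file.
        String user = isLoginPost ? request.getParameter("j_username") : null;

        // Let the rest of the pipeline run, the authenticator included.
        getNext().invoke(request, response);

        if (isLoginPost) {
            // Post-login work goes here; the response status tells you whether the
            // authenticator redirected (login accepted) or rendered the error page.
            LOG.infof("j_security_check for user '%s' from %s -> HTTP %d",
                    user, request.getRemoteAddr(), response.getStatus());
        }
    }
}
```

The class needs the JBossWeb (org.apache.catalina) and JBoss Logging modules on the compile classpath; both are part of EAP 6, so no extra dependency ships with the application.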

Securing Kentico Media Library file from direct URL access

I am trying to prevent unauthorized access to all files within some of my media libraries in Kentico v9.0. I intend to only provide access to certain libraries via Kentico Role membership and global admins only.
I have followed the guide published here: Securing media libraries and it seems to work fine: Direct URL path access results in a 401.2 - Unauthorized message, regardless of user authentication state and role membership. And I have a media gallery web part set up correctly to provide the permanent URLs, which also work as I expect them to.
However, I have another requirement; which is to serve up a ~/googlesitemap.xml file. I followed the guide published here: Google Sitemaps, which instructs me to provide an attribute to the system.webServer/modules node in the web.config:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
However, when I add the above, any authenticated user can gain access to my media library files if they enter the full URL. This violates my attempts at media library access based on role membership, since I don't want users in other roles to be able to get at the files.
I have tried to exclude all media library files from the re-writing engine by adding my media folder root as an Excluded URL in Settings > URLs and SEO > URL Format > Excluded URLs... but this doesn't appear to help.
Any suggestions would be highly welcome!
As far as I know, the runAllManagedModulesForAllRequests attribute is mandatory only for extensions other than .aspx. If you are using IIS 7 or above you can omit this attribute in your web.config (see source).
Note: In ASP.NET websites, the value of runAllManagedModulesForAllRequests previously had to be set to true to support routing. However, once IIS 7 has been updated with a Service Pack, the value of runAllManagedModulesForAllRequests can be set to false or omitted when working with ASP.NET routing. For more information, see ASP.NET Routing on the MSDN website.
So quick fix: Do not add this attribute to web.config and your media gallery (permissions) should work as you wish.
EDIT: So I think I have got a solution for you. It seems that the runAllManagedModulesForAllRequests attribute kills the Anonymous Authentication setting, so Kentico serves data after successful authentication. I've found a workaround so you can forbid access to the media library. Try to add something like:
<location path="MySite/media/MyMediaLibrary">
    <system.web>
        <authorization>
            <deny users="*"/>
        </authorization>
    </system.web>
</location>
into your web.config inside configuration section.

Tomcat 7 - JDBCRealm login

I'm using the JDBCRealm with tomcat 7. I want to build a simple login page.
This is my login form:
Login Form
and my web.xml content is:
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/user/login.jsp</form-login-page>
        <form-error-page>/user/login-failed.html</form-error-page>
    </form-login-config>
</login-config>
I want to redirect the user to some a.jsp page once he was authenticated.
How can I do that?
What I understood is that you want to redirect your user depending on the role. Suppose the user is an admin, then he/she should be redirected to admin.jsp (for example), and if the user has the manager role, he/she should be redirected to manager.jsp.
Let us suppose you have two roles, admin and manager, defined in your JDBCRealm.
You can do this by creating a servlet in the project, for example LoginServlet.java.
So things you have to set are:
Create your login.jsp and login-failed.html as you mentioned.
Create to two jsp pages admin.jsp and manager.jsp under any folder in WebContent of dynamic web project
say :
WebContent/htmlPages/admin.jsp: put
<h4>Welcome Admin</h4> text in the body tag.
WebContent/htmlPages/manager.jsp: put
<h4>Welcome Manager</h4> text in the body tag.
In LoginServlet.java, in the doGet method,
put this simple code:
// The branches are exclusive: calling sendRedirect twice on one response
// (a user holding both roles) would throw IllegalStateException.
if (request.isUserInRole("admin")) {
    response.sendRedirect("htmlPages/admin.jsp");
} else if (request.isUserInRole("manager")) {
    response.sendRedirect("htmlPages/manager.jsp");
} else {
    // Authenticated but in neither role: do not fall through to an empty page.
    response.sendError(HttpServletResponse.SC_FORBIDDEN);
}
After that you have to set the welcome file as the login servlet in web.xml.
e.g.
Suppose IN web.xml your servlet entry is
<servlet>
    <description></description>
    <display-name>LoginServlet</display-name>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>fully qualified class name of LoginServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/loginServlet</url-pattern>
</servlet-mapping>
Then get url pattern from Servlet Mapping and put it in welcome file list without any slash:
like
<welcome-file-list>
    <welcome-file>loginServlet</welcome-file>
</welcome-file-list>
Be sure that no slash has been included. The welcome-file value should be without a slash, as I put in the code: loginServlet.
Run this code.:-) You would get redirected to appropriate jsp page.
You don't. That isn't how FORM authentication works. The user requests a page. If it requires authentication then they receive the login page rather than the page they requested. They then enter their credentials and, if valid, get presented with the page they originally requested.
If you insist on misusing the FORM authentication process you can set the landingPage attribute of the org.apache.catalina.authenticator.FormAuthenticator. See the docs (http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Form_Authenticator_Valve) for full details.

Tomcat FORM authentication - login form not coming up as https

This is driving me nuts.
I'm using Tomcat 6, declarative authentication, form based. No framework involved.
Everything works ok - some pages authenticated, some not, some use https, some http. Everything as I want it. EXCEPT...
I want the login page to always use https.
The login page comes up nicely as https if:
a) I go to it directly in the browser.
b) I click on a page in the application that is configured for https (and requires authentication).
BUT the login page comes up as http if:
a) I click on a page in the application that is configured for http (and requires authentication).
I've a feeling I'm up against some sort of accepted default here and that an answer might be "why would you want an https login to get to a non-https page?".
Its like this:
a) I want passwords to be encrypted.
b) I want users to login to show which role (group) they belong to in order to enable/disable parts of the web site.
c) I don't want a drop in performance due to https except where absolutely necessary.
I guess if the login page is forced to be https (like I want it to be) then there has to be a mechanism to put it back to http.
If anyone has some pointers/ideas around this whole area I'd be very, very grateful.
web.xml fragments:
<security-constraint>
    <display-name>Security Constraint A0S1</display-name>
    <web-resource-collection>
        <web-resource-name>A0S1</web-resource-name>
        <url-pattern>/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/login/form_login.jsp</form-login-page>
        <form-error-page>/login/error.jsp</form-error-page>
    </form-login-config>
</login-config>
This was about ensuring login page is https even when the page requiring authentication is not set as CONFIDENTIAL in web.xml.
I've ended up writing a little servlet that allows me to switch to https (or http) rather than rely on web.xml CONFIDENTIAL config settings. The CONFIDENTIAL settings don't seem to work when you arrive at a jsp page through the login or through another servlet.
So now the config for the FORM authentication in web.xml points to a servlet (SSLSwitch) which takes a couple of arguments (url + desired protocol http/https) and redirects to the actual login page with https:
/SSLSwitch?the_url=/login/form_login.jsp&the_target=https;
/login/error.jsp
SSLSwitch Servlet active code fragment:
String contextPath = request.getContextPath();
String encodedUrl = response.encodeURL(contextPath + url);   // url: value of the the_url parameter
String fullUrl = target_domain + encodedUrl;                 // target_domain: scheme + host chosen from the_target
response.sendRedirect(fullUrl);
The jsp login page itself follows the usual FORM login rules (action="j_security_check") and you end up on the requested page after login ok.
I now need to look at what I can do to improve session security after switching from https to http. Maybe a filter to check the user's IP doesn't change during a session.
Steven.
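As an added example (not the author's SSLSwitch and not part of the post), here is a complete switch servlet built around the same two parameters, the_url and the_target, with the validation a servlet that redirects on request parameters needs: the_target is restricted to http or https, the_url must be a context-relative path (one leading "/", no "//", no scheme, no CR/LF), and the host is taken from the current request rather than a configured domain, so the servlet cannot be pointed at another site. The class name is an assumption. Two caveats for this design that the author's closing sentence touches on: a session first created over https gets its JSESSIONID cookie marked Secure by Tomcat, so it will not be sent on the later http pages, and a session cookie that is sent over http is exposed to anyone on the path, which is the real security cost of switching back.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Redirects to the same application over the requested scheme, after validating both parameters. */
public class SslSwitchServlet extends HttpServlet {

    // Context-relative path only: a single leading '/', then a conservative character set
    // (no ':', no '\\', no whitespace, no CR/LF). ".." is rejected separately below.
    private static final Pattern SAFE_PATH = Pattern.compile("/(?!/)[\\w\\-./%?=&]*");

    /**
     * Builds the absolute redirect target, or returns null when the input is not acceptable.
     * Kept separate from the servlet plumbing so it can be unit tested without a container.
     */
    static String buildRedirect(String scheme, String host, String contextPath, String url) {
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            return null;
        }
        if (url == null || url.contains("..") || !SAFE_PATH.matcher(url).matches()) {
            return null;
        }
        // Assumption: http and https run on their default ports. Otherwise map the
        // scheme to a port here (e.g. from init parameters) before building the URL.
        return scheme + "://" + host + contextPath + url;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String target = buildRedirect(request.getParameter("the_target"),
                                      request.getServerName(),
                                      request.getContextPath(),
                                      request.getParameter("the_url"));
        if (target == null) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // encodeRedirectURL adds ;jsessionid=... only when the client has no session cookie.
        response.sendRedirect(response.encodeRedirectURL(target));
    }
}
```

With the form-login-page set to /SSLSwitch?the_url=/login/form_login.jsp&the_target=https as in the post, the login form is always reached over https, and a request such as the_url=//evil.example or the_target=ftp is answered with 400 instead of a redirect.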