GWT and SSL not working? - apache

I have a GWT app, I'm using the MVP4G framework. I'm able to pull up my app just fine if I use HTTP. However, when I try to open it using HTTPS it does not work. My entire site works fine with the SSL certificate I have.
Is there a particular configuration that I need to enable when I compile GWT? Or is there something I need to do in my apache configuration? Any help would be greatly appreciated, thank you.

SSL should not affect your application, because SSL runs on another layer.
To configure HTTPS you must set the security constraints in web.xml and then connect to "https://", not to "http://". If you connect to "http://" you receive a blank page.
<security-constraint>
    <web-resource-collection>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Related

Tomcat is redirecting URL after upload image only with ssl

I have a Tomcat running an application written in Groovy on Grails. I don't have the source code of the application, only the .war.
Deployment details:
Tomcat 7.
Java 1.8.
Ubuntu 16.04.
I deployed it behind nginx at first, but after configuring SSL (https) it started to redirect to a wrong page after uploading an image. Before SSL it uploaded the image and stayed on the same page, as I expected it to.
As I didn't know what configuration was causing that behavior, I changed to Apache. But the same error occurred after the SSL configuration.
In Apache, I generated a certificate with certbot (letsencrypt) and changed the files as follows:
server.xml:
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="/etc/letsencrypt/live/mydomain/mydomain.jks"
           keystorePass="password"
           clientAuth="false"
           sslProtocol="TLS"
           sslVerifyClient="optional"
           sslEnabledProtocols="TLSv1.2,TLSv1.1,SSLv2Hello"
           />
web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>app_name</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
The configuration of the form in which image is uploaded is this one:
<form action="/app_name/resource/save" method="post" name="myForm" on404="alert('not found!')" enctype="multipart/form-data" id="myForm">
This form is inside a modal window.
Without SSL, after uploading the image, the modal window closes normally. But with SSL, the page is redirected to "app_name/resource/save", which is blank. This is the action of the form.
I will appreciate any help on this. I'd like to give more details, but, seriously, I almost don't know where to start.

How to handle web.xml authorization to local js/css files when returning '403 Forbidden'?

I have a website which only people with authorization can enter. If someone does not have authorization, my web.xml redirects them to a 403 error page.
However, both my application and my error pages use some external js and css files (e.g. bootstrap). Logically, the 403 error page cannot access these js/css files, as permission is forbidden to everything except for the error page HTML.
How should I solve this neatly? Should I expose my libraries folder publicly? If so, how can I override my security rules for a specific folder?
I looked through the documentation here but I do not see this scenario mentioned. I presume I have to add a security-constraint to "/libraries", and somehow override the necessary roles for the HTTP method GET?
The potentially relevant parts of my web.xml:
<error-page>
    <error-code>403</error-code>
    <location>/errorPages/forbidden.jsp</location>
</error-page>
<security-role>
    <role-name>myRole</role-name>
</security-role>
<security-constraint>
    <display-name>MySecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>WebResource</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>DELETE</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>myRole</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
You could simply add an extra security-constraint with a more specific path and without the auth-constraint:
<security-constraint>
    <display-name>NoSecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>WebResource</web-resource-name>
        <url-pattern>/library/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>DELETE</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
</security-constraint>
I hope this solves your problem

How to make undertow NOT use authorization for open resource when authorization is included in request?

Using Wildfly 8.1.0.Final
I want to create a web app that requires basic authentication for access to /api/* but the rest of the application should be open. To accomplish this I have the following web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Api access</web-resource-name>
            <url-pattern>/api/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>api</role-name>
        </auth-constraint>
    </security-constraint>
    <security-role>
        <role-name>api</role-name>
    </security-role>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Authentication requires api access</realm-name>
    </login-config>
</web-app>
Testing with a browser, this works as expected.
http://localhost:8080/myapp/api
...requires authentication.
http://localhost:8080/myapp
...does not require authentication.
Here comes the tricky part:
A third party accesses /myapp and includes an authorization header in the request:
Authorization: Basic ZGlsbDpkYWxs
This is not a user registered in WildFly, but that shouldn't matter because /myapp is open and does not require authorization. However, what happens is this:
401 Unauthorized
Why? I have not told undertow to use any security constraints for /myapp, yet it defaults to the security constraints I have registered for /myapp/api
This is new behaviour that was introduced with undertow, because with Jboss AS 7.1.1.Final this did not happen.
How can I tell undertow to not use authorization for an open resource when authorization is included in the request?
I can confirm the issue with WildFly 8.1.0.Final. GlassFish 4.0 does not respond with 401 in the same scenario.
I've submitted an issue:
https://issues.jboss.org/browse/WFLY-3590

Tomcat - using SSL on some directories but not on others

How can I configure tomcat7 & SSL to only require authentication on selected subfolders of my web site?
For example, I have a folder that I want to be publicly accessible:
/nonSecure/
While I have another folder that requires authentication:
/secureStuff/
What do I need to do? I have a feeling the answer lies in the conf/web.xml or the conf/server.xml files but so far have had no luck.
You have to provide appropriate <security-constraint> entries in your web.xml, that specify <transport-guarantee>CONFIDENTIAL</transport-guarantee> for the URLs you want to secure with HTTPS.
Assuming you are using Container Managed Authentication. If you aren't, you should be.
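The answers in this thread and in the '403 Forbidden' thread above both rely on how a Servlet container resolves overlapping security-constraint entries: the most specific url-pattern wins (exact, then longest path prefix, then extension, then "/"), a constraint with no auth-constraint opens that pattern to anonymous users, and a transport-guarantee of CONFIDENTIAL on the winning pattern forces plain http to https. The following Python script is an added example, not code from any of the answers or from Tomcat; it resolves a request against a web.xml using those rules (taken from the Servlet 3.0 specification, sections 12.2 and 13.8) so you can check what a path will do before deploying. The web.xml string inside it is constructed from the snippets in the two threads, with the /secureStuff/* and /library/* constraints layered onto the catch-all /* constraint.

```python
"""Resolve a request against the <security-constraint> elements of a web.xml
the way a Servlet container does: pick the best-matching url-pattern (exact,
then longest path prefix, then extension, then "/"), combine the constraints
on it, and report whether the path is public, which roles it needs and whether
CONFIDENTIAL would bounce a plain-http request to https.
Added example, not code from the answers; WEB_XML below is constructed from
the snippets in the thread."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Constraint:
    patterns: list                 # url-patterns of one <web-resource-collection>
    methods: set                   # http-methods listed; empty set = every method
    roles: Optional[list]          # None = no <auth-constraint> (public); [] = nobody
    transport: str                 # NONE / INTEGRAL / CONFIDENTIAL

@dataclass
class Decision:
    winner: Optional[str]          # url-pattern that applied, None if nothing matched
    public: bool                   # unauthenticated access allowed
    denied: bool                   # empty <auth-constraint>: nobody may access
    roles: set = field(default_factory=set)
    requires_tls: bool = False     # plain http must be redirected to https

def parse_constraints(web_xml: str):
    root = ET.fromstring(web_xml)
    for el in root.iter():                       # drop the Java EE namespace prefix
        el.tag = el.tag.rsplit("}", 1)[-1]
    out = []
    for sc in root.iter("security-constraint"):
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall("role-name")]
        tg = sc.find("user-data-constraint/transport-guarantee")
        transport = tg.text.strip().upper() if tg is not None and tg.text else "NONE"
        for wrc in sc.findall("web-resource-collection"):
            patterns = [p.text.strip() for p in wrc.findall("url-pattern") if p.text]
            methods = {m.text.strip().upper() for m in wrc.findall("http-method") if m.text}
            out.append(Constraint(patterns, methods, roles, transport))
    return out

def _match(pattern, path):
    """Servlet mapping rules; returns (rank, specificity) or None. Lower rank wins."""
    if pattern == path:
        return (0, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                    # "/*" has an empty prefix and matches everything
        if path == prefix or path.startswith(prefix + "/"):
            return (1, len(prefix))
    if pattern.startswith("*.") and path.rsplit("/", 1)[-1].endswith(pattern[1:]):
        return (2, 0)
    if pattern == "/":
        return (3, 0)
    return None

def evaluate(constraints, path, method="GET", secure=False):
    best, applicable = None, []
    for c in constraints:
        if c.methods and method.upper() not in c.methods:
            continue                             # method not listed: the constraint is silent for it
        for p in c.patterns:
            m = _match(p, path)
            if m is None:
                continue
            key = (m[0], -m[1])                  # best rank first, then longest prefix
            if best is None or key < best:
                best, applicable = key, [(p, c)]
            elif key == best:
                applicable.append((p, c))
    if not applicable:
        return Decision(None, public=True, denied=False)
    winner, cs = applicable[0][0], [c for _, c in applicable]
    # Combining rules (Servlet spec 13.8.1): an empty auth-constraint overrides
    # everything; a missing auth-constraint opens the pattern to anonymous users;
    # otherwise the union of the named roles is required.
    denied = any(c.roles == [] for c in cs)
    public = not denied and any(c.roles is None for c in cs)
    roles = set() if (denied or public) else set().union(*(c.roles for c in cs))
    # Transport guarantees combine as the union of accepted connection types,
    # so a single NONE on the winning pattern lets plain http through.
    requires_tls = not secure and all(c.transport != "NONE" for c in cs)
    return Decision(winner, public, denied, roles, requires_tls)

# Constructed from the thread's snippets: catch-all /* needing myRole for six
# methods, the public /library/* from the 403 answer, and /secureStuff/* over https.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
      <http-method>PUT</http-method><http-method>DELETE</http-method>
      <http-method>HEAD</http-method><http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myRole</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/library/*</url-pattern></web-resource-collection>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/secureStuff/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>myRole</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for path, method in [("/library/bootstrap.min.css", "GET"), ("/errorPages/forbidden.jsp", "GET"),
                         ("/secureStuff/report.pdf", "GET"), ("/errorPages/forbidden.jsp", "PATCH")]:
        print(method, path, evaluate(cs, path, method))
```

Two things the script makes visible that the answers do not spell out. First, /library/* wins over /* purely because its prefix is longer, so the public constraint does not need to list any http-method at all; listing none is what makes it cover every method. Second, the catch-all /* in the 403 question enumerates six methods, so a PATCH request to /errorPages/forbidden.jsp matches no constraint and comes back as public: that is the "uncovered HTTP methods" hole that Tomcat warns about at startup and that Servlet 3.1's deny-uncovered-http-methods element exists to close. Run against the undertow question's web.xml (only /api/* constrained), a request for / resolves to no constraint, which is exactly why a 401 there is the container's bug and not a configuration problem.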

JSESSIONID added to URL when Weblogic redirects to Apache?

Our application is running on WebLogic.
At some point the WebLogic is redirecting to Apache to allow the user to access PDF files.
This happens via:
final String encodedURL = resp.encodeRedirectURL(redirectURL);
resp.sendRedirect(encodedURL); // ok here because redirection to other server and not to itself
The problem is that WebLogic appends a JSESSIONID to the URL and Apache fails to serve the PDF document.
How can I prevent WebLogic from adding the JSESSIONID to the URL?
The whole point of encodeRedirectURL is to include the session ID in the URL if necessary. If you think it's not necessary to include it, don't encode the URL:
resp.sendRedirect(redirectURL);
The problem was that in our weblogic.xml cookies were disabled:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
    <session-descriptor>
        <cookies-enabled>false</cookies-enabled>
    </session-descriptor>
</weblogic-web-app>
We solved the issue by setting them to true. In this particular application, this was not a problem:
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
    <session-descriptor>
        <cookies-enabled>true</cookies-enabled>
    </session-descriptor>
</weblogic-web-app>
Adding this to my Facelets based application's web.xml avoids JSESSIONID:
<session-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
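The answers above fix the symptom by switching session tracking to cookies, but it is worth seeing the decision encodeRedirectURL is supposed to make, because a session ID rewritten into a redirect to another host hands that host, its access log and every Referer header derived from it a live session token. The following Python is an added example, not WebLogic's or Tomcat's code: it models the checks a container performs before appending ";jsessionid=" (session exists, session is not already tracked by a cookie, URL rewriting is enabled, and the target is the same scheme, host, port and context path), and a scrubber for the case where an ID did get into a URL that leaves the application. The rules follow Tomcat's documented behaviour and are an assumption about other containers; the asker's WebLogic evidently applied looser rules, since it encoded a redirect to a different server. Host names, the context path and the session ID are made up for the example.

```python
"""Model the decision behind HttpServletResponse.encodeRedirectURL(): append
';jsessionid=<id>' to a redirect target only when the container still needs
URL rewriting to keep the session AND the target is inside this web
application, and scrub an ID from a URL that leaves the application.
Added example, not WebLogic's or Tomcat's code; the rules mirror Tomcat's
documented behaviour and are an assumption for other containers."""
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def _in_this_app(location, req_scheme, req_host, req_port, context_path):
    """True if `location` points back into the same scheme/host/port and context path."""
    parts = urlsplit(location)
    if parts.scheme:                                   # absolute URL: must be the same origin
        if parts.scheme.lower() != req_scheme.lower():
            return False
        if (parts.hostname or "").lower() != req_host.lower():
            return False
        if (parts.port or DEFAULT_PORTS.get(parts.scheme.lower())) != req_port:
            return False
        path = parts.path
    elif location.startswith("/"):                     # server-relative: compare against the context
        path = location
    else:                                              # page-relative: lives under this app by construction
        path = context_path + "/" + location
    return path == context_path or path.startswith(context_path + "/")

def encode_redirect_url(location, session_id, *, req_scheme, req_host, req_port,
                        context_path, session_from_cookie, url_rewriting_enabled=True):
    """Return `location`, with ';jsessionid=...' inserted into the path only when needed.

    A container that disables cookies (weblogic.xml cookies-enabled=false) sets
    session_from_cookie=False; <tracking-mode>COOKIE</tracking-mode> maps to
    url_rewriting_enabled=False and switches rewriting off entirely."""
    if not session_id or session_from_cookie or not url_rewriting_enabled:
        return location
    if not _in_this_app(location, req_scheme, req_host, req_port, context_path):
        return location                                # off-app targets never get the session ID
    parts = urlsplit(location)                         # urlsplit keeps ';params' inside .path
    return urlunsplit(parts._replace(path=parts.path + ";jsessionid=" + session_id))

def strip_jsessionid(url):
    """Remove a ';jsessionid=...' path parameter (it ends at the next '/' or at the query)."""
    parts = urlsplit(url)
    path = parts.path
    i = path.lower().find(";jsessionid=")
    if i != -1:
        j = path.find("/", i)
        path = path[:i] + (path[j:] if j != -1 else "")
    return urlunsplit(parts._replace(path=path))

# Constructed scenario from the thread: a WebLogic app at https://app.example.com/myapp
# with cookies disabled redirecting a user to a PDF served by Apache on another host.
REQUEST = dict(req_scheme="https", req_host="app.example.com", req_port=443, context_path="/myapp")
SESSION_ID = "ABC123EXAMPLE"

def redirect_to_apache(session_from_cookie):
    """The asker's redirect: target is a different server, so no ID should be appended."""
    return encode_redirect_url("https://files.example.com/docs/report.pdf", SESSION_ID,
                               session_from_cookie=session_from_cookie, **REQUEST)

def redirect_within_app(session_from_cookie, url_rewriting_enabled=True):
    """A redirect inside the same application: here rewriting is legitimately needed
    while the session is not carried by a cookie."""
    return encode_redirect_url("https://app.example.com/myapp/next?x=1", SESSION_ID,
                               session_from_cookie=session_from_cookie,
                               url_rewriting_enabled=url_rewriting_enabled, **REQUEST)

if __name__ == "__main__":
    print(redirect_to_apache(session_from_cookie=False))
    print(redirect_within_app(session_from_cookie=False))
    print(redirect_within_app(session_from_cookie=True))
    print(strip_jsessionid("https://files.example.com/docs/report.pdf;jsessionid=ABC123EXAMPLE?x=1"))
```

If you cannot change the container's tracking mode (for example because the application really must work without cookies), run outgoing redirect targets through something like strip_jsessionid whenever the destination host differs from the request host; the session then stays usable inside the app and never appears in the other server's logs.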