Using Basic Authentication (htaccess) to restrict access to a specific URL - apache

I need to restrict access to a particular URL, e.g. http://mydomain.com/this/is/the/url on my webserver using Basic Authentication through Apache. Any other URL should be openly accessible. I have seen that you can add specific rules to files using:
<Files "mypage.html">
Require valid-user
</Files>
My problem is that all requests are routed to controllers using mod-rewrite and so I don't think that I can restrict access based on the file. Any ideas would be most helpful!

In .htacess file you should put :
AuthType Basic
AuthName "Need to login"
AuthUserFile .htpasswd file location ;
Require user USER
//AuthName is login prompt message
//AuthUserFile is physical .htpasswd file location i.e.
C:/xampp/htdocs/basic/.htpasswd
//Require user is for a specific user i.e. the username you want to
authenticate
To generate .htpasswd file you can use :
- http://www.htaccesstools.com/htpasswd-generator/

I'm not sure if this would work/help, but you could specify something in your application web.xml.
<security-constraint>
<display-name>Public access</display-name>
<web-resource-collection>
<web-resource-name>PublicPages</web-resource-name>
<description>Public</description>
<url-pattern>/servlet/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<display-name>Secured access</display-name>
<web-resource-collection>
<web-resource-name>SecuredPages</web-resource-name>
<description>Secured pages</description>
<url-pattern>/services/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description>General Access</description>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SecurePages</realm-name>
</login-config>
<security-role>
<description>General Access</description>
<role-name>*</role-name>
</security-role>

Related

Setting up basic authentication Solr 5.3.1 for dummies

OK, so I'm not a server guru, but I need to figure out how to set up authentication for our solr server admin page. I'm trying to follow the steps outlined here:
https://lucidworks.com/2015/08/17/securing-solr-basic-auth-permission-rules/
I can't even complete the first step, upload the JSON file. I created the JSON file, but when I go to upload it, I get a "command not found" error when trying to run zkcli.sh. Do I need to set something up with Zookeeper first to get this to run? What should I check?
EDIT: I followed some tutorials online and did the following:
1) set jetty-http.xml to localhost (changing the host to 127.0.0.1) by adding the line:
<Set name="Host"><SystemProperty name="jetty.host" default="127.0.0.1"/></Set>
2) I also added the following to the apache config file (obv changing to correct path in the path to htpasswd):
<Location /solr >
AuthName "Secure Area"
AuthType Basic
AuthUserFile /path/to/htpasswd/.htpasswd require valid-user
</Location>
ProxyPass /solr http://localhost:8983/solr
ProxyPassReverse /solr http://localhost:8983/solr
3) I set up a password via htpasswd.
4) I restarted the server. I refreshed the solr page and nothing; it's a broken link.
What am I doing wrong?
(Unfortunately every time I do that the solr core also disappears and refuses to load. That's another issue though, which I thought was related to permissions but doesn't seem to be...)
You can follow these steps to get the basic authentication work in solr.
Assuming you have ubuntu OS and installled the server using the install script.
Step1. sudo vi /opt/solr/server/etc/jetty.xml
Add the following code towards the end of the file before the "" tag.
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Test Realm</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
Step2. sudo vi /opt/solr/server/etc/webdefault.xml
Add the following code towards the end of the file before the "" tag.
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
Step3. Create the file "/opt/solr/server/etc/realm.properties" with the following contents:
USERNAME: PASSWORD,core1-role
The username and password is stored in the following file /opt/solr/server/etc/realm.properties

How to handle web.xml authorization to local js/css files when returning '403 Forbidden'?

I have a website which only people with authorization can enter. If someone does not have authorization, my web.xml redirects them to a 403 error page.
However, both my application and my error pages use some external js and css files (e.g. bootstrap). Logically, the 403 error page cannot access these js/css files, as permission is forbidden to everything except for the the error page html.
How should I solve this neatly? Should I expose my libraries folder publicly? If so, how can I override my security rules for a specific folder?
I looked through the documentation here but I do not see this scenario mentioned. I presume I have to add a security-constraint to "/libraries", and somehow override the necessary roles for the HTTP-method GET?
The potentially relevant parts of my web.xml:
<error-page>
<error-code>403</error-code>
<location>/errorPages/forbidden.jsp</location>
</error-page>
<security-role>
<role-name>myRole</role-name>
</security-role>
<security-constraint>
<display-name>MySecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WebResource</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>myRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
You could simple add an extra security-constraint with detailed path and without the auth-constraint
<security-constraint>
<display-name>NoSecurityConstraint</display-name>
<web-resource-collection>
<web-resource-name>WebResource</web-resource-name>
<url-pattern>/library/*</url-pattern>
<http-method>GET</http-method>
<http-method>DELETE</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>OPTIONS</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
I hope this solves your problem

Change the URL mapping in Javamelody

I have the same exact problem as in Change the URL mapping -Javamelody, but unfortunately I cannot comment on it due to lack of reputation.
The accepted answer there does not do it for me and I have a feeling it might be because I am inserting it in the wrong place. Where exactly do I need to put it?
I have fixed my problem as such:
The .jar files from Javamelody need to be in the lib folder of your webapp, not only in your tomcat\lib folder.
Then I added this code to the web.xml:
<filter>
<filter-name>monitoring</filter-name>
<filter-class>net.bull.javamelody.MonitoringFilter</filter-class>
<init-param>
<param-name>monitoring-path</param-name>
<param-value>/admin/monitoring</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>monitoring</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>W2MO</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JavaMelody Monitoring</realm-name>
</login-config>
<security-role>
<role-name>admin</role-name>
</security-role>
The admin role needs to be defined in the file tomcat-users.xml:
<role rolename="admin"/>
<user username="admin" password="password" roles="admin"/>

How to make undertow NOT use authorization for open resource when authorization is included in request?

Using Wildfly 8.1.0.Final
I want to create a web app that requires basic authentication for access to /api/* but the rest of the application should be open. To accomplish this I have the following web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
<security-constraint>
<web-resource-collection>
<web-resource-name>Api access</web-resource-name>
<url-pattern>/api/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>api</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>api</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Authentication requires api access</realm-name>
</login-config>
</web-app>
Testing with a browser, this works as expected.
http://localhost:8080/myapp/api
...requires authentication.
http://localhost:8080/myapp
...does not require authentication.
Here comes the tricky part:
A third party accesses /myapp and includes an authorization header in the request:
Authorization: Basic ZGlsbDpkYWxs
This is not a user registered in wildfly, but that shouldnt matter because /myapp is open, and does not require authorization. However what happens is this:
401 Unauthorized
Why? I have not told undertow to use any security constraints for /myapp, yet it defaults to the security constraints I have registered for /myapp/api
This is new behaviour that was introduced with undertow, because with Jboss AS 7.1.1.Final this did not happen.
How can I tell undertow to not use authorization for an open resource when authorization is included in the request?
I can confirm the issue with WildFly 8.1.0.Final. GlassFish 4.0 does not respond with 401 in the same scenario.
I've submitted an issue:
https://issues.jboss.org/browse/WFLY-3590

GWT and SSL not working?

I have a GWT app, I'm using the MVP4G framework. I'm able to pull up my app just fine if I use HTTP. However, when I try to open it using HTTPS it does not work. My entire site works fine with the SSL certificate I have.
Is there a particular configuration that I need to enable when I compile GWT? Or is there something I need to do in my apache configuration? Any help would be greatly appreciated, thank you.
SSL should not affect your application, because SSL runs on an other Layer.
To configure HTTPS you must set the security constraints in web.xml and connect to "https://" afterwards not to "http://". If you connect to "http://" you receive a blank page.
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>