Form Authentication on Website - authentication

Here is how our Tomcat web server is currently set up. We are using JSP for the web pages.
/webserverpath/main (all public pages and the login page)
/webserverpath/secure1 (private pages)
/webserverpath/secure2 (private pages)
/webserverpath/secure3 (private pages)
I recently discovered that the authentication is very minimal. For instance, once a user is logged in, they can bookmark any private page, close the browser, open the browser back up, go to the bookmark and are never asked to sign in again (which turns out to be bad since we recently started disabling users). All of this was set up before I arrived. I'm wondering what I can do to add the proper security. Should I have all the folders under one main folder (i.e. /webserverpath/main/secure1, etc.) or just leave it alone?
Let me add that I'm newish to the whole website authentication stuff, to having multiple websites in different folders like this, and to JSP itself.

You might start here: Declarative Web Application Security with Servlets and JSP
Generally, you probably want some session-based authentication that kicks people out of the private parts of the site if they aren't authenticated.

Related

Best way to password-protect folders on IIS

What is the best way to password-protect a folder on IIS with a single set of credentials to be shared by a group of users?
Our hosting service offers Plesk, which in turn offers a "password-protected directory" function, but some of our clients have HTTP authorization disabled, so they get an automatic 401.4 error with no prompt for credentials.
I've looked into Forms authentication but this seems cumbersome to set up for the numerous separate domains at issue.
The protected content is not super sensitive; we just don't want it easily accessible to the public. Many of our users do not use the site frequently and we don't want to implement individual credentialing for everyone (we do have that in place for more sensitive sections) just so they can view current project reports or meeting minutes.
On sites I don't control, but am just a user of, that do the same things as mine, it is a big pain to have to look up a username and password twice per year just to view a meeting agenda (yes, the browser could remember them, but they also have a 4-month expiration and lots of us are on different devices all the time).
Is Forms authentication the way to go? It took several hours for me to get it set up and working, with all sorts of settings not well documented in a single place.
(I had previously asked about how to disable Basic Auth on the client side, was told more than once it's not possible - but it is, via client/browser registry keys)
Thanks.
It's perfectly fine to use forms authentication. All you need to do is navigate to the folder or file you want to protect, then go to Authorization Rules. Add a deny rule for anonymous users; when users who are not logged in try to click on any file in that folder, they will be redirected to your login page. You can find a lot of guides on forms authentication in Google; you can refer to the following:
https://learn.microsoft.com/zh-CN/troubleshoot/developer/webapps/aspnet/development/forms-based-authentication
https://learn.microsoft.com/en-us/iis/application-frameworks/building-and-running-aspnet-applications/how-to-take-advantage-of-the-iis-integrated-pipeline
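The deny rule described above, written out as the web.config that the Authorization Rules page in IIS Manager produces, plus the forms-authentication settings it relies on. This is an added example rather than the answerer's or Microsoft's configuration; the folder name Reports and the login page ~/Account/Login.aspx are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the answerer's configuration. The folder "Reports" and the
     login URL are assumptions. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Requests denied below are redirected here; the ticket cookie is only
           sent over HTTPS and slides its 30-minute expiry on each request -->
      <forms loginUrl="~/Account/Login.aspx"
             timeout="30"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies" />
    </authentication>
    <!-- Site root stays open to everyone -->
    <authorization>
      <allow users="*" />
    </authorization>
  </system.web>

  <!-- Only the protected folder denies anonymous users; "?" means unauthenticated.
       Rules are evaluated top to bottom, so the deny must come before the allow. -->
  <location path="Reports">
    <system.web>
      <authorization>
        <deny users="?" />
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <system.webServer>
    <!-- Integrated pipeline: run the managed Forms modules for static files
         (.pdf, .docx, .html) as well, otherwise IIS serves them directly and
         never consults the authorization rules above -->
    <modules runAllManagedModulesForAllRequests="true" />
  </system.webServer>
</configuration>
```

The second Microsoft link above describes the integrated-pipeline behaviour that the runAllManagedModulesForAllRequests setting depends on; without it the deny rule only protects ASP.NET-handled requests, not the static reports themselves.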

Protect a directory with regular Laravel Auth

I have a secondary application that drops new folders into my Laravel application on a daily basis. The contents of the folder need to be publicly accessible because they're Flash files with a number of assets placed in each day's folder, alongside static .html pages, .jpgs, and .swfs. These links are part of the secondary application's vendor-coded framework.
Moving the files from a non-web accessible folder using php doesn't seem like a good option. I've tried using readfile() and considered .htaccess, but I don't want a secondary login for my users.
Only users who have logins with my Laravel application should have access to these files. Is there some way I can protect access to any request inside this folder with Laravel's Auth system, not basic auth, with the understanding that the page requests inside that folder vary?
From extensive searching, I've found that Laravel cannot handle the protection of public folders with static assets. This is a web server configuration issue.
One solution would be to set a cookie that gets read by the web server and bounces the user if the cookie value does not match a predetermined value. But Laravel encrypts cookies and disposes of cookies not encrypted on each load. So that solution would only work if you use App::filter to process the cookie using PHP's setcookie().

Disable URL /web/guest/home in liferay

When any user hits the URL http://abc.xyz.com/web/12345/home, the Liferay Welcome page comes up, where the user can see options like calendar, language, dictionary etc. I am using Liferay 5.2.3. Can anyone suggest how to disable this URL?
Can the URL be blocked from Apache?
You're probably referring to a user's personal page - this is a public page and you can configure Liferay so that users don't have personal (public) pages. As long as the users have personal and public pages, they are, well, public: if you navigate to them, you'll get to see them. You can make them private pages (thus the URL will change to /group/12345/home) and - at least - require a login. But as long as you have a public page in your portal, it will be shown.
(You can also change permissions on every single page, but that's probably what you also don't want.)
Can you block at the Apache level? Yes. But why change at the entry point when you can also get rid of the root cause - e.g. properly configure the pages and access levels.
Also, Liferay 5.2.3 is quite ancient now. You should really consider upgrading.

How do I get placemark icons to load over ssl?

I'm working on a web application that uses the Google Earth plugin. Recently, a new requirement to have non-public users log on was added, which meant that some users were now using the site over https. Among the things that broke in testing were the custom placemark icons (they were working using http).
The icons are hosted on the same server which serves the page.
Here are the urls for each of the protocols.
http - http://localhost/Images/yellow.png
https - https://localhost/Images/yellow.png
I can follow that link and the image will appear as you would expect.
The image hrefs are declared as icon styles in dynamically generated KML.
I want to avoid loading the images over http because I think that will cause Internet Explorer to present the user with a mixed content warning.
How do I get the images to load properly while using https?
I have been wrestling with this myself -- the short answer is that this won't work. If the content is served off of an HTTPS site that generates any kind of error/prompt (authentication, invalid certificate, etc.) the plugin will simply not load the content.
Interestingly, the desktop client works fine and prompts the user for credentials if necessary. However, neither client will allow content to be served off of a site with an untrusted certificate.
The only workaround that I have found is:
Use a trusted HTTPS certificate on the server hosting the content (either trust the certificate on the client systems or just use a real certificate.)
Do not use HTTPS basic auth, as that will always generate 401/Challenge responses which the web browser client will simply ignore.
If authentication is a requirement, use NTLM authentication and common (e.g., domain) logins. If you load the plugin in Internet Explorer (or in a .NET WebBrowserControl) the authentication will be handled properly and the images will show up.
I was at a Google Earth administrator's training last week and the trainer confirmed this "bug". It is supposed to be fixed in the next version of the plugin (it may actually be fixed already -- what version of the plugin are you using?)

Mixing secure and non-secure pages

I am using the Drupal Secure Pages module to secure sensitive pages (such as login and admin pages). I am running into two issues with this:
I am able to log in securely on the login page using https. However, when I traverse to a non-secure page such as the home page, the browser completely forgets that I am logged in (instead of my username, the login link shows up). (The problem goes away as soon as I disable the Secure Pages module.)
Since the secure pages are getting their images using non-secure URLs, the browsers are showing warning messages. For example, "The site uses SSL, but Google Chrome has detected insecure content on the page."
Is there any clean solution to these issues?
The recommendation here was to make the entire site secure, which seems like overkill for my site (essentially an open source community). Having said that, how much of a performance hit does something like this incur, roughly?
Thanks.
I was able to solve the issue with non-secure pages not remembering the login state. The solution was to add this line to sites/default/settings.php: $conf['https'] = TRUE; You can see the details here.
As far as I can tell, issue #2 was a browser caching issue. I cleared all the caches and cookies and the problem seems to have gone away!