Only users with certain permissions should be able to deploy to kie server others should not.
How to implement an interceptor on the kie server ie the kieserver should throw an error if the user does not have certain permissions
To achieve this you have to define permissions of certain REST API in web.xml file of kie-server.war file. with below configuration user with 'deployer' role can only perform 'PUT/POST' operation on '/services/rest/server/containers/' REST endpoint.
<security-constraint>
<web-resource-collection>
<web-resource-name>REST web resources</web-resource-name>
<url-pattern>/services/rest/server/containers/*</url-pattern>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>deployer</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>deployer</role-name>
</security-role>
Related
I have configured a JAAS login for my web application. The login is configured in web.xml as shown below.
<security-constraint>
<web-resource-collection>
<web-resource-name>application</web-resource-name>
<url-pattern>/application/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>ROLE</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/WEB-INF/login.xhtml</form-login-page>
<form-error-page>/WEB-INF/login.xhtml?failed=true</form-error-page>
</form-login-config>
</login-config>
For users in ROLE everything works as expected. But when I try to access a restricted resource with a user not in the necessary ROLE, the login is performed nontheless, an errorpage with code 403 is shown and the user cannot perform a logout (other than deleting cookies or restarting the browser).
Of course I could configure to use a different error page in web.xml, which allows logout.
<error-page>
<error-code>403</error-code>
<location>/WEB-INF/error.xhtml</location>
</error-page>
But my desired behaviour is, that users who do not have ROLE assigned can't login at all and are redirected to the login-page with an appropriate error message. How can I achieve this?
I don't know whether the information is necessary, but the frontend framework I use is JSF 2.1.
I want to secure my web app such that only the "admin" user can access all of the pages, but a special "test" user can access the status page.
Here is what I've tried:
In web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Everything else</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Status page</web-resource-name>
<url-pattern>/status/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method> <!-- Use http basic authentication -->
<realm-name>MyApp Realm</realm-name> <!-- users are defined in this realm -->
</login-config>
Unfortunately, when I tried to access the status page (https://localhost:444/app-0.0.1-SNAPSHOT/hbr/status) with the test user I get the following:
Problem accessing /app-0.0.1-SNAPSHOT/hbr/status. Reason:
!role
Any idea how I can fix this?
It turns out that the "status" page is not at the root of the app, but part of a subservice called "hbr" ("hbr" the only subservice, which is why I didn't notice). The following change to the second security-constraint causes the app to work as expected:
<security-constraint>
<web-resource-collection>
<web-resource-name>Status page</web-resource-name>
<url-pattern>hbr/status/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
I have GWT application deploy on AppEngine. I would like to limit access to the application to administrators only.
I would like to use the built-in security-constraint settings in web.xml but I can't figure how to make my app respond in /myapp/admin url instead of /myapp
I am using RequestFactory to communicate with the server, I would like the /gwtRequest to be under the same constraint.
Thank you,
Ido.
I don't know if I understand your question correcty.
If you want only access with admin, you can configure you Application like following:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/loginpage</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
Now you have only Admin-Access to every Page, but you still need to have public access to the login-page. (you must replace "loginpage" with the url to your login page)
If you only want to make you gwtRequest under admin-access make it like this:
<security-constraint>
<web-resource-collection>
<url-pattern>/gwtRequest/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
I'm sorry I'm not sure if its /gwtRequest/ or /gwtRequest
I have two Web Services (MyService and MyProtectedService). I want both going under the same port HTTPS but only the protected one to have client authentication (clientAuth=true).
All the security is working fine, but the problem is that the client auth is ON for both services, not only for the protected one. What I would like is remove the client auth for one of them, or apply the client auth to the other only.
Does anyone have any hint? Thanks
In the web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>protected element</web-resource-name>
<description/>
<url-pattern>/MyProtectedService</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
UPDATE:
I tried to divide the service in two constrains:
<security-constraint>
<web-resource-collection>
<web-resource-name>OpenService</web-resource-name>
<description/>
<url-pattern>/OpenService</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>protected</web-resource-name>
<description/>
<url-pattern>/MyProtectedService</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<login-config>
<auth-metod>CLIENT-CERT</auth-metod>
</login-config>
</security-constraint>
And have ClientAuth=false in server.xml.
But then I can access this without any client authentication:
https://MACHINE/MyProtectedService/MyProtectedService?wsdl
The approach is to have two separate security constraints even though the one for the public service has no constraint at all (neither a auth-constraint nor a user-data-constraint). It assumes that the two service have different URLs which is most likely the case:
<security-role>
<role-name>ProtectedServiceRole</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public Service</web-resource-name>
<url-pattern>/PublicService/*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Service</web-resource-name>
<url-pattern>/ProtectedService/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>ProtectedServiceRole</role-name>
</auth-constraint>
</security-constraint>
The role name specified in the auth-constraint will trigger an authentication.
Update:
I'm afraid I haven't properly read your question and overlooked the certificate authentication part. Though I have used it in the past, I never had the mixed setup you require so I can only give some options what you could try next:
Currently you require the authentication on the transport level. That's to low-level and too early. Have you tried setting clientAuth to false and instead add the following lines to your web.xml:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
Another approach would be to use two differnt ports for the two services. For that, you define two different connectors in the server.xml.
I have a web application which i deploy in Tomcat. I want to secure all pages under the url path administration/*.
I have set up container-managed security entering the next snippet in the web.xml file:
<security-role>
<role-name>administrator</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>AdministrationPanel</web-resource-name>
<url-pattern>/administration/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>
and in $CATALINA_HOME/conf/tomcat-users.xml i have
<user username="userA" password="userA" roles="administrator"/>
Everything is working fine. I get a login box and i can authenticate myself as userA.
However, i would like to be able to store new users directly by using the web application, change user passwords etc.
Is it possible to tell tomcat to get the users, passwords and roles any other way? For example a class which retrieves them from the database.
Yes, it is possible.
Or for the current Release Tomcat 6 Realm Howto