I have configured a JAAS login for my web application. The login is configured in web.xml as shown below.
<security-constraint>
<web-resource-collection>
<web-resource-name>application</web-resource-name>
<url-pattern>/application/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ROLE</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>ROLE</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/WEB-INF/login.xhtml</form-login-page>
<form-error-page>/WEB-INF/login.xhtml?failed=true</form-error-page>
</form-login-config>
</login-config>
For users in ROLE everything works as expected. But when I try to access a restricted resource with a user not in the necessary ROLE, the login is performed nontheless, an errorpage with code 403 is shown and the user cannot perform a logout (other than deleting cookies or restarting the browser).
Of course I could configure to use a different error page in web.xml, which allows logout.
<error-page>
<error-code>403</error-code>
<location>/WEB-INF/error.xhtml</location>
</error-page>
But my desired behaviour is, that users who do not have ROLE assigned can't login at all and are redirected to the login-page with an appropriate error message. How can I achieve this?
I don't know whether the information is necessary, but the frontend framework I use is JSF 2.1.
Related
Only users with certain permissions should be able to deploy to kie server others should not.
How to implement an interceptor on the kie server ie the kieserver should throw an error if the user does not have certain permissions
To achieve this you have to define permissions of certain REST API in web.xml file of kie-server.war file. with below configuration user with 'deployer' role can only perform 'PUT/POST' operation on '/services/rest/server/containers/' REST endpoint.
<security-constraint>
<web-resource-collection>
<web-resource-name>REST web resources</web-resource-name>
<url-pattern>/services/rest/server/containers/*</url-pattern>
<http-method>POST</http-method>
<http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>deployer</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>deployer</role-name>
</security-role>
I want to secure my web app such that only the "admin" user can access all of the pages, but a special "test" user can access the status page.
Here is what I've tried:
In web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Everything else</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Status page</web-resource-name>
<url-pattern>/status/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method> <!-- Use http basic authentication -->
<realm-name>MyApp Realm</realm-name> <!-- users are defined in this realm -->
</login-config>
Unfortunately, when I tried to access the status page (https://localhost:444/app-0.0.1-SNAPSHOT/hbr/status) with the test user I get the following:
Problem accessing /app-0.0.1-SNAPSHOT/hbr/status. Reason:
!role
Any idea how I can fix this?
It turns out that the "status" page is not at the root of the app, but part of a subservice called "hbr" ("hbr" the only subservice, which is why I didn't notice). The following change to the second security-constraint causes the app to work as expected:
<security-constraint>
<web-resource-collection>
<web-resource-name>Status page</web-resource-name>
<url-pattern>hbr/status/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
We are trying to configure picketlink on jboss 7 to have SAML based web SSO on spring mvc application (as IDP).
We have custom login module which extends DatabaseServerLogin module and our application needs just user authentication and no need of authorization. We have a custom authorization logic built in house which will be called after user is authenticated. So the roles for <auth-constraint> & <security-role> is marked *.
configuration done in web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Manager command</web-resource-name>
<url-pattern>/home</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>PicketLink IDP Application</realm-name>
<form-login-config>
<form-login-page>/WEB-INF/jsp/loginUser.jsp</form-login-page>
<form-error-page>/WEB-INF/jsp/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
Spring dispatcher servlet url pattern is
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>>
<url-pattern>/</url-pattern>>
</servlet-mapping>
http:myHostName:8080/myapp/home is taking to login page as configured.
After login/authentication is successful, then call is redirected to a controller url mapping /home and that controller is returning home.jsp as expected but on the browser I am getting 404 error.
But when we debugged, we came to know that at some point of method stack trace before returning to browser, there status of response object is changed to 404 and error is true.
Am i missing any configuration? Any help would be appreciated
I have GWT application deploy on AppEngine. I would like to limit access to the application to administrators only.
I would like to use the built-in security-constraint settings in web.xml but I can't figure how to make my app respond in /myapp/admin url instead of /myapp
I am using RequestFactory to communicate with the server, I would like the /gwtRequest to be under the same constraint.
Thank you,
Ido.
I don't know if I understand your question correcty.
If you want only access with admin, you can configure you Application like following:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/loginpage</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
Now you have only Admin-Access to every Page, but you still need to have public access to the login-page. (you must replace "loginpage" with the url to your login page)
If you only want to make you gwtRequest under admin-access make it like this:
<security-constraint>
<web-resource-collection>
<url-pattern>/gwtRequest/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
I'm sorry I'm not sure if its /gwtRequest/ or /gwtRequest
I have a web application which i deploy in Tomcat. I want to secure all pages under the url path administration/*.
I have set up container-managed security entering the next snippet in the web.xml file:
<security-role>
<role-name>administrator</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>AdministrationPanel</web-resource-name>
<url-pattern>/administration/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>
and in $CATALINA_HOME/conf/tomcat-users.xml i have
<user username="userA" password="userA" roles="administrator"/>
Everything is working fine. I get a login box and i can authenticate myself as userA.
However, i would like to be able to store new users directly by using the web application, change user passwords etc.
Is it possible to tell tomcat to get the users, passwords and roles any other way? For example a class which retrieves them from the database.
Yes, it is possible.
Or for the current Release Tomcat 6 Realm Howto