How apply auth restriction in JSPUI? - user-experience

How apply auth restriction in JSPUI? I was wanting in JSPUI apply when the user tries to access the feedback form, the dspace require authentication, but I could not understand how the pages that require authentication as in 'mydspace' works in JSPUI.
It is possible for jsp pages? or need change java class?

The authentication requirement is set up in web.xml (link to 5.x version). It may be enough to add another filter-mapping clause for the feedback URL, eg
<filter-mapping>
<filter-name>registered-only</filter-name>
<url-pattern>/feedback</url-pattern>
</filter-mapping>
But I haven't tried it! This may not work.

Related

Hybris Tenant Activation

How do I activate a particular tenant in hybris ? As one of my applications operations is throwing "java.lang.IllegalStateException: no tenant active. if you do not want to use tenants, call Registry.activateMasterTenant() to assure the Master tenant is active"
If you are running custom Threads, try putting this in the "run" method:
if (!Registry.hasCurrentTenant())
{
Registry.activateMasterTenant();
}
If you are using custom thread use : TenantAwareThreadFactory. That will create your thread "safety"
If you know what your tenant ID would be then you can use setCurrentTenantByID(String id) on Registry to activate the tenant.
That said, this is probably a bad idea. Usually if hybris is throwing this error it means that something has gone wrong.
Ensure you've got the SessionFilter enabled (this intercepts incoming requests and will set the tenant). Also take a look at what you're doing and make sure you're not spinning off new threads etc which are running outside the scope of the current tenant.
Most of the time there is an other exception in the call stack. The "java.lang.IllegalStateException: no tenant active." message is just the last one printed.
If this is not the case, see the answers above.
Probably you need to add some JVM options to your classes.
Something like that:
-ea -Xmx4g -XX:MaxPermSize=1024m -Dspring.profiles.active=XXX
That works for me to run integration tests.
change in the local.properties file.
just the master tenant
installed.tenants=
just the master tenant along with other tenant
installed.tenants="yourparticulartenant"
Check if this helps
I think HybrisInitFilter has not been invoked before DispatcherServlet is delegating the request to your controllers. Therefore no tenant has been activated and in turn, most of Hybris platform logic will fail with the error you are seeing.
Please check your web.xml
<filter>
<filter-name>InitFilter</filter-name>
<filter-class>de.hybris.platform.util.HybrisInitFilter</filter-class>
<!-- GZIP compression of response (default = true) -->
<init-param>
<param-name>enable.compression</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>tenantIDPattern</param-name>
<param-value>;\s*tenantID\s*=\s*(\w+)</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>InitFilter</filter-name>
<url-pattern>*.jsp</url-pattern>
</filter-mapping>
There are two possible reasons for this error,
If your system is not initialised.
If your application server has lost the DB connection and tenant is deactivated and threads are not able to recover it and set the active tenant .
Solution :
Simply restart the application server, all the threads and session will restore the right value and start working.

What is the actual order of execution for servlet filters defined in WEB-INF/web.xml and conf/web.xml

As per my understanding, the order of filter execution is the order they are defined in the web.xml for the same url-mapping. But I could not find any reference how this behaves, if we have multiple filters defined for same url-mapping across the container's web.xml and individual application's web.xml
My assumption was, since an application is deployed as part of a container, say tomcat, which has web.xml of its own, any requests targeted for each such deployed app, will have to go through the filter chain defined in tomcat/conf/web.xml before going through application filters. But my understanding is wrong
I have a simple web app with two filters defined in web.xml as follows
<filter>
<filter-name>AppFilterOne</filter-name>
<filter-class>com.test.filters.AppFilterOne</filter-class>
</filter>
<filter>
<filter-name>AppFilterTwo</filter-name>
<filter-class>com.test.filters.AppFilterTwo</filter-class>
</filter>
<filter-mapping>
<filter-name>AppFilterOne</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>AppFilterTwo</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Without any further change, if I hit my web url http://localhost:8080/myapp, I see AppFilterOne and AppFilterTwo being hit in that order.
Now, I added two more filters in my tomcat/conf/web.xml (My tomcat version is 7.0.27 and supporting servlet 3.0)
<filter>
<filter-name>TomWebFilterOne</filter-name>
<filter-class>com.test.filter.TomWebFilterOne</filter-class>
</filter>
<filter>
<filter-name>TomWebFilterTwo</filter-name>
<filter-class>com.test.filter.TomWebFilterTwo</filter-class>
</filter>
<filter-mapping>
<filter-name>TomWebFilterOne</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>TomWebFilterTwo</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
Now, if I access http://localhost:8080/myapp, the filters executed in the below order
AppFilterOne
AppFilterTwo
TomWebFilterOne
TomWebFilterTwo
My initial assumtion was, the TomWebFilters will intercept first and then the application specific filters.
If the results I see are actually correct and that is how the filters work, is there a way I can influence the execution order of the filter. I heard about but not sure, if that is the correct approach here.
A little back ground my actual problem:
We have a bunch of web applications deployed in different vm's in tomcat 7X instance. Each of these web application has an audit filter that audits and logs each incoming requests. However, in tomcat /conf/web.xml a filter is defined to support NTLM authentication (JCIFS flavor). Because of this setup, every requests coming in are actually logged (as part of audit filter) and then filtered for NTLM. We want the NTLM to happen first and then anything else.
There are couple of approaches, I'm thinking here
A) Instead of defining in tomcat/conf/web.xml, we may need to define that filter as the first filter in each application.
B) Have NTLM filter set an attribute in request, stating the status of the NTLM process and our audit filter will check for this for two times (i.e for two 401 HTTP status codes), and return back.
I'm not particularly happy with both approaches and hence wondering what can be done
Thanks
To fix my original problem of doing audit logs, instead of using a filter in application web.xml, I used AOP for that purpose. It seems to be working fine. But I'm still curious to know, if there is a standard way to influence the filter sequence declared between WEB-INF/web.xml and conf/web.xml

Define a <security-constraint> outside of web.xml (e.g. server-wide)

I would like to apply security constraints for all webapps deployed on a Tomcat7 server. To do this I have set up a Realm and Valve. My understanding is that the contents of context.xml get included for all apps deployed to a server - that part seems to work as I can add all manner of configuration and I see the effects as it gets included in the various deployed app contexts. It works wonderfully for enforcing consistency across web apps.
What doesn't seem to work is trying to define a security-constraint like the one below outside of web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>myServletWAR</web-resource-name>
<url-pattern>*.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>my_role</role-name>
</auth-constraint>
</security-constraint>
I'm doing it in context.xml between the Context tags. No complaints from Tomcat, but no security constraint is applied, e.g I can hit the app without a password. With the constraint above in context.xml I see:
Aug 14, 2013 3:03:32 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
FINE: Not subject to any constraint
...in the logs, and can get to the "protected" resource with no auth.
Moving the same constraint to a webapps's web.xml, of course, yields the expected constraint behaviour, but I need to ensure the constraint is applied consistently across all deployed apps on a given server.
Does security-constraint need to be inside of a web-app? If it does how can I define a security-constraint across several (as yet deployed) web-apps if not in context.xml?
This is exactly what I am trying to set up, but I want to enforce the constraint outside (above) web.xml. Again, so that it will be consistent for the entire server.
I did see another similar question, but I'm trying to find a way to do this in Tomcat configuration without having to use the Servlet API from the code base (that is already written).
Thanks!
The second after I posted my question I realized that:
$CATALINA_BASE/conf/web.xml was the answer I was looking for.
It's root element, as one would expect, is web-app, and the contents get added to each deployed web app (like context.xml for each context) adding the security-constraint worked.
I did have to re-start Tomcat (it doesn't auto deploy for changes in that file apparently), but that is not an issue as this shouldn't change in production.

Struts2 Authorization

I am about to graduate from university with a web application that needs be implemented at school, everything is working perfect and this needs to be ready before november but I'm having a real trouble taking care of the security. The application must be able to have different users with one or more different roles, ( user1: roles: student; user 2: admin, user 3: professor, boss ).
When a user logs in it should be redirected to a different view depending on the roles it has and then if he tries to access to resources not allowed for his role, an error page should be shown.
This is what I've tried so far:
Method 1:
Authentication Method: Specified in web.xml as
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
</form-login-config>
</login-config>
Then using the names j_username and j_password along with j_security_check on a custom jsp.
Authorization Method: Used Container Security (Tomcat) via DataSourceRealm, wich allow us to connect to a database and get the user and the roles associated with him from 2 Tables that need to be mapped in the server.xml:
<Resource auth="Container" driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver" maxActive="100" maxIdle="30" maxWait="1000" name="jdbc/sstt" password="pass" type="javax.sql.DataSource" url="jdbc:sqlserver://localhost;databaseName=BDTT" username="sa"/>
web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Students Only</web-resource-name>
<url-pattern>/student/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>student</role-name>
</auth-constraint>
</security-constraint>
// Same mapping for professor, admin, and boss (/professor/* maps to professor role)
Results: Whenever I tried to access a restricted area, for example, /members/ (configured in the web.xml inside a security constraint) it would work just perfect, so authorization goal was achieved.
The problem:
When I submit the login form it fires the j_security_check so I'm not able to fire a Struts2 Action that could help me to redirect depending on the user roles this is the main problem. Everything was perfect but I can't find a way to redirect after logging in with the Container security.
Method 2:
Authentication Method: A LoginAction class that queries the database and checks if the password is correct. It also checks on the user roles and here we should be able to return a String like "admin", or "student" and redirect to the appropriate index.jsp resource, but that would work only if users were allowed to have only one role, but they can have many, so how should the view be constructed depending on the total user roles? What String would we return?
Authorization Method: I wrote a custom Interceptor wich retrieves the User object from the session (this User object should be in the session only if the user authenticated successfully) and then perform the authorization logic here.
The problem:
Unable to find a way to construct a view depending on several roles, and the problem about the Interceptor is that it only protects my actions, so the authorization goal was achieved but only on actions, that means I could write /students/ and the URL would change to /students/index.jsp without even trying to authorize.
Other plans
I was thinking that maybe I could use filters to achieve the authorization ( that way I could protect both the dynamic and static resources ) but I don't know if that would be a good practice since we have configured the Struts2 filter which maps to /*
I was also looking that I could use JAAS or Spring Security but I don't know if I could achieve this, authenticate, redirect based on roles and authorizate. I wouldn't want to spend more several hours to find out that I can't do what I need, and I have just a very short time to finish this.
Other questions
Is it really a good practice to put jsp under WEB-INF? if so I should rewrite all the access to my jsp's in the struts.xml to WEB-INF/jsp/students/index.jsp? ( for example ). Or should I stick to a security constraint defined in web.xml to avoid direct access to the /jsp/* url pattern?
Thank You very much in advance for all your time and help.
For problem in method 1: You can write Struts2 interceptor to achieve what you want.
For Spring Security examples see my answer to this question https://stackoverflow.com/questions/12615354/how-to-implement-role-based-login/12629731#12629731
And YES it is a good practice to put jsp under WEB-INF folder. See Why put JSP in WEB-INF?

JSF 1.1: Having /login/foo and /login/bar be served by the same code

We have a generic JSF 1.1 (myfaces 1.1.4, tomahawk 1.1.9, uses "*.jsf" to map to jsp files) where we need a more flexible way to handle user logins. The basic issue is that the application as such does not know which backend the user needs to connect to, and that has until now been added as a parameter to the URL to the generic login page.
This has proven to be error prone, so I am investigating if we in addition to
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
can make a path mapping from "/login/*" so that we can have "/login/foo" and "/login/bar" as plain, robust URLs.
For this to work, I need to have them all map to the same underlying JSP file, which then must be able to identify if "foo" or "bar" was used so we can present backbone specific CSS attributes in the login page branding it accordingly. The environment specific information is located in a property file available to the login page.
I have read through the JSF 1.2 specification but it is a pretty big haystack and I didn't see the needle.
Can this be done in a standard way? (i.e. implementation independent) Can it be done if I upgrade to Mojarra with Tomahawk?
Am I missing something obvious?
This lies outside the responsibility of JSF. To the point, you'll need a Filter which listens on an url-pattern of /login/*, extracts the path part from it and forwards the request to for example "/login.jsf?path=" + path.
You can either homegrow one or reuse one.

Resources