How to prevent direct access of xhtml page in JSF - jsf

I have a project structure like this: Project Structure
I want only home.xhtml to be accessible when the user hits the URL; healthCheck and error should not be (test is temporary and will be deleted).
I tried placing the two xhtml files in the detailedinfo folder, but then the CSS won't work.
My CSS linking style: <link rel="stylesheet" href="../css/normalize.css"></link>
Also, if we put the CSS elsewhere the page loads, but when I refresh the page,
e.g. localhost:9080/Dashboarddetails/detailedinfo/healthcheck.xhtml
it gives an HTTP 403 error as access is denied; it only loads the first time.
I have used a security constraint but it is not working, please help.
<security-constraint>
<display-name>Restrict raw XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>/detailedinfo/*</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
<url-pattern>/detailedinfo/*.xhtml</url-pattern> did not work, so I used the above one.
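An added example, not part of the question, of another way to express the rule. A Servlet url-pattern can only be an exact path, a prefix such as /detailedinfo/*, or an extension such as *.xhtml; the mixed form /detailedinfo/*.xhtml is taken as an exact path and matches only that literal URL, which is why the second attempt had no effect, and the prefix form also covers the CSS files in the folder, which is what broke the stylesheet link. A Filter can combine both conditions. Like the security-constraint, it blocks every request for those views that arrives straight from the browser, refresh and form postback included, so it fits views that are only ever rendered through the application's own navigation. The class name DetailedInfoAccessFilter is hypothetical, the folder name is the one from the question, and a Servlet 3.0+ container (javax.servlet) is assumed.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the question): refuses direct browser requests for
 * Facelets views under /detailedinfo/ while leaving the other files in that
 * folder (CSS, images) reachable.
 *
 * Only DispatcherType.REQUEST is mapped, so the filter never sees server-side
 * forwards or includes; it decides only on requests that come from the client.
 */
@WebFilter(urlPatterns = "/detailedinfo/*", dispatcherTypes = DispatcherType.REQUEST)
public class DetailedInfoAccessFilter implements Filter {

    /** Folder (from the question) whose views must not be requested directly. */
    static final String PROTECTED_PREFIX = "/detailedinfo/";

    /**
     * Pure decision helper: true when the context-relative path names a
     * Facelets view inside the protected folder. The extension check is
     * case-insensitive so that "healthcheck.XHTML" on a case-insensitive file
     * system cannot bypass the check and reach the default servlet.
     */
    static boolean isDirectViewRequest(String contextRelativePath) {
        if (contextRelativePath == null) {
            return false;
        }
        String lower = contextRelativePath.toLowerCase(Locale.ROOT);
        return lower.startsWith(PROTECTED_PREFIX) && lower.endsWith(".xhtml");
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // servletPath + pathInfo is the path inside this web application,
        // already normalised by the container (no context path, no "..",
        // no ";jsessionid" path parameter).
        String path = request.getServletPath();
        if (request.getPathInfo() != null) {
            path += request.getPathInfo();
        }

        if (isDirectViewRequest(path)) {
            // 404 rather than 403: a direct requester learns nothing about
            // which views exist behind the application.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

Because the filter is registered by annotation, web.xml must not set metadata-complete="true"; if it does, declare the filter there instead, with a filter-mapping that lists only <dispatcher>REQUEST</dispatcher>, so that the filter keeps ignoring forwards.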

Related

OmniFaces CDNResourceHandler could not find resources when not included locally

I'm using OmniFaces CDNResourceHandler to point my resources to a CDN, instead of local files.
I added this line in my XHTML file: <h:outputStylesheet library="twitter-bootstrap" name="bootstrap.min.css" />
And my faces-config.xml has this line:
<context-param>
<param-name>org.omnifaces.CDN_RESOURCE_HANDLER_URLS</param-name>
<param-value>
twitter-bootstrap:bootstrap.min.css=https://somehost/twitter-bootstrap/3.3.7/bootstrap.min.css
</param-value>
</context-param>
And I'm getting this error when accessing the page:
Unable to find resource twitter-bootstrap, bootstrap.min.css
Note: When I access the file at https://somehost/twitter-bootstrap/bootstrap.min.css I can download the file properly.
I'm using Mojarra under Wildfly configured to Development stage.
The resource handler is properly configured at faces-config.xml file.
<application>
<resource-handler>org.omnifaces.resourcehandler.CDNResourceHandler</resource-handler>
</application>
I did some tests, and I noticed that the error doesn't occur if I create an empty file bootstrap.min.css under WEBAPP_FOLDER/resources/twitter-bootstrap. If I delete the file, the error occurs again.
Even if I use a CDN, do I need to keep resources locally?
The CDNResourceHandler is primarily intended to move auto-included JSF resources to a CDN, such as the jsf.js file from <f:ajax>, or primefaces.js and jquery.js from PrimeFaces, or to automatically switch to a CDN when installed in production.
You don't need it in your case with a permanent CDN resource. Just use plain <link>.
<link rel="stylesheet" href="https://somehost/twitter-bootstrap/bootstrap.min.css" />
This is also explicitly mentioned in the CDNResourceHandler documentation.
For non-JSF resources, you can just keep using plain HTML <script> and <link> elements referring the external URL
Update: as you're not the first one who wondered about this, I've as per issue 122 bypassed this technical restriction for OmniFaces 2.6. In other words, you do not necessarily need a local resource anymore.

Web Flow + JSF integration default page

I use Web Flow and JSF, and they work well actually. But I am trying to find an alternative way to set a default page, different from redirecting on index.html.
The main problem is that web analytics scripts don't work properly. I can't track the user source for the home page.
The application runs on Tomcat 8.
Web.xml
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
index.html
<html>
<head>
<meta http-equiv="Refresh" content="0; URL=web/home-page">
</head>
</html>
UPDATE :
I replaced index.html with index.jsp and I set the response status to 301. At least it works for Google Analytics, so I'll check it out for other analytics tools.
But this solution still did not satisfy me.
Web.xml
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
index.jsp
<%
response.setStatus(301);
String path=(String)request.getAttribute("javax.servlet.forward.request_uri");
if(path==null){
path="web/home-page";
}
response.setHeader( "Location", path);
response.setHeader( "Connection", "close" );
%>
I would use the Spring Security project instead of welcome files, because JSF (or any view framework) is not aware of how to resolve a view in welcome-file; that is why your logic is not executing.
A possible solution, if you are using the Spring Security project: add the following to your security config
<security:http auto-config="true" use-expressions="true">
<!-- config omitted for brevity -->
<security:session-management invalid-session-url="/index.jsp"/>
</security:http>
Again, this is just a sample. You can also use other means to define rules. It is quite modular:
<security:intercept-url pattern="/**" ....
Moreover, you will need to define a classless controller with the following definition (assuming you are also using Spring MVC with Web Flow):
<mvc:view-controller path="/index.jsp" />
I think it's less cryptic to define intercept, forward, routing, etc. rules all in the Spring Security config; that way it is clear that any such rules are stored in one place.
Note: you might be able to keep your current setup and use that spring <mvc:view-controller path="/index.jsp" /> definition only to trigger the JSF to execute.

how to get the url of the initially requested page?

I use the following web.xml setting to direct users who are not logged in to /faces/loginPage.xhtml.
In /faces/loginPage.xhtml I will authenticate the user and redirect the user to the home page.
Now I want to redirect the user to the page she initially requested, instead of the home page. How do I do that? Specifically, how to get the url of the initially requested page?
<security-constraint>
<display-name>MyConstraint</display-name>
<web-resource-collection>
<web-resource-name>wrcoll</web-resource-name>
<description />
<url-pattern>/faces/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>myUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>my_ldap_domain</realm-name>
<form-login-config>
<form-login-page>/faces/loginPage.xhtml</form-login-page>
<form-error-page>/error.xhtml</form-error-page>
</form-login-config>
</login-config>
You seem to be performing the login through a JSF managed bean instead of through j_security_check, because if you were using the latter, this would already be taken into account automatically.
The FORM based authentication login page is displayed by a RequestDispatcher#forward() the usual Servlet API way. So the request URI of the initially requested page is available as a request attribute with the name as specified by RequestDispatcher.FORWARD_REQUEST_URI, which has a value of "javax.servlet.forward.request_uri".
So, in EL context it's available as
#{requestScope['javax.servlet.forward.request_uri']}
And in JSF context it's available as
String originalURL = (String) FacesContext.getCurrentInstance().getExternalContext().getRequestMap().get("javax.servlet.forward.request_uri");
This needs to be collected on the initial request, not on the form submit. Easiest would be to grab it in the constructor of a @ViewScoped managed bean which is attached to the page. An alternative with a @RequestScoped bean is to include a plain HTML <input type="hidden"> with that value in the login form and set it as a @ManagedProperty.
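The answer's advice to grab the forwarded URI in a @ViewScoped bean, carried through as an added example that is not part of the answer. It also keeps the query string (RequestDispatcher.FORWARD_QUERY_STRING, the sibling attribute "javax.servlet.forward.query_string") and, because the forwarded request URI is whatever the client asked for, checks that the redirect target stays inside this application before using it. Assumptions: JSF 2.x javax.faces.bean annotations, a Servlet 3.0+ container, a FORM login-config like the one in the question whose form-login-page is the view this bean backs, and HttpServletRequest#login for the programmatic login; the names LoginBean, HOME and localTarget are hypothetical.

```java
import java.io.IOException;
import java.io.Serializable;

import javax.annotation.PostConstruct;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Added example (not from the answer): login bean that remembers the page the
// container forwarded away from and sends the user back there after login.
@ManagedBean
@ViewScoped
public class LoginBean implements Serializable {

    private static final long serialVersionUID = 1L;

    // Fallback when the login page was opened directly (hypothetical path).
    static final String HOME = "/faces/secured/home.xhtml";

    private String username;
    private String password;
    private String originalUrl;

    // Runs on the initial GET that the container forwarded to the login page.
    // The view scope carries the value over to the postback, where the
    // forward attributes are no longer present in the request map.
    @PostConstruct
    public void init() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        String uri = (String) ec.getRequestMap().get(RequestDispatcher.FORWARD_REQUEST_URI);
        String query = (String) ec.getRequestMap().get(RequestDispatcher.FORWARD_QUERY_STRING);
        originalUrl = localTarget(uri, query, ec.getRequestContextPath());
    }

    // The forwarded URI came from the client, so it is checked before it is
    // used as a redirect target: it must lie inside this context path and
    // must not be scheme-relative ("//host/..."), carry a scheme, or contain
    // CR/LF. Anything else falls back to HOME. (The forward attribute holds
    // the full request URI, context path included.)
    static String localTarget(String uri, String query, String contextPath) {
        if (uri == null || uri.startsWith("//") || uri.contains(":")
                || uri.contains("\r") || uri.contains("\n")
                || !uri.startsWith(contextPath + "/")) {
            return contextPath + HOME;
        }
        return (query == null || query.isEmpty()) ? uri : uri + "?" + query;
    }

    // Action method of the login button; HttpServletRequest#login hands the
    // credentials to the container realm named in login-config.
    public String login() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();
        try {
            request.login(username, password);
        } catch (ServletException e) {
            // One generic message: do not reveal which of the two fields was wrong.
            fc.addMessage(null, new FacesMessage("Login failed"));
            return null;
        } finally {
            password = null; // drop the clear-text password from the view state
        }
        ec.redirect(originalUrl); // ExternalContext#redirect marks the response complete
        return null;
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
    public String getOriginalUrl() { return originalUrl; }
}
```

The login form binds its two fields to #{loginBean.username} and #{loginBean.password} and its button to #{loginBean.login}; the bean is instantiated on the forwarded GET because the page references it, which is when init() sees the forward attributes.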

Adding user role constraint redirects Browser to jsf.js script?

My JSF form login was working with Constraint 1; however, when I added Constraint 2 to my web.xml, doing a submit on the form now takes me to a JSF JavaScript page. Can someone tell me what I am doing wrong? I'm hoping this is a quick configuration mistake.
I would like only administrators to be able to access the /admin/* pages and only registered users to access the entire site, including admin files. BTW, after I see the JavaScript page I can still navigate to the intended page in the browser; I just don't want the user to see the intermediate JS page or need to know the target page URL.
Constraint 1
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>ADMIN</role-name>
</auth-constraint>
</security-constraint>
Constraint 2
<security-constraint>
<display-name>Users</display-name>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>USER</role-name>
</auth-constraint>
</security-constraint>
Here is the undesired url I am being redirected to:
javax.faces.resource/jsf.js.xhtml?ln=javax.faces&stage=Development
Here is the start of the jsf.js.xhtml... which is displayed on Firefox
/**
#project JSF JavaScript Library
#version 2.0
#description This is the standard implementation of the JSF JavaScript Library.
*/
/**
* Register with OpenAjax
*/
if (typeof OpenAjax !== "undefined" &&
typeof OpenAjax.hub.registerLibrary !== "undefined") {
OpenAjax.hub.registerLibrary("jsf", "www.sun.com", "2.0", null);
}
// Detect if this is already loaded, and if loaded, if it's a higher version
if (!((jsf && jsf.specversion && jsf.specversion >= 20000 ) &&
(jsf.implversion && jsf.implversion >= 3))) {
...
On Internet Explorer 8.0.7 I get this popup
Notes
I'm using Firefox 10.0.4, IE 8.03, Glassfish 3.1 w JSF2.0 lib, j_security_check, and my login realm setup is similar to this
Try adding
<intercept-url pattern="/javax.faces.resource/**" access="hasRole('ROLE_ANONYMOUS')"/>
to your security.xml.
See comments below accepted answer JSF with Spring security - Redirect to specified page after login
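The answer's intercept-url line is Spring Security XML configuration. As an added example that is not from the thread, here is the same rule in Spring Security Java configuration together with the two constraints from the question, so that the ordering which makes it work is visible in one place. Why the browser ends up on jsf.js: the login page itself loads jsf.js, that request falls under the /* constraint, the container saves it as the protected request to return to, and the post-login redirect goes there instead of to the page the user wanted. Assumptions: Spring Security 4.x or 5.x (WebSecurityConfigurerAdapter), a login view at the hypothetical path /login.xhtml, and authorities granted as ROLE_ADMIN / ROLE_USER, which is what hasRole() expects.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

// Added example (not from the thread): the answer's intercept-url rule and the
// question's two constraints as Spring Security Java configuration.
// Rules are evaluated first-match, top to bottom, so the order matters: the
// JSF resource path is opened before the catch-all, and /admin/** is narrowed
// before the USER rule that covers the whole site.
@Configuration
@EnableWebSecurity
public class JsfSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // jsf.js, CSS and images served by the JSF resource handler.
                // Without this rule the browser's fetch of jsf.js is itself a
                // protected request, gets saved as the "requested page", and
                // the post-login redirect lands on it.
                .antMatchers("/javax.faces.resource/**").permitAll()
                // Constraint 1 from the question: /admin/* only for ADMIN.
                .antMatchers("/admin/**").hasRole("ADMIN")
                // Constraint 2: everything else needs an authenticated USER.
                .anyRequest().hasRole("USER")
                .and()
            .formLogin()
                .loginPage("/login.xhtml")   // hypothetical login view
                .permitAll();
    }
}
```

With container-managed security and j_security_check, which the question uses on Glassfish, the equivalent is a second <security-constraint> in web.xml whose <url-pattern> is /javax.faces.resource/* and which has no <auth-constraint> at all: a constraint without an auth-constraint permits unauthenticated access, and since the container applies the constraint whose pattern best matches the request, that longer prefix takes precedence over /* for the JSF resources.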

How to use htpasswd protection in Tomcat?

I have already created a user database file using Apache's htpasswd command. This file is now used by several other applications like Apache and Subversion.
Users are created like this:
htpasswd /path/to/users.htpasswd peter
This user file is global, not per directory.
How can I make Tomcat 6 use this same file as a security realm?
Most similar to the htpasswd may be the MemoryRealm.
I had problems myself finding a simple example of how to use it, so I'll post some easy example code here:
Set up a role, username and password in tomcat-users.xml
Your web.xml should contain something like:
<security-constraint>
<web-resource-collection>
<web-resource-name>My Protected WebSite</web-resource-name>
<url-pattern>/*</url-pattern>
<!-- Listing http-method elements constrains only those methods; HEAD, PUT,
     DELETE, OPTIONS and the rest stay unprotected. Leave the http-method
     elements out to cover every method. -->
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<!-- the same as in your tomcat-users.xml file -->
<role-name>test</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Basic Authentication</realm-name>
</login-config>
<security-role>
<description>Test role</description>
<role-name>test</role-name>
</security-role>
Add this to your server.xml file:
<Realm className="org.apache.catalina.realm.MemoryRealm"></Realm>
To secure access to your Tomcat webapp, you can implement your simple security constraint (e.g. in /var/lib/tomcat7/webapps/*/WEB-INF/web.xml) as below (just add it before </web-app> ending):
<!-- This security constraint protects your webapp interface. -->
<login-config>
<!-- Define the Login Configuration -->
<auth-method>BASIC</auth-method>
<realm-name>Webapp</realm-name>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<!-- Specifying a Secure Connection -->
<user-data-constraint>
<!-- transport-guarantee can be CONFIDENTIAL (forced SSL), INTEGRAL, or NONE.
     NONE does not force HTTPS; BASIC credentials then travel base64-encoded
     in clear text, so CONFIDENTIAL is the safer value. -->
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Authorization, see: tomcat-users.xml -->
<security-role>
<role-name>*</role-name>
</security-role>
The login-config element contains the auth-method element, which specifies the authentication method that we use, which is BASIC. The security-constraint element contains 3 elements: web-resource-collection, auth-constraint, and user-data-constraint. The web-resource-collection specifies the parts of our application that require authentication. The /* indicates that the whole application requires authentication. The auth-constraint specifies the role that a user needs to have in order to access the protected resources. The user-data-constraint's transport-guarantee can be NONE, CONFIDENTIAL or INTEGRAL. We set it to NONE, which means that redirecting to SSL is not required when you try to hit the protected resource.
Also make sure that you have the line:
<Realm className="org.apache.catalina.realm.MemoryRealm" />
inside your conf/server.xml (Engine section).
If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation (locate tomcat-users.xml). That file must contain the credentials to let you use the Tomcat webapp.
For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above:
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
Then you can access your webapp manager at /manager/html (e.g. for reloading after config changes).
Read more: Manager App HOW-TO.
Then restart your Tomcat and when accessing your webapp, it should ask you for the right credentials.
See also:
HTTP Basic Authentication in Java at Oracle site
Specifying an Authentication Mechanism in Java at Oracle site
Realm Configuration HOW-TO at Apache Tomcat site
Setting up role based security in tomcat
How do I use Basic authentication with Tomcat?
There are two options:
Use Apache as a front end to Tomcat (using either mod_jk or mod_proxy_ajp) and let Apache do the authentication. You can find details on how to do so here.
If you want Tomcat to do the authentication, then you need to use something other than the htpasswd file. There are 4 ways to store the users' credentials: a database, JNDI/LDAP, an XML file or a JAAS provider. You can read about all the options in the Realm Configuration HOW-TO.
