How to secure a single url in a weblogic application? - security

UPDATE 2:
What seems to be the root of the problem is that I can only successfully secure the root of the application (e.g. the "/"). When I try to secure any other URL, it gives me a 403. Unsecured URLs work without problem.
ORIGINAL QUESTION:
I made this basic application where I want to be able to have one secured page and one unsecured page. I currently get a 403 whenever I try to access my secured page (after giving the correct login data). Below I've posted the web.xml I have been trying to work with. I can access the unsecured page with no problem.
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_10" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Login test</display-name>
<!-- Servlet config -->
<servlet>
<servlet-name>AfterLoginServlet</servlet-name>
<servlet-class>test.AfterLoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AfterLoginServlet</servlet-name>
<url-pattern>/secured</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>UnsecuredServlet</servlet-name>
<servlet-class>test.UnsecuredServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UnsecuredServlet</servlet-name>
<url-pattern>/unsecured</url-pattern>
</servlet-mapping>
<!-- Login and security config -->
<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>test.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
<security-role>
<role-name>demorole</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>secured pages</web-resource-name>
<url-pattern>/secured</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>demorole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRealm</realm-name>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/error</form-error-page>
</form-login-config>
</login-config>
<session-config>
<session-timeout>20</session-timeout>
</session-config>
</web-app>
I've tried a few other options to make sure my application was working.
Turned security off completely: this worked without a hitch.
Set security to everything: I adapted the security-constraint to have the url-pattern be /*. This made me able to access only / (if I changed my servlet mapping).
So I succeed at securing either all pages or none of my pages, but I don't manage to secure only a portion of them. I don't really know what I could be doing wrong (though I'm sure it's something stupid).
UPDATE 1:
I have 2 working options now (for my simple test case):
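<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_10" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
<display-name>Login test</display-name>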
<!-- Servlet config -->
<servlet>
<servlet-name>AfterLoginServlet</servlet-name>
<servlet-class>test.AfterLoginServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AfterLoginServlet</servlet-name>
<url-pattern>/</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>UnsecuredServlet</servlet-name>
<servlet-class>test.UnsecuredServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>UnsecuredServlet</servlet-name>
<url-pattern>/unsecured</url-pattern>
</servlet-mapping>
<!-- Login and security config -->
<servlet>
<servlet-name>Login</servlet-name>
<servlet-class>test.Login</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Login</servlet-name>
<url-pattern>/login</url-pattern>
</servlet-mapping>
<security-role>
<role-name>demorole</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>unsecured</web-resource-name>
<url-pattern>/unsecured</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>secured pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>demorole</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRealm</realm-name>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/error</form-error-page>
</form-login-config>
</login-config>
<session-config>
<session-timeout>20</session-timeout>
</session-config>
</web-app>
I can also change the servlet mapping for AfterLoginServlet to /*. This still works on the / url, but not anything else...
UPDATE 3: Roles
So I actually have several applications that all suffer that same problem with security having to be /*.
I've used two possible configurations for roles that work:
The one you see here with demorole (defined role in web.xml and defined security-role assignment in weblogic.xml)
For this one, when I look in Security Realms -> [realm name] -> Roles and Policies -> Realm Roles, I see for every application that uses that role URL Pattern:/ Role:demorole in -> Web module -> Url Patterns and Role
One where I do not define a role and I just use All in the security constraint (no extra definitions in web.xml or weblogic.xml):
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>All</role-name>
</auth-constraint>
</security-constraint>

Try putting this in the weblogic.xml file:
<security-role-assignment>
<role-name>demorole</role-name>
<externally-defined/>
</security-role-assignment>

Related

ViewExpiredException immediately after logging

I read that it is a problem of expired session, but in my case it's impossible because the session was just opened when the exception is thrown: I get to login page, fill up form and submit. After that I get ViewExpiredException. What can I do to resolve the problem?
This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
<param-name>org.apache.myfaces.SERIALIZE_STATE_IN_SESSION</param-name>
<param-value>false</param-value>
<param-name>com.sun.faces.numberOfLogicalViews</param-name>
<param-value>100</param-value>
</context-param>
<listener>
<listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>pages/login.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<web-resource-name>Admin</web-resource-name>
<url-pattern>/pages/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>User</display-name>
<web-resource-collection>
<web-resource-name>User</web-resource-name>
<url-pattern>/pages/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<description/>
<role-name>user</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/pages/login.xhtml</form-login-page>
<form-error-page>/pages/errorLogin.xhtml?faces-redirect=true</form-error-page>
</form-login-config>
</login-config>
<error-page>
<error-code>403</error-code>
<location>/pages/errorLogin.xhtml</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/pages/sessionExpired.xhtml</location>
</error-page>
<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>/pages/sessionExpired.xhtml</location>
</error-page>
Try setting STATE_SAVING_METHOD to client in your web.xml.
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
If you want to stick with the server mode try to increase your views:
<context-param>
<param-name>org.apache.myfaces.NUMBER_OF_VIEWS_IN_SESSION</param-name>
<param-value>40</param-value>
<description>Only applicable if state saving method is "server" (= default).
Defines the amount (default = 20) of the latest views are stored in session.
</description>
</context-param>

Directory not secured unless refreshed JSF

I have implemented JAAS form-based security for my site, and it is supposed to protect all the .xhtml files inside a folder named "secured", but it does not until that page is refreshed.
On first visit the URL does not name the file either and just shows "faces/catalog.xhtml", which was the previous unprotected page; then if I hit refresh, it works.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
<param-value>/WEB-INF/bookstore.taglib.xml</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/catalog.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>customer</web-resource-name>
<description/>
<url-pattern>/faces/secured/checkout.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>customer</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myjdbc</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login_error.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>customer</role-name>
</security-role>
oh also calling the secured page like this:
public String buy() {
if (getNumberOfItems() < 1) {
message(null, "CartEmpty");
return (null);
} else {
return ("/secured/checkout");
}
}
Trying to figure this out for some time now, thanks for the help.

404 error after calling j_security_check

The weirdest thing happening in my web application. Here is the <security-constraint> section of web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Non-secure resources</web-resource-name>
<url-pattern>/js/*</url-pattern>
<url-pattern>/theme/*</url-pattern>
<url-pattern>/login.jsp</url-pattern>
<url-pattern>/logout.faces</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure resources</web-resource-name>
<url-pattern>/faces/*</url-pattern>
<url-pattern>/fragments/*</url-pattern>
<url-pattern>/pages/*</url-pattern>
<url-pattern>*.faces</url-pattern>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>AllAuthenticated</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>map</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginError.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>AllAuthenticated</role-name>
</security-role>
When the user accesses the application through http://<host-name>/<context-path>/, then the user is forwarded to the login page and after successful login everything is fine. But if the user accesses the application through http://<host-name>/<context-path>/login.jsp, after successful login, the user gets a 404 error message and the URL in the browser is http://<host-name>/<context-path>/j_security_check.
Does anybody know why this is happening and how I can prevent it?
You have to add these lines to your web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
</filter-mapping>
You should add this element in the web.xml.
<servlet-mapping>
<servlet-name>default</servlet-name>
<url-pattern>/j_security_check</url-pattern>
</servlet-mapping>

How to ensure a user is logged in before view any pages ? JSF

I have created a project. I wish to make sure the user is logged in and authenticated with my LDAP server. How would I go about this?
|-- META-INF
|-- WEB-INF
|-- resources
| |-- css
| | `-- style.css
|
|-- upload
| |-- uploadText.xhtml
|
|-- index.xhtml
|-- SubmittedText.xhtml
|-- etc.xhtml
I want to protect everything apart from the resources folder.
This is my current web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>Upload Filter</filter-name>
<filter-class>richard.fileupload.UploadFilter</filter-class>
<init-param>
<param-name>sizeThreshold</param-name>
<param-value>1024</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Upload Filter</filter-name>
<url-pattern>/upload/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>facelets.LIBRARIES</param-name>
<param-value>/WEB-INF/corejsf.taglib.xml</param-value>
</context-param>
<context-param>
<param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
<param-value>true</param-value>
</context-param>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>LDAP</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login-failed.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restircted resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
<!-- <http-method>GETLIB</http-method>
<http-method>COPY</http-method>
<http-method>MOVE</http-method>
<http-method>DELETE</http-method>
<http-method>PROPFIND</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>MKCOL</http-method>
<http-method>PROPPATCH</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>VERSION-CONTROL</http-method>
<http-method>CHECKIN</http-method>
<http-method>CHECKOUT</http-method>
<http-method>UNCHECKOUT</http-method>
<http-method>REPORT</http-method>
<http-method>UPDATE</http-method>
<http-method>CANCELUPLOAD</http-method>-->
</web-resource-collection>
<!-- No Auth Constraint! -->
</security-constraint>
</web-app>
Your <security-constraint> is missing the <auth-constraint>. A security constraint without an authentication constraint is basically a public resource. As an example, if you'd like to restrict all roles, then you should put the following authentication constraint within the security constraint.
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
All in all, if you want to restrict everything /* except for /javax.faces.resource/*, then you should have the following security constraints, exactly in this order in web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Restircted resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection>
<!-- No Auth Constraint! -->
</security-constraint>
Your list of HTTP method restrictions is somewhat ridiculous, just omit it. It by default already applies on every single HTTP method.

HTTP Status 403 - Access to the requested resource has been denied (CSS blocked?)

I have been trying to secure my project. I have a log in page that authenticates with an LDAP server and if not right it pulls up an error page etc. I have now just added
<auth-constraint> <!-- Currently causing a 403, looks like stopping .css files -->
<role-name>*</role-name>
</auth-constraint>
to my web.xml, to make sure the users are authenticated before they can view any page. However, it seems to be blocking my .css file, I think, as now the login page does not display any CSS at all and is just basic white, and when I press submit I get:
http://localhost:8080/fileuploadWithPreview/javax.faces.resource/theme.css.xhtml?ln=primefaces-aristo
with this error:
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
GlassFish Server Open Source Edition 3.1.2.2
This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
<filter>
<filter-name>Upload Filter</filter-name>
<filter-class>richard.fileupload.UploadFilter</filter-class>
<init-param>
<param-name>sizeThreshold</param-name>
<param-value>1024</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Upload Filter</filter-name>
<url-pattern>/upload/*</url-pattern>
</filter-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>index.xhtml</welcome-file>
</welcome-file-list>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>facelets.LIBRARIES</param-name>
<param-value>/WEB-INF/corejsf.taglib.xml</param-value>
</context-param>
<context-param>
<param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
<param-value>true</param-value>
</context-param>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>LDAP</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login-failed.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>user</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resources/*</url-pattern>
</web-resource-collection>
<!-- web resources that are protected -->
<web-resource-collection>
<web-resource-name>All Resources</web-resource-name>
<url-pattern>/*</url-pattern>
<!-- this is currently causing a 404 -->
<http-method>GETLIB</http-method>
<http-method>COPY</http-method>
<http-method>MOVE</http-method>
<http-method>DELETE</http-method>
<http-method>PROPFIND</http-method>
<http-method>GET</http-method>
<http-method>HEAD</http-method>
<http-method>PUT</http-method>
<http-method>MKCOL</http-method>
<http-method>PROPPATCH</http-method>
<http-method>LOCK</http-method>
<http-method>UNLOCK</http-method>
<http-method>VERSION-CONTROL</http-method>
<http-method>CHECKIN</http-method>
<http-method>CHECKOUT</http-method>
<http-method>UNCHECKOUT</http-method>
<http-method>REPORT</http-method>
<http-method>UPDATE</http-method>
<http-method>CANCELUPLOAD</http-method>
</web-resource-collection>
<auth-constraint> <!-- Currently causing a 403, looks like stopping .css files -->
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
</web-app>
Basically, what is stopping my css file and how can I allow it?
Your security constraint is also blocking requests on CSS files (basically, it is blocking everything which matches the specified URL pattern of /* except for the specified login page). You need to add another security constraint which should allow requests on JSF resources. The key is to omit the auth constraint to make those resources accessible by everyone.
<security-constraint>
<web-resource-collection>
<web-resource-name>Allowed resources</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
</web-resource-collection>
<!-- No Auth Constraint! -->
</security-constraint>
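Added example (not code from any of the posts above): a small Python checker that evaluates a request against `<security-constraint>` entries using the Servlet specification's best-match and constraint-combination rules, run on a constructed descriptor modelled on the `/*` plus `/javax.faces.resource/*` constraints from the two answers above. The `sample()` helper and the request paths are constructed for illustration; container-specific role mapping (WebLogic, GlassFish) is not modelled.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace

def _kids(el, name):
    return [c for c in el if _local(c.tag) == name]

def load_constraints(xml_text):
    """One (url_pattern, methods, roles) tuple per pattern; roles=None means no <auth-constraint>."""
    rules = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = _kids(sc, "auth-constraint")
        roles = {r.text.strip() for r in _kids(auth[0], "role-name")} if auth else None
        for wrc in _kids(sc, "web-resource-collection"):
            methods = {m.text.strip() for m in _kids(wrc, "http-method")}
            rules += [(p.text.strip(), methods, roles) for p in _kids(wrc, "url-pattern")]
    return rules

def _rank(pattern, path):
    """Best-match precedence: exact > longest path prefix > extension > default."""
    if pattern == path:
        return (3, len(pattern))
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    return (0, 0) if pattern == "/" else None

def decide(rules, path, method):
    ranked = [(_rank(r[0], path), r) for r in rules]
    ranked = [(k, r) for k, r in ranked if k is not None]
    if not ranked:
        return "public (no constraint matches)"
    best = max(k for k, _ in ranked)
    # Only constraints on the best-matching pattern that cover this method apply.
    hits = [r for k, r in ranked if k == best and (not r[1] or method in r[1])]
    if not hits:
        return "public (method not covered)"
    if any(r[2] is not None and not r[2] for r in hits):
        return "denied"   # an empty <auth-constraint/> precludes access
    if any(r[2] is None for r in hits):
        return "public"   # no <auth-constraint> at all
    return "roles:" + ",".join(sorted(set().union(*(r[2] for r in hits))))

def sample(methods=""):
    """Constructed web.xml fragment; `methods` is spliced into the /* collection."""
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee">
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Restricted resources</web-resource-name>
          <url-pattern>/*</url-pattern>{methods}
        </web-resource-collection>
        <auth-constraint><role-name>*</role-name></auth-constraint>
      </security-constraint>
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Allowed resources</web-resource-name>
          <url-pattern>/javax.faces.resource/*</url-pattern>
        </web-resource-collection>
      </security-constraint>
    </web-app>"""

if __name__ == "__main__":
    requests = (("/index.xhtml", "GET"), ("/javax.faces.resource/theme.css.xhtml", "GET"),
                ("/upload/uploadText.xhtml", "POST"))
    for label, xml in (("no http-method", sample()), ("GET only", sample("<http-method>GET</http-method>"))):
        rules = load_constraints(xml)
        for path, method in requests:
            print(f"{label:15} {method:5} {path:40} -> {decide(rules, path, method)}")
```

With `<http-method>GET</http-method>` listed on the `/*` collection, a POST falls outside the constraint and is reported as public, which is the practical reason to omit the method list when everything should be protected.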
