Welcome page is displayed without being redirected to login page - jsf

I have the following web.xml file. I kept the welcome page inside the security check so that it would redirect to the login page, but the welcome page is displayed without the user logging in. Is this the correct way?
<welcome-file-list>
<welcome-file>/GISPages/welcome.xhtml</welcome-file>
</welcome-file-list>
<resource-ref>
<res-ref-name>jdbc/Gis_WebApp</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Pages</web-resource-name>
<url-pattern>/GISPages/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>registereduser</role-name>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Live</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/noauth.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>registereduser</role-name>
</security-role>
<security-role>
<role-name>admin</role-name>
</security-role>

Security constraints protect a URL pattern, but in this case, due to the welcome-file setting, your default URL will change to something like http://:port/webcontext/ and welcome.xhtml will be displayed, whereas as per the URL pattern defined a protected URL should look like http://:port/webcontext/GISPages/welcome.xhtml
Since the URL pattern did not match, the application server rendered the page content.
The only solution which worked for me is to check UserPrincipal in a prerender event
<f:event type="preRenderComponent"
listener="#{bean.forwardToLoginIfNotLoggedIn}" />
and redirect to login.xhtml if UserPrincipal returns null.
Apologies for opening an old thread. I recently faced a similar issue, hence I thought that this might be useful to some.
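The prerender check described in the answer above, written out as an added example (it is not code from the answer or from the asker's project). It assumes JSF 2.x with the javax.faces.bean annotations, that the bean is registered under the name "bean" used in the f:event listener, and that the form-login page lives at /login.xhtml as in the web.xml above; the "requestedView" session key is an assumption as well.

```java
import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.faces.event.ComponentSystemEvent;

// Added example: guards JSF views that the container's url-pattern does not
// reach (such as a welcome file served under the context root). The bean name
// "bean" mirrors the listener expression in the answer.
@ManagedBean(name = "bean")
@RequestScoped
public class LoginGuardBean implements Serializable {

    private static final long serialVersionUID = 1L;

    /** Form-login page from the web.xml above, relative to the context root (assumed). */
    private static final String LOGIN_PAGE = "/login.xhtml";

    /**
     * Bound to <f:event type="preRenderView" listener="#{bean.forwardToLoginIfNotLoggedIn}"/>
     * inside <f:metadata>, so it runs before any part of the protected view is rendered.
     */
    public void forwardToLoginIfNotLoggedIn(ComponentSystemEvent event) throws IOException {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        ExternalContext externalContext = facesContext.getExternalContext();

        // Null until the container has authenticated this session via FORM login.
        Principal user = externalContext.getUserPrincipal();
        if (user != null) {
            return; // authenticated: let the view render normally
        }

        // Remember the requested view so the login page can send the user back.
        String requestedView = facesContext.getViewRoot().getViewId();
        externalContext.getSessionMap().put("requestedView", requestedView);

        // Redirect rather than forward: the browser URL becomes the login page and
        // nothing of the protected view is written to the response.
        externalContext.redirect(externalContext.getRequestContextPath() + LOGIN_PAGE);
        facesContext.responseComplete();
    }
}
```

The page snippet above uses preRenderComponent on a component; placing the listener in f:metadata as preRenderView fires it once for the whole view before rendering begins. This bean only covers JSF views that reach the render phase, so keep the /GISPages/* constraint in web.xml: it is still what stops direct requests to /GISPages/welcome.xhtml and any non-JSF resources under that path.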


how to get the url of the initially requested page?

I use the following web.xml setting to direct unlogged-in user to /faces/loginPage.xhtml.
In /faces/loginPage.xhtml I will authenticate the user and redirect the user to the home page.
Now I want to redirect the user to the page she initially requested, instead of the home page. How do I do that? Specifically, how to get the url of the initially requested page?
<security-constraint>
<display-name>MyConstraint</display-name>
<web-resource-collection>
<web-resource-name>wrcoll</web-resource-name>
<description />
<url-pattern>/faces/secured/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<description />
<role-name>myUser</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>my_ldap_domain</realm-name>
<form-login-config>
<form-login-page>/faces/loginPage.xhtml</form-login-page>
<form-error-page>/error.xhtml</form-error-page>
</form-login-config>
</login-config>
You seem to be performing the login through a JSF managed bean instead of through j_security_check. If you were using the latter, this would already be taken into account automatically.
The FORM based authentication login page is displayed by a RequestDispatcher#forward() the usual Servlet API way. So the request URI of the initially requested page is available as a request attribute with the name as specified by RequestDispatcher.FORWARD_REQUEST_URI, which has a value of "javax.servlet.forward.request_uri".
So, in EL context it's available as
#{requestScope['javax.servlet.forward.request_uri']}
And in JSF context it's available as
String originalURL = (String) FacesContext.getCurrentInstance().getExternalContext().getRequestMap().get("javax.servlet.forward.request_uri");
This needs to be collected on the initial request, not on the form submit. Easiest would be to grab it in the constructor of a @ViewScoped managed bean which is attached to the page. An alternative with a @RequestScoped bean is to include a plain HTML <input type="hidden"> with that value in the login form and set it as @ManagedProperty.
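The @ViewScoped variant from the answer above, as an added example rather than the answer's own code. It assumes JSF 2.x with javax.faces.bean annotations, a Servlet 3.0 container so that HttpServletRequest#login() can authenticate against the realm named in login-config, and a fallback home page at /faces/secured/home.xhtml (an assumed path; the asker's home page is not named).

```java
import java.io.IOException;
import java.io.Serializable;

import javax.annotation.PostConstruct;
import javax.faces.application.FacesMessage;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.ViewScoped;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

// Added example: backs /faces/loginPage.xhtml and sends the user back to the
// page the container originally forwarded away from.
@ManagedBean
@ViewScoped
public class LoginBean implements Serializable {

    private static final long serialVersionUID = 1L;

    private String username;
    private String password;
    /** Captured on the initial GET of the login page, before any form submit. */
    private String originalURL;

    @PostConstruct
    public void init() {
        ExternalContext ec = FacesContext.getCurrentInstance().getExternalContext();
        // Set by the container's RequestDispatcher#forward() to the login page;
        // it already includes the context path, e.g. /myapp/faces/secured/report.xhtml.
        originalURL = (String) ec.getRequestMap().get(RequestDispatcher.FORWARD_REQUEST_URI);
        if (originalURL == null) {
            // Login page opened directly, not via a protected resource: fall back (assumed path).
            originalURL = ec.getRequestContextPath() + "/faces/secured/home.xhtml";
        } else {
            // Preserve the original query string, which the forward exposes separately.
            String query = (String) ec.getRequestMap().get(RequestDispatcher.FORWARD_QUERY_STRING);
            if (query != null) {
                originalURL += "?" + query;
            }
        }
    }

    public void login() throws IOException {
        FacesContext fc = FacesContext.getCurrentInstance();
        ExternalContext ec = fc.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ec.getRequest();
        try {
            // Programmatic container login (Servlet 3.0): the realm from login-config
            // validates the credentials and the session becomes authenticated.
            request.login(username, password);
            ec.redirect(originalURL);
        } catch (ServletException e) {
            // Wrong credentials: stay on the login page with a message, no redirect.
            fc.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
        }
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

Because the forward attribute is written by the container rather than taken from a request parameter, it is a same-origin path and safe to redirect to as-is. If you instead carry the value through a hidden input with a @RequestScoped bean, treat it as untrusted and accept only a context-relative path, otherwise the login form becomes an open redirect.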

Tomcat 7 - Multiple security-constraints not working

Running Tomcat 7, I am trying to configure the /conf/web.xml on the Tomcat server to secure some URLs with basic authentication and to provide some other URLs for public access.
The tomcat-users.xml contains following role and user:
<role rolename="test-ui"/>
<user username="paul" password="password" roles="test-ui"/>
I have added the following section to Tomcats /conf/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Public access</web-resource-name>
<url-pattern>/docs/*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected access</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>test-ui</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<description>Protected access</description>
<role-name>test-ui</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
So there are two 'security-constraint' elements; the public one does not contain the 'auth-constraint', which should actually mean that no authentication is necessary.
When I open the URL
http://localhost:8080
Tomcat asks for authentication.
This is fine, however when I open the URL
http://localhost:8080/docs/
Tomcat also asks for authentication, and to my understanding this is configured as a "non secure" URL, so public access, but it does not behave like this.
What did I do wrong in the configuration, or is this scenario not supposed to work like this?
Thanks.
Paul
You need the <auth-constraint> node in the <security-constraint>, even if it is empty, e.g. <auth-constraint/>
If a security-constraint does not exist, the Container MUST allow unauthenticated access for these URLs. security-constraint is optional.

How do I share security-constraint between .wars?

I have a Java EE app server (jboss-eap-4.3) and several .wars that make up a larger web application. The idea is that a .war can be run separately or linked from another .war. As they are all part of the same app conceptually, we don't want to present several logins.
I want to configure the .wars so that they all share the same security-constraints and security roles. Basically this part of web.xml:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>Admin</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>WebApp</realm-name>
</login-config>
Our roles have been changing often lately and we're adding new .wars periodically as well. Additionally we change the auth-method depending on the deployment environment, which adds another reason to tweak. Ideally I'd like a way to break off the security portion of the web.xml so it can be "inherited" by the others. I thought realms might be a good place to look for this, but I didn't turn up anything promising.
Note that there are still other web apps in this container with a completely different security-domain, so a global setting for tomcat may not be appropriate.
Not a great answer, but I ended up automating the dirty work with ant macrodefs like the one below.
<!--
| Take a "plain" web.xml and add security settings to it.
| This will add BASIC authentication with Admin, Operator, and Guest role access
|
-->
<taskdef resource="net/sf/antcontrib/antlib.xml" />
<macrodef name="addSecurityToWeb.xml">
<attribute name="file"/>
<sequential>
<if>
<not>
<isfileselected file="@{file}">
<contains text="login-config" ignorewhitespace="true"/>
</isfileselected>
</not>
<then>
<replace file="@{file}">
<replacetoken><![CDATA[</web-app>]]></replacetoken>
<replacevalue>
<![CDATA[
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
<transport-guarantee>NONE</transport-guarantee>
</security-constraint>
<!-- Security roles referenced by this web application -->
<security-role>
<role-name>Admin</role-name>
</security-role>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>WebApp</realm-name>
</login-config>
</web-app>
]]>
</replacevalue>
</replace>
</then>
</if>
</sequential>
</macrodef>

WebLogic simple realm (like tomcat-users.xml)

Like this fellow here, I'm trying to port a Tomcat application to WebLogic.
I have a few resources protected by security rules in web.xml. Instead of BASIC, I'm using FORM authentication, but that should be irrelevant.
In Tomcat, it's very easy to set up a simple security realm, by editing conf/tomcat-users.xml.
How do I set up a simple security realm in WebLogic? All I want is for the user to input his username and password and have it authenticated by the container.
<security-constraint>
<web-resource-collection>
<web-resource-name>basic-auth security</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>HELLO_USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>somerealm</realm-name>
<form-login-config>
<form-login-page>login.jsp</form-login-page>
<form-error-page>error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>HELLO_USER</role-name>
</security-role>
There is a default WebLogic realm called "myrealm". Create the user(s) there using the WebLogic web console. Also create a group (e.g. HELLO_GROUP) and assign your user(s) to that group.
Create a weblogic.xml file and map the HELLO_USER role onto the HELLO_GROUP with a structure like:
<weblogic-web-app>
...
<security-role-assignment>
<role-name>HELLO_USER</role-name>
<principal-name>HELLO_GROUP</principal-name>
</security-role-assignment>
...
</weblogic-web-app>

BlazeDS Security Custom LoginCommand

I've implemented my own LoginCommand and it works perfectly for all the remote calls from Flex. But besides the Flex remote objects I'd like to protect some other web resources like HTML, JSP and SWF files, so I added a security-constraint with a URL pattern in the web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>FlexClient Secure Webapp</web-resource-name>
<description>Security constraint /secure</description>
<url-pattern>/main.jsp</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description>only authenticated user</description>
<role-name>flexclient-user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login.jsp</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>flexclient-user</role-name>
</security-role>
Security configuration in services-config.xml
<security>
<login-command class="ch.tie.iengine.flex.security.LoginCommand" server="all" >
<per-client-authentication>false</per-client-authentication>
</login-command>
<security-constraint id="trusted">
<auth-method>Custom</auth-method>
<roles>
<role>flexclient-user</role>
</roles>
</security-constraint>
</security>
But even once I have authenticated successfully through remote calls I cannot call the other resources. It always forwards me to login.jsp.
Has anyone had a similar issue?
