In my project, I am using SSL, but it works for all pages. I want to use it for only the login page; after that page it should revert to the HTTP protocol. How can I do that? I found a way below, but it does not work.
<security-constraint>
<web-resource-collection>
<web-resource-name>Notify page, accessed internally by application</web-resource-name>
<url-pattern>/Login.xhtml</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Site</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
My project is a JSF 2.0 project, I am using Eclipse Helios and Tomcat 7.0.
Thanks.
That's not possible. When the session is created by an HTTPS request, it is not available to HTTP requests. Your best bet is to create a non-secure cookie yourself during login and maintain the login by that instead.
ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
Map<String, Object> properties = new HashMap<String, Object>();
properties.put("secure", false); // cookie is sent over plain HTTP as well as HTTPS
externalContext.addResponseCookie(name, value, properties);
But think once again about this: what's the point of the HTTPS login then? If you go back to HTTP after HTTPS and you want to keep the user logged in, then you're required to set the session cookie insecure. This way hackers will still be able to sniff the session ID in the cookie to do a session fixation hack. With login over HTTPS you only prevent hackers from learning the actual username/password, but that has no point anymore once a hacker figures out the session ID in the cookie.
I'd say, forget the switch and stick to HTTPS all the time after login.
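To make the trade-off in the answer above checkable, here is an added Python script (example code, not part of the original post and not JSF or Tomcat code). It parses Set-Cookie headers, simulates the browser rule that a cookie carrying the Secure attribute is attached only to https:// requests (RFC 6265 §5.4), and reports a session cookie that is missing Secure or HttpOnly. The header lines and the list of session-cookie names are constructed assumptions, not captured from any server.

```python
"""Audit Set-Cookie headers for a session cookie that would also travel over plain HTTP.

Added example (not part of the original post, JSF or Tomcat): a small Set-Cookie
parser plus a simulation of the browser's Secure-attribute rule, so the trade-off
described in the answer can be checked against real response headers.
"""
from typing import Dict, List

# Assumption: these names identify the session cookie (JSESSIONID is the servlet default).
SESSION_COOKIE_NAMES = {"JSESSIONID", "SESSIONID", "PHPSESSID"}


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and attribute flags."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: Dict[str, object] = {
        "name": name.strip(), "value": value.strip(),
        "secure": False, "httponly": False, "attrs": {},
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key:
            cookie["attrs"][key] = val.strip()  # e.g. path, domain, max-age
    return cookie


def cookies_sent_for(cookies: List[Dict[str, object]], scheme: str) -> List[str]:
    """Names a browser attaches to a request over `scheme`: Secure cookies go only over https (RFC 6265 §5.4)."""
    return [str(c["name"]) for c in cookies if scheme == "https" or not c["secure"]]


def audit_session_cookies(headers: List[str]) -> List[str]:
    """Findings for session cookies that lack Secure or HttpOnly."""
    findings = []
    for c in map(parse_set_cookie, headers):
        if str(c["name"]).upper() not in SESSION_COOKIE_NAMES:
            continue
        if not c["secure"]:
            findings.append(f"{c['name']}: missing Secure; the browser will also send it over http://")
        if not c["httponly"]:
            findings.append(f"{c['name']}: missing HttpOnly; readable by page scripts")
    return findings


# Constructed sample headers (not captured from any real server).
HTTPS_ONLY_SESSION = [
    "JSESSIONID=3F2A9C1E7B; Path=/myapp; Secure; HttpOnly",
    "theme=dark; Path=/",
]
HTTP_FRIENDLY_SESSION = [
    "JSESSIONID=3F2A9C1E7B; Path=/myapp; HttpOnly",   # what a secure=false cookie looks like
]

if __name__ == "__main__":
    for label, hdrs in (("Secure session", HTTPS_ONLY_SESSION), ("secure=false session", HTTP_FRIENDLY_SESSION)):
        parsed = [parse_set_cookie(h) for h in hdrs]
        print(label, "| sent over http:", cookies_sent_for(parsed, "http"),
              "| findings:", audit_session_cookies(hdrs) or ["ok"])
```

Run against the constructed headers, the Secure session cookie is simply absent from an http:// request (so the server sees no session, which is the "not available to HTTP requests" behaviour), while the secure=false cookie is sent over http:// and is flagged as sniffable.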
My welcome screen is a kind of home screen, as on any website (it should be an unprotected resource).
Say http://domain:port/myApp, which redirects to the jsp file configured in the welcome-file-list of web.xml, say welcome.jsp.
But on click of any link present on welcome.jsp, those resources must be protected, and the corresponding urls will be like http://:port/myApp/someRequest
I have used the changes below in the deployment descriptor:
<security-constraint>
<web-resource-collection>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SuperUser</role-name>
</auth-constraint>
<user-data-constraint>
<description>Encryption is not required for the application in general.
</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<url-pattern>/styles/*</url-pattern>
<url-pattern>/welcome.jsp</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
The issue is that my home page, i.e. welcome.jsp, is still protected and the application redirects to the login screen on WebSphere Application Server, but it works fine in Tomcat and WildFly.
How do I make http://:port/myApp unprotected in WebSphere?
The WebContainer does not determine if it needs to use a welcome page for a specific request until the request is processed by the default servlet. When the WebContainer determines that there are no servlets mapped to this request, it will set the default servlet as the target, which will then check if a welcome page is needed. Before servicing the default servlet, the WebContainer invokes the security checks, which is where the request URI will be compared against the defined security constraints. The request URI in this scenario (/myApp) matches the /* constraint defined, so the authentication process will be triggered.
This is working as designed. In order to get the desired behavior, the security constraints will need to be made more specific instead of just /*. One possibility is to keep all static resources intended to be secured in a separate directory and define a constraint for that directory, for example /secured/*. For servlets you can define a servlet mapping pattern to use for secured servlets and add a more specific constraint to your security configuration to match that pattern similarly to the static resource example above.
I am fairly new to Solr and I have been researching this for the past day and a half and am finally turning here.
I have a Solr server up and running and I had my network admin configure a rule in the firewall so that we can access it for queries from my JavaScript application. This works. The issue I have is that the Solr admin pages are completely open to the world, and I have tried everything described in various posts with the exception of the ZooKeeper method, which I don't really want to try because I am not interested in setting up ZooKeeper and SolrCloud.
Reference post: http://muddyazian.blogspot.com/2013/11/how-to-require-password-authentication.html and some others
What I did was modify jetty.xml in /opt/solr/server/etc and added this
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Solr Admin Access</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
Then I added to web.xml in /opt/solr/server/solr-webapp/webapp/WEB-INF the config below
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr Admin Access</realm-name>
</login-config>
Then I created a realm.properties file and hashed the password according to this post: Jetty/SOLR Admin Panel Password.
Solr is now secure, but everything is password protected; I want my queries to be open and the rest protected. I tried adding different url patterns such as /admin/*, /mycollection/dataimport/* etc., but none of those seem to affect the fact that the query is also secured. Reference: https://gist.github.com/jstrassburg/9777027
Following the advice of Exclude a JSP from web.xml's security-contraint you can keep your configuration as is, but expose the endpoints that you want to be publicly available.
So you could add a <security-constraint> like this to your web.xml, but leave out the <auth-constraint> for the matched <url-pattern>. This will make it open to the public. Combined with the basic auth for the rest of your Solr instance, you can then expose step by step the cores or handlers that shall be public.
<security-constraint>
<web-resource-collection>
<web-resource-name>mycollection</web-resource-name>
<url-pattern>/mycollection/*</url-pattern>
</web-resource-collection>
</security-constraint>
A caveat of this is that you will need to add anything that shall be public as its own URL pattern. But this may also be a plus, as you have the option to do fine-grained access control for the collections, e.g. one user per collection.
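The WebSphere answer earlier on this page and the Solr answer above rest on the same rule: the container picks the security constraints declared on the url-pattern that best matches the request path (Servlet 3.0 §13.8.3, using the §12.1 matching order: exact, then longest path prefix, then extension, then the default "/"), and a constraint on the winning pattern that has no <auth-constraint> opens it. Below is an added Python model of that rule (example code, not part of the original posts and not code from WebSphere, Tomcat, Jetty or Solr). The constraint sets are constructed from the web.xml fragments quoted in the posts; the bare context-root request is modelled as the path "/", as the WebSphere answer describes it, and whether a container checks that original URI or the already-resolved welcome file is container-specific, which is exactly the difference the WebSphere question reports. The model ignores <http-method> lists and treats every constraint as covering all methods.

```python
"""Model of how a servlet container picks the <security-constraint> for a request.

Added example (not part of the original posts, WebSphere, Tomcat, Jetty or Solr): it
applies the Servlet 3.0 rules, §12.1 for url-pattern matching and §13.8.3 (constraints on
the best-matching pattern apply and combine), to constraints modelled on the posted web.xml
fragments. <http-method> lists are ignored: every constraint is taken to cover all methods.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

TRANSPORT_ORDER = ["NONE", "INTEGRAL", "CONFIDENTIAL"]   # weakest first


@dataclass
class Constraint:
    patterns: List[str]
    # None = no <auth-constraint> (public); set() = empty <auth-constraint/> (deny everyone)
    roles: Optional[Set[str]] = None
    transport: str = "NONE"                       # <transport-guarantee>


@dataclass
class Decision:
    matched_pattern: Optional[str]
    roles: Optional[Set[str]]
    transport: str

    @property
    def requires_login(self) -> bool:
        return self.roles is not None

    def permits(self, user_roles: Set[str]) -> bool:
        return self.roles is None or bool(self.roles & user_roles)


def match_quality(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Comparable quality of a match (higher wins) or None: exact, then longest prefix, extension, default."""
    if pattern == path:
        return (0, len(pattern))
    if pattern.endswith("/*"):
        prefix = pattern[:-2]                     # "/*" -> "", "/secured/*" -> "/secured"
        return (-1, len(prefix)) if path == prefix or path.startswith(prefix + "/") else None
    if pattern.startswith("*."):
        return (-2, len(pattern)) if path.rsplit("/", 1)[-1].endswith(pattern[1:]) else None
    if pattern == "/":
        return (-3, 0)                            # default pattern: matches anything
    return None


def resolve(constraints: List[Constraint], path: str) -> Decision:
    """Select the best-matching pattern and combine every constraint declared on it (§13.8.3)."""
    matches = [(q, p, c) for c in constraints for p in c.patterns
               if (q := match_quality(p, path)) is not None]
    if not matches:
        return Decision(None, None, "NONE")       # no constraint at all: request is accepted as-is
    best = max(q for q, _, _ in matches)
    applicable = [(p, c) for q, p, c in matches if q == best]
    # Combination on one pattern (precedence between the two overrides is this model's choice):
    if any(c.roles is None for _, c in applicable):
        roles = None                              # a constraint without <auth-constraint> opens the pattern
    elif any(not c.roles for _, c in applicable):
        roles = set()                             # an empty <auth-constraint/> denies all access
    else:
        roles = set().union(*(c.roles for _, c in applicable))
    transport = min((c.transport for _, c in applicable), key=TRANSPORT_ORDER.index)
    return Decision(applicable[0][0], roles, transport)


# Constructed constraint sets modelled on the web.xml fragments quoted in the posts above.
SOLR = [
    Constraint(["/*"], roles={"admin"}),          # BASIC auth over the whole webapp ...
    Constraint(["/mycollection/*"]),              # ... but this core carries no <auth-constraint>
]
WEBSPHERE_QUESTION = [
    Constraint(["/*"], roles={"SuperUser"}),
    Constraint(["/styles/*", "/welcome.jsp"]),
]
LOGIN_ONLY_TLS = [                                # the first question's two constraints
    Constraint(["/Login.xhtml"], transport="CONFIDENTIAL"),
    Constraint(["/*"], transport="NONE"),
]

if __name__ == "__main__":
    for name, cs, path in (("Solr", SOLR, "/mycollection/select"), ("Solr", SOLR, "/admin/cores"),
                           ("WebSphere", WEBSPHERE_QUESTION, "/"), ("WebSphere", WEBSPHERE_QUESTION, "/welcome.jsp"),
                           ("Login", LOGIN_ONLY_TLS, "/Login.xhtml"), ("Login", LOGIN_ONLY_TLS, "/home.xhtml")):
        print(f"{name:9} {path:22} -> {resolve(cs, path)}")
```

For /mycollection/select the prefix "/mycollection" is longer than the empty prefix of "/*", so the public constraint wins and no role is required, while /admin/cores falls back to "/*" and stays behind BASIC auth; anything not covered by a more specific public pattern remains protected, which is the caveat the answer states. For the WebSphere scenario the path "/" matches only "/*" and therefore demands SuperUser, whereas /welcome.jsp and /styles/* match their own unauthenticated constraints.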
I have a web application developed using JSF 1.2 running on JBoss AS7. Except for the login page, all other pages are protected. I also have a custom FormAuthenticator valve that needs to get triggered as part of the authentication process.
The login page uses j_security_check.
My core requirements are:
1. Present the user with the login page when they try to access a protected page (and take the user to the originally requested page after successful login).
2. If the user accesses the login page directly, take the user to a welcome page after successful login.
Requirement #1 works fine, when I attempt to access http://server.com/my-app/faces/protected1.jsp.
However, I get a 404 when attempting to access the web application by its context-root (i.e. http://server.com/my-app/).
I tried to use welcome-file attribute in web.xml and my web.xml looks as follows:
<welcome-file-list>
<welcome-file>/faces/protected1.jsp</welcome-file>
</welcome-file-list>
...
<!-- login config -->
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/login-error.jsp</form-error-page>
</form-login-config>
</login-config>
<!-- security constraints -->
<security-constraint>
<display-name>protected1</display-name>
<web-resource-collection>
<web-resource-name>protected1</web-resource-name>
<url-pattern>/faces/protected1.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>protected1Group</description>
<role-name>WebUserRole</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>WebUserRole</role-name>
</security-role>
I have 2 questions:
1. Am I on the correct track trying to get welcome-file to behave as the default landing page after login (when the user accesses either the context-root of my app or login.jsp directly)?
2. Why does the same thing work flawlessly if I change the welcome-file to an unprotected jsp (e.g. hello.jsp that has no security constraints)?
Any ideas are much appreciated! Thanks.
It doesn't make any sense to me to have your welcome file protected. Normally that would be the home page of a site, which anybody should be able to see. Then, if they click on some link to a protected resource such as 'My Stuff', that would take them to /faces/mystuff.something, which would be protected, so there would be a login before they got there.
I'm trying to implement a simple form-based login for my web application deployed with Tomcat. loginPage.html has j_username and j_password as fields, and the form method is j_security_check, as specified. /Actions is a directory containing all of my html and jsp files, as well as the css and js files, and all of the servlet mappings are of the form /Actions/servletName.do. The only pages not in actions are index.html and loginPage and loginError.
Right now, the home page is index.html. There is a hyperlink to Actions/home.html in it. What I want is for that hyperlink to redirect to loginPage.html first, and then when the user logs in it will go to home.html. My understanding is that, since home.html is a constrained resource, this should happen automatically. However, instead, I am not redirected to a login page, and the browser displays an error saying it couldn't connect to the page; the URL at the top is either https://localhost:8443/myProject/Actions/home.html or https://localhost:8443/myProject/index.html.
I have looked at several tutorials but nowhere do they specify a complete example, including file locations. Help would be greatly appreciated. Oh yes, and if anyone's wondering, I did update the tomcat-users.xml file accordingly.
<welcome-file-list>
<welcome-file>/index.html</welcome-file>
</welcome-file-list>
<security-role><role-name>Admin</role-name></security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/loginPage.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllResources</web-resource-name>
<url-pattern>/Actions/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
You need to configure Tomcat to use SSL first whenever you'd like to use HTTPS. Otherwise you have to remove the <transport-guarantee>CONFIDENTIAL</transport-guarantee> entry and fix all links in your HTML/JSP files to point to http:// instead of https://.
We would like to redirect the user to secure pages after a successful POST.
@RequestMapping(value="/myapp", method=RequestMethod.POST)
public String processForm(Formbean formbean) {
    // redirect to https ??????
    return "redirect:/secure";
}
Is there any easy way to make it without writing full redirection url?
You can check out RedirectView and the contextRelative parameter in the Spring API Docs:
http://static.springsource.org/spring/docs/2.0.x/api/org/springframework/web/servlet/view/RedirectView.html
hope that helped...
Not too sure you can do that without specifying the entire URL in the redirect string.
Perhaps it's best to add a security constraint for that URL in your web.xml, setting the transport-guarantee to CONFIDENTIAL. If your servlet container is set up correctly, then that should be all you need to get it to do the automatic redirect for you.
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure page</web-resource-name>
<url-pattern>/securePage.html</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>