How can I secure only some of the pages of a web application running on glassfish V3?
In your web.xml:
<security-constraint>
<display-name>Security Settings</display-name>
<web-resource-collection>
<web-resource-name>SSL Pages</web-resource-name>
<description/>
<url-pattern>*.jsp</url-pattern><!-- extension mapping; "/*.jsp" is not a wildcard and would only match a path literally named /*.jsp -->
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<user-data-constraint>
<description>CONFIDENTIAL requires SSL</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Change the url-pattern to whatever you need.
We need to add a filter further in configuration.
Check it here.
My welcome screen is the home screen of the website (it should be an unprotected resource).
Say http://domain:port/myApp, which redirects to the JSP file configured in the welcome-file-list of web.xml, say welcome.jsp.
But when any link present on welcome.jsp is clicked, those resources must be protected, and the corresponding URLs will be like http://:port/myApp/someRequest
I have made the changes below in the deployment descriptor:
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected</web-resource-name><!-- web-resource-name is required by the web-app schema -->
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SuperUser</role-name>
</auth-constraint>
<user-data-constraint>
<description>Encryption is not required for the application in general.
</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name><!-- web-resource-name is required by the web-app schema -->
<url-pattern>/styles/*</url-pattern>
<url-pattern>/welcome.jsp</url-pattern>
</web-resource-collection>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRealm</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>
The issue is that my home page, i.e. welcome.jsp, is still protected and the application redirects to the login screen on WebSphere Application Server, but it works fine in Tomcat and WildFly.
How do I make http://:port/myApp unprotected in WebSphere?
The WebContainer does not determine if it needs to use a welcome page for a specific request until the request is processed by the default servlet. When the WebContainer determines that there are no servlets mapped to this request, it will set the default servlet as the target, which will then check if a welcome page is needed. Before servicing the default servlet, the WebContainer invokes the security checks, which is where the request URI will be compared against the defined security constraints. The request URI in this scenario (/myApp) matches the /* constraint defined, so the authentication process will be triggered.
This is working as designed. In order to get the desired behavior, the security constraints will need to be made more specific instead of just /*. One possibility is to keep all static resources intended to be secured in a separate directory and define a constraint for that directory, for example /secured/*. For servlets you can define a servlet mapping pattern to use for secured servlets and add a more specific constraint to your security configuration to match that pattern similarly to the static resource example above.
I am using the following to secure parts of my website.
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SecureUsers</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
I know I can create another security-constraint with transport-guarantee=NONE to allow certain URLs to go through without needing to be authenticated, e.g.
<security-constraint>
<web-resource-collection>
<web-resource-name>Insecure</web-resource-name>
<url-pattern>/oauth-request-consumer/*</url-pattern>
<url-pattern>/oauth-authorize-consumers/*</url-pattern>
<url-pattern>/oauth-request-token/*</url-pattern>
<url-pattern>/oauth-authorization/*</url-pattern>
<url-pattern>/oauth-access-token/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
But what if I want to allow without authentication
/a/b/*/d
but require authentication for
/a/b/*/
Aside from putting every combination of "/a/b/*/d" in the security constraint, is there a better way? These paths are dynamic and may change over time, also, which means every time it changes I have to update the web.xml file with updated security constraints.
Is there a way to delegate the url-pattern to a class? It seems that would allow me to set it once in the web.xml and then have code that decides if the URL needs authentication.
Am I going about this the wrong way? Is there a better way? I am also using WebSphere trust association interceptors for SSO.
I am fairly new to Solr and I have been researching this for the past day and half and finally turning here.
I have a Solr server up and running, and I had my network admin configure a rule in the firewall so that we can access it for queries from my JavaScript application. This works. The issue I have is that the Solr admin pages are completely open to the world, and I have tried everything described in various posts, with the exception of the ZooKeeper method, which I don't really want to try because I am not interested in setting up ZooKeeper and SolrCloud.
Reference post: http://muddyazian.blogspot.com/2013/11/how-to-require-password-authentication.html and some others
What I did was modify jetty.xml in /opt/solr/server/etc and add this:
<Call name="addBean">
<Arg>
<New class="org.eclipse.jetty.security.HashLoginService">
<Set name="name">Solr Admin Access</Set>
<Set name="config"><SystemProperty name="jetty.home" default="."/>/etc/realm.properties</Set>
<Set name="refreshInterval">0</Set>
</New>
</Arg>
</Call>
Then I added to web.xml in /opt/solr/server/solr-webapp/webapp/WEB-INF the config below
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr Admin Access</realm-name>
</login-config>
Then I created a realm.properties file and hashed the password according to this post: Jetty/SOLR Admin Panel Password
Solr is now secure, but everything is password protected; I want my queries to be open and the rest protected. I tried adding different URL patterns such as /admin/*, /mycollection/dataimport/*, etc., but none of those seem to affect the fact that the query is also secured. Reference https://gist.github.com/jstrassburg/9777027
Following the advice of Exclude a JSP from web.xml's security-constraint, you can keep your configuration as is but expose the endpoints that you want to be publicly available.
So you could add a <security-constraint> like this to your web.xml, but leave out the <auth-constraint> for the matched <url-pattern>. This will make it open to the public. In combination with the basic auth for the rest of your Solr instance, you can then expose step by step the cores or handlers that shall be public.
<security-constraint>
<web-resource-collection>
<web-resource-name>mycollection</web-resource-name>
<url-pattern>/mycollection/*</url-pattern>
</web-resource-collection>
</security-constraint>
A caveat of this is that you will need to add anything that shall be public as its own URL pattern. But this may also be a plus, as you have the option of fine-grained access control for the collections, e.g. one user per collection.
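The pattern rules behind the answers above (the first answer's "/*.jsp", the WebSphere explanation that a request for "/" falls under "/*", and the Solr answer's collection left without an auth-constraint) can be checked with this small Python model of Servlet-spec URL-pattern precedence (section 12.1) and constraint combination (section 13.8); it is an added illustration, not code from any post here nor from Solr, Tomcat or WebSphere. The Constraint type, the resolve function and the WEBSPHERE sample are mine; http-method lists are not modelled, so keep in mind that a collection naming only GET and POST leaves every other method unconstrained unless deny-uncovered-http-methods (Servlet 3.1) is declared.

```python
"""Model of how a Servlet container picks and combines <security-constraint> entries
(Servlet spec 12.1 pattern precedence, 13.8 constraint combination).
Constructed illustration; not code from any post, nor from Solr, Tomcat or WebSphere."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Constraint:
    patterns: tuple                 # <url-pattern> elements of one <web-resource-collection>
    roles: Optional[tuple] = None   # None = no <auth-constraint> (public); () = empty one (deny all)
    transport: str = "NONE"         # <transport-guarantee>; NONE when no <user-data-constraint>


def rank(pattern: str, path: str):
    """Sort key when `pattern` matches `path` (higher wins), else None."""
    if pattern == "/":                                        # default mapping, lowest precedence
        return (0, 0)
    if pattern.startswith("*."):                              # extension mapping, e.g. *.jsp
        return (1, 0) if path.endswith(pattern[1:]) else None
    if pattern.startswith("/") and pattern.endswith("/*"):    # path mapping, longest prefix wins
        base = pattern[:-2]                                   # "/*" -> "", so it also covers "/"
        return (2, len(base)) if path == base or path.startswith(base + "/") else None
    # anything else is an exact string: "/*.jsp" or "/a/b/*/d" only match themselves
    return (3, 0) if path == pattern else None


def resolve(constraints, path):
    """Return (roles, transport) for `path`: roles is None when the resource is
    public, otherwise a frozenset of allowed role names (empty set = nobody)."""
    hits = [(r, c) for c in constraints for p in c.patterns
            if (r := rank(p, path)) is not None]
    if not hits:
        return None, "NONE"         # no constraint at all: unconstrained resource
    best = max(r for r, _ in hits)
    chosen = [c for r, c in hits if r == best]   # all collections on the best pattern combine
    if any(c.roles is None for c in chosen):
        roles = None                # one collection without <auth-constraint> opens the URL
    else:
        roles = frozenset(role for c in chosen for role in c.roles)
    # user-data-constraints combine to the weakest guarantee; a missing one means NONE
    transport = "CONFIDENTIAL" if all(c.transport == "CONFIDENTIAL" for c in chosen) else "NONE"
    return roles, transport


# Constructed sample: the WebSphere question's descriptor (/* for SuperUser, welcome page and styles open)
WEBSPHERE = (Constraint(("/*",), ("SuperUser",)),
             Constraint(("/styles/*", "/welcome.jsp")))
```

Running resolve(WEBSPHERE, "/") yields the SuperUser role requirement the WebSphere answer describes, while "/welcome.jsp" and "/styles/site.css" come back public because their exact and longer-prefix patterns outrank "/*".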
I have a Tomcat webapp deployed that is using security constraints at the WEB-INF level (webapps\app1\WEB-INF\web.xml). It works well:
<security-constraint>
<web-resource-collection>
<web-resource-name>app1</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
It just directs users to HTTPS if they try to go through HTTP. My issue is that I cannot get it to work at the conf level (conf/web.xml).
Why wouldn't it work at that level if it works just fine in webapps?
I'm trying to implement a simple form-based login for my web application deployed with Tomcat. loginPage.html has j_username and j_password as fields, and the form method is j_security_check, as specified. /Actions is a directory containing all of my html and jsp files, as well as the css and js files, and all of the servlet mappings are of the form /Actions/servletName.do. The only pages not in actions are index.html and loginPage and loginError.
Right now, the home page is index.html. There is a hyperlink to Actions/home.html in it. What I want is for that hyperlink to redirect to loginPage.html first, and then, when the user logs in, it will go to home.html. My understanding is that, since home.html is a constrained resource, this should happen automatically. However, instead, I am not redirected to a login page, and the browser displays an error saying it couldn't connect to the page; the URL at the top is either https://localhost:8443/myProject/Actions/home.html or https://localhost:8443/myProject/index.html.
I have looked at several tutorials but nowhere do they specify a complete example, including file locations. Help would be greatly appreciated. Oh yes, and if anyone's wondering, I did update the tomcat-users.xml file accordingly.
<welcome-file-list>
<welcome-file>index.html</welcome-file><!-- welcome files are partial URLs with no leading or trailing slash -->
</welcome-file-list>
<security-role><role-name>Admin</role-name></security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/loginPage.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>AllResources</web-resource-name>
<url-pattern>/Actions/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
You need to configure Tomcat to use SSL first whenever you'd like to use HTTPS. Otherwise you have to remove the <transport-guarantee>CONFIDENTIAL</transport-guarantee> entry and fix all links in your HTML/JSP files to point to http:// instead of https://.