Guide to developing SECURE TOMCAT/JSP web apps - ??

Hi,
It would be very useful to have a checklist or guidelines to ensure a JSP/tomcat web site one develops is secure, in particular for the scenario where the web application is not huge/complex &/or is developed by part-time developers. That is I guess I'm generally asking for the easiest way of ensuring one develops a secure JSP/tomcat app.
Q1 - Does anyone know of a tutorial/checklist for ensuring a JSP/tomcat web app is secure? The types of things I'm thinking of include the following items, which I've put forward as specific questions to the mail group in their own right.
Q2 - How do you ensure directory's under doc root can't be viewed? (ie users see a directory listings)
     - is putting in an index.html in each sub-directory a solid answer?
     - can this be handled in one hit via WEB.XML entries? if so an example if possible?
Above and beyond basic User Authentication checking (eg username/password check at beginning of session) what is an easy but secure way of checking -:
Q3 check that user (ie specific) is allowed to access a specific JSP page? (assuming the web app is a totally JSP based solution, ie no controller servlet frontend, ie and that all JSP pages are effectively assessable under docroot). Easy way of doing this?
     eg (a) put specific check at beginning of each JSP page?
     (b) other?
and
Q4 given that a user is allowed to access that JSP page, check that he is allowed to view the data which he has requested? (ie stop people determining how the URL with parameters is constructed and manually changing the parameters - eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4". Easy way of doing this?
     eg (a) put specific check at beginning of JSP page?
     (b) other
Q5 Is it generally acceptable, given appropriate precautions are taken, to setup a web site with all JSP files assessable under doc root, and that the manner in which the user navigates around the application is based on direct calls from the browser to the next JSP page with parameters? (again one concern I have is eg changing "http://www.test/test.jsp?id=3", manually "http://www.test/test.jsp?id=4"). If this is not acceptable what is recommended?
     (a) as above put a specific check at the beginning of the JSP page
     (b) for example having to specifically put a controller servlet as a front end, and then direct to JSP pages which are hidden?
- in this case how can one hide specific directories under doc root?
     (c) other??
Q6. Regarding image security I assume one really does have to store them outside doc root and develop a small "getImage" servlet so that requests to images can be verified to ensure that (assuming the app lets users load images) the end user can't see another user's image?
Q7. Any other general checklist items for a simple JSP/tomcat web site re security one should check for???
Thanks in Advance
Greg

Have you ever looked at the Jakarta struts framework for developing web apps? You could then incorporate your custom designed security both into your own extension of the controller servlet (check if particular user has access to certain pages / actions). You can also design your own custom tags which determine whether a particular user has access to certain parts of the page. You cal also perform additional checks in the actions, to ensure that the user does have access to certain actions (i.e. checking parameters etc.)

Similar Messages

Securing a J2EE web app

Hi, probably the wrong place to put this but i couldn't find anywhere more suitable :-p
I've got a web app that i've got secured using a JDBC realm, using web.xml configuration etc and all is well. However I want to limit it so that if a user logs in then no-one can log in again with the same credentials until said user has logged out. Is this possible out of the box with JEE5 or do i have to implement something myself to redirect output.
Regards
ARB

Not sure how 'out the box' you want.
Tomcat has this feature which can be configured by adding username/password paris to an xml file, I realise Tomcat is not part of the JEE5 bundle but it is 'out the box' and you need a server, right?

PHP_MySQL version of a high security user authentication web app.

Since you folks deal with PHP Application Development, I am posting this here.
For a demo of the PHP_MySQL version of the UltraSuite High Security User Authentication Web Application, you can sign up at http://bit.ly/hgNjek.
It offers a multi-layered approach security approach towards protecting important information like user authentication credentials. Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more.
I hope your feedback will help make the application even more useful and secure.
Thank you!
J.S.

Hi,
could you or someone tell me if ADDT supports protection against these methods you mention:
Protection from dictionary attacks, rainbow table attacks, brute force attacks, SQL injection attacks and much more??
And can this system work alongside ADDT?
thanks again

Setting security constraint for web App

Hai all!
I am new to bea and i am trying to set up security constraints for my webaplication..
I want user to be authenticated before he access any of the pages in browser..
All i did was adding following entries to web.xml
<security-constraint>
          <web-resource-collection>
               <web-resource-name>
                    webresources
               </web-resource-name>
               <url-pattern>
               </url-pattern>
          </web-resource-collection>
          <login-config>
               <auth-method>
               BASIC
               </auth-method>
          </login-config>
     </security-constraint>
But no such thing is happening,,
I know i am doing wrong but donno where exactly i am wrong..
Pls guide me in sequnece of steps regarding what to do to accomplish what i want..
Thanks and Regards
Manohar

I guess you need to set the role that is allowed to log into your application.
try this in web.xml:
     <security-constraint>
          <display-name>Whatever</display-name>
          <web-resource-collection>
               <web-resource-name>resource</web-resource-name>
               <description>Desc</description>
               <url-pattern>/*</url-pattern>
               <http-method>GET</http-method>
               <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
               <description>desc</description>
               <role-name>MyRole</role-name>
          </auth-constraint>
               <user-data-constraint>
               <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
     <login-config>
          <auth-method>BASIC</auth-method>
     </login-config>
     <security-role>
          <description>desc</description>
          <role-name>MyRole</role-name>
     </security-role>
and map the role with a group/user in weblogic.xml:
     <security-role-assignment>
          <role-name>MyRole</role-name>
          <principal-name>MyGroupOfUsers</principal-name>
     </security-role-assignment>
Hope this helps.
Xavi
"Manohar" <[email protected]> wrote:
>
Hai all!
I am new to bea and i am trying to set up security constraints for my
webaplication..
I want user to be authenticated before he access any of the pages in
browser..
All i did was adding following entries to web.xml
<security-constraint>
          <web-resource-collection>
               <web-resource-name>
                    webresources
               </web-resource-name>
               <url-pattern>
               </url-pattern>
          </web-resource-collection>
          <login-config>
               <auth-method>
               BASIC
               </auth-method>
          </login-config>
     </security-constraint>
But no such thing is happening,,
I know i am doing wrong but donno where exactly i am wrong..
Pls guide me in sequnece of steps regarding what to do to accomplish
what i want..
Thanks and Regards
Manohar

Help.jsp web app war file (how to exclude resources)

Hi, I am making a jsp/JSF application and now wanted to deploy it on a glassfish server. this is the first time i am deploying so am still learning it as i go.
I wanted to clear out something before i go ahead.
My application has tons of resuorce files (mainly huge Picture and videos) which are roughly the size of 1-2 GB. I do not want to add them to my WAR file. is it possible to exclude the resources from the war file?
How difficult would it be for me to to then link the resources folder to the deployed application?
I am running against time. i need to clear the above out to make a decision.

thyscorpion wrote:
My application has tons of resuorce files (mainly huge Picture and videos) which are roughly the size of 1-2 GB. I do not want to add them to my WAR file. is it possible to exclude the resources from the war file?Yes.
How difficult would it be for me to to then link the resources folder to the deployed application?Create a servlet which access them by aforeknown file system path, reads the stream from the file and writes it to the response.
You may find this servlet example useful: [http://balusc.blogspot.com/2007/04/imageservlet.html] (specific for images).

Remote Memory Profiling Web App on Tomcat/Linux?

Is there a straightforward set of instructions somewhere for setting up JDev, Tomcat, the Web App, etc for remote memory profiling a web application running on a Tomcat installation on Linux? (JDev is on a Windows box)
Thanks!
Jim

'Cmon Team JDeveloper - in a matter of a few hours, I was able to download and setup NetBeans and start remote profiling my JDeveloper-developed web app on Tomcat. Surely somebody knows how to do this with JDeveloper!?
I'm a long-time JDeveloper user and a very vocal proponent of the tool - I pains me to have to use another tool to do what JDeveloper should clearly be able to do. Heck, I'm willing to help document the process if someone can just help get me going on this.
Jim

JSP Web Application State

Hi there,
I have a question regarding application state in a jsp web app. Can value be passed across different server like the use of cookie and session? If so what do I need to do? I'm current running the same web app on two different server because of an external plugins features that I'm using.
ex: If I start at the main webpage on Server A and intial an application variable called "test = A" and then directed to a second page on Server B and try to change the same variable to say "Test = B", now when I go back to the initial page on Server A, I should see "Test = B" not "Test = A". But I'm seeing "Test = A", my initial guess is that there when my application move to a second page on a different Server it started up a new state which on the page on the second Server will recognize while Server A still retain the application initial state.
So back to question, is it possible to have the same Application state run on two different Server? If so please provide me an example or a source to resolve this. Thanks for all you help.
Alex

Never mind, Just realize doing what I describe earlier will violate the web security standard.

Link to goto deployed web app

hi all,
i have deployed a web application(war file) in UCM using the JSP Web App Administration Page. I need the url to access it. Please help.
Also if i want to use webdav to replace the jsps inside the web app, how do i do it? As far as i know the webdav url checks out folders and since i checked in a war file i am able to view that. how do i replace the jsp file in the deployed web app? Please suggest.
Thanks and Regards,
nithya

Check this out: http://download.oracle.com/docs/cd/E17904_01/doc.1111/e10807/c06_integration.htm#i1084683

Communication between a web app and a desktop app

Hi,
I would like to know how i can make a web application communicate with a desktop application (protocols,technologies, patterns�).
And if I'm using a jsp web app and a java se app?
Indeed, i have a desktop app. which use some information provided by an user via a web app,and the work performed by the desktop app cannot be performed inside a web container.
Thanks.

you mean it the other way around I think. You have a desktop app that needs to communicate with a web application.
There are multiple ways.
1) use plain old XML combined with URLConnection / HttpClient
2) use XML-RPC
3) use SOAP
and there are more even. You will need to decide for yourself which technology can do what you require.

Security in my web.xml in Tomcat 4

Hello,
I was using this application on Tomcat 3 and my web.xml worked perfectly well.
However when I tried to start it on Tomcat 4 there is something wrong with the
security part of my web.xml . If I leave out the security constraint for this application, it
works. However if I make my application secure I am unable to view it in the browser.
It does not try to connect to the login.jsp page for log in , but simply displays the message that the page is unavailable and that I have to refresh my browser. Please help me with that because I am stuck.
Here is my web.xml :
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>UploadServlet</servlet-name>
<servlet-class>UploadServlet</servlet-class>
<init-param>
<param-name>SaveDirectory</param-name>
<param-value>C:\Homeworks\</param-value>
</init-param>
<init-param>
<param-name>Proffesors</param-name>
<param-value>Clayton,Douglass,Guruvado</param-value>
</init-param>
</servlet>
<security-constraint>
<display-name>Protected Homework Upload</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
     

     <url-pattern>/servlet/UploadServlet</url-pattern>
     
     <http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
     <http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>

<role-name>student</role-name>
<role-name>proffesor</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>
Thank you very much for your time and advise. I appreciate it very much
Martin

hi,slice
I donot really find exactly what is wrong in your config file. But I have some suggestions:
1.Please use servlet URL mapping in "servlet" tag (for example: "/security/upload") instead of using default servlet URL(just like "/servlet/UploadServlet").
2. In the "url-pattern" tag inside "web-resource-name" ,please using "/security/*", if you are using my suggestion above.
3.Make sure that your "login.jsp" page is in the right place of the application's doc-root.
Make a try and good luck!
Wang Yu
Developer Technical Support
Sun Microsystems
http://sun.com/developers/support

Problem with Configuring Tomcat for running jsp web applications..Plz HELP

I am using Tomcat 5.5 and Jdk 1.5.0_12 and Oracle 10g. I am using jdbc-odbc bridge connection
to connect to the database. I have placed my project folder called
tdm under the webapps folder in Tomcat. This 'tdm' folder consists of
a collection of html pages,jsp pages and images of my project. Also I created a
WEB-INF folderand in that I have lib folder which contains catalina-root.jar
, classes12.jar and nls_charset.jar files. And also in the WEB-INF folder I have the web.xml
file which looks like this
<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app>
<resource-ref>
<description>Oracle Datasource example</description>
<res-ref-name>jdbc/gdn</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
My Server.xml file in Tomcat\conf folder is as follows



<Server port="8005" shutdown="SHUTDOWN">

<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

<GlobalNamingResources>

<Environment name="simpleValue" type="java.lang.Integer" value="30"/>

<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
<Resource name="jdbc/gdn" auth="Container"
type="javax.sql.DataSource" driverClassName="sun.jdbc.odbc.JdbcOdbcDriver"
url="jdbc:odbc:gdn"
username="system" password="tiger" maxActive="20" maxIdle="10"
maxWait="-1"/>
</GlobalNamingResources>


<Service name="Catalina">


<Connector
port="5050" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />

     



<Connector port="8009"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />






<Engine name="Catalina" defaultHost="localhost">




<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>







<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">









<Context path="/tdm" docBase="tdm" debug="0" reloadable="true" />
</Host>
</Engine>
</Service>
</Server>
I have set the context path to /tdm in the server.xml file. Should this be placed in context.xml?
My first page in the project is called Homepage.html. To start my project I give http://localhost:5050/tdm/homepage.html
in a browser. Here I accept a username and password from the user and then do the validation in
a valid.jsp file, where I connect to the database and check and use jsp:forward to go to next pages
accordingly. However when I enter the username and password and click Go in the homepage, nothing is
displayed on the next page. The URL in the browser says valid.jsp but a blank screen appears.
WHY DOES IT HAPPEN SO? DOES IT MEAN THAT TOMCAT IS NOT RECOGNIZING JAVA IN MY SYSTEM OR IS IT A PROBLEM
WITH THE DATABASE CONNECTION OR SOMETHING ELSE? I FEEL THAT TOMCAT IS NOT EXECUTING JSP COMMANDS?
IS IT POSSIBLE?WHY WILL THIS HAPPEN?
I set the JAVA_HOME and CATALINA_HOME environment to the jdk and tomcat folders resp.
Is there any other thing that I need to set in classpath? Should I have my project as a
WAR file in the webapps of TOMCAT or just a folder i.e. directory structure will fine?

I am using Tomcat 5.5 and Jdk 1.5.0_12 and Oracle 10g. I am using jdbc-odbc bridge connection
to connect to the database. I have placed my project folder called
tdm under the webapps folder in Tomcat. This 'tdm' folder consists of
a collection of html pages,jsp pages and images of my project. Also I created a
WEB-INF folderand in that I have lib folder which contains catalina-root.jar
, classes12.jar and nls_charset.jar files. And also in the WEB-INF folder I have the web.xml
file which looks like this
<?xml version="1.0" encoding="ISO-8859-1"?>

<web-app>
<resource-ref>
<description>Oracle Datasource example</description>
<res-ref-name>jdbc/gdn</res-ref-name>
<res-type>javax.sql.DataSource</res-type>
<res-auth>Container</res-auth>
</resource-ref>
</web-app>
My Server.xml file in Tomcat\conf folder is as follows



<Server port="8005" shutdown="SHUTDOWN">

<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

<GlobalNamingResources>

<Environment name="simpleValue" type="java.lang.Integer" value="30"/>

<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
<Resource name="jdbc/gdn" auth="Container"
type="javax.sql.DataSource" driverClassName="sun.jdbc.odbc.JdbcOdbcDriver"
url="jdbc:odbc:gdn"
username="system" password="tiger" maxActive="20" maxIdle="10"
maxWait="-1"/>
</GlobalNamingResources>


<Service name="Catalina">


<Connector
port="5050" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />

     



<Connector port="8009"
enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />






<Engine name="Catalina" defaultHost="localhost">




<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>







<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true"
xmlValidation="false" xmlNamespaceAware="false">









<Context path="/tdm" docBase="tdm" debug="0" reloadable="true" />
</Host>
</Engine>
</Service>
</Server>
I have set the context path to /tdm in the server.xml file. Should this be placed in context.xml?
My first page in the project is called Homepage.html. To start my project I give http://localhost:5050/tdm/homepage.html
in a browser. Here I accept a username and password from the user and then do the validation in
a valid.jsp file, where I connect to the database and check and use jsp:forward to go to next pages
accordingly. However when I enter the username and password and click Go in the homepage, nothing is
displayed on the next page. The URL in the browser says valid.jsp but a blank screen appears.
WHY DOES IT HAPPEN SO? DOES IT MEAN THAT TOMCAT IS NOT RECOGNIZING JAVA IN MY SYSTEM OR IS IT A PROBLEM
WITH THE DATABASE CONNECTION OR SOMETHING ELSE? I FEEL THAT TOMCAT IS NOT EXECUTING JSP COMMANDS?
IS IT POSSIBLE?WHY WILL THIS HAPPEN?
I set the JAVA_HOME and CATALINA_HOME environment to the jdk and tomcat folders resp.
Is there any other thing that I need to set in classpath? Should I have my project as a
WAR file in the webapps of TOMCAT or just a folder i.e. directory structure will fine?

Error in migrating a Spring/Struts-App from Tomcat to WebAS

I tried migrating a Struts/Spring-App (war) which is running smoothly in Tomcat to WebAS.
Deploying is no problem and the plain JSPs work fine. But the 'real' app is not running and throws the following error at startup:
24 Mai 2006 09:07:13,593 - ActionServlet.initServlet(1149) | The /WEB-INF/web.xml was not found.
org.xml.sax.SAXParseException: Dokumentwurzelelement fehlt
     at org.apache.crimson.parser.Parser2.fatal(Parser2.java:3376)
     at org.apache.crimson.parser.Parser2.fatal(Parser2.java:3364)
     at org.apache.crimson.parser.Parser2.parseInternal(Parser2.java:668)
     at org.apache.crimson.parser.Parser2.parse(Parser2.java:337)
     at org.apache.crimson.parser.XMLReaderImpl.parse(XMLReaderImpl.java:448)
     at org.apache.commons.digester.Digester.parse(Digester.java:1567)
     at org.apache.struts.action.ActionServlet.initServlet(ActionServlet.java:1142)
     at org.apache.struts.action.ActionServlet.init(ActionServlet.java:328)
     at javax.servlet.GenericServlet.init(GenericServlet.java:258)
     at com.sap.engine.services.servlets_jsp.server.runtime.context.WebComponents.addServlet(WebComponents.java:134)
     at com.sap.engine.services.servlets_jsp.server.container.ApplicationThreadInitializer.loadServlets(ApplicationThreadInitializer.java:376)
     at com.sap.engine.services.servlets_jsp.server.container.ApplicationThreadInitializer.run(ApplicationThreadInitializer.java:110)
     at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
     at java.security.AccessController.doPrivileged(Native Method)
     at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:94)
     at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:162)
Any help much appreciated!

hi istvan,
we are also migrating from websphere to netweaver.
But in spring framework we r facing problems.
We hav spring-beans.jar file in lib dir of Web Application. But When we are creating BeanFactory from xml as,
BeanFactory beanFactory = new ClassPathXmlApplicationContext ("client-config.xml");
clent-config.xml file contains :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
     <bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" >
          <property name="location">
               <value>conf/service-client/client.properties</value>
          </property>
     </bean></beans>
But code is giving exception: ClassNotFoundException -org.springframework.beans.factory.config.PropertyPlaceholderConfigurer.
Wat is the problem ?
Kindly help.
We are also using JAAS for authentication.We are refering above code from our LoginModules login() method.
Regards,
sagar.

Web app security not working

Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basic secure web
app.
I created an App and created a web project. In it, I deleted the controller, etc
and just have index. jsp. All the index.jsp does is: <%= request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>
When I run the app, it just renders the JSP and does not challenge me to login.
Can you please help what is that I am doing wrong here?
Thanks,
John

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Web-app scoped security policies not working in WL 8

Hi,
I can't get web-app scoped security policies working in WL 8.1
I have a simple web application. It defines a role(ROLE) and security
constraint (on *.jsp).
If I examine the web app in the administration console, I see that it
has created a role (scoped to /*) called "ROLE" just as you would
expect. It has also created a scoped policy (to *.jsp) with constraints
that the user be in the role ROLE. This is as expected, and it works.
However, if I proceed to create my own scoped policy (on *.html) with
constraints (on ALL methods) that the user be in role ROLE, then I get
no security at all. ie. I can go to server:port/foo.html and it will
work - it is not secured.
Any ideas?
On a completely unrelated issue, when I deploy an EAR (exploded) with a
WAR (exploded) and using the admin console expand the application
correpsonding to th EAR, right click on the WAR node, and try and define
a scoped role, then I get an error "There are no appropriate RoleEditor
providers configured". This sounds like a bug. Trying to define a
scoped policy works as expected.
TIA,
Jon

I can't get web-app scoped security policies working in WL 8.1Well, I can answer this one myself.
WebLogic 8 has a new optimisation (this wasn't present in 7 AFAIK),
available on the Security / Realm / myreal / General tab, which
determines whether or not weblogic considers authorisation of resources
protected by descriptors or not. (ie. it can force only
descriptor-protected authorisation, ignoring admin console policies).
It defaults to ignoring admin console policies, hence my problem.
Jon

Web app security + JAAS

I'm working on the authentication/authorisation aspects of a fairly
large web application using WLS 6.0 (ie allowing users to login and
access resources based on role etc).
Its a standard JSP/Servlet/EJB type architecture and so far it seems
the FORM-based authentication will serve our needs well. However, I've
been instructed (by higher powers) to investigate JAAS authentication.
It looks far more complex to implement so my question is, does it
offer any significant advantages that justify the extra work?
Thanks for your time.

"john hryn" <[email protected]> wrote in message
news:3fce2551$[email protected]..
>
Hi,
I am using WebLogic 8.1 platform. I am trying to create a very basicsecure web
app.
I created an App and created a web project. In it, I deleted thecontroller, etc
and just have index. jsp. All the index.jsp does is: <%=request.getRemoteUser()
%>
In web.xml I have
<security-constraint>
<web-resource-collection>
<web-resource-name>Success</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>I think you should have dealers instead of *
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>And here too.
</security-role>
In weblogic.xml I have
<security-role-assignment>
<role-name>dealers</role-name>
<principal-name>dealer1</principal-name>
</security-role-assignment>

Guide to developing SECURE TOMCAT/JSP web apps - ??

Similar Messages

Maybe you are looking for