Issue with Security Constaraint in web.xml

Similar Messages

• Having issue with Listner component in web.xml

  I have created a application listner class and mentioned it in web.xml file also.
  My idea is to connect to the database, get some information and display the same in login page. since we are using form based authenticaiton.
  I have put the code in listner class, when I run the app its not coming to this class at all. Do I have to do any other setting for this.
  when I run the app in debug mode its not stopping at the breakpoint which I have put in listner class.
  Please help me to solve this issue.
  thanks in advance.

  Your question doesn't appear to be relevant to this forum.

• Wrong security configuration in web.xml

  Hi all
  I am developing an application with JDeveloper 10.1.3.3 using ADF-BC/JSF. I have followed the example of SRDemo and my .jspx files are located in two folders : public_html/app and public_html/pricelist/
  My application will have two user roles. The administrators who access everything and the users that need to access only the pages located in faces/app and get access denied mesages in all pricelist management pages.
  I have used file based security and defined users and roles in jaz-data.xml. I have also verified that the data in that file are correct using the isUserInRole() function.
  What I cannot get to work correctly is the security in the web.xml since the way I have it both users and admins are granted full access to the faces/app/pricelist pages.
  The security constrains on my web.xml look like this :
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>PricelistData</web-resource-name>
              <description> Price list management pages</description>
              <url-pattern>faces/app/pricelist/*</url-pattern>           
          </web-resource-collection>
          <auth-constraint>
              <role-name>admin</role-name>
          </auth-constraint>
      </security-constraint>
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>UserData</web-resource-name>
              <url-pattern>faces/app/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>user</role-name>
              <role-name>admin</role-name>
          </auth-constraint>
      </security-constraint>
      <login-config>
          <auth-method>BASIC</auth-method>
          <realm-name>jazn.com</realm-name>
      </login-config>
      <security-role>
          <role-name>user</role-name>
      </security-role>
      <security-role>
          <role-name>admin</role-name>
      </security-role>Can anyone tell me what am I doing wrong, or suggest anything else I should check ?
  Thanassis

  Well you're orion-application.xml file looks okay to me, and addition if the isUserInRole is returning proper values, it's hooked up correctly.
  (By the way, a useful bean/free piece of code to do just what you're doing is the JSF-Security scope as written by Duncan Mills on Sourceforge)
  As such I'd be looking at the security constraints URLs. You haven't by chance changed the url-pattern for the Faces Servlet? The default is this:
  <servlet-mapping>
      <servlet-name>Faces Servlet</servlet-name>
      <url-pattern>/faces/*</url-pattern>
  </servlet-mapping>...and your url-patterns assumes it starts with faces. Note it is correct in your url-patten to not include a forward slash before faces in the security constraint.
  Another thing that springs to mind, when you navigate to the protected page through your menu structure, what URL do you see in the browser? Is it the URL of the page you came from, or the URL of the page you navigated to ... and in addition ..... another thing to try is in your browser, rather than navigating through your menu structure, go straight to the URL of the page. Does the login page then show?
  The reason I mention this is if you're using the default navigation style in JSF for JDev 10.1.3 (if memory serves me well, it's direct), the Servlet may not actually inforce your protected page navigation as the navigated-to page is never actually served by the Faces servlet to the JEE engine to enforce security. I think I had a b1tch about this issue in the following OTN Re: ER: JSF direct navigation ignores JAZN container based security. Could this be what you're hitting?
  As such try changing the navigation type to redirect.
  CM.

• Need api for changing security role in web.xml !!

  My requirement is to change the value of the deployment descriptor "security-role" (in web.xml) through an api and inturn to persist the new value in web.xml. Also I need to know if this change is automatically redeployed or an explicit redeployment is needed ? In that case how do I redeploy using an api call ?
  I found a lot of apis related to roles like createRole, removeRole etc.. But there are no apis to change the name of the role and inturn persist in web.xml.
  Do I need to provide any more information ? Let me know
  Thanks,
  Karthick

  why and when do you change security-role? try to use ant task (perhaph you need xpath also). it´s the better when you perform task about life´s cycle of application.
  please, describe your problem.
  of course in you change web.xml you must restart the application.

• Issue with Date format - ABAP to XML

  Dear Users,
  We are currently facing an issue with the date formats in XML.
  We have a system (.Net), which has a webservice that we are calling for information from SAP. We created a Proxy class in SAP from the WSDL file and have attempted to use the method that gets us required information based on the Timestamp passed from SAP. However, the timestamp that the INPUT structure uses has a data element XSDDATETIME_Z.
  All we can send from SAP is a simple TIMESTAMP, but the .Net system doesn't accept it since it wants the timestamp in XML format i.e. <dd-mm-yyyy>T<hh:mm:ss>Z. SAP documentation says that the field should automatically do conversion from ABAP to XML format, but that doesn't happen. We don't want to build a string from Timestamp in the XML format and send it out since we might surely miss out on the different cases involved.
  Can anyone please suggest a way for us to send the date out in the required XML format?
  Many thanks!

  Hi Vijay,
  Look at the below sample code and it works fine, i guess there is something wrong in your code or conversion, post the actual code if you are still not able figure it out with the below example.
  DATA: l_xml_string TYPE string,
        l_dat_time TYPE xsddatetime_z.
  CALL FUNCTION 'CACS_DATE_GET_TIMESTAMP'
  EXPORTING
     I_DATE                         = sy-datum
     I_TIME                         = sy-uzeit
  IMPORTING
     E_TIMESTAMP                    = l_dat_time
  EXCEPTIONS
     DATE_NOT_FILLED_BUT_TIME       = 1
     DATE_HAS_NO_VALID_FORMAT       = 2
     OTHERS                         = 3.
  IF sy-subrc <> 0.
  * MESSAGE ID SY-MSGID TYPE SY-MSGTY NUMBER SY-MSGNO
  *         WITH SY-MSGV1 SY-MSGV2 SY-MSGV3 SY-MSGV4.
  ENDIF.
  CALL TRANSFORMATION id
    SOURCE root = l_dat_time
    RESULT XML l_xml_string.
  IF sy-subrc EQ 0.
  write: l_xml_string.
  ENDIF.
  Regards,
  Chen

• Problems with error-page in web.xml and page caching

  Having a few problems with error pages and web.xml with browsers caching the error pages and strange errors coming out of weblogic.servlet.intenal.WebAppServletContext
  I'm trying to set a web app up so that all http errors and all exceptions are routed thruogh predefined resources. For now, I'm simply send 400 errors to 400.html and the ServletException, IOException and RuntimeException to respective html pages.
  What I'm finding is that the error codes work fine but the exceptions are only be routed to the correct error page for the first call to the servlet after server restart.
  So for example, I have my servlet throwing a ServletException as a test case. The weblogic server log shows that ServletException is thrown, and the correct error page for ServletExceptions is shown.
  If I change the Servlet code to throw IOException in place of SevletException, the weblogic.log shows that IOExceptyion is being thrown (so the servlet has deployed successfully), however the Servletxception error page is shown on the browser.
  I'm using IE6 and I've changed the setting such that a new page is requested every time using the tools-internet options-temp internet files-settings option to "check for new versions of stored pages: Every visit to the page".
  Despite this, the servlet exception error page still appears.
  If you clear the cache from the temp intenet files->delete files IE option, the correct errror page will be shown so it appears that the browser cache is being used after all.
  everytime I delete the temp intenet files I get the correct error page on the first request after but then not after that.
  I have implemented the service method for this test to throw the exceptions - does this make a differecne?
  As a test, I have moved the imlpementation to the doGet method instead bu I now get a strange eror from weblogic comlpaining about an arrayOutOfBoundsException because eror codes in the web.xml are not supported! - see error above.
  Any help is appreciated

  After further investigation: -
  There are no problems with error pages based on error codes, only error exceptions.
  As a test case, I have a service method in a servlet throwing either one of the three exception types that servlets can throw (Runtime, Servlet & IO) the following rules apply. The exception to be thrown is hardcoded and is changed and the web app rebuilt each time. The correct web.xml has been deployed to the app server (checked through console). the webapp is being redeployed correctly - this can be seen in the weblogic log, where the correct exception is reported.
  I am using WLS 8.1, Servlet 2.3, JDK 1.4.1_02
  In all cases, the weblogic log reports that the servlet is throwing the exception as expected.
  Despite having set error-page for exception javax.servlet.ServletException, the exceptions are diverted to the error page that has been set up for http error code 500
  The error page for ServletException is therefore never reached.
  I have the browser set to request pages every time it is asked.
  Once the servlet has thrown an IOException, the only way to get the browser to report an IO or Runtime exception error-page is to clear the browser cache. Restarting the server has no effect.
  Once the servlet has responded with ANY exception, it is not possible to get it to report a ServletException (which is incorrectly reported as a 500 anyway) unless the cache is cleared. Restarting the server has no effect.
  In the case where the servlet throws ServletException, it has no root exception. The servlet 2.3 spec states that if ServletException is thrown but cannot be found in the error pages, the root excpetion will be extracted and the error page list traversed again. Knowing that the RuntimeException error page is correct shown when RuntimeException is throwm, I have nested this inside the ServletException, however error page for http error 500 is still shown.
  I don't believe this is a WLS 8.1 problem, as the console shows that the correct exception is thrown each time. this is backed up by the fact that the correct exception page is thrown when the cache is cleared regardless of what exception was previousdly thrown by the servlet. This excludes ServletException which is always incorrectly thrown as a 500.

• Issue with calling an external web service using web service proxy

  Hi,
  I've created several web services using JDeveloper succesfully in the past, however I'm getting an issue with one that was working ok previously. Have spoken to the developers of the external web service and they say they haven't changed anything. Also if I test the external web service through soapUI for example it seems fine so it would seem that the issue is with the autogenerated code created by JDeveloper.
  Basically I get the following exception as it sends the request to the external service:
  java.security.PrivilegedActionException: javax.xml.soap.SOAPException: Message send failed: Bad Authentication header format: 'Basic realm="Integration Server" encoding="UTF-8"'
  Expected "," at position 33
  The user name/password appear correct.
  JDev version 10.1.3.42.70
  Any ideas?
  Many Thanks
  Gary
  Edited by: user10916721 on 08-May-2012 09:54

  Found the answer. Basically I had one proxy web service working and one not both linking to a middle tier written in web methods. THe issue actually ended up being with the web methods code in that the one web service (that was not working) was put together using a backwards compatability mode. Once this was switched back then started working again in JDev.

• RE: security-constraint in web.xml of sunone 6.1

  Hello again,
  Still url-pattern of security-constraint issue in web.xml of sunone 6.1 (SP5).
  I am pretty sure this pattern works fine in SunOne 6.0 and SunOne 6.1 SP2,
  <security-constraint>
  <url-pattern>/app/jws1/*.jsp</url-pattern>
  <url-pattern>/app/jws1/*.jnlp</url-pattern>
  </security-constraint>
  In SunOne 6.0 or SunOne 6.1 SP2, if I have not yet logged in and type in a url matching the above patterns in a browser, I will be asked for username and password. But in SunOne 6.1 SP5, I won't be asked for username and password.

  Unfortunately, that's not how <url-pattern> values work. They shouldn't have "worked" in 6.1 SP2. I'm pretty sure they didn't. 6.0 takes a more intuitive, but nonstandard, approach to <url-pattern> wildcards. That nonstandard behaviour was corrected in 6.1.
  The Java Servlet Specification 2.3 -- see http://www.jcp.org/aboutJava/communityprocess/final/jsr053/ -- defines the contents of the <url-pattern> as follows:
  � A string beginning with a �/� character and ending with a �/*� postfix is used for path mapping.
  � A string beginning with a �*.� prefix is used as an extension mapping.
  � A string containing only the �/� character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
  � All other strings are used for exact matches only.
  That means that /app/jws1/* will do what you might expect, as will *.jsp, but /app/jws1/*.jsp will only match the exact URI /app/jws1/*.jsp. /app/jws1/*.jsp will not match a URI such as /app/jws1/filename.jsp.
  If you can't construct appropriate authorization rules using <url-pattern>, you may wish to a) restructure your web app or b) use Web Server ACLs.

• Issue with OSI PI WCF Web Service with wshttpbinding

  Hi Experts,
  System Details:
  SAP MII 14 SP4
  OSI PI Web Service: PITimeSeries
  I am having issue when trying to call OSI PI web service using http post. it is returning status 0 when i am using exception handler in BLS.
  Same web service works fine with basichttpbinding (SOAP 1.1)  but with wshttpbinding (SOAP 1.2) it is giving error.
  Following are Web config binding details for web service.
        <wsHttpBinding>
          <binding name="wsBinding_2011" sendTimeout="00:01:00" receiveTimeout="00:10:00" bypassProxyOnLocal="false" transactionFlow="false" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="65536" messageEncoding="Text" textEncoding="utf-8" useDefaultWebProxy="true" allowCookies="false">
            <reliableSession ordered="true" inactivityTimeout="00:10:00" enabled="false" />
            <security mode="Message">
              <message clientCredentialType="Windows" negotiateServiceCredential="true" algorithmSuite="Default" establishSecurityContext="true" />
            </security>
          </binding>
        </wsHttpBinding>
  I am not sure it could be the issue with passing windows credentials.
  Did anybody consumed WCF web service with wshttpbinding with security mode as Message and clientCredentialType as Windows.
  Also i was trying to pass MYSAPSSO2 SSO token to service in http post but first i am not sure if this is correct windows token and second which header property of service should be mapped and i am not sure that I am going into correct direction or not.
  Please let me know what i am missing.
  I have tried following other options and tools:
  SOAP UI: basichttpbinding works fine for wshttpbinding receiving Internal Server error in log and Response as
                    The security context token is expired or is not valid.
  MII Web Service Action Block: basichttpbinding works fine for wshttpbinding not able to configure url through wizard because as per                                                                              my discussion with other MII experts MII does not support SOAP1.2. that is one reason for using http post.
  WCF Storm: both bindings works fine (There is option to select windows authentication and Impersonation level as delegation)
  WCF Test Client: Both bindings works fine
  Any help is appreciated.
  Thanks & Regards,
  Manoj Bilthare

  Hi Sam,
  The web service is valid following are details of testing on various tools.
  SOAP UI: basichttpbinding works fine for wshttpbinding receiving Internal Server error in log and Response as The security context token is expired or is not valid.
  MII Web Service Action Block: basichttpbinding works fine for wshttpbinding not able to configure url through wizard because as per my discussion with other MII experts MII does not support SOAP1.2. that is one reason for using http post.
  WCF Storm: both bindings works fine (There is option to select windows authentication and Impersonation level as delegation)
  WCF Test Client: Both bindings works fine
  Please let me know if additional details required.
  Thanks & Regards,
  Manoj Bilthare

• Using security-constraint in web.xml; not recognizing url-pattern tag

  I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
  <?xml version = '1.0' encoding = 'windows-1252'?>
  <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <description>Empty web.xml file for Web Application</description>
  <session-config>
  <session-timeout>35</session-timeout>
  </session-config>
  <mime-mapping>
  <extension>html</extension>
  <mime-type>text/html</mime-type>
  </mime-mapping>
  <mime-mapping>
  <extension>txt</extension>
  <mime-type>text/plain</mime-type>
  </mime-mapping>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adm_full_access</web-resource-name>
  <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>adm_all</role-name>
  </auth-constraint>
  </security-constraint>
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>usr_access</web-resource-name>
  <url-pattern>readData.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>usr_all</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>BASIC</auth-method>
  </login-config>
  <security-role>
  <role-name>usr_all</role-name>
  </security-role>
  <security-role>
  <role-name>adm_all</role-name>
  </security-role>
  </web-app>
  When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
  Thank you.

  I was able to get this to work. By doing the following:
  <security-constraint>
  <web-resource-collection>
  <web-resource-name>adm_full_access</web-resource-name>
  <url-pattern>*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
  <role-name>adm_all</role-name>
  </auth-constraint>
  </security-constraint>
  I was restricting access to all other groups by uisng <url-pattern>*</url-pattern>. Any other security-constraints set-up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraints lists all directories or pages that every user can access. My next security-constraint then list resources that only my admins (adm_all) can acess. Any other security constraints then are set-up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint.

• How to add another secure url in web.xml?

  hello i want to secure my web application i have two kind of users i have users and admin.each of them has each certificat users have permission to enter /users and admin have permission to enter /admins/ but i want also users to enter another folder which is /otheruserplace how can i add this in my web.xml file here is my code
  http://pastebin.com/m3e13d3d9

  Just add another url-pattern.
  This has nothing to do with JSF however. More suitable place would have been the Servlets forum.

• Security in my web.xml in Tomcat 4

  Hello,
  I was using this application on Tomcat 3 and my web.xml worked perfectly well.
  However when I tried to start it on Tomcat 4 there is something wrong with the
  security part of my web.xml . If I leave out the security constraint for this application, it
  works. However if I make my application secure I am unable to view it in the browser.
  It does not try to connect to the login.jsp page for log in , but simply displays the message that the page is unavailable and that I have to refresh my browser. Please help me with that because I am stuck.
  Here is my web.xml :
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <!DOCTYPE web-app
  PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
  <web-app>
  <servlet>
  <servlet-name>UploadServlet</servlet-name>
  <servlet-class>UploadServlet</servlet-class>
  <init-param>
  <param-name>SaveDirectory</param-name>
  <param-value>C:\Homeworks\</param-value>
  </init-param>
  <init-param>
  <param-name>Proffesors</param-name>
  <param-value>Clayton,Douglass,Guruvado</param-value>
  </init-param>
  </servlet>
  <security-constraint>
  <display-name>Protected Homework Upload</display-name>
  <web-resource-collection>
  <web-resource-name>Protected Area</web-resource-name>
       <!-- Define the context-relative URL(s) to be protected -->
  <!--<url-pattern>/servlet/Upload</url-pattern>-->
       <url-pattern>/servlet/UploadServlet</url-pattern>
       <!-- If you list http methods, only those methods are protected -->
       <http-method>DELETE</http-method>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
       <http-method>PUT</http-method>
  </web-resource-collection>
  <auth-constraint>
  <!-- Anyone with one of the listed roles may access this area -->
  <role-name>student</role-name>
  <role-name>proffesor</role-name>
  </auth-constraint>
  </security-constraint>
  <login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Example Form-Based Authentication Area</realm-name>
  <form-login-config>
  <form-login-page>/login.jsp</form-login-page>
  <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
  </login-config>
  </web-app>
  Thank you very much for your time and advise. I appreciate it very much
  Martin

  hi,slice
  I donot really find exactly what is wrong in your config file. But I have some suggestions:
  1.Please use servlet URL mapping in "servlet" tag (for example: "/security/upload") instead of using default servlet URL(just like "/servlet/UploadServlet").
  2. In the "url-pattern" tag inside "web-resource-name" ,please using "/security/*", if you are using my suggestion above.
  3.Make sure that your "login.jsp" page is in the right place of the application's doc-root.
  Make a try and good luck!
  Wang Yu
  Developer Technical Support
  Sun Microsystems
  http://sun.com/developers/support

• Calling servlet with out entry in web.xml

  Hi
  I want to know whether can a servlet be invoked with out having an entry in web.xml.Because to my knowledge when ever an entry is made in teh web.xml the <url-pattern> and the class file will be stored as key value combination it is only then when ever a request is made the server gets the class taht is to be invoked from the <url-pattern> that is passed from the client side.
  Is ther any way by whihc we can call the servlet directly with out an entry in web.xml
  Thanks in advance
  Ajithkumar.S

  Interesting that it is possible on Tomcat anyway.
  What's the real benefit of not having a Servlet
  definied in web.xml?
  The only benefit I see is that
  you don't need to understand/read/change XML when
  adding or removing a servlet. That isn't worth that
  imho. What are the other benefits?The only thing I can think of is , to be able to quickly access a Servlet that you've just written, because it takes additional steps to define it in the web.xml.
  I think it would be a security concern (of some sort) , if the Servlet's class is known, that's why it is better to access a Servlet with a mapping from web.xml

• Query string in security constraint in web.xml

  Hi All
  I want to portect following URL in securit-constraint tag of web.xml
  /appmanager/website/portal?_nfpb=true&_pageLabel=myaccount
  but when i write :
  <security-constraint>
  <display-name>FormProtectedPages</display-name>
  <web-resource-collection>
  <web-resource-name>Constraint-0</web-resource-name>
  <url-pattern/appmanager/website/portal?_nfpb=true&_pageLabel=myaccount</url-pattern> //line 1
  </web-resource-collection>
  <auth-constraint>
       <role-name>MyRole</role-name>
  </auth-constraint>
  <user-data-constraint>
       <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
  </security-constraint>
  It gives me error in line 1 that
  "the reference to entity "_pagelabel" must end with ";" delimiter."
  What could be the reason for this. Cant i portect URLs of this kind in my web.xml?
  Any suggestions would be helpful.
  Thanks

  Shabd wrote:
  It gives me error in line 1 that
  "the reference to entity "_pagelabel" must end with ";" delimiter."
  What gives you an error?

• Trouble with war file contianing web.xml

  I have a problem with my ISP. I have to send a war file to upload my files. It includes my web.xml file, but it seems that it's ignored when i visit my site. Can somebody help me with this. When I run the web.xml file on my own computer it works fine.
  I create my war file at the moment with the command jar cvf name.war -C d:\directory .
  It also look like a good deploy of the site because everything gets into the right please.
  Tnx for the help already

  Well when I go to my site and I go into my small Content Management System I press a button and it should call on a page under de alias admintool. In my web.xml file it will redirect the request to the proper class file. This doesn't work. I also add a form-login-page option into my web.xml file. So that when I call on a page it should redirect to a login screen. But that doesn't work also. It doesn't redirect, it's goes straight to the page that should be secure.