Security Bug?? Accessing WEB-INF/web.xml from a URL

I can access http://localhost/NASApp/myApp/WEB-INF/web.xml (or any other
files in WEB-INF) from my browser! This can't be right. How do I turn this
off?
Hopefully, I can do this in the appserver, but if not, please tell me how to
do it in the webserver. I am using iWS 4.1 & iWS 6.0 on 2 different
machines.
Thanks,
Matt

This is known bug previously discussed in the following thread (search
in the newsgroup mcom.ias):
!!From - Fri Aug 31 08:12:02 2001
!!From: [email protected] (David Ogren)
!!Newsgroups: mcom.ias
!!Subject: Can someone cross-check this sp3 security concern
Matt Raible wrote:
I can access http://localhost/NASApp/myApp/WEB-INF/web.xml (or any other
files in WEB-INF) from my browser! This can't be right. How do I turn this
off?
Hopefully, I can do this in the appserver, but if not, please tell me how to
do it in the webserver. I am using iWS 4.1 & iWS 6.0 on 2 different
machines.
Thanks,
Matt

Similar Messages

Using security-constraint in web.xml; not recognizing url-pattern tag

I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
<?xml version = '1.0' encoding = 'windows-1252'?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<description>Empty web.xml file for Web Application</description>
<session-config>
<session-timeout>35</session-timeout>
</session-config>
<mime-mapping>
<extension>html</extension>
<mime-type>text/html</mime-type>
</mime-mapping>
<mime-mapping>
<extension>txt</extension>
<mime-type>text/plain</mime-type>
</mime-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>adm_full_access</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>adm_all</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>usr_access</web-resource-name>
<url-pattern>readData.jsp</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>usr_all</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>usr_all</role-name>
</security-role>
<security-role>
<role-name>adm_all</role-name>
</security-role>
</web-app>
When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
Thank you.

I was able to get this to work. By doing the following:
<security-constraint>
<web-resource-collection>
<web-resource-name>adm_full_access</web-resource-name>
<url-pattern>*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>adm_all</role-name>
</auth-constraint>
</security-constraint>
I was restricting access to all other groups by uisng <url-pattern>*</url-pattern>. Any other security-constraints set-up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraints lists all directories or pages that every user can access. My next security-constraint then list resources that only my admins (adm_all) can acess. Any other security constraints then are set-up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint.

Wrong security configuration in web.xml

Hi all
I am developing an application with JDeveloper 10.1.3.3 using ADF-BC/JSF. I have followed the example of SRDemo and my .jspx files are located in two folders : public_html/app and public_html/pricelist/
My application will have two user roles. The administrators who access everything and the users that need to access only the pages located in faces/app and get access denied mesages in all pricelist management pages.
I have used file based security and defined users and roles in jaz-data.xml. I have also verified that the data in that file are correct using the isUserInRole() function.
What I cannot get to work correctly is the security in the web.xml since the way I have it both users and admins are granted full access to the faces/app/pricelist pages.
The security constrains on my web.xml look like this :
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>PricelistData</web-resource-name>
            <description> Price list management pages</description>
            <url-pattern>faces/app/pricelist/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>UserData</web-resource-name>
            <url-pattern>faces/app/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>user</role-name>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>jazn.com</realm-name>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-role>
        <role-name>admin</role-name>
    </security-role>Can anyone tell me what am I doing wrong, or suggest anything else I should check ?
Thanassis

Well you're orion-application.xml file looks okay to me, and addition if the isUserInRole is returning proper values, it's hooked up correctly.
(By the way, a useful bean/free piece of code to do just what you're doing is the JSF-Security scope as written by Duncan Mills on Sourceforge)
As such I'd be looking at the security constraints URLs. You haven't by chance changed the url-pattern for the Faces Servlet? The default is this:
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>/faces/*</url-pattern>
</servlet-mapping>...and your url-patterns assumes it starts with faces. Note it is correct in your url-patten to not include a forward slash before faces in the security constraint.
Another thing that springs to mind, when you navigate to the protected page through your menu structure, what URL do you see in the browser? Is it the URL of the page you came from, or the URL of the page you navigated to ... and in addition ..... another thing to try is in your browser, rather than navigating through your menu structure, go straight to the URL of the page. Does the login page then show?
The reason I mention this is if you're using the default navigation style in JSF for JDev 10.1.3 (if memory serves me well, it's direct), the Servlet may not actually inforce your protected page navigation as the navigated-to page is never actually served by the Faces servlet to the JEE engine to enforce security. I think I had a b1tch about this issue in the following OTN Re: ER: JSF direct navigation ignores JAZN container based security. Could this be what you're hitting?
As such try changing the navigation type to redirect.
CM.

Problems invoking a secure 8.1 web service from a 6.1 client

I'm trying to invoke a secure 8.1 web service from a 6.1 client application and keep getting rejected with the following message:
Security Violation: User: '<anonymous>' has insufficient permission to access EJB:
In the 6.1 client, I've established a WebServiceProxy and set the userName and password to the proper values, but I can't seem to get past the security.
If there something special I need to do on either the 8.1 securing side or on the 6.1 accessing side to make this work?
Any help would be GREATLY appreciated.

Hi Paul,
This sound familiar, but I cannot at the moment locate a reference to
the issue. I would encourage you to seek the help of our super support
team [1].
Regards,
Bruce
[1]
http://support.bea.com
[email protected]
Paul Merrigan wrote:
>
I'm trying to invoke a secure 8.1 web service from a 6.1 client application and keep getting rejected with the following message:
Security Violation: User: '<anonymous>' has insufficient permission to access EJB:
In the 6.1 client, I've established a WebServiceProxy and set the userName and password to the proper values, but I can't seem to get past the security.
If there something special I need to do on either the 8.1 securing side or on the 6.1 accessing side to make this work?
Any help would be GREATLY appreciated.

Is there any way to prevent web.xml from any change ?

hi all,
we have a filter in web.xml. Now we want to prevent it from any change in future. I mean after making a war(EAR) no one can change the filter in web.xml. if he chaged it then he will not be able to re deploy the application.Right now it is in web.xml so one can easily change it and then he can redeploy the application.
Is there any way to prevent web.xml from any change after making EAR(WAR)?
One can easily make a change in web.xml and redeploy the application to get the result. Now we want to restrict the web.xml as java class for any change after making EAR(or WAR).
Could some one help me to do this?
thanks,
dinesh

I think you could use some third party software to lock the folder like FolderLock, just make sure others ppl cannot access your file should be fined.
This is my stupid solution only,cheers.

SJSC2u1 JSP accessing web.xml session-config session-timeout

What is the best way of accessing web.xml session-config session-timeout from JSP page ?
I wish to have this on the JSP page and also have it count down automatically.
I did this by creating a propery in the session bean and then used javascript to count it down.
Is there a better way ? Simpler Way ?
/Roger

What is the best way of accessing web.xml session-config session-timeout from JSP page ?
I wish to have this on the JSP page and also have it count down automatically.
I did this by creating a propery in the session bean and then used javascript to count it down.
Is there a better way ? Simpler Way ?
/Roger

Is there any way to prevent web.xml from any change like java class?

hi all,
Is there any way to prevent web.xml from any change after making EAR(WAR)?
One can easily make a change in web.xml and redeploy the application to get the result. Now we want to restrict the web.xml as java class for any change after making EAR(or WAR).
Could some one help me to do this?
thanks,
dinesh

hi,
Not at development level. We want it after deploying the application on server .
We want to create it (web.xml) at tomcat startup (or in any other web/app server ) before loading any context.
Is there any way to run a simple java class(not servlet) on tomcat startup(before initializing the contexts)?
Message was edited by:
DP_java
Message was edited by:
DP_java

Need api for changing security role in web.xml !!

My requirement is to change the value of the deployment descriptor "security-role" (in web.xml) through an api and inturn to persist the new value in web.xml. Also I need to know if this change is automatically redeployed or an explicit redeployment is needed ? In that case how do I redeploy using an api call ?
I found a lot of apis related to roles like createRole, removeRole etc.. But there are no apis to change the name of the role and inturn persist in web.xml.
Do I need to provide any more information ? Let me know
Thanks,
Karthick

why and when do you change security-role? try to use ant task (perhaph you need xpath also). itÂ´s the better when you perform task about lifeÂ´s cycle of application.
please, describe your problem.
of course in you change web.xml you must restart the application.

Can anybody tell how to access web service from Message Driven bean

Can anybody tell how to access web service from Message Driven bean

Can anybody tell how to access web service from Message Driven bean

Security Error in accessing Web service from Flex.Where to put crossdomain.xml in axis container?

Hi guys.
Typically webservices are invoked across domains. Flash has defined certain policies which prevent crossdomain access. The only way to bypass this security feature is to put a crossdomain.xml file within the server root of the webservice provider i.e. in our case at http://abc.com. A sample example of crossdomain.xml is as below:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
     <site-control permitted-cross-domain-policies="all" />
     <allow-access-from domain="*" secure="false"/>
     <allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>
If the crossdomain.xml is not added the developer will get “Security Error accessing URL” type of messages.
The above mentioned information should be enough for you to get your flex based WebService client up and running.
We are using axis2 to build webservices. We deployed the webservices under axis2 container under repository/srvices folder . But in Flex when we try to call the webservices we were getting the exception saying security error in accessing url. The solution is we need to put the crossdomain.xml o that it is loaded at runtime and allow us to access. In tomcat if we put the file under ROOT directory we could accss the file and we were able to access the webservices deployed under Tomcat. But I googled for Axis2 container and couldnt find any solution.
Please post the reply if anyone knows the solution to it.
Thanks
Raja

Hi. So, I did take a quick look at the Axis2 standalone server and didn't see any way to server up a file such as crossdomain.xml. It seems like it might be a useful enhancement to have the ability to serve up files even if this functionality was very simple/limited and nothing like a full blown http server.
I'd log an enhancement request against axis2 if this is something you'd like to have.
http://issues.apache.org/jira/browse/AXIS2
-Alex

Security constraint in web.xml

Hi All
I want to set a security contraint to verfity my system user, I know I need to put the following section into the tomcat created web.xml. But I dont know where is the web.xml on my Tomcat 4.1.24, because i found many web.xml files in different directory.
Q1) Sorry I know this is a silly question, but can u tell me which web.xml is the one I need to edit in order to set my the security constraint?
Q2) Instead of editing the created Tomcat web.xml, can I create my own web.xml and put it in <Tomcat_Homw>/webapps/ROOT/WEB-INF. This is just only for the security constraint towards my system.
Many many thanks
Kelvin
<security-constraint>
<web-resource-collection>
<web-resource-name>Administration</web-resource-name>
<url-pattern>/admin</url-pattern>
<url-pattern>/users</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login</form-login-page>
<form-error-page>/login-error</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>administrator</role-name>
</security-role>

you need to do it for every web-app... thats why there is one web.xml file for each! There is a thing in CATALINA_HOME/conf/server.xml that u can uncomment to enable 'single-logon' which means u cna log on once and be authenticated for every web-app...
root isn't a web-app i don't think... so therefore u can't restrict access to it (someone correct me if wrong)... I don't know what u mean by restricting access to your 'system'

Security in my web.xml in Tomcat 4

Hello,
I was using this application on Tomcat 3 and my web.xml worked perfectly well.
However when I tried to start it on Tomcat 4 there is something wrong with the
security part of my web.xml . If I leave out the security constraint for this application, it
works. However if I make my application secure I am unable to view it in the browser.
It does not try to connect to the login.jsp page for log in , but simply displays the message that the page is unavailable and that I have to refresh my browser. Please help me with that because I am stuck.
Here is my web.xml :
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<servlet>
<servlet-name>UploadServlet</servlet-name>
<servlet-class>UploadServlet</servlet-class>
<init-param>
<param-name>SaveDirectory</param-name>
<param-value>C:\Homeworks\</param-value>
</init-param>
<init-param>
<param-name>Proffesors</param-name>
<param-value>Clayton,Douglass,Guruvado</param-value>
</init-param>
</servlet>
<security-constraint>
<display-name>Protected Homework Upload</display-name>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
     

     <url-pattern>/servlet/UploadServlet</url-pattern>
     
     <http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
     <http-method>PUT</http-method>
</web-resource-collection>
<auth-constraint>

<role-name>student</role-name>
<role-name>proffesor</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>Example Form-Based Authentication Area</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
</web-app>
Thank you very much for your time and advise. I appreciate it very much
Martin

hi,slice
I donot really find exactly what is wrong in your config file. But I have some suggestions:
1.Please use servlet URL mapping in "servlet" tag (for example: "/security/upload") instead of using default servlet URL(just like "/servlet/UploadServlet").
2. In the "url-pattern" tag inside "web-resource-name" ,please using "/security/*", if you are using my suggestion above.
3.Make sure that your "login.jsp" page is in the right place of the application's doc-root.
Make a try and good luck!
Wang Yu
Developer Technical Support
Sun Microsystems
http://sun.com/developers/support

Security API on web.xml

hello i'm java junior programmer.
my file web.xml bind the follow tag
<security-constraint>
<web-resource-collection>
<web-resource-name>UIWebSecurity</web-resource-name>
<description></description>
<url-pattern>/</url-pattern>
<http-method>
GET</http-method>
<http-method>
POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>Utente Autenticato</description>
<role-name>UtenteAutenticato</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>OpenWAY</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
bat a i got a trouble .
after my login in login.html page ,the application required my ather log
thanks for help me

Please read the Servlet specification for details on how to specify url-patterns (see section 11.2). Your "index.*" is not a legal pattern. You can only end in "/*" or "*.foo". See Servlet spec.
If after fixing that you have more questions, please include the actual sequence of requests (and responses), preferably from a network snoop.

Security problem in Web xml??

Hi all,
1)I have webapplication , I want to use form authentication to security it , under my root test , I have login.html, and secure folder ( group of pages),
I have two tables in my sql server , they are users, and user_role, mean time I give every user role member.
2) in my conf/server
I have <Realm className="org.apache.catalina.realm.JDBCRealm" debug="99"
             driverName="com.microsoft.jdbc.sqlserver.SQLServerDriver"
          connectionURL="jdbc:microsoft:sqlserver://localhost:1433"
         connectionName="test" connectionPassword="1234"
              userTable="users" userNameCol="Name" userCredCol="user_pass"
          userRoleTable="user_roles" roleNameCol="role_name" />in my root test, I have web xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app
     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
<welcome-file-list>
        <welcome-file>Home.html</welcome-file>
</welcome-file-list>
<security-constraint>
          <web-resource-collection>
               <web-resource-name>SecurePages</web-resource-name>
               <description>Security constraint for resources in the secure directory</description>
               <url-pattern>/secure/*</url-pattern>
               <http-method>GET</http-method>
          </web-resource-collection>
           <auth-constraint>
                       <role-name>member</role-name>
                        </auth-constraint>
          <user-data-constraint>
               <description>SSL not required</description>
               <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
         <login-config>
              <auth-method>FORM</auth-method>
              <form-login-config>
                   <form-login-page>/Home.html</form-login-page>
                   <form-error-page>/ErrorLogin.jsp</form-error-page>
              </form-login-config>
         </login-config>
</web-app> if I take away the security <auth-constraint>
<role-name>member</role-name>
</auth-constraint> in my web xml the whole application work fine after login, jump from page to page, action to action. but if I add it , I only can go to one page , every time I click the link it jump back to login page .
What mistake I make??
Best regard.

Hi,
I'm assuming you invoking the JWS from JPD via a service control.
In this case, the serviceControl has setUsername and setPassword method which will allow you to specify the username and password
cheers
Raj

Security constraint in Web.xml of tomcat

Hi
I have a web-application running on tomcat . Inside the context folder i have several directories having some pre-defined configuration files . But the user is able to directly access them by typing the path including the fileName in the URL ( I have disabled the listings property however)
How can i prevent accessing the specific files .... I tried using
<security-constraint>
<display-name>Security constarint</display-name>
<web-resource-collection>
<web-resource-name>Java Application</web-resource-name>
<url-pattern>/folder/*</url-pattern>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</web-resource-collection>
<auth-constraint>
<role-name>tomcat</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>OnJava Application</realm-name>
</login-config>
This seems to be working fine , but when the user enters the wrong security info thrice , 401 error page is coming instead i want my custom page . Hence i configured an error page for 401 code which overwrited the earlier behavaiour ie.. that BASIC authentication popup is not coming
Can any one let me know how to go about this

Hi ,
I have tried adding the following into web.xml but the security feature just doesnt work and the user can go to any page without any restriction.
<security-constraint>
<web-resource-collection>
<web-resource-name>Declarative Security Test</web-resource-name>
<url-pattern>/SuperServlet</url-pattern>
<url-pattern>/*</url-pattern>
<http-method>post</http-method>
<http-method>get</http-method>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
<auth-constraint>
<role-name>guest</role-name>
<role-name>member</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>guest</role-name>
<role-name>member</role-name>
</security-role>
The roles mentioned above have been added correctly into tomcat-users.xml..The version of tomcat I am using is tomcat5.0.28.Please help.

Security Bug?? Accessing WEB-INF/web.xml from a URL

Similar Messages

Maybe you are looking for