security-constraints

Hi All,
<!-- Restrict direct access to JSPs.
         For the security constraint to work, the auth-constraint
         and login-config elements must be present -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>JSPs</web-resource-name>
            <url-pattern>/jsp/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Area</web-resource-name>
            <url-pattern>/User_input.action</url-pattern>
            <url-pattern>/User.action</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>admin</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>User Basic Authentication</realm-name>
    </login-config>
    <security-role>
        <role-name>admin</role-name>
    </security-role>
    <error-page>
        <error-code>403</error-code>
        <location>/403.html</location>
    </error-page>

Can anyone please confirm whether my understanding is correct or not?
In my first constraint no one can access my JSPs directly and in the second admin only can access the mentioned URL.
When the second URL is accessed by the admin user it will show the dialog box mentioning the BASIC authentication and also force the users to input the username and password.
My question is: the username and password are mentioned in the tomcat-user.xml file in the directory /conf/.
Is this the only way that I mention the username and password in the .xml file?
I also need to know: can I store the password based on the username?
-vignesh

"In my first constraint no one can access my JSPs directly and in the second admin only can access the mentioned URL."
Sounds good to me.
"Is this the only way that I mention the username and password in the .xml file?"
No it is not the only way. You can look them up from a database, use LDAP, or JAAS...
The relevant documentation for Tomcat is here
cheers,
evnafets

Similar Messages

  • Web service proxy and security constraint

    I've placed a security constraint on my web service and set the login-config auth-method as BASIC. When I run the Workshop test and the (Test View) browser begins to appear I am prompted for my username and password since it is protected --- great, it's working.
    Here's my problem: when I create the Java Proxy and try to access the web service using the proxy in another application I am never prompted for my username and password and thus the request fails. Any way to fix this so I can be prompted using the proxy?
    thanks in advance,
    Steve Touw

    Hi Shay Shmeltzer,
    Thanks for the reply.
    I tried in HTTP Analyzer in JDeveloper and there also it is not working. My concern is :-
    There are many other web services deployed on the same SOA server in the same partition and they are working fine in HTTP Analyzer and I am able to create and use the web service proxy as well. So as per my understanding there is nothing like network issues between the SOA server and JDeveloper.
    One more thing: when I am creating the proxy for this web service and requesting from the proxy's main method, SOA is getting proper input (which I am providing in the main method) and SOA is returning proper output; I have checked the SOA instance in em. So there is no problem on the SOA side. The problem is JDeveloper is not able to get back that response which SOA is returning.
    Please Help.
    -- NavinK

  • Using security-constraint in web.xml; not recognizing url-pattern tag

    I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
    <description>Empty web.xml file for Web Application</description>
    <session-config>
    <session-timeout>35</session-timeout>
    </session-config>
    <mime-mapping>
    <extension>html</extension>
    <mime-type>text/html</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>txt</extension>
    <mime-type>text/plain</mime-type>
    </mime-mapping>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adm_full_access</web-resource-name>
    <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>adm_all</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>usr_access</web-resource-name>
    <url-pattern>readData.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>usr_all</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>usr_all</role-name>
    </security-role>
    <security-role>
    <role-name>adm_all</role-name>
    </security-role>
    </web-app>
    When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
    Thank you.

    I was able to get this to work. By doing the following:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adm_full_access</web-resource-name>
    <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>adm_all</role-name>
    </auth-constraint>
    </security-constraint>
    I was restricting access to all other groups by using <url-pattern>*</url-pattern>. Any other security-constraints set up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraint lists all directories or pages that every user can access. My next security-constraint then lists resources that only my admins (adm_all) can access. Any other security constraints then are set up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint.

  • How to specify  a servlet mapping as the url pattern with in the security constraints

    Hi ,
    Weblogic 6.0 documentation says the following:-
    Define which resources in the Web Application the security constraint applies to using the <url-pattern> element that is nested inside the <web-resource-collection> element. The <url-pattern> can refer to either a directory, filename or a <servlet-mapping>.
    To apply the security constraint to the entire Web Application, use the following <url-pattern>:
    <url-pattern>/*</url-pattern>
    Could any one let me know how to specify servlet mapping as the url pattern.
    I tried various combination and it doesn't seem to work and any help in this regard will be greatly appreciated.
    Thanks
    kannan

    The answer is posted here:
    Unapproved User Flag in UME

  • url-pattern for extension mapping in security-constraint not working

    I'm trying to use extension mapping in a <security-constraint> configuration,
    According to:
    http://download.oracle.com/otn-pub/jcp/servlet-3_1-fr-eval-spec/servlet-3_1-final.pdf?AuthParam=1429824454_de04222eab1b8…
    Section 12.2:
    A string beginning with a ‘*.’ prefix is used as an extension mapping.
    But WebLogic does not take my configuration into consideration. If I use path mapping exact mapping it works.
    My configuration is:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Unsecured</web-resource-name>
            <url-pattern>*.wsdl</url-pattern>
            <url-pattern>*.xsd</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>HttpAuth</web-resource-name>
            <url-pattern>/ws/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ws-user</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>INTEGRAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>Test1</realm-name>
    </login-config>
    <security-role>
        <role-name>ws-user</role-name>
    </security-role>
    WebLogic Server 12c (12.1.3)
    Has anybody used extension mapping with security-constraint? Is that a WebLogic issue?

    Hi nikita,
    I have dealt with the same problem before. As you say, most JSF actions all get posted back to the original page, and the faces servlet internally redirects according to the navigation rules and actions. This can mean the URL seen by the browser does not always correspond to the actual JSP (wrapped by JSF) that produced the content.
    Generally adding the "<redirect/>" tag to all your navigation rules (in faces-config.xml) remedies this, so the actions are still posted back to the original page, but then the JSF servlet sends an http-redirect to the browser before invoking the new page. This way, the URL is always in sync, and the security constraints defined in your web descriptor always get invoked properly.
    regards,
    tony

  • [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints .

    Revision: 1720
    Author: [email protected]
    Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
    Log Message:
    Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
    QA: Yes
    Doc: No
    Details:
    Update to the TomcatLoginCommand to work correctly with NIO endpoints.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-304
    Modified Paths:
    blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java


  • Web.xml and security constraints

    Hi,
    I have several web services deployed. I only want to protect one of these web services.
    If I use "/services/*" in <security-constraint> of my web.xml file, all my deployed web services are protected.
    If I use "/services/aaaWebService" in <security-constraint> of my web.xml file, aaaWebService web service is NOT protected.
    Please let me know what I should use for the <url-pattern> to protect only aaaWebService.
    Thanks /dan

    What about "/services/aaaWebService*"?
    I think without an asterisk service parameters don't match your pattern.
    Vovencij

  • What is the use of security-constraint tag in web.xml

    What is the use of the following tag, and how to use that, and where to use that tag?
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>SecureOrderJSP</web-resource-name>
    <description>Protect the Order JSP Pages </description>
    <url-pattern>/order/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name></role-name>
    </auth-constraint>
    </security-constraint>

    Hi,
    You can refer this link
    http://www.whizlabs.com/tutorial/scwcd/j-scwcd-7-5.html
    give the complete description of your doubt
    Thanks,
    Snigdha Sivadas

  • RE: security-constraint in web.xml of sunone 6.1

    Hello again,
    Still url-pattern of security-constraint issue in web.xml of sunone 6.1 (SP5).
    I am pretty sure this pattern works fine in SunOne 6.0 and SunOne 6.1 SP2,
    <security-constraint>
    <url-pattern>/app/jws1/*.jsp</url-pattern>
    <url-pattern>/app/jws1/*.jnlp</url-pattern>
    </security-constraint>
    In SunOne 6.0 or SunOne 6.1 SP2, if I have not yet logged in and type in a url matching the above patterns in a browser, I will be asked for username and password. But in SunOne 6.1 SP5, I won't be asked for username and password.

    Unfortunately, that's not how <url-pattern> values work. They shouldn't have "worked" in 6.1 SP2. I'm pretty sure they didn't. 6.0 takes a more intuitive, but nonstandard, approach to <url-pattern> wildcards. That nonstandard behaviour was corrected in 6.1.
    The Java Servlet Specification 2.3 -- see http://www.jcp.org/aboutJava/communityprocess/final/jsr053/ -- defines the contents of the <url-pattern> as follows:
    - A string beginning with a '/' character and ending with a '/*' postfix is used for path mapping.
    - A string beginning with a '*.' prefix is used as an extension mapping.
    - A string containing only the '/' character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
    - All other strings are used for exact matches only.
    That means that /app/jws1/* will do what you might expect, as will *.jsp, but /app/jws1/*.jsp will only match the exact URI /app/jws1/*.jsp. /app/jws1/*.jsp will not match a URI such as /app/jws1/filename.jsp.
    If you can't construct appropriate authorization rules using <url-pattern>, you may wish to a) restructure your web app or b) use Web Server ACLs.
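The matching rules quoted in the reply above decide which constraint a container selects for a request, and the Servlet specification's combination rules decide what the selected constraint means. The following added example (not code from any poster on this page) evaluates constructed web.xml input built from the first post's two constraints and the `/app/jws1/*.jsp` pattern; the function names are illustrative, and the `*` role name and `transport-guarantee` are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the two constraints from the first post on this page
# plus the "/app/jws1/*.jsp" pattern from the SunONE thread (no XML namespace).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JSPs</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin Area</web-resource-name>
      <url-pattern>/User_input.action</url-pattern>
      <url-pattern>/User.action</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>JWS</web-resource-name>
      <url-pattern>/app/jws1/*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_kind(pattern):
    """Classify a url-pattern using the four rules of the Servlet specification."""
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    if pattern == "/":
        return "default"
    return "exact"      # includes "/app/jws1/*.jsp": the '*' is a literal here

def match_rank(pattern, path):
    """Rank of a match (higher wins: exact > longest path > extension > default)."""
    kind = pattern_kind(pattern)
    if kind == "exact":
        return (3, 0) if path == pattern else None
    if kind == "path":
        prefix = pattern[:-2]                       # "/jsp/*" -> "/jsp"
        hit = path == prefix or path.startswith(prefix + "/")
        return (2, len(prefix)) if hit else None
    if kind == "extension":
        last_segment = path.rsplit("/", 1)[-1]
        return (1, 0) if last_segment.endswith(pattern[1:]) else None
    return (0, 0)                                   # "/" is the fallback

def load_constraints(xml_text):
    """Flatten web.xml into (url_pattern, http_methods, roles) tuples.
    roles is None when there is no auth-constraint, set() when it is empty."""
    out = []
    for sc in ET.fromstring(xml_text).iter("security-constraint"):
        auth = sc.find("auth-constraint")
        roles = None
        if auth is not None:
            roles = {r.text.strip() for r in auth.iter("role-name") if r.text}
        for wrc in sc.iter("web-resource-collection"):
            methods = {m.text.strip().upper() for m in wrc.iter("http-method")}
            for pat in wrc.iter("url-pattern"):
                out.append((pat.text.strip(), methods, roles))
    return out

def decide(constraints, path, method, user_roles):
    """Return (decision, selected_pattern); user_roles is None if unauthenticated."""
    hits = [(match_rank(p, path), p, m, r) for p, m, r in constraints]
    hits = [h for h in hits if h[0] is not None]
    if not hits:
        return ("ALLOW", None)                      # no constraint selected
    best = max(h[0] for h in hits)
    pattern = next(p for rank, p, m, r in hits if rank == best)
    # Keep only constraints on the best pattern that cover this HTTP method;
    # an empty method set means every method is constrained.
    roles = [r for rank, p, m, r in hits
             if rank == best and (not m or method.upper() in m)]
    if not roles:
        return ("ALLOW", pattern)                   # method not constrained
    if any(r is not None and not r for r in roles):
        return ("DENY", pattern)                    # empty auth-constraint wins
    if any(r is None for r in roles):
        return ("ALLOW", pattern)                   # no auth-constraint at all
    allowed = set().union(*roles)
    if user_roles is None:
        return ("AUTHENTICATE", pattern)            # container challenges first
    return ("ALLOW" if allowed & user_roles else "DENY", pattern)

if __name__ == "__main__":
    rules = load_constraints(WEB_XML)
    for path, who in [("/jsp/home.jsp", {"admin"}), ("/User.action", None),
                      ("/User.action", {"admin"}),
                      ("/app/jws1/filename.jsp", None)]:
        print(path, who, decide(rules, path, "GET", who))
```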

  • Web.xml - security constraint question

    I want to make a kind of inverted security constraint. I want to ALLOW access to one specific page over HTTP. All other pages should be HTTPS.
    Is that possible???

    Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
    Bean code:
    this.isAdmin = context.getExternalContext().isUserInRole("admin");
    web.xml:
            <security-role>
              <role-name>Local Admin Group</role-name>
         </security-role>
         <security-role>
              <role-name>DBA Group</role-name>
         </security-role>
        <!-- Faces Servlet -->
        <servlet>
            <servlet-name>Faces Servlet</servlet-name>
            <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
            <security-role-ref>
                  <role-name>admin</role-name>
                  <role-link>DBA Group</role-link>
           </security-role-ref>
            <security-role-ref>
                  <role-name>admin</role-name>
                  <role-link>Local Admin Group</role-link>
           </security-role-ref>
        </servlet>

  • RBAC check fails Security Constraint Not Enforced

    I configured a simple WAR to only allow a specific role to be able to execute my Helloworld url. Now it appears that any valid user defined on the appserver can access the url. Shouldn't it be limited to the specific role I defined using the deploytool? It almost appears as if the security constraint is not being enforced. All of the users in the file realm are allowed to access it, instead of the role that's specified in the security constraints.
    I'm using Sun Java System Application Server Enterprise Edition 8.2 (build b25-fcs)
    web.xml
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.4" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name>Helloworld</display-name>
    <servlet>
    <display-name>HelloworldImpl</display-name>
    <servlet-name>HelloworldImpl</servlet-name>
    <servlet-class>com.boeing.mcc.trade.HelloworldImpl</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>HelloworldImpl</servlet-name>
    <url-pattern>/Helloworld</url-pattern>
    </servlet-mapping>
    <jsp-config/>
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WRCollection</web-resource-name>
    <url-pattern>/Helloworld/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>OPERATOR</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>file</realm-name>
    </login-config>
    <security-role>
    <role-name>ADMIN</role-name>
    </security-role>
    <security-role>
    <role-name>ANALYST</role-name>
    </security-role>
    <security-role>
    <role-name>OPERATOR</role-name>
    </security-role>
    </web-app>
    Message was edited by:
    weinhard

    Note: I used the deploytool to create/package the WAR.
    sun-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.1 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-1.dtd">
    <sun-web-app>
    <context-root>/hello</context-root>
    <security-role-mapping>
    <role-name>OPERATOR</role-name>
    <principal-name>user1</principal-name>
    <principal-name>user2</principal-name>
    <principal-name>user3</principal-name>
    </security-role-mapping>
    <security-role-mapping>
    <role-name>ANALYST</role-name>
    <principal-name>user4</principal-name>
    <principal-name>user2</principal-name>
    <principal-name>user3</principal-name>
    <principal-name>user5</principal-name>
    </security-role-mapping>
    <security-role-mapping>
    <role-name>ADMIN</role-name>
    <principal-name>user6</principal-name>
    </security-role-mapping>
    <servlet>
    <servlet-name>HelloworldImpl</servlet-name>
    <webservice-endpoint>
    <port-component-name>HelloworldIF</port-component-name>
    <endpoint-address-uri>Helloworld</endpoint-address-uri>
    </webservice-endpoint>
    </servlet>
    <session-config>
    <session-manager persistence-type="memory">
    <manager-properties/>
    <store-properties/>
    </session-manager>
    <session-properties/>
    <cookie-properties/>
    </session-config>
    <cache enabled="true" max-entries="4096" timeout-in-seconds="30">
    <default-helper/>
    </cache>
    <class-loader delegate="true"/>
    <jsp-config/>
    <parameter-encoding default-charset="UTF8"/>
    </sun-web-app>

  • Prevent viewing of source files - security-constraint

    I'm using JSF and Facelets and I'd like to restrict visibility of the .xhtml source files.
    Currently if a user types in the source file name index.xhtml instead of index.jsf in the url they get presented with the raw source file.
    I've got a blanket security constraint that requires authentication of all users and I've added a second constraint that denies access to .xhtml files.
    This doesn't work I imagine because the first constraint is allowing access to all pages.
    I'd appreciate some suggestions how I can stop users viewing the .xhtml files while requiring authentication for all pages.
    <security-constraint>
    <display-name>Secure Pages</display-name>
    <web-resource-collection>
    <web-resource-name>Secure Pages</web-resource-name>
    <description/>
    <url-pattern>/*</url-pattern>
    <http-method>..snip..</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description/>
    <role-name>User</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <display-name>Source Files</display-name>
    <web-resource-collection>
    <web-resource-name>XHTML Source</web-resource-name>
    <description/>
    <url-pattern>*.xhtml</url-pattern>
    <http-method>..snip..</http-method>
    </web-resource-collection>
    </security-constraint>
    -Gianni

    I don't think you can,
    the XHTML pages will always be saved to the browser, you can prevent caching, you can use some encoding to encrypt them and javascript to prevent right click - but it would still be possible to view source - but you can make it difficult.

  • Using a custom AuthorizationProvider with security-constraints on webApp?

    Hi,
    we have adapted the security from the medrec-example to build our own
    authorization-provider to fetch our users from an RDBMS. Mainly we want
    to secure a web-application using <security-constraint>'s:
    The MBean for the AuthorizationProvider gets properly deployed into
    <wl-home>/server/lib/mbeantypes
    and the log-messages show, that the user gets logged in and the groups
    for the user are properly resolved. However, when we access a resource
    in a web-app that is secured using:
    <security-constraint>
              <web-resource-collection>
                   <web-resource-name>SecureCollection</web-resource-name>
                   <description>
    These pages are only accessible by members of the dvr.
    </description>
                   <url-pattern>/htdocs/secure/*</url-pattern>
                   <http-method>DELETE</http-method>
                   <http-method>GET</http-method>
                   <http-method>POST</http-method>
                   <http-method>PUT</http-method>
              </web-resource-collection>
              <auth-constraint>
                   <description>These are the roles who have access</description>
                   <role-name>securegroup</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <description>
    This is how the user data must be transmitted
    </description>
                   <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    access to the resource is denied, although the user is in securegroup.
    Is there something else we need?! From the docs I understood, that in
    absence of a security-role-assignment in weblogic.xml, the server takes
    the rolename as principal, so our weblogic.xml is empty right now....
    Any ideas anybody?!
    Cheers
    stf

    As there is obviously no one else to answer this, I had to figure this
    out myself: The reason for this is the "REQUIRED"-Controlflag on the
    Default-AuthorizationProvider. The docs for the medrec-example forgot to
    say, that unless you have your users in both the Database and the
    internal LDAP-Server the Default-AuthorizationProvider, you are not
    granted access - changing the Flag to optional does the trick.
    By the way: Same holds true for the Compatibility-Security you can use
    to upgrade your old RDBMS-Realms from 6.1: Without the Control-Flag on
    the Default-AuthorizationProvider you can search endlessly for the
    reason you can't log in although your realm properly authenticates you....
    Stefan Frank wrote:
    Hi,
    we have adapted the security from the medrec-example to build our own
    authorization-provider to fetch our users from an RDBMS. Mainly we want
    to secure a web-application using <security-constraint>'s:
    The MBean for the AuthorizationProvider gets properly deployed into
    <wl-home>/server/lib/mbeantypes
    and the log-messages show, that the user gets logged in and the groups
    for the user are properly resolved. However, when we access a resource
    in a web-app that is secured using:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>SecureCollection</web-resource-name>
    <description>
    These pages are only accessible by members of the dvr.
    </description>
    <url-pattern>/htdocs/secure/*</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint>
    <description>These are the roles who have access</description>
    <role-name>securegroup</role-name>
    </auth-constraint>
    <user-data-constraint>
    <description>
    This is how the user data must be transmitted
    </description>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    access to the resource is denied, although the user is in securegroup.
    Is there something else we need?! From the docs I understood, that in
    absence of a security-role-assignment in weblogic.xml, the server takes
    the rolename as principal, so our weblogic.xml is empty right now....
    Any ideas anybody?!
    Cheers
    stf

  • Error deploying when web.xml contains similar security-constraint elements

    I am receiving an error when I include similar security constraints in my web.xml descriptor.  I actually have many security-constraint elements defined but I have narrowed it down to the following two that appear kind of similar which are causing the problem:
    <security-constraint>
    <web-resource-collection>
         <web-resource-name>ProcessesPosts</web-resource-name>
         <url-pattern>/processPost/*</url-pattern>
    </web-resource-collection>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
         <web-resource-name>Processes</web-resource-name>
         <url-pattern>/process/*</url-pattern>
    </web-resource-collection>
    </security-constraint>
    The error I receive is:
    #1#com.sap.engine.services.deploy.exceptions.ServerDeploymentException: Exception during generating components of sap.com/s25qoie_1_SAP application in servlet_jsp container.
         at com.sap.engine.services.deploy.server.application.DeploymentTransaction.makeComponents(DeploymentTransaction.java:512)
         at com.sap.engine.services.deploy.server.application.DeployUtilTransaction.commonBegin(DeployUtilTransaction.java:248)
         at com.sap.engine.services.deploy.server.application.DeploymentTransaction.begin(DeploymentTransaction.java:215)
         at com.sap.engine.services.deploy.server.application.ApplicationTransaction.makeAllPhasesOnOneServer(ApplicationTransaction.java:371)
         at com.sap.engine.services.deploy.server.application.ApplicationTransaction.makeAllPhases(ApplicationTransaction.java:405)
         at com.sap.engine.services.deploy.server.DeployServiceImpl.makeGlobalTransaction(DeployServiceImpl.java:2298)
         at com.sap.engine.services.deploy.server.DeployServiceImpl.deploy(DeployServiceImpl.java:286)
         at com.sap.engine.services.deploy.server.DeployServiceImplp4_Skel.dispatch(DeployServiceImplp4_Skel.java:2636)
         at com.sap.engine.services.rmi_p4.P4Message.process(P4Message.java:253)
         at com.sap.engine.services.rmi_p4.P4Message.execute(P4Message.java:109)
         at com.sap.engine.services.cross.fca.FCAConnectorImpl.executeRequest(FCAConnectorImpl.java:841)
         at com.sap.engine.services.rmi_p4.P4Message.process(P4Message.java:125)
         at com.sap.engine.services.cross.fca.MessageReader.run(MessageReader.java:59)
         at com.sap.engine.core.thread.execution.Executable.run(Executable.java:108)
         at com.sap.engine.core.thread.execution.CentralExecutor$SingleThread.run(CentralExecutor.java:168)
    Caused by: java.lang.IllegalArgumentException: Invalid prefix pattern in URLPatternList
         at javax.security.jacc.URLPatternSpec.setURLPatternArray(URLPatternSpec.java:329)
         at javax.security.jacc.URLPatternSpec.<init>(URLPatternSpec.java:106)
         at javax.security.jacc.WebResourcePermission.<init>(WebResourcePermission.java:188)
         at com.sap.engine.services.servlets_jsp.server.deploy.util.jacc.JACCRulesGenerator.generatePermissionsUnchecked(JACCRulesGenerator.java:311)
         at com.sap.engine.services.servlets_jsp.server.deploy.util.jacc.JACCRulesGenerator.generateAndAddPermissionsIntoPolicyConfiguration(JACCRulesGenerator.java:132)
         at com.sap.engine.services.servlets_jsp.server.deploy.util.jacc.SecurityConstraintParser.processAllSecurityConstraints(SecurityConstraintParser.java:151)
         at com.sap.engine.services.servlets_jsp.server.deploy.util.jacc.SecurityConstraintParser.createSecurityResourcesJACC(SecurityConstraintParser.java:57)
         at com.sap.engine.services.servlets_jsp.server.deploy.util.SecurityUtils.createSecurityResources(SecurityUtils.java:122)
         at com.sap.engine.services.servlets_jsp.server.deploy.DeployAction.initXmls(DeployAction.java:722)
         at com.sap.engine.services.servlets_jsp.server.deploy.DeployAction.deploy(DeployAction.java:276)
         at com.sap.engine.services.servlets_jsp.server.deploy.WebContainer.deploy(WebContainer.java:181)
         at com.sap.engine.services.deploy.server.application.DeploymentTransaction.makeComponents(DeploymentTransaction.java:506)
         ... 14 more
    Has anyone seen anything like this?  Have I defined something wrong in my web.xml?  The exact same web.xml file does work in several other application servers.

    Hi Jay,
    I am not aware of such document for the preview release.
    About the concrete problem: your investigation was detailed enough, so we managed to reproduce and fix it.
    Thanks and regards

  • Form based authentication problem - security constraint in web.xml

    Hi ,
    I have j_security_check in my login page
    <form name="loginForm" id="loginForm" method="post" action="j_security_check">
         <table id="login" align="center" cellspacing="0" cellpadding="0">
                   <tr>
                        <td class="label">Name</td>
                        <td class="value"><input id="j_username" name="j_username" value="" type="text" ></td>
                   </tr>
                   <tr>
                        <td class="label">Password</td>
                        <td class="value"><input name="j_password" type="password"></td>
                   </tr>               
                   <tr>
                        <td colspan="2" class="submit"><input type="submit" name="Submit" value="Log in >>"></td>
                   </tr>
         </table>
         </form>
    And my web.src consists the following
    <security-constraint>
              <web-resource-collection>
                   <web-resource-name>EP</web-resource-name>
                   <url-pattern>/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
    </web-resource-collection>
              <auth-constraint>
                   <role-name>EP</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    <login-config>
              <auth-method>EPULSE</auth-method>
              <realm-name>AuditManager</realm-name>
              <form-login-config>
                   <form-login-page>/login.jsp</form-login-page>
                   <form-error-page>/error.jsp</form-error-page>
              </form-login-config>
         </login-config>
    After I start the tomcat server I can go to the login page, however when I enter the username and password and press enter..
    http://localhost:8443/au/j_security_check ...
    Can you please advise me whether there is a problem in this?
    Manisha

    Please read the Servlet specification for details on how to specify url-patterns (see section 11.2). Your "index.*" is not a legal pattern. You can only end in "/*" or "*.foo". See Servlet spec.
    If after fixing that you have more questions, please include the actual sequence of requests (and responses), preferably from a network snoop.

  • Query string in security constraint in web.xml

    Hi All
    I want to protect the following URL in the security-constraint tag of web.xml
    /appmanager/website/portal?_nfpb=true&_pageLabel=myaccount
    but when I write:
    <security-constraint>
    <display-name>FormProtectedPages</display-name>
    <web-resource-collection>
    <web-resource-name>Constraint-0</web-resource-name>
    <url-pattern>/appmanager/website/portal?_nfpb=true&_pageLabel=myaccount</url-pattern> //line 1
    </web-resource-collection>
    <auth-constraint>
         <role-name>MyRole</role-name>
    </auth-constraint>
    <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    It gives me error in line 1 that
    "the reference to entity "_pagelabel" must end with ";" delimiter."
    What could be the reason for this? Can't I protect URLs of this kind in my web.xml?
    Any suggestions would be helpful.
    Thanks

    Shabd wrote:
    It gives me error in line 1 that
    "the reference to entity "_pagelabel" must end with ";" delimiter."
    What gives you an error?
