Setting security constraint for web App

Hi all!
I am new to BEA and I am trying to set up security constraints for my web application.
I want the user to be authenticated before he accesses any of the pages in the browser.
All I did was add the following entries to web.xml:
<security-constraint>
          <web-resource-collection>
               <web-resource-name>
                    webresources
               </web-resource-name>
               <url-pattern>
               </url-pattern>
          </web-resource-collection>           
          <login-config>          
               <auth-method>
               BASIC
               </auth-method>          
          </login-config>
     </security-constraint>
But no such thing is happening.
I know I am doing something wrong but don't know where exactly I am wrong.
Please guide me through the sequence of steps needed to accomplish what I want.
Thanks and Regards
Manohar

I guess you need to set the role that is allowed to log into your application.
Try this in web.xml:
     <security-constraint>
          <display-name>Whatever</display-name>
          <web-resource-collection>
               <web-resource-name>resource</web-resource-name>
               <description>Desc</description>
               <url-pattern>/*</url-pattern>
               <http-method>GET</http-method>
               <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
               <description>desc</description>
               <role-name>MyRole</role-name>
          </auth-constraint>
          <user-data-constraint>
               <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
     <login-config>
          <auth-method>BASIC</auth-method>
     </login-config>
     <security-role>
          <description>desc</description>
          <role-name>MyRole</role-name>
     </security-role>
and map the role with a group/user in weblogic.xml:
     <security-role-assignment>
          <role-name>MyRole</role-name>
          <principal-name>MyGroupOfUsers</principal-name>
     </security-role-assignment>
Hope this helps.
Xavi
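
A lint for the two web.xml files in this thread, as an added example that is not part of either post: it flags the nested login-config, empty url-pattern and missing auth-constraint in the first file, and in the second the http-method list (methods not listed stay unconstrained) and BASIC credentials sent without a CONFIDENTIAL transport guarantee. The function name, the finding codes and both constructed samples are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Finding codes are names chosen for this example, not container messages.
FINDINGS = {
    "login-config-nested": "login-config must be a child of web-app, not of security-constraint",
    "empty-url-pattern": "url-pattern is missing or empty; use /* to cover every page",
    "no-auth-constraint": "no auth-constraint, so no login is required for these resources",
    "http-method-list": "only the listed HTTP methods are constrained; others pass unchecked",
    "undeclared-role": "auth-constraint names a role with no matching security-role",
    "basic-without-tls": "BASIC sends the password base64-encoded; require CONFIDENTIAL",
}

def _local(tag):
    """Drop an XML namespace so DTD-based and schema-based descriptors both work."""
    return tag.rsplit("}", 1)[-1]

def _find(elem, name, deep=False):
    """Children (or, with deep=True, all descendants) of elem with the given tag."""
    pool = elem.iter() if deep else elem
    return [e for e in pool if e is not elem and _local(e.tag) == name]

def _texts(elems, name):
    """Stripped text of every <name> child of the given elements."""
    return [(c.text or "").strip() for e in elems for c in _find(e, name)]

def audit_web_xml(xml_text):
    """Return a list of (constraint_number, finding_code) for a web.xml document."""
    root = ET.fromstring(xml_text)
    declared = set(_texts(_find(root, "security-role"), "role-name"))
    auth_methods = set(_texts(_find(root, "login-config"), "auth-method"))
    out = []
    for n, sc in enumerate(_find(root, "security-constraint"), 1):
        collections = _find(sc, "web-resource-collection")
        auth = _find(sc, "auth-constraint")
        patterns = _texts(collections, "url-pattern")
        if _find(sc, "login-config", deep=True):
            out.append((n, "login-config-nested"))
        if not patterns or "" in patterns:
            out.append((n, "empty-url-pattern"))
        if not auth:
            out.append((n, "no-auth-constraint"))
        if _texts(collections, "http-method"):
            out.append((n, "http-method-list"))
        if any(r not in declared and r != "*" for r in _texts(auth, "role-name")):
            out.append((n, "undeclared-role"))
        guarantee = _texts(_find(sc, "user-data-constraint"), "transport-guarantee")
        if auth and "BASIC" in auth_methods and "CONFIDENTIAL" not in guarantee:
            out.append((n, "basic-without-tls"))
    return out

# Constructed samples: the two descriptors from this thread, wrapped in <web-app>.
FIRST_POST = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>webresources</web-resource-name>
    <url-pattern>
    </url-pattern>
  </web-resource-collection>
  <login-config><auth-method>BASIC</auth-method></login-config>
</security-constraint></web-app>"""

REPLY = """<web-app><security-constraint>
  <web-resource-collection>
    <web-resource-name>resource</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>MyRole</role-name></auth-constraint>
  <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
<security-role><role-name>MyRole</role-name></security-role></web-app>"""

if __name__ == "__main__":
    for name, doc in (("first post", FIRST_POST), ("reply", REPLY)):
        for n, code in audit_web_xml(doc):
            print(f"{name}: constraint {n}: {code}: {FINDINGS[code]}")
```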

Similar Messages

  • RE: security-constraint in web.xml of sunone 6.1

    Hello again,
    Still url-pattern of security-constraint issue in web.xml of sunone 6.1 (SP5).
    I am pretty sure this pattern works fine in SunOne 6.0 and SunOne 6.1 SP2,
    <security-constraint>
    <url-pattern>/app/jws1/*.jsp</url-pattern>
    <url-pattern>/app/jws1/*.jnlp</url-pattern>
    </security-constraint>
    In SunOne 6.0 or SunOne 6.1 SP2, if I have not yet logged in and type in a url matching the above patterns in a browser, I will be asked for username and password. But in SunOne 6.1 SP5, I won't be asked for username and password.

    Unfortunately, that's not how <url-pattern> values work. They shouldn't have "worked" in 6.1 SP2. I'm pretty sure they didn't. 6.0 takes a more intuitive, but nonstandard, approach to <url-pattern> wildcards. That nonstandard behaviour was corrected in 6.1.
    The Java Servlet Specification 2.3 -- see http://www.jcp.org/aboutJava/communityprocess/final/jsr053/ -- defines the contents of the <url-pattern> as follows:
    - A string beginning with a '/' character and ending with a '/*' postfix is used for path mapping.
    - A string beginning with a '*.' prefix is used as an extension mapping.
    - A string containing only the '/' character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.
    - All other strings are used for exact matches only.
    That means that /app/jws1/* will do what you might expect, as will *.jsp, but /app/jws1/*.jsp will only match the exact URI /app/jws1/*.jsp. /app/jws1/*.jsp will not match a URI such as /app/jws1/filename.jsp.
    If you can't construct appropriate authorization rules using <url-pattern>, you may wish to a) restructure your web app or b) use Web Server ACLs.
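
The four rules quoted above, as an added example (not code from the original reply or from any web server): a matcher that classifies a url-pattern and reports which request paths a set of patterns leaves uncovered. The function names and the sample request paths are assumptions of this example.

```python
def classify(pattern):
    """Return the Servlet 2.3 mapping kind for a url-pattern string."""
    if pattern == "/":
        return "default"
    if pattern.startswith("/") and pattern.endswith("/*"):
        return "path"
    if pattern.startswith("*."):
        return "extension"
    return "exact"


def matches(pattern, request_path):
    """True if the pattern covers the path (context path already removed)."""
    path = request_path.split("?", 1)[0]  # patterns are matched against the path only
    kind = classify(pattern)
    if kind == "path":
        prefix = pattern[:-2]  # "/app/jws1/*" -> "/app/jws1"
        return path == prefix or path.startswith(prefix + "/")
    if kind == "extension":
        last_segment = path.rsplit("/", 1)[-1]
        return "." in last_segment and last_segment.rsplit(".", 1)[1] == pattern[2:]
    if kind == "default":
        return True  # catches whatever no other mapping claimed
    return path == pattern  # exact match: any '*' here is a literal character


def literal_wildcards(patterns):
    """Patterns containing '*' that fall through to exact matching."""
    return [p for p in patterns if "*" in p and classify(p) == "exact"]


def uncovered(patterns, request_paths):
    """Request paths that none of the patterns match."""
    return [r for r in request_paths if not any(matches(p, r) for p in patterns)]


# Constructed sample: the two patterns from the question and some request paths.
QUESTION_PATTERNS = ["/app/jws1/*.jsp", "/app/jws1/*.jnlp"]
REQUESTS = ["/app/jws1/filename.jsp", "/app/jws1/start.jnlp", "/app/jws1/*.jsp"]

if __name__ == "__main__":
    print("treated as exact:", literal_wildcards(QUESTION_PATTERNS))
    print("left unprotected:", uncovered(QUESTION_PATTERNS, REQUESTS))
    print("left unprotected by /app/jws1/*:", uncovered(["/app/jws1/*"], REQUESTS))
```

Running `literal_wildcards` over every url-pattern in a descriptor before deployment catches constraints that a spec-compliant container will silently treat as exact matches.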

  • JavaHelp for web app?

    Hello,
    I'm trying to include JavaHelp for our web application.
    Has anyone used this tool or any other tool with javascript for displaying help for web apps?
    I tried to follow the browser demo that is in applet and comes with javahelp zip. It worked fine for me, but when tried to follow the same setting for the web application, I am getting this error.
    java.lang.NoClassDefFoundError: Could not initialize class com.inmedius.mentor.support.amecr.JavaHelpApplet
         at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
         at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source)
         at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
         at java.lang.reflect.Constructor.newInstance(Unknown Source)
         at java.lang.Class.newInstance0(Unknown Source)
         at java.lang.Class.newInstance(Unknown Source)
         at sun.applet.AppletPanel.createApplet(Unknown Source)
         at sun.plugin.AppletViewer.createApplet(Unknown Source)
         at sun.applet.AppletPanel.runLoader(Unknown Source)
         at sun.applet.AppletPanel.run(Unknown Source)
         at java.lang.Thread.run(Unknown Source)
    I know it cannot find the class, but I'm not sure how to configure it.
    I have the following call to applet:
    <Applet WIDTH = 26 HEIGHT = 26  codebase="http://tetra:80/AMECR" code = "com.inmedius.mentor.support.amecr.JavaHelpApplet.class" archive="AMECR.war">
         <PARAM NAME = HELPSETURL VALUE ="AMECR/GAPIHelp.hs">
         <PARAM NAME = HELPSETNAME VALUE ="GAPIHelp">
    </Applet>
    Also, since the applet approach is not that much favored, do you know of any other way to include this tool within web applications, or any other tool that would do the same thing?
    Any input is greatly appreciated.
    Thanks,

    Yes, as long as you conform to what the HelpSet specifies you can use Servlets / JSPs.

  • Problems with "save for web" app low quality messed up images

    Please help. I have never had a problem with the "save for web" application before (over three years). I am currently running A.I. CS3 on Windows Vista. In the past, whenever I saved anything this way the images were always clean. As of yesterday, everything I try to save through the save for web app comes out very low quality: all the vector has jagged edges, it is very low-res looking, and the file sizes are very small, half the size they normally would be. What did I do to change the settings, or better yet, how can I get it back to the way it was?

    Thank you for your help. I moved the folder but it still did not fix this problem. It is also not just the jpg option under the save for web app but all the settings, i.e. gif, png, etc. Also, the file sizes are much smaller: for example, I exported a design as a jpg with the quality setting about 6 and the file size was 374kb; when I exported the same design through the save for web app the file size was only 45 kb on the quality setting of 100. Furthermore, in the preview screen of "save for web" the original image as well as the optimized one both look messed up. The "save for web" app has always worked for me in the past, never a problem, and I use this app a lot so it is very important.

  • Custom module templates for Web Apps

    Just wanting to see if there's anyone out there who knows if the custom module templates from the September release are available for Web Apps?  I can't seem to get them to work.
    When placing {module_webapps,8168,a template=”/custom/wap-contract.tpl”} I get a "No Items Found" response. I would appreciate help as this would be very useful in building Web Apps and I can't find documentation on it
    Thanks

    They do work with Web Apps, I've been able to use it successfully. Here is the only documentation I can find on it so far:
    http://helpx.adobe.com/business-catalyst/partner/using-custom-templates-modules.html
    Curious though, when  you get "No items found" that means there are no web app items to show. So we don't really know if your custom template worked or not. If you can get some items to show up and they use the default layout, then we know something is wrong.
    Hope this helps,
    Chad Smith | http://bcgurus.com/Business-Catalyst-Templates for only $7

  • HT1920 I forgot my security answers for the App Store apps.

    I forgot my security answers for the App Store apps.
    How can I get my security answers back
    Thank you

    Welcome to the Apple Community.
    If you have forgotten the answers, contact Apple through iTunes Store Support

  • Set Disable or Expiry Date for web app item via Edit form

    I have a user that wants to delete a web app item from a secure zone edit form, but they are not the owner of that web app item.  All items in the web app were imported via a csv file and hence do not have a 'submitted by' user id assigned.
    Is it possible to Disable a web app item using a web app Edit form?  or alternatively, is it possible to set the Expiry Date of a web app item using a web app Edit form?
    Thanks
    Dave

    Sorry Brian, but I'm not sure that answers my question.
    Sure, I can create a single web app item for every single client of my customer, manually.
    Sure, I can create and 'allocate' that single web app item to each customer manually.
    I pray the customer doesn't have hundreds of clients. And I would have to teach my customer how to do this convoluted process for every new client.
    But the one thing this doesn't do is answer the question of updating the value of units held.
    It seems the order module remains the closest to what I am looking for in that it allows an equation, and is automatically customer specific.
    However, I am looking for a way to achieve a single daily update by the customer as to the value of the units held by each client. This can be done via the product module - update price. But this does not update existing orders. Existing orders are fixed at the price on the day. The customer wants to update the value once, in one place, and have that amend all existing 'orders' to reflect the new total value of units held by each individual client, and to have this show in each client's member area.
    If you can think of a way of doing this in webapps or via the order module, this is what I am looking for. Anyone?

  • Using security-constraint in web.xml; not recognizing url-pattern tag

    I am creating a very simple jsp application within JDeveloper 10.1.3.1. I have 2 jsp files...a readData.jsp and a maintainData.jsp. I would like to deploy this application to Oracle Application Server 10.1.2.2. I would like to use Oracle Internet Directory with Single Sign on enabled. The deployment to OAS works fine. For the security, I would like an administrator user to get to both pages...and a user to only be able to see the readData.jsp. I used the security constraints on the properties of the web.xml file within JDeveloper. Here is my web.xml file:
    <?xml version = '1.0' encoding = 'windows-1252'?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app>
    <description>Empty web.xml file for Web Application</description>
    <session-config>
    <session-timeout>35</session-timeout>
    </session-config>
    <mime-mapping>
    <extension>html</extension>
    <mime-type>text/html</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>txt</extension>
    <mime-type>text/plain</mime-type>
    </mime-mapping>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adm_full_access</web-resource-name>
    <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>adm_all</role-name>
    </auth-constraint>
    </security-constraint>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>usr_access</web-resource-name>
    <url-pattern>readData.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>usr_all</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>usr_all</role-name>
    </security-role>
    <security-role>
    <role-name>adm_all</role-name>
    </security-role>
    </web-app>
    When I deploy to OAS I added an OID account to the adm_all role...this works fine I can log on as that user and get to both jsps. But, when I add my user to the usr_all role within OAS I try to log on to the app...I then enter my SSO username and password and I get Access Denied errors from my browser when trying to access either page. I am confused about the <url-pattern> tag...is that relative to a directory within my deployment? Most of the examples I have seen use servlets...so I was wondering if I can even use the <url-pattern> tag to restrict/allow access to individual jsps? If someone could point me to some documentation on this set-up I would appreciate it!
    Thank you.

    I was able to get this to work. By doing the following:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>adm_full_access</web-resource-name>
    <url-pattern>*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>adm_all</role-name>
    </auth-constraint>
    </security-constraint>
    I was restricting access to all other groups by using <url-pattern>*</url-pattern>. Any other security-constraints set up after that will not work. So saying * requires usr_all will restrict ALL webpages to ONLY adm_all, regardless of what future constraints say. So, my first security-constraint lists all directories or pages that every user can access. My next security-constraint then lists resources that only my admins (adm_all) can access. Any other security constraints then are set up for each user role that I have...if adm_all should have access to these then the <role-name>adm_all</role-name> is added to each security constraint.

  • Security constraint in web.xml

    Hi All
    I want to set a security constraint to verify my system user. I know I need to put the following section into the Tomcat-created web.xml, but I don't know where the web.xml is on my Tomcat 4.1.24, because I found many web.xml files in different directories.
    Q1) Sorry, I know this is a silly question, but can you tell me which web.xml is the one I need to edit in order to set the security constraint?
    Q2) Instead of editing the created Tomcat web.xml, can I create my own web.xml and put it in <Tomcat_Home>/webapps/ROOT/WEB-INF? This is only for the security constraint on my system.
    Many many thanks
    Kelvin
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/admin</url-pattern>
    <url-pattern>/users</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>administrator</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login-error</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <role-name>administrator</role-name>
    </security-role>

    You need to do it for every web-app... that's why there is one web.xml file for each! There is a thing in CATALINA_HOME/conf/server.xml that you can uncomment to enable 'single-logon', which means you can log on once and be authenticated for every web-app...
    Root isn't a web-app, I don't think... so therefore you can't restrict access to it (someone correct me if wrong)... I don't know what you mean by restricting access to your 'system'.

  • Compiler Options for Web App

    I am working on a training course that deploys a web application to a web server of my choice. I have Tomcat setup and I also have used the embedded server in JDeveloper 10g. There are several exercises that I have partial code written. When I try to deploy the app to test one of the exercises I get compiler errors on other parts of the web app.
    Is there any way I can tell the compiler to only compile those things that have changed or still deploy with errors? I was able to get it to deploy by commenting out several pieces of code, but this is not my optimal solution.
    Thanks

    Yes, mod_plsql for Apache (the core of Oracle 9iAS) allows you to make PL/SQL calls from a browser environment and return HTML. The entire Oracle Portal product is written using this mechanism.
    Learning JSP from scratch, and learning how to manage security, database connections and record sets would be a daunting task. If you want to learn Java, great. It's my favorite web language. However, if you have PL/SQL experience and a need to get information to the web, use mod_plsql and generate dynamic content via PL/SQL and the database.
    good luck,
    rich

  • Login prompt appears for web app when sql db is not on same server as WebAp

    Hi,
    I am deploying a VS2005 web application on a server (which has CrystalReportViewer); let's call that server A. The database the Crystal reports access is on a different server, server B. In this scenario, when I run the web application and try to bring up the reports on the web page, I get a login prompt. Even if I provide valid login credentials (I have set up a user for this purpose), the behavior is erratic; for some reports the report is displayed and for others it errors out with an 'unknown error' message.
    If I put the sql db on the same server, it works fine.
    I use the crystal reports application to update the database source. When I do this, I use Ole db connection and set the 'integrated security' to true. But setting the integrated security to true does not bypass the login screen on the web app.
    My question is, how do I set up the report database parameters (connection string etc) so that the user of the web application does not have to go through the login screen when the web application and the sql db does not reside on the same server.
    Thanks.

    That sounds like a [Double-Hop|http://blogs.msdn.com/knowledgecast/archive/2007/01/31/the-double-hop-problem.aspx] issue.
    You'd install and configure Kerberos to hop over the credentials - see post: SQL Server 2005 integrated security.
    Sincerely,
    Ted Ueda

  • Default auth method for web app

    Hi,
    I have a web app whose web.xml defines the security-constraint and the roles in auth-constraint, but it doesn't have login-config. In this case, what's the auth method? How can the user authenticate? My app is actually a web service; how does the client pass the user/password? Thanks

    Hi
    If you haven't figured it out yet, you should look at Web Service Security: [WSIT Tutorial|http://java.sun.com/webservices/reference/tutorials/wsit/doc/WSITTutorial.pdf]. If you work with NetBeans and GlassFish, it is very easy to set up users and authenticate with web services.

  • Form based authentication problem - security constraint in web.xml

    Hi ,
    I have j_security_check in my login page
    <form name="loginForm" id="loginForm" method="post" action="j_security_check">
         <table id="login" align="center" cellspacing="0" cellpadding="0">
                   <tr>
                        <td class="label">Name</td>
                        <td class="value"><input id="j_username" name="j_username" value="" type="text" ></td>
                   </tr>
                   <tr>
                        <td class="label">Password</td>
                        <td class="value"><input name="j_password" type="password"></td>
                   </tr>               
                   <tr>
                        <td colspan="2" class="submit"><input type="submit" name="Submit" value="Log in >>"></td>
                   </tr>
         </table>
         </form>
    And my web.src consists the following
    <security-constraint>
              <web-resource-collection>
                   <web-resource-name>EP</web-resource-name>
                   <url-pattern>/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
    </web-resource-collection>
              <auth-constraint>
                   <role-name>EP</role-name>
              </auth-constraint>
              <user-data-constraint>
                   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
              </user-data-constraint>
         </security-constraint>
    <login-config>
              <auth-method>EPULSE</auth-method>
              <realm-name>AuditManager</realm-name>
              <form-login-config>
                   <form-login-page>/login.jsp</form-login-page>
                   <form-error-page>/error.jsp</form-error-page>
              </form-login-config>
         </login-config>
    After I start the tomcat server I can go to the login page, however when I enter the username and password and press enter..
    http://localhost:8443/au/j_security_check ...
    Can you please advise me whether there is a problem in this?
    Manisha

    Please read the Servlet specification for details on how to specify url-patterns (see section 11.2). Your "index.*" is not a legal pattern. You can only end in "/*" or "*.foo". See Servlet spec.
    If after fixing that you have more questions, please include the actual sequence of requests (and responses), preferably from a network snoop.

  • Query string in security constraint in web.xml

    Hi All
    I want to protect the following URL in the security-constraint tag of web.xml:
    /appmanager/website/portal?_nfpb=true&_pageLabel=myaccount
    but when I write:
    <security-constraint>
    <display-name>FormProtectedPages</display-name>
    <web-resource-collection>
    <web-resource-name>Constraint-0</web-resource-name>
    <url-pattern>/appmanager/website/portal?_nfpb=true&_pageLabel=myaccount</url-pattern> //line 1
    </web-resource-collection>
    <auth-constraint>
         <role-name>MyRole</role-name>
    </auth-constraint>
    <user-data-constraint>
         <transport-guarantee>NONE</transport-guarantee>
         </user-data-constraint>
    </security-constraint>
    It gives me error in line 1 that
    "the reference to entity "_pagelabel" must end with ";" delimiter."
    What could be the reason for this? Can't I protect URLs of this kind in my web.xml?
    Any suggestions would be helpful.
    Thanks

    Shabd wrote:
    It gives me error in line 1 that
    "the reference to entity "_pagelabel" must end with ";" delimiter."
    What gives you an error?

  • Security constraint in Web.xml of tomcat

    Hi
    I have a web application running on Tomcat. Inside the context folder I have several directories holding some pre-defined configuration files. But the user is able to access them directly by typing the path, including the file name, in the URL (I have disabled the listings property, however).
    How can I prevent access to the specific files? I tried using
    <security-constraint>
    <display-name>Security constarint</display-name>
    <web-resource-collection>
    <web-resource-name>Java Application</web-resource-name>
    <url-pattern>/folder/*</url-pattern>
    <auth-constraint>
    <role-name>tomcat</role-name>
    </auth-constraint>
    </web-resource-collection>
    <auth-constraint>
    <role-name>tomcat</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>OnJava Application</realm-name>
    </login-config>
    This seems to be working fine, but when the user enters the wrong security info thrice, the 401 error page comes up; instead I want my custom page. Hence I configured an error page for the 401 code, which overwrote the earlier behaviour, i.e. the BASIC authentication popup no longer appears.
    Can anyone let me know how to go about this?

    Hi ,
    I have tried adding the following to web.xml but the security feature just doesn't work and the user can go to any page without any restriction.
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Declarative Security Test</web-resource-name>
    <url-pattern>/SuperServlet</url-pattern>
    <url-pattern>/*</url-pattern>
    <http-method>post</http-method>
    <http-method>get</http-method>
    </web-resource-collection>
    <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
    <auth-constraint>
    <role-name>guest</role-name>
    <role-name>member</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
    <role-name>guest</role-name>
    <role-name>member</role-name>
    </security-role>
    The roles mentioned above have been added correctly to tomcat-users.xml. The version of Tomcat I am using is Tomcat 5.0.28. Please help.
