Tomcat security constraint question

Hi all,
we're using the following security constraint for securing our servlets. Everything works fine so far.
<security-constraint>
<web-resource-collection>
<web-resource-name>Test</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
</security-constraint>
Now the question: We've implemented some kind of password reminder which allows you to retrieve a new password; this servlet should be accessible by anybody.
Do we have to list all the url-mappings except the one for the password reminder, or is there a special tag to exclude a url-pattern from the wildcard rule which we haven't found yet? Any hints would be appreciated...
Regards, Florian
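An added example, not the original poster's web.xml, showing the usual way to open up one servlet under a `/*` constraint. The Servlet specification makes the container apply the constraint whose url-pattern best matches the request, so an exact pattern wins over the `/*` prefix pattern; and a security-constraint that has no `<auth-constraint>` element at all grants access to everyone (unlike an empty `<auth-constraint/>`, which denies everyone). The posted constraint has no `<auth-constraint>` either, so on its own it does not actually require authentication; the example adds one. The servlet path `/passwordReminder`, the role name `user` and the login pages are assumed placeholders.

```xml
<!-- Added example; not the poster's file.
     Assumed names: /passwordReminder, role "user", /login.jsp, /loginError.jsp. -->

<!-- 1. Everything requires an authenticated user in role "user". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<!-- 2. The password reminder. The exact pattern is a better match than /*,
     so this constraint is the one applied to that URL, and because it has
     no <auth-constraint> element at all, anyone may access it.
     (An empty <auth-constraint/> would mean the opposite: nobody may.) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Password reminder</web-resource-name>
    <url-pattern>/passwordReminder</url-pattern>
  </web-resource-collection>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>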

Using: Tomcat 5.5.20 on Windows Server 2003
Couple Questions:
1. How do I prevent users from entering a double quote in the INPUT field on the server side?
Use JavaScript.
Also, is it possible to replace the double quote with a single quote on the server side? If yes, how? I don't want to use JavaScript because it can be disabled.
Yes:
yourVarString.replaceAll("\"","\'");
2. Where is the best place to ask Tomcat questions?
http://tomcat.apache.org/findhelp.html
I had some question on security-constraint. I have a folder that has security-constraint on it, so when that folder is accessed Tomcat asks for credentials. Once the user provides the proper username and password, it grants them access. Now I want to know: once access is granted, how come it doesn't display index.jsp from that folder? It displays an image. I don't understand why?
Please help....

I have encountered that also on Tomcat 3 installed on a Linux machine. The account that was being used to start Tomcat was root. The resolution was that the owner account of Tomcat starts the server, and it worked! Hope that gives you an idea.

Similar Messages

  • Web.xml - security constraint question

    I want to make a kind of inverted security constraint. I want to ALLOW access to one specific page over HTTP. All other pages should be HTTPS.
    Is that possible???

    Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
    Bean code:
    this.isAdmin = context.getExternalContext().isUserInRole("admin");
    web.xml:
    <security-role>
        <role-name>Local Admin Group</role-name>
    </security-role>
    <security-role>
        <role-name>DBA Group</role-name>
    </security-role>
    <!-- Faces Servlet -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <security-role-ref>
            <role-name>admin</role-name>
            <role-link>DBA Group</role-link>
        </security-role-ref>
        <security-role-ref>
            <role-name>admin</role-name>
            <role-link>Local Admin Group</role-link>
        </security-role-ref>
    </servlet>

  • A security-constraint question - Hopefully to get answered.

    I have a security-constraint that protects URLs with pattern "/test/*". Now, the login page is defined as /login.jsp.
    Now if i directly access the url say "/test/1.jsp" , I am redirected to /login.jsp.
    Now, what i want is to find out what was the originally requested URL on the login jsp. In other words, I want to put a S.O.P statement in login.jsp that the originally requested URI was /test/1.jsp .
    I tried searching Java sites and stuff nothing has come up. None of the request object's methods allude to it also.
    Thanks for your help
    Nikhil

    You can use the HTTP referrer header for this.
    String referrer = request.getHeader("referer"); // Yes, with the legendary misspelling in it.
    Only keep in mind that the client has full control over what it sends with the request, so it could also spoof the referrer value. But if you only use this to redirect back to the desired page after login, those users (hackers) won't benefit from it.

  • Security constraint in Web.xml of tomcat

    Hi
    I have a web-application running on tomcat . Inside the context folder i have several directories having some pre-defined configuration files . But the user is able to directly access them by typing the path including the fileName in the URL ( I have disabled the listings property however)
    How can i prevent accessing the specific files .... I tried using
    <security-constraint>
        <display-name>Security constarint</display-name>
        <web-resource-collection>
            <web-resource-name>Java Application</web-resource-name>
            <url-pattern>/folder/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>tomcat</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>OnJava Application</realm-name>
    </login-config>
    This seems to be working fine, but when the user enters the wrong security info three times, a 401 error page is coming; instead I want my custom page. Hence I configured an error page for the 401 code, which overrode the earlier behaviour, i.e. the BASIC authentication popup is not coming.
    Can any one let me know how to go about this

    Hi ,
    I have tried adding the following into web.xml but the security feature just doesn't work and the user can go to any page without any restriction.
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Declarative Security Test</web-resource-name>
            <url-pattern>/SuperServlet</url-pattern>
            <url-pattern>/*</url-pattern>
            <http-method>post</http-method>
            <http-method>get</http-method>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
        <auth-constraint>
            <role-name>guest</role-name>
            <role-name>member</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>
    <security-role>
        <role-name>guest</role-name>
        <role-name>member</role-name>
    </security-role>
    The roles mentioned above have been added correctly into tomcat-users.xml. The version of Tomcat I am using is 5.0.28. Please help.
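An added, corrected version of that web.xml (not an answer from the thread, and not the poster's file). Two things in the posted fragment leave requests unprotected: `<http-method>` values are case-sensitive HTTP method names, so `post` and `get` never match a real POST or GET, and a request whose method is not listed in the collection falls outside the constraint entirely; and a `<security-role>` element holds exactly one `<role-name>`. The version below leaves the method list out, so every HTTP method is covered (the safer default), and declares the two roles separately. Role names and patterns are the poster's; the realm-name is assumed.

```xml
<!-- Added corrected example; role names and patterns from the post, realm-name assumed. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Declarative Security Test</web-resource-name>
    <!-- /* already covers /SuperServlet; keeping both is harmless -->
    <url-pattern>/SuperServlet</url-pattern>
    <url-pattern>/*</url-pattern>
    <!-- No <http-method> elements: the constraint then covers every method.
         If methods are listed they must be upper case (GET, POST), and any
         method that is not listed is left unprotected. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>guest</role-name>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Declarative Security Test</realm-name>
</login-config>

<!-- One <security-role> element per role -->
<security-role>
  <role-name>guest</role-name>
</security-role>
<security-role>
  <role-name>member</role-name>
</security-role>
```

A quick self-check after deploying: an unauthenticated GET of any page should come back as a 401 with a WWW-Authenticate header and no page content, and the same request over plain HTTP should be redirected to HTTPS because of the CONFIDENTIAL transport guarantee.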

  • Form based authentication problem - security constraint in web.xml

    Hi ,
    I have j_security_check in my login page
    <form name="loginForm" id="loginForm" method="post" action="j_security_check">
        <table id="login" align="center" cellspacing="0" cellpadding="0">
            <tr>
                <td class="label">Name</td>
                <td class="value"><input id="j_username" name="j_username" value="" type="text"></td>
            </tr>
            <tr>
                <td class="label">Password</td>
                <td class="value"><input name="j_password" type="password"></td>
            </tr>
            <tr>
                <td colspan="2" class="submit"><input type="submit" name="Submit" value="Log in >>"></td>
            </tr>
        </table>
    </form>
    And my web.src consists the following
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>EP</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>EP</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>EPULSE</auth-method>
        <realm-name>AuditManager</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    After I start the tomcat server I can go to the login page, however when I enter the username and password and press enter..
    http://localhost:8443/au/j_security_check ...
    Can you please advise me whether there is a problem in this?
    Manisha

    Please read the Servlet specification for details on how to specify url-patterns (see section 11.2). Your "index.*" is not a legal pattern. You can only end in "/*" or "*.foo". See Servlet spec.
    If after fixing that you have more questions, please include the actual sequence of requests (and responses), preferably from a network snoop.

  • Security constraint in web.xml

    Hi All
    I want to set a security constraint to verify my system user. I know I need to put the following section into the Tomcat-created web.xml, but I don't know where the web.xml is on my Tomcat 4.1.24, because I found many web.xml files in different directories.
    Q1) Sorry, I know this is a silly question, but can you tell me which web.xml is the one I need to edit in order to set my security constraint?
    Q2) Instead of editing the created Tomcat web.xml, can I create my own web.xml and put it in <Tomcat_Home>/webapps/ROOT/WEB-INF? This is only for the security constraint towards my system.
    Many many thanks
    Kelvin
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>Administration</web-resource-name>
    <url-pattern>/admin</url-pattern>
    <url-pattern>/users</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>administrator</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
    <form-login-page>/login</form-login-page>
    <form-error-page>/login-error</form-error-page>
    </form-login-config>
    </login-config>
    <security-role>
    <role-name>administrator</role-name>
    </security-role>

    You need to do it for every web-app... that's why there is one web.xml file for each! There is a thing in CATALINA_HOME/conf/server.xml that you can uncomment to enable 'single-logon', which means you can log on once and be authenticated for every web-app...
    root isn't a web-app, I don't think... so therefore you can't restrict access to it (someone correct me if wrong)... I don't know what you mean by restricting access to your 'system'.

  • security-constraints

    Hi All,
    <!-- Restrict direct access to JSPs.
             For the security constraint to work, the auth-constraint
             and login-config elements must be present -->
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>JSPs</web-resource-name>
                <url-pattern>/jsp/*</url-pattern>
            </web-resource-collection>
            <auth-constraint/>
        </security-constraint>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>Admin Area</web-resource-name>
                <url-pattern>/User_input.action</url-pattern>
                <url-pattern>/User.action</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>admin</role-name>
            </auth-constraint>
        </security-constraint>
        <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>User Basic Authentication</realm-name>
        </login-config>
        <security-role>
            <role-name>admin</role-name>
        </security-role>
        <error-page>
            <error-code>403</error-code>
            <location>/403.html</location>
        </error-page>Can any one please confirm my understanding is correct or not?
    In my first constratint no one access my directly and in the second admin only can access the mentioned URL.
    When the second URL accessed by admin user it will shows the dialog box mentioning the BASIC authentication and also force the users to input the username and password.
    My question is, The username and password are mentioned in tomcat-user.xml file in the directory /conf/.
    Is this the only way that i mention the username and password in the .xml file?
    I also need to know that can i store the password based on the username?
    -vignesh

    "In my first constraint no one can access my JSPs directly and in the second only admin can access the mentioned URL."
    Sounds good to me.
    "Is this the only way that I mention the username and password in the .xml file?"
    No, it is not the only way. You can look them up from a database, use LDAP, or JAAS...
    The relevant documentation for Tomcat is here
    cheers,
    evnafets

  • [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.

    Revision: 1720
    Author: [email protected]
    Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
    Log Message:
    Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
    QA: Yes
    Doc: No
    Details:
    Update to the TomcatLoginCommand to work correctly with NIO endpoints.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-304
    Modified Paths:
    blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java

  • [svn] 1053: Basic and custom security-constraint samples were added to the team app mainly for the doc team to have a reference.

    Revision: 1053
    Author: [email protected]
    Date: 2008-04-01 11:35:28 -0700 (Tue, 01 Apr 2008)
    Log Message:
    Basic and custom security-constraint samples were added to the team app mainly for the doc team to have a reference. The custom authentication sample uses the new ChannelSet.login and ChannelSet.logout methods.
    Modified Paths:
    blazeds/branches/3.0.x/apps/team/WEB-INF/flex/remoting-config.xml
    blazeds/branches/3.0.x/apps/team/WEB-INF/flex/services-config.xml
    Added Paths:
    blazeds/branches/3.0.x/apps/team/features/security-constraints/
    blazeds/branches/3.0.x/apps/team/features/security-constraints/README.txt
    blazeds/branches/3.0.x/apps/team/features/security-constraints/securityConstraint_Basic.mxml
    blazeds/branches/3.0.x/apps/team/features/security-constraints/securityConstraint_Custom.mxml
    Removed Paths:
    blazeds/branches/3.0.x/apps/team/features/remoting/remoting_AMF_SecurityConstraint_Basic.mxml

  • Enforcing security constraints when forward is used

    Hi,
    I am using Tomcat 4.0.1, and I have specified security constraints in my web.xml. I find that when I try to forward to secure resource, I am able to do so without having to evaluate security constraints. If I request the secure resource directly, I do have to evaluate the security constraints.
    Is this normal? I would expect that the security constraints should always be evaluated by the web container.
    Thanks in advance,
    Steve

    Yes, its normal.
    In fact, its an important capability to force people thru a "front door" and prevent direct access to protected resources (Model 2?).

  • Flex, FDS, Tomcat, security issues

    Ok, I'm running FDS on Tomcat. I have BASIC security in
    place. In my POJO I can access
    FlexContext.getFlexSession().getUserPrincipal().getName()
    no problem. But,
    FlexContext.getFlexSession().isUserInRole()
    is failing! I can't determine the role of the user in Java
    code in a RO call.
    Since
    FlexContext.getFlexSession().getUserPrincipal().getName() does
    work, I am assuming the proper session id is being sent to the
    server side from the Flex UI.
    Note that I can drop a test JSP page in and can see the roles
    via request.isUserInRole().
    Any ideas?
    DK

    I also have problems using security with destination. I
    secured the /messagebroker/* url in the web.xml with basic
    authentication. When I access a DataService destination, I get a
    popup for credentials.
    After the user is authenticated, I get an 'unhandled failure
    on server' message on the client. After enabling all logging on the
    server, I finally figured out the problem is caused by a
    NullPointerException in Flex's LoginManager.checkRoles() method.
    When I put security constraints in the
    data-management-config.xml, the error occurs directly. My Assembler
    is not used.
    If I remove the security constraints from the
    data-management-config.xml and put this code in my Assembler class
    FlexSession fs = FlexContext.getFlexSession();
    Principal p = fs.getUserPrincipal();
    boolean inRole = fs.isUserInRole("role1");
    .. I see the FlexSession is retrieved successfully. The
    principal can also be retrieved. But the check if the user is in a
    role also caused a NullPointerException in
    LoginManager.checkRoles()
    I tried this on both Tomcat 5.5 and JBoss 4.0.5 GA and have
    the same problem on both servers.
    What is the cause and how to fix it ?
    I need a solution fast !

  • JSF - Tomcat security...what is the best choice for a high activity site

    JSF - Tomcat security...what is the best choice for a high activity site
    The JDBCRealm is not multithreaded so what are options for high activity site??
    I would like to have Apache as front end doing load balancing, Tomcat as server and JSF.
    All ideals and suggestions please.
    Thanks
    Phil

    One more question.
    Since Tomcat has this setup.
    create table users (
      user_name varchar(15) not null primary key,
      user_pass varchar(15) not null
    );
    create table user_roles (
      user_name varchar(15) not null,
      role_name varchar(15) not null,
      primary key (user_name, role_name)
    );
    It seems like a huge pain to keep a user with every role. What happens when you have 500,000 users???
    Also, the authentications on every page....would it be easier to login once and setup a session bean check that on with the page header ??
    Thanks
    Phil
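An added server.xml fragment, not from the thread, covering the two points Phil's questions raise. JDBCRealm works through one shared JDBC connection, which is why it serializes lookups; DataSourceRealm borrows connections from a pooled JNDI DataSource instead. The realm's `digest` attribute makes Tomcat hash the submitted password and compare the hex digest with the stored credential column, so the `user_pass` column holds digests rather than cleartext. The table and column names are the ones from the posted schema; the JNDI name `jdbc/authority`, the MySQL driver and URL, the account and the pool sizes are assumed placeholders.

```xml
<!-- Added example; not from the thread. Assumed: JNDI name jdbc/authority,
     MySQL driver/URL, account, pool sizes. Table and column names from Phil's schema. -->

<!-- In <GlobalNamingResources>: a pooled DataSource the realm borrows connections from -->
<Resource name="jdbc/authority" auth="Container"
          type="javax.sql.DataSource"
          driverClassName="com.mysql.jdbc.Driver"
          url="jdbc:mysql://localhost:3306/authority"
          username="tomcat_auth" password="CHANGE-ME"
          maxActive="20" maxIdle="5" maxWait="10000"/>

<!-- In <Engine>, <Host> or the Context: DataSourceRealm in place of JDBCRealm.
     digest="SHA": the password typed by the user is hashed and the hex digest
     is compared with user_pass, so only digests are stored in the table.
     user_pass must then be wide enough for a hex SHA-1 digest (40 characters);
     the varchar(15) column from the posted schema is not. -->
<Realm className="org.apache.catalina.realm.DataSourceRealm"
       dataSourceName="jdbc/authority"
       userTable="users" userNameCol="user_name" userCredCol="user_pass"
       userRoleTable="user_roles" roleNameCol="role_name"
       digest="SHA"/>
```

The digest to store for each user is produced with the RealmBase command-line utility described in Tomcat's Realm HOW-TO, using the same algorithm name as the `digest` attribute. The user_roles table still needs one row per user and role, as in Phil's schema; the realm only reads it, so the row count is a storage question for the database rather than for Tomcat.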

  • security-constraint related

    Hi all.
    I am using jdev embedded OC4J to testing and debugging my JSPs.
    Can anybody tell me how (and in which conf file actually) can i define "users" and "user groups" for the embedded OC4J that will be associated with the ones in <security-constraint> and <security-role> clauses in the web.xml file? Tomcat uses a "tomcat-users.xml" file to store those user information, and I want to know the counterpart of jdev.
    thanks

    hi
    The file orion-application.xml should contain something like:
    <security-role-mapping name="sr_authenticated_user">
         <group name="ug_authenticated_users" />
         <group name="ug_administrators" />
    </security-role-mapping>
    <security-role-mapping name="sr_administrator">
         <group name="ug_administrators" />
    </security-role-mapping>
    <principals path="principals.xml" />
    While the file principals.xml should contain something like:
    <principals>
         <groups>
              <group name="ug_authenticated_users"/>
              <group name="ug_administrators"/>
         </groups>
         <users>
              <user username="asterix" password="obelix">
                   <group-membership group="ug_authenticated_users" />
              </user>
              <user username="garfield" password="pussy">
                   <group-membership group="ug_administrators" />
              </user>
         </users>
    </principals>
    Check more information in chapter 8 "Security" of the "Oracle9iAS Containers for J2EE User's Guide".
    http://tahiti.oracle.com/
    "Click here for Oracle9iAS documentation, Release 9.0.2."
    "list of all books"
    "OC4J User's Guide"
    success
    -Jan

  • How to avoid the Security Constraint framework's user validating.

    The problem is I have set up a security constraint in web.xml. If I link to that mapping, Tomcat will throw a window for the user to input the username and password.
    I expect that I could set a URL to redirect to this mapping which is constrained by web.xml and jump over the step of the input window.
    I prefer the way like logging on to FTP, setting the URL like this: ftp://username:[email protected] (of course the way http://username:password@host:port/file failed) or any other way to implement that.
    thanks!!

    in your form tag specify method=post, that'll hide the values from being displayed in the url
    eg:
    <form action="someAction" method="post">

  • Web service proxy and security constraint

    I've placed a security constraint on my web service and set the login-config auth-method as BASIC. When I run the Workshop test and the (Test View) browser begins to appear I am prompted for my username and password since it is protected --- great, it's working.
    Here's my problem: when I create the Java Proxy and try to access the web service using the proxy in another application I am never prompted for my username and password and thus the request fails. Any way to fix this so I can be prompted using the proxy??
    thanks in advance,
    Steve Touw

    Hi Shay Shmeltzer,
    Thanks for the reply.
    I tried in HTTP Analyzer in JDeveloper and there also it is not working. My concern is :-
    There are many other web services deployed on the same SOA server in same partition and they are working fine in HTTP analyzer and I am able to create and use the web service proxy as well. So as per my understanding there is nothing like network issues between SOA server and jDeveloper.
    1 more thing When I am creating the proxy for this web service and requesting from the proxy's main method SOA is getting proper input (which I am providing in the main method) and SOA is returning proper output I have checked the SOA instance in em. So there is no problem in SOA side. The problem is jDeveloper is not able to get back that response which SOA is returning.
    Please Help.
    -- NavinK
