Web.xml - security constraint question
I want to make a kind of inverted security constraint. I want to ALLOW access to one specific page over HTTP. All other pages should be HTTPS.
Is that possible???
Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
Bean code:
this.isAdmin = context.getExternalContext().isUserInRole("admin");web.xml:
<security-role>
<role-name>Local Admin Group</role-name>
</security-role>
<security-role>
<role-name>DBA Group</role-name>
</security-role>
<!-- Faces Servlet -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<security-role-ref>
<role-name>admin</role-name>
<role-link>DBA Group</role-link>
</security-role-ref>
<security-role-ref>
<role-name>admin</role-name>
<role-link>Local Admin Group</role-link>
</security-role-ref>
</servlet>
Similar Messages
-
Web.xml: security-constraint [un]usable in JSF?
<security-constraint> in web.xml is a simple, effective and portable method of declaring a web application�s security policies.
It's been noted, however, in an earlier topic (http://forum.java.sun.com/thread.jspa?threadID=747919&messageID=4279347) that it has it�s limitations in the context of jsf.
A reasonable solution would be to consult <security-constraint> elements in one�s own web.xml when rendering <h:commandLink>'s on a page according to the security policy.
Unfortunately, there is no standard method of reading web.xml, other than what�s available from the ServletContext.
I found some container specific-implementations in the Cargo project from the http://cargo.codehaus.org,
but I�m looking for a portable solution. Any thoughts?
Thanks, y�all!Use the <security-role-ref> for the Faces Servlet to map the LDAP roles to the logical role names used by the managed bean to determine if links may be rendered.
Bean code:
this.isAdmin = context.getExternalContext().isUserInRole("admin");web.xml:
<security-role>
<role-name>Local Admin Group</role-name>
</security-role>
<security-role>
<role-name>DBA Group</role-name>
</security-role>
<!-- Faces Servlet -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<security-role-ref>
<role-name>admin</role-name>
<role-link>DBA Group</role-link>
</security-role-ref>
<security-role-ref>
<role-name>admin</role-name>
<role-link>Local Admin Group</role-link>
</security-role-ref>
</servlet> -
Web.xml security-constraint order matters?
After a long and frustrating debuggin session I've just discovered that the order in which <security-constraint>
entries are added to the web.xml file matters to OC4J.
That is if a more laxed rule is matched first the rest
(even though they might be more precise or even an
exact match won't be applied.
Is this normal behaviour?
EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected</web-resource-name>
<url-pattern>/admin*.uix</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>DSMSuperUser</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>DSMUser</role-name>
</auth-constraint>
</security-constraint>Here is an excerpt from the servlet spec stating the proper behavior:
The container matches URL patterns defined in security constraints
using the same algorithm described in this specification for matching client
requests to servlets and static resources as described in SRV.11.1
SRV.11.1 Use of URL Paths
Upon receipt of a client request, the web container determines the web application
to which to forward it. The web application selected must have the the longest
context path that matches the start of the request URL. The matched part of the URL
is the context path when mapping to servlets.
The web container next must locate the servlet to process the request using the
path mapping procedure described below:
The path used for mapping to a servlet is the request URL from the request
object minus the context path. The URL path mapping rules below are used in
order. The first successful match is used with no further matches attempted:
1. The container will try to find an exact match of the path of the request to the
path of the servlet. A successful match selects the servlet.
2. The container will recursively try to match the longest path-prefix: This is done
by stepping down the path tree a directory at a time, using the ’/’ character as
a path separator. The longest match determines the servlet selected.
3. If the last segment in the URL path contains an extension (e.g. .jsp), the servlet
container will try to match a servlet that handles requests for the extension.
An extension is defined as the part of the last segment after the last ’.’ character.
4. If neither of the previous three rules result in a servlet match, the container will
attempt to serve content appropriate for the resource requested. If a "default"
servlet is defined for the application, it will be used.
The container must use case-sensitive string comparisons for matching.
So this is STILL an issue w/ 10.1.2.0.2...
EXAMPLE BELOW WORKS - INVERT ENTRIES AND IT WILL FAIL
<security-constraint>
<web-resource-collection>
<web-resource-name>oemAdmin</web-resource-name>
<url-pattern>/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>OEM_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>allOem</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>OEM_USER</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
If I don't find a SR for this issue I'll open one b/c this is not acceptable. -
Hi,
Anybody has any idea about this one:
In web.xml I have:
<security-constraint>
<web-resource-collection>
<web-resource-name>members</web-resource-name>
<url-pattern>/members/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>REGISTERED_USERS</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL is required</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
when using the above one, every time when i click any link in /members, the weblogic
first treat the user as guest at the beginning, then change to the real logined
user.
After I changed it to :
<security-constraint>
<web-resource-collection>
<web-resource-name>members</web-resource-name>
<url-pattern>/members/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>REGISTERED_USERS</role-name>
</auth-constraint>
<user-data-constraint>
<description>SSL is required</description>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-constraint>
i click the links in /members, the weblogic treat the user as the real logined
user.
Any idea what is the * 's meaning or any clue where this difference is mentioned
in weblogic or SUN's documentation?
BTW: I am using weblogic 5.1 with sp11.
Thx,
dliuHi,
Please provide a "WEB-INF/weblogic.xml" file as well like following:
*"weblogic.xml"*
<?xml version='1.0' encoding='UTF-8'?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<security-role-assignment>
<role-name>BMOUser</role-name>
<principal-name>BMOUser</principal-name>
</security-role-assignment>
</weblogic-web-app>
Thanks
Jay SenSharma
http://weblogic-wonders.com (WebLogic Wonders Are here) -
Help! web.xml security without using WAR files
I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having alot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks.
The RDBMSRealm is just the authentication mechanism underneath WLS versus the
web.xml of the WebApplication which describes all the access control for that WebApp.
the later being scoped only to that WebApp.
you don't need to deploy in a war file, you can expand the archive into an identical
directory structure and then just point us towards the top level of that structure.
see: http://www.weblogic.com/docs51/classdocs/webappguide.html
.paul
chris wrote:
I'm currently using the RDBMSRealm and URL ACL security for my app. I would like to use the web.xml descriptor for security so that I can specify login pages and such. We currently are not using WAR files. I've been having alot of trouble setting this up. Is there a way to use the RDBMS realm along with the web.xml security? It looks like it should work, but I can't seem to get it to function. How do I specify the regular document root as a webapp? I'm currently running WLS 5.1 with SP4. Thanks. -
Web.xml security configuration (struts)
Hi all
i want to restrict the access for the following URL:
http://localhost:8080/InventoryManager/Usermanagement/addUser.do?methodToCall=addInvUser
But if i define it like that in web.xml it doesn't work:
<security-constraint>
<display-name>User</display-name>
<web-resource-collection>
<web-resource-name>user creation</web-resource-name>
<url-pattern>/Usermanagement/addUser.do?methodToCall=addInvUser*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>create_user</role-name>
</auth-constraint>
</security-constraint>
All other restrictions i created to far are working, but mostly this is restricted for a URL and not a struts action like above.
Could somebody tell me how i can restrict the access to the method addInvUser or the action mapping addUser.do ?
Thanks
AngelaPerhaps it's not possible (to use HTTP params) as a restricted URL.
But you can always chek user role programmatically.
best regards,
Maris Orbidans
SCJP SCWCD SCBCD -
Let�s say that I have 2 main groups, group USER and group ADMIN.
Now let�s say that I have 3 other groups, groups A, B, and C.
The structure in OCS would look something like this.
group USER has members group A, group B, group C and group ADMIN
group ADMIN has members that are just users, no groups
From our application to perform a isUserInRole(group B) would group B have to appear in the web.xml file or should I only have to have group USER in the web.xml file?Hi,
the web.xml file contains all groups that you reference in URL constraints in teh web.xml or call via isUserInRole(). Note that you also can use different names in isUserInRole() but then you need to use the role-ref element to map it to a role that exists in web.xml.
Note that J2EE doesn't support RBAC in the web.xml, which means that there is no role that is a member of a role. OC4J supports this from the security provider site, but still this isn't the case for J2EE itself.
Frank -
Tomcat security constraint question
Hi all,
we're using the following security constring for securing our servletts. Everything works fine so far.
<security-constraint>
<web-resource-collection>
<web-resource-name>Test</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
</security-constraint>
Now the question: We've implemented some kind of password reminder which allows you to retrieve a new password, this servlett should be accessible by anybody.
Do we have to list all the url-mappings except the one for the password reminder or is there a special tag to exclude an url-pattern from the wildcard-rule which we haven't yet? Any hints would be appreciated...
Regards, FlorianUsing: Tomcat 5.5.20 on Windows Server 2003
Couple Questions:
1. How do I prevent users from entering a double
quote in the INPUT field on the server side?use javascript
Also, is
it possible to replace the double quote with single
quote on the server side? If yes, How? I don't want
to use JavaScript because it can be disabled.yes,
yourVarString.replaceAll("\"","\'");
2. Where is the best place to ack Tomcat questions?http://tomcat.apache.org/findhelp.html
I
had some question on security-constraint. I have a
folder that has sercurity-constraint on it, so when
that folder is accessed tomcat asks for credentials.
Once user provides proper Username and Password, it
grants them the access. Now I want to know once the
access is granted, how come it doesn't display
index.jsp form that folder, It displays an image. I
don't understand why?
Please help....i have encountered that also on tomcat 3 intalled on linux machine.. the account that was being used to start the tomcat is root.. then the resolution was the owner account of the tomcat starts the server and it worked! hope that give you an idea -
Without restart/reload - web.xmlupdate security constraints, is it possible
Is there a way to make use of the 9ias/j2ee security framework, where add/modify security constrains; change roles and url-patterns etc, in web.xml without having to restart/reload the webapp. Doesn�t Restart/reload remove existing user sessions from the container?.
Any thoughts or code pointers would be appreciated.
-Mohammad AbedHandlers are java-classes so I would say yes.
Classes (including BC4J View and Entity objects) must
be recompiled and your server should be restarted.
Anything XML-related (including UIX) does not immediately
force you to restart OC4J, although the MVC Framework
descriptor-xml should be reloaded by for instance re-
entering the service you changed. This is where those
home-page services become handy.
Note that setting existing BC4J-attributes to (in)visible
or wider/smaller mostly just changes the BC4J Jheadstart
metadata and generates new UIX, so it doesn't change
anything in the java-classes. -
Web.xml Security LoginPage / LoginTF does not work
Hi Guys,
In JDev 11.1.1.5, using the WebCenter extension we get some strange behaviour I cannot explain.
I have a feeling I am missing some small step, but I cannot see what step, so I thought to ask :).
Here are the steps we took:
We use:
- JDeveloper 11.1.1.5
- WebCenter extension
Steps we took, within an WebCenter Portal application:
1. Create an index.html which is the default start point of the application.
2. index.html redirects to faces/pages_home.
3. In pages.xml our home is an landingPage.
4. This landingPage is configured for authenticated-role only in pages.xml.
5. Configure a custom login-TF with .jspx loginPage on it.
6. In the web.xml on the security tab, we configure Form-Based Authentication with our custom login-TF as Login Page.
7. In the jazn-data.xml we configure this TF and grant the anonymous-role.
8. Run the application, we get an 404.
I would expect the following:
1. Application tries to reach the home page.
2. The home page is only available for authenticated users.
3. The login mechanism (from the web.xml) starts to work.
4. The TF/page configured in the web.xml gets launched.
Some how, as said we get a 404 instead of our loginTF/Page.
In an Jdevelloper 11.1.1.2 application, this seems to work fine with the same configuration, but now in 11.1.1.5 we get a 404 error.
Did we miss a configuration / Overlook some setting?
Why does this not work?
If anybody has any tips on where to look or what to do, this would be helpful :)
I have a test case in which I can reproduce this problem, both within an WCP application as in a pure ADF application.
I can provide this if anyone is interested :)
Regards,
Richard OlrichsHmmm, apparently you have to put “/faces/adf.task-flow?adf.tfId=login-TF&adf.tfDoc=/” in front of the TF, which results in the following web.xml tag:
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/adf.task-flow?adf.tfId=login-TF&adf.tfDoc=/WEB-INF/login-TF.xml</form-login-page>
<form-error-page>/WEB-INF/error.html</form-error-page>
</form-login-config>
</login-config>
I don't know why, but now it redirects correctly to our custom login-TF.
Can someone explain this behaviour?
Anyhow, help is not needed anymore :P
Cheers,
Richard
Edited by: Richard Olrichs on Feb 21, 2012 8:41 AM -
Web.xml servlet redirection question
Hi everyone;
As you know web.xml file allows you to enter something like this
<servlet-mapping>
<servlet-name>application1</servlet-name>
<url-pattern>/application1</url-pattern>
</servlet-mapping>
so you can find your application.
As you know it is case sensitive so if a user enters /Application1 it wouldn't be found. I was wondering if i could put a node in there that would redirect requests from Application1 to application.
Any ideas ?
Stevoh i wasn't aware that i could put multiple nodes in there like this
<servlet-mapping>
<servlet-name>application1</servlet-name>
<url-pattern>/application1</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>application1</servlet-name>
<url-pattern>/Application1</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>application1</servlet-name>
<url-pattern>/APplication1</url-pattern>
</servlet-mapping>
is there a way to simply make this case insensitive and all requests get translated to the lowercase versioN?
Stev -
A security-constraint question - Hopefully to get answered.
I have a security-constraint that protects URLs with pattern "/test/*". Now, the login page is defined as /login.jsp.
Now if i directly access the url say "/test/1.jsp" , I am redirected to /login.jsp.
Now, what i want is to find out what was the originally requested URL on the login jsp. In other words, I want to put a S.O.P statement in login.jsp that the originally requested URI was /test/1.jsp .
I tried searching Java sites and stuff nothing has come up. None of the request object's methods allude to it also.
Thanks for your help
NikhilYou can use the HTTP referrer header for this.String referrer = request.getHeader("referer"); // Yes, with the legendaric misspelling in it.Only keep in mind that the client has full control over what it sends with the request, so it could also spoof the referrer value. But if you only use this to redirect back to the desired page after login, those users (hackers) won't take benefit from it.
-
Security constaint in Oracle 10.1.2 - Web.xml
hi,
I can access my URL in both http and https .
1) http://myURL.com
2) https://myURL.com:4444
But I want this logic to be contained in Web.xml where in only for some resource , I need to use https. I put the following in Web.xml ...But it is not working . As soons as i hit welcome.jsp , IE is trying to download the page to my Harddrive.( ???) .
following is code in web.xml
========
<security-constraint>
<web-resource-collection>
<web-resource-name>
test
</web-resource-name>
<url-pattern>/Welcome.jsp</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
====
what is wrong with this code ?
PLUS I cannot access the site as https://myURL.com with out port number . I always have to append 4444 . Is there any way to autmatically add the port .
Thanks
Message was edited by:
user526264Hi,
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
doesn't redirect to SSL but shows an http error if access is not with SSL
Frank -
Setting security constraint for web App
Hai all!
I am new to bea and i am trying to set up security constraints for my webaplication..
I want user to be authenticated before he access any of the pages in browser..
All i did was adding following entries to web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>
webresources
</web-resource-name>
<url-pattern>
</url-pattern>
</web-resource-collection>
<login-config>
<auth-method>
BASIC
</auth-method>
</login-config>
</security-constraint>
But no such thing is happening,,
I know i am doing wrong but donno where exactly i am wrong..
Pls guide me in sequnece of steps regarding what to do to accomplish what i want..
Thanks and Regards
ManoharI guess you need to set the role that is allowed to log into your application.
try this in web.xml:
<security-constraint>
<display-name>Whatever</display-name>
<web-resource-collection>
<web-resource-name>resource</web-resource-name>
<description>Desc</description>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description>desc</description>
<role-name>MyRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<description>desc</description>
<role-name>MyRole</role-name>
</security-role>
and map the role with a group/user in weblogic.xml:
<security-role-assignment>
<role-name>MyRole</role-name>
<principal-name>MyGroupOfUsers</principal-name>
</security-role-assignment>
Hope this helps.
Xavi
"Manohar" <[email protected]> wrote:
>
Hai all!
I am new to bea and i am trying to set up security constraints for my
webaplication..
I want user to be authenticated before he access any of the pages in
browser..
All i did was adding following entries to web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>
webresources
</web-resource-name>
<url-pattern>
</url-pattern>
</web-resource-collection>
<login-config>
<auth-method>
BASIC
</auth-method>
</login-config>
</security-constraint>
But no such thing is happening,,
I know i am doing wrong but donno where exactly i am wrong..
Pls guide me in sequnece of steps regarding what to do to accomplish
what i want..
Thanks and Regards
Manohar -
Hi there,
on our projects web pages we use struts, to combine the html of our pages with the java code behind. To enable SSL I added a security constraint to the web.xml:
<security-constraint>
<display-name>SSL Constraint</display-name>
<web-resource-collection>
<web-resource-name>secured login resource</web-resource-name>
<description></description>
<url-pattern>/index.html</url-pattern>
<url-pattern>*.do</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>authenticatedUser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint> Some of our web pages need to use no SSL. So I added (for first testing) a second security constraint to the web.xml and defined which pages should be without SSL:
<security-constraint>
<display-name>No-SSL Constraint</display-name>
<web-resource-collection>
<web-resource-name>businesstransaction resource</web-resource-name>
<description></description>
<url-pattern>*.go</url-pattern>
<http-method>GET</http-method>
<http-method>PUT</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<description></description>
<role-name>authenticatedUser</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>As you can see, I exchanged *.do with *.go for testing. I simply defined all actions I want to be used without SSL with a .go instead of a .do in the struts.config.
In principle it works, but there is a problem: The default behaviour for struts seems to be that the name of the new action is posted in the url at the end of the standard starting url.
Our url starts with https://localhost:9443/client-web/, and whatever action I start, this url text in the browser window never changes, regardless of wether the next action would be protected or not.
First I thought my url pattern would be wrong, or the user or whatever. But then I found out, that when changing the url in the browser window by hand to http://localhost:9080/client-web/ it works. The web page then is without SSL active. And when I manually change the url while viewing a page that is meant to be SSL protected, the browser automatically changes to the SSL adress.
But then again, moving to a page without SSL does not enforce the browser to change its adress to the no SSL String. So again, SSL is active though a non secure access would be allowed.
Anybody has any idea how to change this default behaviour? It would be important to not only tell the server that non secure would be ok, but to actually USE non secure connection automatically.
The internet explorer is not able to upload files in SSL mode (though any other browser is able to), and our customer insists on using IE. And to tell the users "oh, just edit the line there in the window manually and reload the page will help ... or use Firefox" will not be a suitable solution.
Regards, Rommie.There is a plugin called sslext which will do most of what you need.
http://sslext.sourceforge.net/
I think the last time I used it I made some changes to the plugin source so that I could force non-ssl to be the default behavour unless SSL was explictily stated in struts.config, but can't remember for sure. Bottom line is it will do most of what you need and can probably be modified to do the rest without too much trouble.
Maybe you are looking for
-
How to connect a PowerMac G3 (VGA) to a Cinema Display (DVI)
Hi, I've just bought a used PowerMac G3 on ebay. I already have a Cinema Display 20'' with DVI input only. So the problem is that the G3 only has VGA output. I now bought an adapter which totally fits: So I now can connect the G3 with the Cinema Disp
-
URGENT Help needed re: Sample rates
Hi all, I am working on a TV project and the delivery deadline is looking. My music projects are all set to record at 44Khz in logic but the client wants the files delivered 48Khz and 16bit audio. I have recorded a lot of guitars and so would like to
-
How to output back to Prem pro
Help, I am new to SG and can't seem to get an output file that works. Not helped by the fact I have not got my head round the pro/cons of different file formats. (hey I only got this prog about a week ago ..) I have benn asked by a client to produc
-
Facebook and Twitter - can't log in!!
I just downloaded these two apps. But I have been unable to log in. For Facebook I get the message - "We cannot reach the Facebook server at this time. Please try again later". And for Twitter - "Twitter services are currently unavailable" For the re
-
Wait for Image created with Toolkit.createImage()
I try to create a new image using Toolkit.createImage(byte[]). When I try to proccess this image afterwards with an ImageObserver Container.prepareImage() I get an error returned from Container.checkImage(). It looks like Toolkit.createImage(byte[])