July 9, 2008 09:05am pdt

1. HonorGod 81,495
2. shivaspk 6,000
3. Waswiz 5,900
4. girionis 5,500
5. omarfarid 4,000
6. pkwan 3,500
6. objects 3,500
8. CEHJ 3,000
8. stevenro... 3,000
10. bpmurray 2,400
11. SirCrofty 2,000
11. mwecompu... 2,000
11. marklorenz 2,000
11. melchkis... 2,000
11. momi_sabag 2,000
11. mhunts 2,000
11. asanga_su 2,000
11. mrcoffee365 2,000

1. HonorGod 166,633
2. damonf 80,560
3. rama_kri... 76,786
4. Waswiz 46,168
5. Morientes 31,427
6. pkwan 27,580
7. schleus 21,627
8. boonleng 16,264
9. pluim 16,080
10. jerelw 14,805
11. yuseungkim 14,350
12. avinthm 11,720
13. mmurugan... 11,300
14. dyanet 10,325
15. shivaspk 9,000

09.22.2004 at 02:04AM PDT, ID: 21140315

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

7.6

Setting security-constraint in web.xml

Zone: IBM Websphere Application Server

Tags: security

I try to set the security-constraint in web.xml to retrict user from directly access to JSP files and force user to use SSL connection.

The following codes work fine in Tomcat, but there's no effect in WAS.

      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>SecureConnection</web-resource-name>
                  <url-pattern>*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint/>
            <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
      </security-constraint>
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>ProtectedFolder</web-resource-name>
                  <url-pattern>/jsp/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
            </web-resource-collection>
            <auth-constraint/>
      </security-constraint>

Am I missing some configuration? Im currently testing it on WSAD 5.0.
Thanks.

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: boonleng

Solution Provided By: damonf

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

09.22.2004 at 07:11AM PDT, ID: 12123139

Rank: Master

damonf:

In WAS and WSAD, you have to turn on global security in order for security constraints to work. Turning it on in WSAD can be problematic. I was never able to get it to work myself. It works fine in WAS however.

See this Q where another user had the same problem:

http://www.experts-exchange.com/Web/Application_Servers/Websphere/Q_21091334.html

09.22.2004 at 06:55PM PDT, ID: 12129562

Rank: Master

rama_krishna580:

Hi,
Look at this..

<security-constraint>
<web-resource-collection>
<web-resource-name>SecureOrdersEast</web-resource-name>
<description> Security constraint for resources in the orders/east directory </description>
/orders/east/*</url-pattern>
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<description> constraint for east coast sales </description>
<role-name>east</role-name>
<role-name>manager</role-name>
</auth-constraint>

<description>SSL not required</description>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint></security-constraint>

And for more info refer here..
http://e-docs.bea.com/wls/docs81/security/thin_client.html#1046060

R.K

09.27.2004 at 11:13PM PDT, ID: 12166872

boonleng:

damonf:

The security contraint is now working on my WAS, but is there a way that i can remove the popup window asking for user name and password when try to access the retricted area?
Thanks.

09.28.2004 at 05:27AM PDT, ID: 12168717

Rank: Master

damonf:

Not sure what you mean by "remove" ... if you secure the site, then you have to authenticate. It won't do it automatically. However, if you would rather have a web page ask for the userid/pw as opposed to the "401 challenge" popup, just change the authentication type from "basic" to "form". Then specify a JSP to present for the form auth.

09.28.2004 at 09:03PM PDT, ID: 12176663

boonleng:

Currently all users access the site will check for authentication,
but for anonymous users who dont have the userid/password,
how can i direct them to use SSL connection without ask for userid/password?
or i have to set Redirect to https:// in httpd.conf when user using http://?

09.29.2004 at 05:52AM PDT, ID: 12179178

Rank: Master

damonf:

Can you describe the mechanics of how an authenticated user comes to your application, and then do the same for unauthenticated? That is, what URL do they hit, what do you expect the server to do next.

The reason I ask: it seems to me you could have an UNsecured page that takes care of the redirect for you ... then secure/authenticate AFTER you redirect the user. If you want the first https:// page to be "hittable" by unathenticated user, then don't secure that page.

But what is it that you want unauthenticated user to be able to do?

09.29.2004 at 10:45PM PDT, ID: 12187200

boonleng:

This is my application senario:
Basically my site have 2 kinds of user authentication, one is through a login page which validate user againts user profile in database, and another way is access using digital certificate and validate in a remote server. I dont have any user or role sets in my web.xml.

Users are access through secure connection when they first go to the site, but i dont want the user change from https to http at the browser once they have autheticated. if the user switch back to unsecure connection after autheticate, the user will be redirect back to use secure connection.

Any suggestion?

09.30.2004 at 05:33AM PDT, ID: 12189205

Rank: Master

damonf:

Just disable the http:// transport in the WAS console if you aren't using it. That is, go into web containers and look under transports. Turn it off there.

Another suggestion: since you aren't using any of the WAS authentication features, don't bother with the J2EE security. On my apps, all access is anonymous but I have my own code that forces user to login and authenticate to my database.

Accepted Solution

09.30.2004 at 06:37AM PDT, ID: 12189736

boonleng:

Thanks a lot :)

20080236-EE-VQP-29