Solved

Setting security-constraint in web.xml

Posted on 2004-09-22
9
55,247 Views
Last Modified: 2013-12-10
I try to set the security-constraint in web.xml to retrict user from directly access to JSP files and force user to use SSL connection.

The following codes work fine in Tomcat, but there's no effect in WAS.
 
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>SecureConnection</web-resource-name>
                  <url-pattern>*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint/>
            <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
      </security-constraint>
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>ProtectedFolder</web-resource-name>
                  <url-pattern>/jsp/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
            </web-resource-collection>
            <auth-constraint/>
      </security-constraint>

Am I missing some configuration? Im currently testing it on WSAD 5.0.
Thanks.
0
Comment
Question by:boonleng
  • 4
  • 4
9 Comments
 
LVL 7

Expert Comment

by:damonf
ID: 12123139
In WAS and WSAD, you have to turn on global security in order for security constraints to work.  Turning it on in WSAD can be problematic.  I was never able to get it to work myself.  It works fine in WAS however.

See this Q where another user had the same problem:

http://www.experts-exchange.com/Web/Application_Servers/Websphere/Q_21091334.html
0
 
LVL 23

Expert Comment

by:rama_krishna580
ID: 12129562
Hi,
 Look at this..

<security-constraint>    
<web-resource-collection>          
<web-resource-name>SecureOrdersEast</web-resource-name>          
<description> Security constraint for  resources in the orders/east directory  </description>          
<url-pattern>/orders/east/*</url-pattern>          
<http-method>POST</http-method>          
<http-method>GET</http-method>    
</web-resource-collection>    
<auth-constraint>          
<description>  constraint for east coast sales  </description>          
<role-name>east</role-name>          
<role-name>manager</role-name>    
</auth-constraint>
<user-data-constraint>          
<description>SSL not required</description>          
<transport-guarantee>NONE</transport-guarantee>    
</user-data-constraint></security-constraint>

And for more info refer here..
http://e-docs.bea.com/wls/docs81/security/thin_client.html#1046060

R.K
0
 
LVL 14

Author Comment

by:boonleng
ID: 12166872
damonf:

The security contraint is now working on my WAS, but is there a way that i can remove the popup window asking for user name and password when try to access the retricted area?
Thanks.
0
 
LVL 7

Expert Comment

by:damonf
ID: 12168717
Not sure what you mean by "remove" ... if you secure the site, then you have to authenticate.  It won't do it automatically.  However, if you would rather have a web page ask for the userid/pw as opposed to the "401 challenge" popup, just change the authentication type from "basic" to "form".  Then specify a JSP to present for the form auth.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 14

Author Comment

by:boonleng
ID: 12176663
Currently all users access the site will check for authentication,
but for anonymous users who dont have the userid/password,
how can i direct them to use SSL connection without ask for userid/password?
or i have to set Redirect to https:// in httpd.conf when user using http://?
0
 
LVL 7

Expert Comment

by:damonf
ID: 12179178
Can you describe the mechanics of how an authenticated user comes to your application, and then do the same for unauthenticated?  That is, what URL do they hit, what do you expect the server to do next.

The reason I ask:  it seems to me you could have an UNsecured page that takes care of the redirect for you ... then secure/authenticate AFTER you redirect the user.  If you want the first https:// page to be "hittable" by unathenticated user, then don't secure that page.

But what is it that you want unauthenticated user to be able to do?
0
 
LVL 14

Author Comment

by:boonleng
ID: 12187200
This is my application senario:
Basically my site have 2 kinds of user authentication, one is through a login page which validate user againts user profile in database, and another way is access using digital certificate and validate in a remote server. I dont have any user or role sets in my web.xml.

Users are access through secure connection when they first go to the site, but i dont want the user change from https to http at the browser once they have autheticated. if the user switch back to unsecure connection after autheticate, the user will be redirect back to use secure connection.

Any suggestion?
0
 
LVL 7

Accepted Solution

by:
damonf earned 100 total points
ID: 12189205
Just disable the http:// transport in the WAS console if you aren't using it.  That is, go into web containers and look under transports.  Turn it off there.

Another suggestion:  since you aren't using any of the WAS authentication features, don't bother with the J2EE security.  On my apps, all access is anonymous but I have my own code that forces user to login and authenticate to my database.

0
 
LVL 14

Author Comment

by:boonleng
ID: 12189736
Thanks a lot :)
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

Verbose logging is used to diagnose garbage collector problems. By default, -verbose:gc output is written to either native_stderr.log or native_stdout.log.   It is also possible to redirect the logs to a user-specified file. This article will de…
This exercise is about for the following scenario: Dmgr and One node with 2 application server. Each application server contains it owns application. Application server name as follows server1 contains app1 server2 contains app1 Prereq…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now