Solved

Setting security-constraint in web.xml

Posted on 2004-09-22
9
55,260 Views
Last Modified: 2013-12-10
I try to set the security-constraint in web.xml to retrict user from directly access to JSP files and force user to use SSL connection.

The following codes work fine in Tomcat, but there's no effect in WAS.
 
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>SecureConnection</web-resource-name>
                  <url-pattern>*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint/>
            <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
      </security-constraint>
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>ProtectedFolder</web-resource-name>
                  <url-pattern>/jsp/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
            </web-resource-collection>
            <auth-constraint/>
      </security-constraint>

Am I missing some configuration? Im currently testing it on WSAD 5.0.
Thanks.
0
Comment
Question by:boonleng
  • 4
  • 4
9 Comments
 
LVL 7

Expert Comment

by:damonf
ID: 12123139
In WAS and WSAD, you have to turn on global security in order for security constraints to work.  Turning it on in WSAD can be problematic.  I was never able to get it to work myself.  It works fine in WAS however.

See this Q where another user had the same problem:

http://www.experts-exchange.com/Web/Application_Servers/Websphere/Q_21091334.html
0
 
LVL 23

Expert Comment

by:rama_krishna580
ID: 12129562
Hi,
 Look at this..

<security-constraint>    
<web-resource-collection>          
<web-resource-name>SecureOrdersEast</web-resource-name>          
<description> Security constraint for  resources in the orders/east directory  </description>          
<url-pattern>/orders/east/*</url-pattern>          
<http-method>POST</http-method>          
<http-method>GET</http-method>    
</web-resource-collection>    
<auth-constraint>          
<description>  constraint for east coast sales  </description>          
<role-name>east</role-name>          
<role-name>manager</role-name>    
</auth-constraint>
<user-data-constraint>          
<description>SSL not required</description>          
<transport-guarantee>NONE</transport-guarantee>    
</user-data-constraint></security-constraint>

And for more info refer here..
http://e-docs.bea.com/wls/docs81/security/thin_client.html#1046060

R.K
0
 
LVL 14

Author Comment

by:boonleng
ID: 12166872
damonf:

The security contraint is now working on my WAS, but is there a way that i can remove the popup window asking for user name and password when try to access the retricted area?
Thanks.
0
 
LVL 7

Expert Comment

by:damonf
ID: 12168717
Not sure what you mean by "remove" ... if you secure the site, then you have to authenticate.  It won't do it automatically.  However, if you would rather have a web page ask for the userid/pw as opposed to the "401 challenge" popup, just change the authentication type from "basic" to "form".  Then specify a JSP to present for the form auth.
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 14

Author Comment

by:boonleng
ID: 12176663
Currently all users access the site will check for authentication,
but for anonymous users who dont have the userid/password,
how can i direct them to use SSL connection without ask for userid/password?
or i have to set Redirect to https:// in httpd.conf when user using http://?
0
 
LVL 7

Expert Comment

by:damonf
ID: 12179178
Can you describe the mechanics of how an authenticated user comes to your application, and then do the same for unauthenticated?  That is, what URL do they hit, what do you expect the server to do next.

The reason I ask:  it seems to me you could have an UNsecured page that takes care of the redirect for you ... then secure/authenticate AFTER you redirect the user.  If you want the first https:// page to be "hittable" by unathenticated user, then don't secure that page.

But what is it that you want unauthenticated user to be able to do?
0
 
LVL 14

Author Comment

by:boonleng
ID: 12187200
This is my application senario:
Basically my site have 2 kinds of user authentication, one is through a login page which validate user againts user profile in database, and another way is access using digital certificate and validate in a remote server. I dont have any user or role sets in my web.xml.

Users are access through secure connection when they first go to the site, but i dont want the user change from https to http at the browser once they have autheticated. if the user switch back to unsecure connection after autheticate, the user will be redirect back to use secure connection.

Any suggestion?
0
 
LVL 7

Accepted Solution

by:
damonf earned 100 total points
ID: 12189205
Just disable the http:// transport in the WAS console if you aren't using it.  That is, go into web containers and look under transports.  Turn it off there.

Another suggestion:  since you aren't using any of the WAS authentication features, don't bother with the J2EE security.  On my apps, all access is anonymous but I have my own code that forces user to login and authenticate to my database.

0
 
LVL 14

Author Comment

by:boonleng
ID: 12189736
Thanks a lot :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Configure Web Service (server application) I. Configure security for Web Services methods First, we need to protect Session bean which implements the service: 1. Open EJB deployment descriptor (ejb-jar.xml) in the EJB project that contains you…
This article is about some of the basic and important steps to be used to improve the performance in web-sphere commerce application development. 1) Always leverage the Dyna-caching facility provided by the product 2) Remove the unwanted code …
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now