Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Setting security-constraint in web.xml

Posted on 2004-09-22
9
Medium Priority
?
55,351 Views
Last Modified: 2013-12-10
I try to set the security-constraint in web.xml to retrict user from directly access to JSP files and force user to use SSL connection.

The following codes work fine in Tomcat, but there's no effect in WAS.
 
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>SecureConnection</web-resource-name>
                  <url-pattern>*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint/>
            <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
      </security-constraint>
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>ProtectedFolder</web-resource-name>
                  <url-pattern>/jsp/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
            </web-resource-collection>
            <auth-constraint/>
      </security-constraint>

Am I missing some configuration? Im currently testing it on WSAD 5.0.
Thanks.
0
Comment
Question by:boonleng
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 7

Expert Comment

by:damonf
ID: 12123139
In WAS and WSAD, you have to turn on global security in order for security constraints to work.  Turning it on in WSAD can be problematic.  I was never able to get it to work myself.  It works fine in WAS however.

See this Q where another user had the same problem:

http://www.experts-exchange.com/Web/Application_Servers/Websphere/Q_21091334.html
0
 
LVL 23

Expert Comment

by:rama_krishna580
ID: 12129562
Hi,
 Look at this..

<security-constraint>    
<web-resource-collection>          
<web-resource-name>SecureOrdersEast</web-resource-name>          
<description> Security constraint for  resources in the orders/east directory  </description>          
<url-pattern>/orders/east/*</url-pattern>          
<http-method>POST</http-method>          
<http-method>GET</http-method>    
</web-resource-collection>    
<auth-constraint>          
<description>  constraint for east coast sales  </description>          
<role-name>east</role-name>          
<role-name>manager</role-name>    
</auth-constraint>
<user-data-constraint>          
<description>SSL not required</description>          
<transport-guarantee>NONE</transport-guarantee>    
</user-data-constraint></security-constraint>

And for more info refer here..
http://e-docs.bea.com/wls/docs81/security/thin_client.html#1046060

R.K
0
 
LVL 14

Author Comment

by:boonleng
ID: 12166872
damonf:

The security contraint is now working on my WAS, but is there a way that i can remove the popup window asking for user name and password when try to access the retricted area?
Thanks.
0
Supports up to 4K resolution!

The VS192 2-Port 4K DisplayPort Splitter is perfect for anyone who needs to send one source of DisplayPort high definition video to two or four DisplayPort displays. The VS192 can split and also expand DisplayPort audio/video signal on two or four DisplayPort monitors.

 
LVL 7

Expert Comment

by:damonf
ID: 12168717
Not sure what you mean by "remove" ... if you secure the site, then you have to authenticate.  It won't do it automatically.  However, if you would rather have a web page ask for the userid/pw as opposed to the "401 challenge" popup, just change the authentication type from "basic" to "form".  Then specify a JSP to present for the form auth.
0
 
LVL 14

Author Comment

by:boonleng
ID: 12176663
Currently all users access the site will check for authentication,
but for anonymous users who dont have the userid/password,
how can i direct them to use SSL connection without ask for userid/password?
or i have to set Redirect to https:// in httpd.conf when user using http://?
0
 
LVL 7

Expert Comment

by:damonf
ID: 12179178
Can you describe the mechanics of how an authenticated user comes to your application, and then do the same for unauthenticated?  That is, what URL do they hit, what do you expect the server to do next.

The reason I ask:  it seems to me you could have an UNsecured page that takes care of the redirect for you ... then secure/authenticate AFTER you redirect the user.  If you want the first https:// page to be "hittable" by unathenticated user, then don't secure that page.

But what is it that you want unauthenticated user to be able to do?
0
 
LVL 14

Author Comment

by:boonleng
ID: 12187200
This is my application senario:
Basically my site have 2 kinds of user authentication, one is through a login page which validate user againts user profile in database, and another way is access using digital certificate and validate in a remote server. I dont have any user or role sets in my web.xml.

Users are access through secure connection when they first go to the site, but i dont want the user change from https to http at the browser once they have autheticated. if the user switch back to unsecure connection after autheticate, the user will be redirect back to use secure connection.

Any suggestion?
0
 
LVL 7

Accepted Solution

by:
damonf earned 400 total points
ID: 12189205
Just disable the http:// transport in the WAS console if you aren't using it.  That is, go into web containers and look under transports.  Turn it off there.

Another suggestion:  since you aren't using any of the WAS authentication features, don't bother with the J2EE security.  On my apps, all access is anonymous but I have my own code that forces user to login and authenticate to my database.

0
 
LVL 14

Author Comment

by:boonleng
ID: 12189736
Thanks a lot :)
0

Featured Post

Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

-Xmx and -Xms are the two JVM options often used to tune JVM heap size.   Here are some common mistakes made when using them:   Assume BigApp is a java class file for the below examples. 1.         Missing m, M, g or G at the end …
Configure Web Service (server application) I. Configure security for Web Services methods First, we need to protect Session bean which implements the service: 1. Open EJB deployment descriptor (ejb-jar.xml) in the EJB project that contains you…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question