Solved

Setting security-constraint in web.xml

Posted on 2004-09-22
9
55,286 Views
Last Modified: 2013-12-10
I try to set the security-constraint in web.xml to retrict user from directly access to JSP files and force user to use SSL connection.

The following codes work fine in Tomcat, but there's no effect in WAS.
 
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>SecureConnection</web-resource-name>
                  <url-pattern>*</url-pattern>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
            </web-resource-collection>
            <auth-constraint/>
            <user-data-constraint>
                  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
      </security-constraint>
      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>ProtectedFolder</web-resource-name>
                  <url-pattern>/jsp/*</url-pattern>
                  <http-method>DELETE</http-method>
                  <http-method>GET</http-method>
                  <http-method>POST</http-method>
                  <http-method>PUT</http-method>
            </web-resource-collection>
            <auth-constraint/>
      </security-constraint>

Am I missing some configuration? Im currently testing it on WSAD 5.0.
Thanks.
0
Comment
Question by:boonleng
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
9 Comments
 
LVL 7

Expert Comment

by:damonf
ID: 12123139
In WAS and WSAD, you have to turn on global security in order for security constraints to work.  Turning it on in WSAD can be problematic.  I was never able to get it to work myself.  It works fine in WAS however.

See this Q where another user had the same problem:

http://www.experts-exchange.com/Web/Application_Servers/Websphere/Q_21091334.html
0
 
LVL 23

Expert Comment

by:rama_krishna580
ID: 12129562
Hi,
 Look at this..

<security-constraint>    
<web-resource-collection>          
<web-resource-name>SecureOrdersEast</web-resource-name>          
<description> Security constraint for  resources in the orders/east directory  </description>          
<url-pattern>/orders/east/*</url-pattern>          
<http-method>POST</http-method>          
<http-method>GET</http-method>    
</web-resource-collection>    
<auth-constraint>          
<description>  constraint for east coast sales  </description>          
<role-name>east</role-name>          
<role-name>manager</role-name>    
</auth-constraint>
<user-data-constraint>          
<description>SSL not required</description>          
<transport-guarantee>NONE</transport-guarantee>    
</user-data-constraint></security-constraint>

And for more info refer here..
http://e-docs.bea.com/wls/docs81/security/thin_client.html#1046060

R.K
0
 
LVL 14

Author Comment

by:boonleng
ID: 12166872
damonf:

The security contraint is now working on my WAS, but is there a way that i can remove the popup window asking for user name and password when try to access the retricted area?
Thanks.
0
Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 7

Expert Comment

by:damonf
ID: 12168717
Not sure what you mean by "remove" ... if you secure the site, then you have to authenticate.  It won't do it automatically.  However, if you would rather have a web page ask for the userid/pw as opposed to the "401 challenge" popup, just change the authentication type from "basic" to "form".  Then specify a JSP to present for the form auth.
0
 
LVL 14

Author Comment

by:boonleng
ID: 12176663
Currently all users access the site will check for authentication,
but for anonymous users who dont have the userid/password,
how can i direct them to use SSL connection without ask for userid/password?
or i have to set Redirect to https:// in httpd.conf when user using http://?
0
 
LVL 7

Expert Comment

by:damonf
ID: 12179178
Can you describe the mechanics of how an authenticated user comes to your application, and then do the same for unauthenticated?  That is, what URL do they hit, what do you expect the server to do next.

The reason I ask:  it seems to me you could have an UNsecured page that takes care of the redirect for you ... then secure/authenticate AFTER you redirect the user.  If you want the first https:// page to be "hittable" by unathenticated user, then don't secure that page.

But what is it that you want unauthenticated user to be able to do?
0
 
LVL 14

Author Comment

by:boonleng
ID: 12187200
This is my application senario:
Basically my site have 2 kinds of user authentication, one is through a login page which validate user againts user profile in database, and another way is access using digital certificate and validate in a remote server. I dont have any user or role sets in my web.xml.

Users are access through secure connection when they first go to the site, but i dont want the user change from https to http at the browser once they have autheticated. if the user switch back to unsecure connection after autheticate, the user will be redirect back to use secure connection.

Any suggestion?
0
 
LVL 7

Accepted Solution

by:
damonf earned 100 total points
ID: 12189205
Just disable the http:// transport in the WAS console if you aren't using it.  That is, go into web containers and look under transports.  Turn it off there.

Another suggestion:  since you aren't using any of the WAS authentication features, don't bother with the J2EE security.  On my apps, all access is anonymous but I have my own code that forces user to login and authenticate to my database.

0
 
LVL 14

Author Comment

by:boonleng
ID: 12189736
Thanks a lot :)
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Coldfusion upgrade question 1 80
questions about oracle weblogic cluster 4 185
constructor overloading 2 92
websphere 1 110
This exercise is about for the following scenario: Dmgr and One node with 2 application server. Each application server contains it owns application. Application server name as follows server1 contains app1 server2 contains app1 Prereq…
There are numerous questions about how to setup an IBM HTTP Server to be administered from WebSphere Application Server administrative console. I do hope this article will wrap things up and become a reference for this task. You need three things…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question