Disabling http methods in web.xml of application - http-method

I am trying to disable http methods like PUT, DELETE, TRACE, OPTIONS and PROPFIND. I have made the few changes in my web.xml file of my application but the methods are still enabled. Following is the code snippet:
<security-constraint>
<display-name>Restrict raw XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>

Related

Secure page admin Solr

Installed Solr5.3.0 on Windows and imported data. Can somebody guide me how to secure mydomain/ip:8983/solr from public.
I want to secure all page of solr except the query & select. I want keep them publically.
http://localhost:8983/solr/core/query?
http://localhost:8983/solr/core/select?
This my config example/etc/webdefault.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>

AppEngine Multiple User Credentials in Development Server

When auth-constraint is specified in AppEngine Development server web.xml file. The User injected to endpoint and User received from UserService.getCurrentUser() in HttpServlet are different.
The user Id for endpoint user is zero and for HttpServlet it is a fixed number. When the auth-constraint tag is removed from web.xml file, both user ids are zero. But this tag is required for production server.
How to get a single user for development server?
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

How to bypass security constraints for specific IP addresses

My web application has security configuration in web.xml. It runs on Wildfly and uses ActiveDirectory for sign-on.
I want some ipaddress to bypass this security constraints. Is it possible?
For instance any request from 100.35.6.124 and 100.35.6.122 will bypass the login.
<security-constraint>
<web-resource-collection>
<web-resource-name>Unauthenticated Resources</web-resource-name>
<url-pattern>/version</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All Resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ActiveDirectoryRealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>

Require user login in GWT with web.xml

I develop an application with GAE and GWT where the user has to be logged in with his Google Account when he access the site. So I defined the following in the web.xml file...
<security-constraint>
<web-resource-collection>
<url-pattern>/index.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
When I'm running the local dev server I get promted with the test login-screen when I open the app the first time, but when I deploy it, I directly come to my application without any authentication.
First I thought, that could be, because I'm already logged in to other Google services, but I tried it in other browsers and in incognito mode too.
I would suggest trying one is to use the URL pattern to * so that all your resources are secure and secondly addind web-resource-name tag to "all" value, as shown in code snippet below.
And I am assuming you already have servlet mapping to service etc
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>

https only in google app engine

I am on a google app engine project now. In my application I have to allow only https protocol. And I have to restrict other protocols. It should allow https only. I have added the below code in web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
But after deploying it works on both the protocols(http and https). How to restrict http?
It is possible to configure the individual handlers to require HTTPS in the app.yaml file in the WEB-INF folder as described here: Java Application Configuration Using app.yaml - Google App Engine.
You just have to add these two words to your app.yaml file under the appropriate url entry:
secure: always
For example:
- url: .*
script: main.app
secure: always
Then if a user tries to access the URL with HTTP she will be automatically redirected to HTTPS. Pretty cool.
If you want to stick with "web.xml" rather than using the "app.yaml" option (which will overwrite your web.xml & appengine-web.xml files at deploy time), you can add in:
<security-constraint>
<web-resource-collection>
<web-resource-name>everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Reference:
https://cloud.google.com/appengine/docs/java/config/webxml#Security_and_Authentication
Are you using your own domain? At present, GAE supports SSL for *.appspot.com domains only. They have been promising SSL support for non-appspot domains for some time now and we're all waiting for news on that front.
This is for future folks !!!
In java adding the code below in my web.xml file worked for me
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPS redirect</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
For other project add secure: always under all urls in app.yaml file
Add this to your web.xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Resources