My web application has security configuration in web.xml. It runs on Wildfly and uses ActiveDirectory for sign-on.
I want some ipaddress to bypass this security constraints. Is it possible?
For instance any request from 100.35.6.124 and 100.35.6.122 will bypass the login.
<security-constraint>
<web-resource-collection>
<web-resource-name>Unauthenticated Resources</web-resource-name>
<url-pattern>/version</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All Resources</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ActiveDirectoryRealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/login.html</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
Related
Installed Solr5.3.0 on Windows and imported data. Can somebody guide me how to secure mydomain/ip:8983/solr from public.
I want to secure all page of solr except the query & select. I want keep them publically.
http://localhost:8983/solr/core/query?
http://localhost:8983/solr/core/select?
This my config example/etc/webdefault.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr authenticated application</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>core1-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Test Realm</realm-name>
</login-config>
When auth-constraint is specified in AppEngine Development server web.xml file. The User injected to endpoint and User received from UserService.getCurrentUser() in HttpServlet are different.
The user Id for endpoint user is zero and for HttpServlet it is a fixed number. When the auth-constraint tag is removed from web.xml file, both user ids are zero. But this tag is required for production server.
How to get a single user for development server?
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
I am trying to disable http methods like PUT, DELETE, TRACE, OPTIONS and PROPFIND. I have made the few changes in my web.xml file of my application but the methods are still enabled. Following is the code snippet:
<security-constraint>
<display-name>Restrict raw XHTML Documents</display-name>
<web-resource-collection>
<web-resource-name>XHTML</web-resource-name>
<url-pattern>*.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint />
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Restricted Methods</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
</security-constraint>
I try to secure my Solr instance but i cant getting it to work. I do everything in the way i saw it in many many tutorials but it seems like solr is ignoring my web.xml.
My Steps:
1: Editing tomcat-users.xml
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>
<role rolename="solr-role"/>
<user username="test" password="test" roles="solr-role"/>
</tomcat-users>
2: Editing web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>Solr Lockdown</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr-role</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Solr</realm-name>
</login-config>
3: Restart tomcat7
After that i try to access http://xxx.xxx.xxx.xxx:8080/solr/ and i get access without any password prompt.
What is my fault?
Thank you very much!
Adding the following lines to web.xml secures the admin pages of solr (at least for solr 4.2.1, but that should also work for 4.5.1)
<security-constraint>
<!-- This protects your admin interface and grants access to role admin -->
<web-resource-collection>
<web-resource-name>Solr admin</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<url-pattern>/admin.html</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>solr</role-name>
</auth-constraint>
<security-role>
<role-name>solr</role-name>
</security-role>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>SOLR Realm</realm-name>
</login-config>
I dont know why but i used the wrong web.xml.
I uses the file stored under /var/lib/tomcat7/webapps/solr/WEB_INF/web.xml but i have to use the file under /etc/tomcat7/web.xml.
I am on a google app engine project now. In my application I have to allow only https protocol. And I have to restrict other protocols. It should allow https only. I have added the below code in web.xml.
<security-constraint>
<web-resource-collection>
<web-resource-name>Protected Area</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
But after deploying it works on both the protocols(http and https). How to restrict http?
It is possible to configure the individual handlers to require HTTPS in the app.yaml file in the WEB-INF folder as described here: Java Application Configuration Using app.yaml - Google App Engine.
You just have to add these two words to your app.yaml file under the appropriate url entry:
secure: always
For example:
- url: .*
script: main.app
secure: always
Then if a user tries to access the URL with HTTP she will be automatically redirected to HTTPS. Pretty cool.
If you want to stick with "web.xml" rather than using the "app.yaml" option (which will overwrite your web.xml & appengine-web.xml files at deploy time), you can add in:
<security-constraint>
<web-resource-collection>
<web-resource-name>everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Reference:
https://cloud.google.com/appengine/docs/java/config/webxml#Security_and_Authentication
Are you using your own domain? At present, GAE supports SSL for *.appspot.com domains only. They have been promising SSL support for non-appspot domains for some time now and we're all waiting for news on that front.
This is for future folks !!!
In java adding the code below in my web.xml file worked for me
<security-constraint>
<web-resource-collection>
<web-resource-name>HTTPS redirect</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
For other project add secure: always under all urls in app.yaml file
Add this to your web.xml file
<security-constraint>
<web-resource-collection>
<web-resource-name>all</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>