
I have been trying to secure my project. I have a log in page that authenticates with an LDAP server and if not right it pulls up an error page etc. I have now just added

<auth-constraint> <!-- Currently causing a 403, looks like stopping .css files --> 
    <role-name>*</role-name>
</auth-constraint>

to my web.xml, to make sure the users are authenticated before they can view any page; however it seems to be blocking my .css file, I think, as now the log in page does not display any css at all and is just white and basic, and when I press submit I get this error:

HTTP Status 403 - Access to the requested resource has been denied

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

GlassFish Server Open Source Edition 3.1.2.2

This is my web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <filter>
        <filter-name>Upload Filter</filter-name>
        <filter-class>richard.fileupload.UploadFilter</filter-class>
        <init-param>
            <param-name>sizeThreshold</param-name>
            <param-value>1024</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Upload Filter</filter-name>
        <url-pattern>/upload/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <context-param>
        <param-name>facelets.LIBRARIES</param-name>
        <param-value>/WEB-INF/corejsf.taglib.xml</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
        <param-value>true</param-value>
    </context-param>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>LDAP</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/login-failed.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>user</role-name>
    </security-role>
    <security-constraint> 
        <web-resource-collection>
            <web-resource-name>Allowed resources</web-resource-name>
            <url-pattern>/javax.faces.resources/*</url-pattern>
        </web-resource-collection>   
        <!-- web resources that are protected -->
        <web-resource-collection>
            <web-resource-name>All Resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- this is currently causing a 404 -->
            <http-method>GETLIB</http-method>
            <http-method>COPY</http-method>
            <http-method>MOVE</http-method>
            <http-method>DELETE</http-method>
            <http-method>PROPFIND</http-method>
            <http-method>GET</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>MKCOL</http-method>
            <http-method>PROPPATCH</http-method>
            <http-method>LOCK</http-method>
            <http-method>UNLOCK</http-method>
            <http-method>VERSION-CONTROL</http-method>
            <http-method>CHECKIN</http-method>
            <http-method>CHECKOUT</http-method>
            <http-method>UNCHECKOUT</http-method>
            <http-method>REPORT</http-method>
            <http-method>UPDATE</http-method>
            <http-method>CANCELUPLOAD</http-method>
        </web-resource-collection>
        <auth-constraint> <!-- Currently causing a 403, looks like stopping .css files --> 
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
</web-app>

Basically, what is stopping my css file and how can I allow it?

Jens Piegsa
user1924104
  • Does your .css need to be protected as well? The simplest solution would be to put it in a "public" place. Not sure if that is viable - but it's quick. – Floris Jan 23 '13 at 16:22
  • Nope the css can be public, but where would public be as currently i have the css file with all the although files that are protected and can't think of anywhere to put it as it cant go up a level as it where – user1924104 Jan 23 '13 at 16:26
  • Without knowing your directory structure I can't really comment - but if you had the root of you website, you could have one directory, `/protectedDir`, where the sensitive code goes, and another, `/css`, where the css goes. Then you reference the css files as `../css/myfile.css` in the source code, and it should access no problem. – Floris Jan 23 '13 at 16:30

1 Answer


Your security constraint is also blocking requests on CSS files (basically, it is blocking everything which matches the specified URL pattern of /* except the specified login page). You need to add another security constraint which should allow requests on JSF resources. The key is to omit the auth constraint to make those resources accessible by everyone.

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>
BalusC
  • Thanks a lot, i have added the above code, and have followed you example on how to structure my project, i have put the css file in resources/css and have updated my web.xml above, but it is still blocking my css :S any ideas? – user1924104 Jan 23 '13 at 20:43
  • You need to move the `` for allowed resources below the `` for the restricted resources. – BalusC Jan 23 '13 at 20:55
  • Thanks, do you have an example to show of how i can require authentication on any page apart from the css files ? sorry to sound thick but im really confused at this part ! – user1924104 Jan 23 '13 at 21:03
  • You mean, conditionally render content depending on currently logged-in user? Then see http://stackoverflow.com/questions/8374368/how-to-check-if-is-user-logged-in/8375301#8375301 For future unrelated questions, please press `Ask Question` :) – BalusC Jan 23 '13 at 21:06
  • Late comment but I had a similar problem the issue was that the `/javax.faces.resource` was not the correct mapping I had to use `/faces/javax.faces.resource` – Namphibian Sep 17 '13 at 05:53
  • @Namphibian: that is indeed needed if you're still using the old JSF 1.0 style `/faces/*` pattern for some reason. The asker of the current question is properly using `*.xhtml` pattern for JSF 2.0 and therefore my answer is absolutely valid. – BalusC Sep 17 '13 at 12:43
  • Hmmm so do you have a tutorial on the difference between the two? I would love to read it. – Namphibian Sep 17 '13 at 21:04
  • @Namphibian: http://stackoverflow.com/questions/3008395/jsf-facelets-sometimes-i-see-the-url-is-jsf-and-sometimes-xhtml-why/ – BalusC Sep 17 '13 at 21:11
  • @BalusC you still dont sleep much! – Namphibian Sep 17 '13 at 21:43
  • @Namphibian: it's currently only 19:52 for me. – BalusC Sep 17 '13 at 23:52