
I have created a project. I wish to make sure the user is logged in and authenticated with my LDAP server. How would I go about this?

 |-- META-INF
 |-- WEB-INF
 |-- resources
 |    |-- css
 |    |    `-- style.css
 |
 |-- upload
 |    |-- uploadText.xhtml
 |
 |-- index.xhtml
 |-- SubmittedText.xhtml
 |-- etc.xhtml

I want to protect everything apart from the resources folder.

This is my current web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <filter>
        <filter-name>Upload Filter</filter-name>
        <filter-class>richard.fileupload.UploadFilter</filter-class>
        <init-param>
            <param-name>sizeThreshold</param-name>
            <param-value>1024</param-value>
        </init-param>
    </filter>
    <filter-mapping>
        <filter-name>Upload Filter</filter-name>
        <url-pattern>/upload/*</url-pattern>
    </filter-mapping>
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <welcome-file-list>
        <welcome-file>index.xhtml</welcome-file>
    </welcome-file-list>
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <context-param>
        <param-name>facelets.LIBRARIES</param-name>
        <param-value>/WEB-INF/corejsf.taglib.xml</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.INTERPRET_EMPTY_STRING_SUBMITTED_VALUES_AS_NULL</param-name>
        <param-value>true</param-value>
    </context-param>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>LDAP</realm-name>
        <form-login-config>
            <form-login-page>/login.xhtml</form-login-page>
            <form-error-page>/login-failed.xhtml</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <role-name>*</role-name>
    </security-role>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint> 
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Allowed resources</web-resource-name>
            <url-pattern>/javax.faces.resource/*</url-pattern>
            <!--  <http-method>GETLIB</http-method>
            <http-method>COPY</http-method>
            <http-method>MOVE</http-method>
            <http-method>DELETE</http-method>
            <http-method>PROPFIND</http-method>
            <http-method>GET</http-method>
            <http-method>HEAD</http-method>
            <http-method>PUT</http-method>
            <http-method>MKCOL</http-method>
            <http-method>PROPPATCH</http-method>
            <http-method>LOCK</http-method>
            <http-method>UNLOCK</http-method>
            <http-method>VERSION-CONTROL</http-method>
            <http-method>CHECKIN</http-method>
            <http-method>CHECKOUT</http-method>
            <http-method>UNCHECKOUT</http-method>
            <http-method>REPORT</http-method>
            <http-method>UPDATE</http-method>
            <http-method>CANCELUPLOAD</http-method>-->
        </web-resource-collection>
        <!-- No Auth Constraint! -->
    </security-constraint>
</web-app>
user1924104

1 Answer

Your <security-constraint> is missing the <auth-constraint>. A security constraint without an authentication constraint is basically a public resource. As an example, if you'd like to restrict all roles, then you should put the following authentication constraint within the security constraint.

<auth-constraint>
    <role-name>*</role-name>
</auth-constraint> 

All in all, if you want to restrict everything under /* except /javax.faces.resource/*, then you should have the following security constraints, exactly in this order in web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Restricted resources</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint> 
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Allowed resources</web-resource-name>
        <url-pattern>/javax.faces.resource/*</url-pattern>
    </web-resource-collection>
    <!-- No Auth Constraint! -->
</security-constraint>

Your list of HTTP method restrictions is somewhat ridiculous; just omit it. By default it already applies to every single HTTP method.

BalusC
  • Thank you, I have removed the HTTP method restrictions. I cannot, however, test it now, as I can access our LDAP server off campus, but it seems to be working perfectly! – user1924104 Jan 23 '13 at 22:56
  • I have just tested it. While it does pull up the login page, when a user presses log in it comes up with a 403 error: `HTTP Status 403 - Access to the requested resource has been denied` – user1924104 Jan 24 '13 at 12:44
  • 403 just means that the user is not allowed to view a folder. You need to let the URL point to a file. Alternatively, you need to provide a `` pointing to a file in the folder which should be served when a folder is requested. This has been explained several times in your previous questions as well. E.g. http://stackoverflow.com/questions/14481457/when-set-login-xhtml-as-my-homepage-it-does-not-work#comment20178619_14482254 – BalusC Jan 24 '13 at 12:51
  • OK thanks, I am just trying to access root once the user is authenticated. I have not set up any folders; I have just placed the web pages in root, as shown above. My `welcome-file` points to index.xhtml, which is in root, the same place as the login page and the other files. Or do I need to edit something else? – user1924104 Jan 24 '13 at 15:07
  • The "root" `/` in the URL **is** a folder :) If you didn't have the ``, then you should have typed `/index.xhtml` in the URL instead. So far, with the welcome file properly set, it should work fine. Does it? – BalusC Jan 24 '13 at 15:09
  • Thank you, I have set the `welcome-file` to ` /index.xhtml ` but I still get a 403 error after login :( – user1924104 Jan 24 '13 at 15:12
  • The welcome file must be a filename, not a URL. Use `index.xhtml`. The welcome file represents the filename of the file which the server should serve up when a folder in the URL is being requested, like so: `/`, `/foo/`, `/bar/`, etc. Don't forget to save, rebuild, redeploy and restart after editing. – BalusC Jan 24 '13 at 15:15
  • Thank you, I have changed it back to `index.xhtml`, closed NetBeans and Chrome and restarted it all, but still getting the 403 :(. Link to my directory: http://i1081.photobucket.com/albums/j348/west-wot/DirectoryCurrent_zpsfe94e998.png – user1924104 Jan 24 '13 at 15:18
  • OK, then it's likely a role problem. I wonder that as the role is restricted to `*`. What if you use `user` instead? – BalusC Jan 24 '13 at 15:21
  • OK thanks, I have changed the * to users for the role, but the same issue. This is my first time at trying anything like this – user1924104 Jan 24 '13 at 15:24
  • But you have specified a role of `user`. Is it now `user` or `users`? This could be as good caused by a wrong role name in ``. Note that the login went successful (otherwise you'd have a 401). – BalusC Jan 24 '13 at 15:24
  • I am sorry, I don't understand. What do I need to put if I want anyone to view the pages once logged in? I did have ` user ` and ` user ` but it is still not working :(. The user is successfully logged in against our LDAP on login, however – user1924104 Jan 24 '13 at 15:27
  • Apparently the logged-in user does not have a role of `user`. If you are actually not using roles, then you should actually have used `*` inside `` (and change that of the security auth constraint as well). – BalusC Jan 24 '13 at 15:28
  • Have done that and updated the original question with my current .xml, but still getting the 403 :( – user1924104 Jan 24 '13 at 15:34
  • What if you open the restricted page directly instead of a folder? E.g. `http://localhost:8080/context/index.xhtml` instead of `http://localhost:8080/context/`. – BalusC Jan 24 '13 at 15:36
  • Then I get the login page; once logged in I get the 403. If I directly open the page I still get the 403 – user1924104 Jan 24 '13 at 15:38
  • Well, you're successfully logged-in, but the role is not right. Sorry, LDAP is beyond me. The web part is fine. Your best bet is to ask the LDAP admin for the right role name so that you can specify exactly this role name in ``. – BalusC Jan 24 '13 at 15:41
  • Is there a way not to have any roles, as they are not needed for this project? – user1924104 Jan 24 '13 at 15:42
  • Just spoken to them and there are no roles in the LDAP directory – user1924104 Jan 24 '13 at 15:50
  • I also get this error now in GlassFish: `WARNING: No Principals mapped to Role [*].` – user1924104 Jan 24 '13 at 15:55
  • Oh that's actually helpful. Have you enabled principal to role mapping in Glassfish realm config? See also this related Q&A: http://stackoverflow.com/questions/6728164/glassfish-3-1-default-principal-to-role-mapping – BalusC Jan 24 '13 at 16:02
  • I will look now; I don't think I have enabled that as I am not sure what it is or does – user1924104 Jan 24 '13 at 16:17
  • From the linked question: *"Then on the glassfish console I need to tick the options in: Configuration -> server-config -> security -> Default Principal To Role Mapping"* – BalusC Jan 24 '13 at 16:18
  • Thanks, I have done that. No longer getting that error now in GlassFish but still getting a 403 error :( – user1924104 Jan 24 '13 at 17:32
  • I also get this error in the console: `WARNING: Cannot create update center Image for C:\Program Files\glassfish-3.1.2.2; Update Center functionality will not be available in Admin Console` – user1924104 Jan 24 '13 at 18:03
  • The issue was that no roles were declared in the GlassFish server, so I just added a role and things seem to be OK now! – user1924104 Jan 28 '13 at 10:45
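As an added example (not code from the question, from BalusC's answer, or from the asker's project), the following Python script parses the two `<security-constraint>` entries of the accepted answer out of a constructed web.xml and evaluates which rule a Servlet container applies to a given request. Matching follows the Servlet specification's order: exact pattern, then longest path prefix (`/foo/*`), then extension (`*.xhtml`), then the default `/`; constraints tied at the best level are combined, and any one of them lacking an `<auth-constraint>` makes the resource public. The `audit` function flags the two pitfalls discussed in the thread: a collection with no `<auth-constraint>` is public, and a collection that lists `<http-method>` leaves every other verb uncovered. The request paths are constructed; note that the asker's own `/resources/css/style.css` is not covered by the `/javax.faces.resource/*` exemption, so a direct request to it is still challenged (this is only a problem if the stylesheet is linked directly rather than through the JSF resource handler, which is an assumption about how the page is built).

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample: the two constraints from the accepted answer.
SAMPLE_WEB_XML = """<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Restricted resources</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Allowed resources</web-resource-name>
            <url-pattern>/javax.faces.resource/*</url-pattern>
        </web-resource-collection>
        <!-- no auth-constraint: public -->
    </security-constraint>
</web-app>
"""

@dataclass
class Constraint:
    name: str
    patterns: List[str]
    methods: List[str]          # empty list: covers every HTTP method
    roles: Optional[List[str]]  # None: no <auth-constraint> (public); []: empty one (nobody)

def parse_constraints(xml_text: str) -> List[Constraint]:
    """Flatten each <web-resource-collection> with its parent's <auth-constraint>."""
    root = ET.fromstring(xml_text)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    found = []
    for sc in root.findall(ns + "security-constraint"):
        ac = sc.find(ns + "auth-constraint")
        roles = None if ac is None else [r.text.strip() for r in ac.findall(ns + "role-name")]
        for wrc in sc.findall(ns + "web-resource-collection"):
            found.append(Constraint(
                name=(wrc.findtext(ns + "web-resource-name") or "").strip(),
                patterns=[p.text.strip() for p in wrc.findall(ns + "url-pattern")],
                methods=[m.text.strip().upper() for m in wrc.findall(ns + "http-method")],
                roles=roles,
            ))
    return found

def pattern_rank(pattern: str, path: str) -> Tuple[int, int]:
    """(level, prefix length) of a match, or (0, 0) for no match.
    Levels follow the Servlet spec: 4 exact, 3 path prefix, 2 extension, 1 default."""
    if pattern == "/":
        return (1, 0)
    if pattern.startswith("*."):
        return (2, 0) if path.endswith(pattern[1:]) else (0, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return (3, len(prefix)) if path == prefix or path.startswith(prefix + "/") else (0, 0)
    return (4, 0) if path == pattern else (0, 0)

def access_rule(constraints: List[Constraint], path: str, method: str = "GET") -> Tuple[str, FrozenSet[str]]:
    """Combine the constraints tied at the best-matching pattern for this request.
    One of them lacking <auth-constraint> makes the resource public; an empty
    <auth-constraint> denies everyone; otherwise the allowed roles are unioned."""
    best, matched = (0, 0), []
    for c in constraints:
        if c.methods and method.upper() not in c.methods:
            continue  # verb not listed: this constraint does not cover the request
        rank = max((pattern_rank(p, path) for p in c.patterns), default=(0, 0))
        if rank == (0, 0):
            continue
        if rank > best:
            best, matched = rank, [c]
        elif rank == best:
            matched.append(c)
    if not matched or any(c.roles is None for c in matched):
        return ("public", frozenset())
    if any(c.roles == [] for c in matched):
        return ("denied", frozenset())
    return ("roles", frozenset(r for c in matched for r in c.roles))

def audit(constraints: List[Constraint]) -> List[str]:
    """Flag the two pitfalls discussed in the thread."""
    findings = []
    for c in constraints:
        where = f"{c.name!r} {c.patterns}"
        if c.roles is None:
            findings.append(f"public (no <auth-constraint>): {where}")
        elif c.roles == []:
            findings.append(f"denies everyone (empty <auth-constraint>): {where}")
        if c.methods:
            findings.append(f"lists <http-method> {c.methods}, so other verbs are uncovered: {where}")
    return findings

if __name__ == "__main__":
    cs = parse_constraints(SAMPLE_WEB_XML)
    for finding in audit(cs):
        print("finding:", finding)
    for path in ("/", "/index.xhtml", "/javax.faces.resource/style.css", "/resources/css/style.css"):
        print(f"{path:36} -> {access_rule(cs, path)}")
```

Run it against a real web.xml by replacing `SAMPLE_WEB_XML` with the file's contents; the `roles` result only says which role names the container will check, and, as the last comment in the thread shows, those roles still have to exist in the server's realm (or be mapped via default principal-to-role mapping) for an authenticated user to get past the 403.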