myfaces-users mailing list archives

From "Zohner, Michael" <Michael.Zoh...@dkib.com>
Subject RE: Security - protect JSF pages (.xhtml) via security in web.xml -> DOES NOT WORK ? -> THE WEB.XML !
Date Thu, 19 Apr 2007 09:39:08 GMT
None of the variants work.

/rule/* does not work either.

My faces navigation XML looks like this:

	<navigation-rule>
		<from-view-id>/rule/ruleGroupList.xhtml</from-view-id>
		<navigation-case>
			<from-outcome>GROUP_EDIT</from-outcome>
			<to-view-id>/rule/editRuleGroup.xhtml</to-view-id>
			<redirect/>
		</navigation-case>
		<navigation-case>
			<from-outcome>RULE_LIST</from-outcome>
			<to-view-id>/rule/ruleList.xhtml</to-view-id>
			<redirect/>
		</navigation-case>
	</navigation-rule>
 
BTW:
I am using the JSCookMenu and standard commandButtons/commandLinks. And I want to protect the pages when users click on several links of this menu...

-----Original Message-----
From: David Delbecq [mailto:delbd+jakarta@oma.be] 
Sent: 19 April 2007 11:23
To: MyFaces Discussion
Subject: Re: Security - protect JSF pages (.xhtml) via security in web.xml -> DOES NOT WORK ? -> THE WEB.XML !

On 19/04/07 at 11:17, Zohner, Michael wrote:
> How to do that?
>   
Obviously by having a more appropriate <url-pattern/> in your <web-resource-collection/>.
> It would also be ok to protect the whole directory (so that it is independent of which suffix the pages have).
>
> But how can I get this working?
>
> -----Original Message-----
> From: David Delbecq [mailto:delbd+jakarta@oma.be]
> Sent: 19 April 2007 11:17
> To: MyFaces Discussion
> Subject: Re: Security - protect JSF pages (.xhtml) via security in web.xml -> DOES NOT WORK ? -> THE WEB.XML !
>
> Your security constraint's URL pattern
> <url-pattern>/rule/ruleList.xhtml</url-pattern>
>
> only prevents unauthorized users from pointing their browser at
> http://server/yourWebapp/rule/ruleList.xhtml
>
> It does not prevent them from pointing their browser to
> http://server/yourWebapp/rule/ruleList.faces or
> http://server/yourWebapp/rule/ruleList.jsf
>
> You probably want to have URL patterns for .faces and .jsf instead of .xhtml.
>
>
> On 19/04/07 at 10:52, Zohner, Michael wrote:
>   
>> Hi,
>>
>> I don't know if I really understood Martin's proposal.
>>
>> We have to use the security constraint, I think.
>>
>> Here is the web.xml:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>>
>> <web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee"
>>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
>> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
>> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
>>  <description>Data Staging area for Static data</description> 
>> <display-name>App</display-name>
>>
>>  <filter>
>>   <display-name>Ajax4jsf Filter</display-name>
>>   <filter-name>ajax4jsf</filter-name>
>>   <filter-class>org.ajax4jsf.FastFilter</filter-class>
>>  </filter>
>>
>>  <!-- Tomahawk stuff -->
>>  <filter>
>>   <filter-name>extensionsFilter</filter-name>
>>   <!-- Old: org.apache.myfaces.component.html.util.ExtensionsFilter -->
>>   <filter-class>org.apache.myfaces.webapp.filter.ExtensionsFilter</filter-class>
>>   <init-param>
>>    <description></description>
>>    <param-name>maxFileSize</param-name>
>>    <param-value>2m</param-value>
>>   </init-param>
>>   <init-param>
>>    <param-name>uploadThresholdSize</param-name>
>>    <param-value>100k</param-value>
>>   </init-param>
>>  </filter>
>>
>>
>>  <filter-mapping>
>>   <filter-name>ajax4jsf</filter-name>
>>   <servlet-name>faces</servlet-name>
>>   <dispatcher>REQUEST</dispatcher>
>>   <dispatcher>FORWARD</dispatcher>
>>   <dispatcher>INCLUDE</dispatcher>
>>  </filter-mapping>
>>  <filter-mapping>
>>   <filter-name>extensionsFilter</filter-name>
>>   <servlet-name>faces</servlet-name>
>>  </filter-mapping>
>>  <filter-mapping>
>>   <filter-name>extensionsFilter</filter-name>
>>   <url-pattern>/faces/myFacesExtensionResource/*</url-pattern>
>>  </filter-mapping>
>>
>>  <context-param>
>>     <description></description>
>>     <param-name>javax.faces.CONFIG_FILES</param-name>
>>     <param-value>
>>         /WEB-INF/faces-beans.xml,/WEB-INF/faces-nav.xml
>>     </param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <description></description>
>>   <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
>>   <param-value>server</param-value>
>>  </context-param>
>>
>>  <!-- IMPORTANT for ajax4jsf -->
>>  <context-param>
>>   <param-name>org.ajax4jsf.VIEW_HANDLERS</param-name>
>>   <param-value>com.sun.facelets.FaceletViewHandler</param-value>
>>  </context-param>
>>
>>  <!-- Use Documents Saved as *.xhtml -->
>>  <context-param>
>>   <param-name>javax.faces.DEFAULT_SUFFIX</param-name>
>>   <param-value>.xhtml</param-value>
>>  </context-param>
>>
>>   <context-param>
>>   <param-name>facelets.REFRESH_PERIOD</param-name>
>>   <param-value>2</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>facelets.DEVELOPMENT</param-name>
>>   <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>     <param-name>com.sun.faces.validateXml</param-name>
>>     <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>     <param-name>com.sun.faces.verifyObjects</param-name>
>>     <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>     <param-name>org.ajax4jsf.SKIN</param-name>
>>     <param-value>dkib</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>facelets.LIBRARIES</param-name>
>>   <param-value>
>>      /WEB-INF/taglib/tomahawk.taglib.xml;/WEB-INF/taglib/facestrace.taglib.xml
>>   </param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <description></description>
>>   <param-name>org.apache.myfaces.ALLOW_JAVASCRIPT</param-name>
>>   <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>org.apache.myfaces.DETECT_JAVASCRIPT</param-name>
>>   <param-value>false</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <description></description>
>>   <param-name>org.apache.myfaces.PRETTY_HTML</param-name>
>>   <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <description></description>
>>   <param-name>org.apache.myfaces.AUTO_SCROLL</param-name>
>>   <param-value>true</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>org.apache.myfaces.COMPRESS_STATE_IN_SESSION</param-name>
>>   <param-value>false</param-value>
>>  </context-param>
>>
>>  <context-param>
>>   <param-name>org.apache.myfaces.CHECK_EXTENSIONS_FILTER</param-name>
>>   <param-value>false</param-value>
>>  </context-param>
>>
>>
>>     <servlet>
>>         <servlet-name>faces</servlet-name>
>>         <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
>>         <load-on-startup>1</load-on-startup>
>>     </servlet>
>>
>> 	<servlet>
>> 		<servlet-name>jsp</servlet-name>
>> 		<servlet-class>
>> 			org.apache.jasper.servlet.JspServlet
>> 		</servlet-class>
>> 		<init-param>
>> 			<param-name>keepgenerated</param-name>
>> 			<param-value>true</param-value>
>> 		</init-param>
>> 		<init-param>
>> 			<param-name>logVerbosityLevel</param-name>
>> 			<param-value>FATAL</param-value>
>> 		</init-param>
>> 		<init-param>
>> 			<param-name>classdebuginfo</param-name>
>> 			<param-value>true</param-value>
>> 		</init-param>
>> 		<init-param>
>> 			<param-name>enablePooling</param-name>
>> 			<param-value>false</param-value>
>> 		</init-param>
>> 		<load-on-startup>0</load-on-startup>
>> 	</servlet>
>>
>>  <servlet>
>>   <servlet-name>JspRedirector</servlet-name>
>>   <jsp-file>/test/jspRedirector.jsp</jsp-file>
>>  </servlet>
>>
>>  <!-- Faces Servlet Mapping extension mapping -->
>>  <servlet-mapping>
>>   <servlet-name>faces</servlet-name>
>>   <url-pattern>*.jsf</url-pattern>
>>  </servlet-mapping>
>>
>>  <servlet-mapping>
>>   <servlet-name>faces</servlet-name>
>>   <url-pattern>*.faces</url-pattern>
>>  </servlet-mapping>
>>
>>  <servlet-mapping>
>>   <servlet-name>JspRedirector</servlet-name>
>>   <url-pattern>/JspRedirector</url-pattern>
>>  </servlet-mapping>
>>
>>  <servlet-mapping>
>>   <servlet-name>jsp</servlet-name>
>>   <url-pattern>*.jsp</url-pattern>
>>  </servlet-mapping>
>>
>>  <servlet-mapping>
>>   <servlet-name>jsp</servlet-name>
>>   <url-pattern>*.jspf</url-pattern>
>>  </servlet-mapping>
>>
>>  <session-config>
>>   <session-timeout>600</session-timeout>
>>  </session-config>
>>
>>  <!-- Welcome files -->
>>  <welcome-file-list>
>>   <welcome-file>index.html</welcome-file>
>>   <welcome-file>index.jsp</welcome-file>
>>   <welcome-file>/jsf/index.jsf</welcome-file>
>>  </welcome-file-list>
>>  <error-page>
>>   <error-code>401</error-code>
>>   <location>/Http401Unauthorized</location>
>>  </error-page>
>>  <error-page>
>>   <exception-type>java.lang.Throwable</exception-type>
>>   <location>/ErrorCtrl</location>
>>  </error-page>
>>  
>>  <jsp-config>
>>   <taglib>
>>    <taglib-uri>jstl-sql-rt.tld</taglib-uri>
>>    <taglib-location>/WEB-INF/taglib/jstl-sql-rt.tld</taglib-location>
>>   </taglib>
>>   <taglib>
>>    <taglib-uri>jstl-fmt.tld</taglib-uri>
>>    <taglib-location>/WEB-INF/taglib/jstl-fmt.tld</taglib-location>
>>   </taglib>
>>   <taglib>
>>    <taglib-uri>jstl-core.tld</taglib-uri>
>>    <taglib-location>/WEB-INF/taglib/jstl-core.tld</taglib-location>
>>   </taglib>
>>  </jsp-config>
>>
>>  <security-constraint>
>>   <web-resource-collection>
>>    <web-resource-name>SSL Scheduler Pages</web-resource-name>
>>    <description />
>>    <url-pattern>/scheduler/schedulerManager.xhtml</url-pattern>
>>    <http-method>GET</http-method>
>>    <http-method>PUT</http-method>
>>    <http-method>POST</http-method>
>>   </web-resource-collection>
>>     <auth-constraint>
>>      <description />
>>      <role-name>RDSstaticdatadeveloper</role-name>
>>     </auth-constraint>
>> 	<user-data-constraint>
>> 	 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> 	</user-data-constraint>
>>  </security-constraint>
>>
>>  <security-constraint>
>>   <web-resource-collection>
>>    <web-resource-name>SSL Rule Pages</web-resource-name>
>>    <description />
>>    <url-pattern>/rule/ruleList.xhtml</url-pattern>
>>    <http-method>GET</http-method>
>>    <http-method>PUT</http-method>
>>    <http-method>POST</http-method>
>>   </web-resource-collection>
>>     <auth-constraint>
>>      <description />
>>      <role-name>RDSstaticdatarulesrw</role-name>
>>     </auth-constraint>
>> 	<user-data-constraint>
>> 	 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> 	</user-data-constraint>
>>  </security-constraint>
>>
>>  <login-config>
>>   <auth-method>CLIENT-CERT</auth-method>
>>   <realm-name>gds</realm-name>
>>  </login-config>
>>
>>  <security-role>
>>   <description>developer role - access to developer areas</description>
>>   <role-name>RDSstaticdatadeveloper</role-name>
>>  </security-role>
>>
>>  <security-role>
>>   <description>users who have permissions to maintain the rule definitions</description>
>>   <role-name>RDSstaticdatarulesrw</role-name>
>>  </security-role>
>>
>> </web-app>
>>
>> Thanks a lot!
>>
>> -----Original Message-----
>> From: David Delbecq [mailto:delbd+jakarta@oma.be]
>> Sent: 19 April 2007 10:49
>> To: MyFaces Discussion
>> Subject: Re: Security - protect JSF pages (.xhtml) via security in web.xml -> DOES NOT WORK ?
>>
>> One of those
>> <url-pattern>/rule/ruleList.faces</url-pattern>
>> <url-pattern>/faces/rule/ruleList.xhtml</url-pattern>
>> <url-pattern>/faces/rule/*</url-pattern>
>> will most probably work better, depending on how you mapped your
>> facelets context. If not, please provide the full web.xml so we can see
>> where the problem is :)
>>
>> PS: security constraints apply to the URL submitted by the browser, not to internal forwards that may appear as a result of a JSF navigation rule.
>>
>>
>> On 19/04/07 at 10:14, Zohner, Michael wrote:
>>   
>>     
>>> Sorry, there was a small mistake:
>>>
>>> WRONG:
>>> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
>>> It has no effect.
>>>
>>> RIGHT:
>>> So, when I become ANOTHER USER than "RDSstaticdatarulesrw" user, I 
>>> can see the page.
>>> So, all that has no effect.
>>>
>>>
>>> Regards
>>> Michael
>>>
>>>
>>> -----Original Message-----
>>> From: Zohner, Michael
>>> Sent: 19 April 2007 10:10
>>> To: MyFaces Discussion
>>> Subject: Security - protect JSF pages (.xhtml) via security in web.xml -> DOES NOT WORK ?
>>>
>>> Hi,
>>>
>>> I am trying to protect several pages in our jsf application 
>>> (myFaces, facelets, richfaces).
>>>
>>> We have a security server where our users have specific roles.
>>>
>>> It's an HTTPS application.
>>>
>>> This is in my web.xml:
>>>
>>>  <security-constraint>
>>>   <web-resource-collection>
>>>    <web-resource-name>SSL Rule Pages</web-resource-name>
>>>    <description />
>>>    <url-pattern>/rule/ruleList.xhtml</url-pattern>
>>>    <http-method>GET</http-method>
>>>    <http-method>PUT</http-method>
>>>    <http-method>POST</http-method>
>>>   </web-resource-collection>
>>>     <auth-constraint>
>>>      <description />
>>>      <role-name>RDSstaticdatarulesrw</role-name>
>>>     </auth-constraint>
>>> 	<user-data-constraint>
>>> 	 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>> 	</user-data-constraint>
>>>  </security-constraint>
>>>
>>> So, when I become an "RDSstaticdatarulesrw" user, I can see the page.
>>> It has no effect.
>>>
>>> When I write <url-pattern>/rule/*</url-pattern> instead of
>>> <url-pattern>/rule/ruleList.xhtml</url-pattern>, I cannot see ANY pages.
>>> Not even the pages which are NOT in the directory "rule".
>>>
>>> So, HOW can I get this working?
>>>
>>> The best would be to protect whole dirs and single pages.
>>>
>>> Best regards
>>> Michael
>>>
>>>
>>> ________________
>>> Dresdner Bank AG
>>> Sitz/Registered Office: Frankfurt am Main, 
>>> Handelsregister/Commercial
>>> Register: Amtsgericht/Local Court, Frankfurt am Main, HRB 14000 
>>> Vorsitzender des Aufsichtsrats/Chairman of the Supervisory Board:
>>> Michael Diekmann Vorstand/Board of Managing Directors: Herbert 
>>> Walter (Vorsitzender/Chairman), Andreas Georgi, Stefan Jentzsch, 
>>> Wulf Meier, Andree Moschner, Klaus Rosenfeld, Otto Steinmetz, 
>>> Friedrich Woebking
>>>
>>> This e-mail is confidential and the information contained in it may 
>>> be privileged.  It should not be read, copied or used by anyone 
>>> other than the intended recipient.  If you have received it in 
>>> error, please contact the sender immediately by telephoning +44 
>>> (0)20 7623 8000 or by return email, and delete the e-mail and do not 
>>> disclose its contents to any person.  We believe, but do not 
>>> warrant, that this e-mail and any attachments are virus free, but 
>>> you must take full responsibility for virus checking.  Please refer 
>>> to http://www.dresdnerkleinwort.com/disc/email/ and read our e-mail 
>>> disclaimer statement and monitoring policy.
>>> ________________
>>>
>>>
>
>


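Added illustration of the point made in this thread about which URL the container actually checks (example code, not anything from the thread, from MyFaces or from a servlet container): a small Python model of Servlet-spec security-constraint matching, run over the constraint posted above. It also shows, beyond what the thread says, that a constraint listing <http-method> elements leaves other verbs such as HEAD uncovered; the constraint name, role and paths are taken from the posted web.xml, everything else is assumed.

```python
# Added example, not code from the thread: how a servlet container selects the
# <security-constraint> elements covering a request. The best-matching url-pattern
# wins (exact > longest "/dir/*" prefix > "*.ext" > "/"); then only constraints on
# that pattern whose <http-method> list names the request's method (or none) apply.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ALL_METHODS = None  # a constraint with no <http-method> covers every method

@dataclass
class Constraint:
    name: str
    url_patterns: List[str]
    roles: Set[str]  # empty set = <auth-constraint/> naming no role: deny all
    http_methods: Optional[Set[str]] = ALL_METHODS

def match_rank(pattern: str, path: str) -> Optional[Tuple[int, int]]:
    """Rank how well a url-pattern matches a path; None means no match."""
    if pattern == path:
        return (3, len(pattern))            # exact match beats everything
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))         # longest path prefix wins
    elif pattern.startswith("*."):
        if path.rsplit("/", 1)[-1].endswith(pattern[1:]):
            return (1, 0)                   # extension match
    elif pattern == "/":
        return (0, 0)                       # default pattern
    return None

def allowed_roles(constraints: List[Constraint], method: str, path: str):
    """Return "UNCONSTRAINED" if nothing covers (method, path), an empty set
    if access is precluded, else the union of roles of the covering constraints."""
    best, chosen = None, []
    for c in constraints:
        ranks = [r for r in (match_rank(p, path) for p in c.url_patterns) if r]
        if not ranks:
            continue
        if best is None or max(ranks) > best:
            best, chosen = max(ranks), [c]
        elif max(ranks) == best:
            chosen.append(c)
    covering = [c for c in chosen
                if c.http_methods is ALL_METHODS or method in c.http_methods]
    if not covering:
        return "UNCONSTRAINED"
    if any(not c.roles for c in covering):
        return set()
    return set().union(*(c.roles for c in covering))

# The constraint as posted in the thread: literal .xhtml path, only GET/PUT/POST.
AS_POSTED = [Constraint("SSL Rule Pages", ["/rule/ruleList.xhtml"],
                        {"RDSstaticdatarulesrw"}, {"GET", "PUT", "POST"})]
# The directory variant from the thread, with no <http-method> list (covers every verb).
DIRECTORY = [Constraint("SSL Rule Pages", ["/rule/*"], {"RDSstaticdatarulesrw"})]

if __name__ == "__main__":
    for m, p in (("GET", "/rule/ruleList.jsf"), ("HEAD", "/rule/ruleList.xhtml")):
        print(m, p, allowed_roles(AS_POSTED, m, p), allowed_roles(DIRECTORY, m, p))
```

With the posted constraint, a GET for /rule/ruleList.jsf or a HEAD for /rule/ruleList.xhtml comes back unconstrained, while the /rule/* variant requires the role for both.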

