Multiple security-constraints, form_authentication and http-methods

manikandan jayakumar
Ranch Hand

Joined: Aug 20, 2011
Posts: 41

Dear Ranchers,

I am testing the following case, but I'm not getting the expected result!

Here is the case:

1. Form-authentication (for all *.do)
2. security-constraint to disable Http methods (for all urls)

1. For Form-authenticator



2. To disable Http methods



Result of the above code :

HEAD :

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 05:30:00 IST
Set-Cookie: JSESSIONID=6C0B0EDCA6CCD35B1CC12ADB59B212A2; Path=/; HttpOnly
Content-Type: text/html;charset=UTF-8
Content-Length: 1424
Date: Fri, 08 Feb 2013 15:57:21 GMT
Connection: close

TRACE :

HTTP/1.1 405 Method Not Allowed
Server: Apache-Coyote/1.1
Allow: GET, OPTIONS, HEAD
Content-Length: 0
Date: Fri, 08 Feb 2013 15:58:24 GMT
Connection: close

OPTIONS :

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 05:30:00 IST
Allow: GET, HEAD, POST, TRACE, OPTIONS
Date: Fri, 08 Feb 2013 15:58:50 GMT
Connection: close



and the request is not passing through the AUTHENTICATOR


If I made any mistake in the post, please mention it; sorry for my English too.
shivam singhal
Ranch Hand

Joined: Jul 15, 2012
Posts: 223

Yeah,
FIRSTLY: your mistake is in line 17, that is "<auth-method>AuthName</auth-method>".

For your knowledge I would like to tell you that we have four authentication methods available:
1. BASIC
2. DIGEST
3. FORM
4. CLIENT-CERT

Here you're using form-based authentication, so <auth-method> should be "<auth-method>FORM</auth-method>".

SECONDLY: in <web-resource-collection> you should have an http-method like <http-method>POST</http-method> by which your client can visit your resource. Now, by this only the roles inside <auth-constraint> can visit your resource via that above-defined http-method. The remaining roles are blocked from viewing your resource via this method, like the POST method in the above case.
BUT other roles can view your resource via other http-methods. So, better don't override any other methods inside your servlet.

Sorry, after viewing your question again, I found that I wrote too much.
IGNORE the extra part.


manikandan jayakumar
Ranch Hand

Joined: Aug 20, 2011
Posts: 41

Greetings shivam singhal, thanks for your response.

Here are the details I have tried:

1. FORM based authenticator - I have extended FormAuthenticator and named it "AuthName" (it works fine if I use this alone).

2. Http-Methods - my requirement is that no one should be able to access (it should throw 405 Method Not Allowed) the OPTIONS, TRACE, HEAD methods on the root directory of my application.

For this I have added the below code.



and the results are 403 for HEAD and OPTIONS, whereas 405 for the TRACE method. And the request is not passing through AuthForm.

Expected result: 405 for HEAD, OPTIONS, TRACE (for /*, all users) and the request should pass through the "AuthForm" (*.do).
shivam singhal
Ranch Hand

Joined: Jul 15, 2012
Posts: 223

Which method are you using for sending requests to your resource?

I think if the above condition is correct, then try by mentioning a different url pattern, AuthForm.do, in your app.
manikandan jayakumar
Ranch Hand

Joined: Aug 20, 2011
Posts: 41

If I use /authForm.do then it works fine, but in my case I should use *.do for AuthForm and /* (all urls) for http-methods.

/* overrides *.do; is this the behavior, or do we have any other configuration to achieve this?
shivam singhal
Ranch Hand

Joined: Jul 15, 2012
Posts: 223

Which method are you using for sending requests to your resource?
manikandan jayakumar
Ranch Hand

Joined: Aug 20, 2011
Posts: 41

I have tried both with POST and GET.
shivam singhal
Ranch Hand

Joined: Jul 15, 2012
Posts: 223

Sorry, unable to understand your query.
Don't worry, please explain what you want to do; for you I will write the security constraint accordingly.

With Regards
SHIVAM SINGHAL
OCPJP - 82%
OCPJWCD - 97%
manikandan jayakumar
Ranch Hand

Joined: Aug 20, 2011
Posts: 41

Ok Dude,

Here is my case.

1. I have a custom form authenticator, which all the *.do requests should pass through (here I will authenticate or check for authentication). I also have some *.cc requests, and these need not pass through this authenticator.

2. Need to disable or restrict access to the Http-Methods (HEAD, OPTIONS, TRACE) for all users for the whole app root directory (/*).

Hope this is a bit clear.
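An added example (constructed here, not the poster's web.xml) of the two constraints side by side under Servlet 3.0 rules: the /* constraint names only HEAD, OPTIONS and TRACE and carries an empty <auth-constraint/>, so it denies those methods to everyone without touching GET or POST, while the *.do constraint lists no http-method, so every method on *.do requires a logged-in user; *.cc URLs match neither and stay open. The role name `user`, the login pages and the standard FORM method are assumptions (a custom Tomcat authenticator would be named in <auth-method> in its place).

```xml
<!-- Constructed example, not the poster's configuration: Servlet 3.0 web.xml fragment -->

<!-- Constraint 1: block HEAD, OPTIONS and TRACE everywhere, for every user -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Blocked methods</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- Listing methods limits this constraint to them; GET and POST are not covered here -->
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
  </web-resource-collection>
  <!-- Empty auth-constraint: no role can satisfy it, so the container refuses with 403 -->
  <auth-constraint/>
</security-constraint>

<!-- Constraint 2: every *.do request (any method) must come from an authenticated user -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Actions</web-resource-name>
    <url-pattern>*.do</url-pattern>
    <!-- No http-method element: the constraint applies to all methods -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name> <!-- assumed role name -->
  </auth-constraint>
</security-constraint>

<!-- *.cc is deliberately not matched by any constraint, so it needs no login -->

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>       <!-- assumed page -->
    <form-error-page>/login-error.jsp</form-error-page> <!-- assumed page -->
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Two caveats a practitioner should expect: a method denied by an empty auth-constraint is answered by the container with 403, not 405, and because nobody could satisfy that constraint the container rejects the request before the authenticator runs, which is what the HEAD and OPTIONS results above show. A 405 with an Allow header would need a filter or servlet of your own rather than a security-constraint.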
 
jQuery in Action, 2nd edition
 
subject: Multiple security-constraints, form_authentication and http-methods
 
Similar Threads
Help in Adding two security constraint in web.xml
Display JSP after authentication
Keep having to login with container based authentaction.
Problem with JDBCRealm configuration
WEB9102: Web Login Failed