Whitelist security constraint in web.xml

I'm using Tomcat for my Struts2 application. The web.xml has certain entries as shown below:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>no_access</web-resource-name>
        <url-pattern>/jsp/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>no_access</web-resource-name>
        <url-pattern>/myrrunner/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

How can I change the above blacklisted parts to use whitelisting instead? For example, instead of blacklisting the PUT and DELETE HTTP methods, I need to whitelist the other methods, but I'm not sure of the syntax for whitelisting them or which methods to whitelist.

For my above web.xml snippet, I'd appreciate it if someone could provide me the whitelisting counterpart of the above XML.

EDIT: Also, how would I really verify whether the solution works or not?

Thanks

Mike asked Nov 09 '11 18:11



1 Answer

I would try the following:

<security-constraint>
    <web-resource-collection>
        <!-- web-resource-name is required by the web-app schema -->
        <web-resource-name>allowed methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- no auth-constraint tag here -->
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- Omissions added (Servlet 3.0+, i.e. Tomcat 7+): without them this
             collection covers every method, including GET and POST, and an empty
             auth-constraint overrides any other constraint on the same pattern,
             so every request to the application would be denied. -->
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
</security-constraint>

The first security-constraint does not have any auth-constraint, so the GET and POST methods are available to anyone without login. The second restricts other HTTP methods for everybody. (I haven't tried it.)

palacsint answered Oct 01 '22 13:10

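As an added example (not code from the question or the answer above), here is a complete web.xml that is the whitelisting counterpart of the asker's three constraints. It uses the Servlet 3.0 http-method-omission element (Tomcat 7 and later) so that the deny rule never covers GET and POST, and the Servlet 3.1 deny-uncovered-http-methods element (Tomcat 8 and later) so that any method no constraint mentions is refused rather than silently served. The web-resource names and the 3.1 schema header are my choices; the url-patterns are the asker's.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- Whitelist: GET and POST are the only methods the application answers.
       There is no auth-constraint, so they remain reachable without login,
       which matches the asker's current behaviour. Add HEAD and OPTIONS here
       (and to the omissions below) only if the application really needs them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>allowed methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
  </security-constraint>

  <!-- Every method other than GET and POST, on every URL, is denied outright.
       An empty auth-constraint names no roles, so the container precludes
       access. The omissions keep GET and POST out of this collection; without
       them the deny would combine with the constraint above and win, blocking
       the whole application. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all other methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
      <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- The two no_access paths from the question, merged into one collection.
       No http-method is listed, so the collection covers every method and
       nothing reaches these paths. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no_access</web-resource-name>
      <url-pattern>/jsp/*</url-pattern>
      <url-pattern>/myrrunner/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>

  <!-- Servlet 3.1 only: a (url-pattern, method) pair that no constraint covers
       is denied instead of being allowed by default. With the constraints above
       nothing is uncovered, so this is a safety net against future edits. -->
  <deny-uncovered-http-methods/>

</web-app>
```

To answer the asker's EDIT about verification: deploy the application and send one request per method from the command line, for example `curl -i -X PUT http://localhost:8080/yourapp/` (substitute your own host and context path). Every method that is not GET or POST, including TRACE and a made-up name such as FOO, should come back as 403 Forbidden from the container, while `curl -i http://localhost:8080/yourapp/` still returns the page; `curl -i http://localhost:8080/yourapp/jsp/` should also give 403. A 405 Method Not Allowed instead of 403 means the request reached the servlet and was rejected by application code, not by the security constraint, so the constraint did not match. Tomcat also logs a warning at startup when deny-uncovered-http-methods is present and some pattern still has uncovered methods, which is a quick static check after any later change to web.xml.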