I'm working with ZK and spring.
I downloaded 2 different project that now I try to merge. My problem is in this part of code:
<html:form action="j_spring_security_check" method="POST" xmlns:html="native">
that is in the file login.zul. I found these lines in web.xml:
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
I saw that if I change /* with /login.zul it happened that in my url becomes: localhost:8080/myProject/j_spring_security_check and I saw error 404.
If I didn't change my url is localhost:8080/myProject/ and the page index.zul works correctely.
But index.zul is in the same folder as login.zul.
I saw the same error also if I set /index.zul in state of "/*".
How can I decide another url in stead of /*?
Thanks!
The above URL pattern /* declares that you want to protect all your pages. It has nothing to with the fact, which page do you want to load after the successfull login.
The title is also missleading, j_spring_security_check is just the default URL for Spring Security login form submission: SpringSec will start his authentication module (that is username/password checking) when a request to this URL comes. You do not want to change it. You may change it if you for example do not want to tell the world that you uses Spring Security, or you do not want to change your existing login form that uses an other action attribute.
You may have a configuration XML for Spring Security like spring-security.xml or an equivalent Java based configuration) - with a tag in it. You need to set the default-target-url attribute of that tag as
<form-login login-page="/some_dir/login.zul" default-target-url="/some_other_dir/panel.zul"
You should use relative URLs inside your webapp.
You may have an authentication-success-handler-ref instead of default-target-urlin a more complicated situation, but you should not mix them .
Related
This is the most bizarre tomcat configuration problem I've ever seen. I have the following entry in web.xml:
<filter>
<filter-name>httpHeaderSecurity</filter-name>
<filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
<async-supported>true</async-supported>
<hstsEnabled>true</hstsEnabled>
<hstsMaxAgeSeconds>631</hstsMaxAgeSeconds>
<hstsIncludeSubDomains>true</hstsIncludeSubDomains>
<hstsPreload>true</hstsPreload>
</filter>
I intentionally put in a weird value for max-age so that it would be easy to see if the configuration is active or not.
And it's activated:
<filter-mapping>
<filter-name>httpHeaderSecurity</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
</filter-mapping>
But it doesn't do what it should do. The resulting headers are always:
strict-transport-security: max-age=0
which is almost exactly what I don't want.
Any ideas on this? I can't even understand how this could be happening and it certainly goes against all the documentation. This is all with Tomcat 9.0.29, JDK 13. It seems like it should "just work" and seems like a very simple configuration.
To be clear, this is in the Tomcat web.xml (in $CATALINA/conf/web.xml), not in an application-specific web.xml. HSTS preload is for the entire domain (including subdomains which might be on other servers), not for any set of URIs within the domain, so it only makes sense to set preload in the server-wide web.xml.
EDIT: This is with a Spring Boot application. It seems that Spring Boot might be controlling this header and overriding whatever is being set in web.xml. This is unfortunate because Spring Boot is for a specific application in a specific context, whereas this header really applies to the entire domain, or even to sub-domains, and so is beyond any specific web application in a specific context. I think I need to figure out how to get Spring Boot to do nothing to HSTS headers and let Tomcat handle it all.
I am learning about filters. So I have the following code in my web.xml:
<filter>
<filter-name>asyncFilter</filter-name>
<filter-class>el.test.AnyRequestFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>asyncFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>ASYNC</dispatcher>
</filter-mapping>
When I write is is autocompletes me ASYNC, but after that it becomes in red colour and IntelliJ show me that the error is that is is unknown enum.
Why is that?
Thanks for your attention.
P.S. I have problems with following code too:
<error-page>
<location>/WEB-INF/jsp/view/badRequest.jsp</location>
<error-code>404</error-code>
</error-page>
on <error-code> it is written no child element expected at this point, but the code is working(I can run it).
from https://docs.oracle.com/cd/E19879-01/819-3669/bnagf/index.html
4.In the Add Filter Mapping dialog, select one of the following dispatcher types:
REQUEST: Only when the request comes directly from the client
FORWARD: Only when the request has been forwarded to a component (see Transferring Control to Another Web Component)
INCLUDE: Only when the request is being processed by a component that has been included (see Including Other Resources in the Response)
ERROR: Only when the request is being processed with the error page mechanism (see Handling Servlet Errors)
So ASYNC is not a valid value.
Edit : it seems it was added in javaee 6 : http://docs.oracle.com/javaee/6/tutorial/doc/bnagb.html
So maybe you have some configuration problem of JRE/JDK version with your project and IDE.
I have a Grails application running that uses an external CAS login method and uses a local user list for authorization. I am using the spring-security and spring-security-cas plugins and everything is working great.
I am now implementing a RESTful API under a sub-domain of the application (/api) and want to provide security for that as well. I have read that setting up HTTP basic AuthN is easy with Grails, but have found nothing on using 2 security paradigms within one application. Aside from separating the API to a separate application, is there a way to implement a separate authentication method for just the /api sub-domain on my application?
Any feedback would be greatly appreciated. Thanks!
I found no simple way to accomplish this, so I ended up using IP-based access control for the API (since only a few people will be using it). I did this by editing the web.xml file in my grails app and adding a Remote Address Filter:
<filter>
<filter-name>Remote Address Filter</filter-name>
<filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
<init-param>
<param-name>allow</param-name>
<param-value>**IP ADDRESSES HERE**</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Remote Address Filter</filter-name>
<url-pattern>/api/*</url-pattern>
</filter-mapping>
I also had to disable CAS authentication for the api, which I accomplished by adding permissions in the interceptUrlMap in Config.groovy:
'/api/**': ['IS_AUTHENTICATED_REMEMBERED', 'IS_AUTHENTICATED_ANONYMOUSLY']
I have a WAR file that defines a filter to run on all URLs:
<!DOCTYPE web-app PUBLIC
"-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
"http://java.sun.com/dtd/web-app_2_3.dtd">
...
<filter>
<filter-name>OurRedirectServletFilter</filter-name>
<filter-class>com.mycompany.RedirectServletFilter</filter-class>
</filter>
...
<filter-mapping>
<filter-name>OurRedirectServletFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The filter is designed to perform some redirects from 'convenience' URLs to a corresponding 'actual' URL, but I don't think that's really relevant to the problem.
On WebSphere 7.0, this filter doesn't run for requests to the root URL, e.g. /ctxroot or /ctxroot/; instead I just get a 404 response. It does run for /ctxroot/blah, whether blah is a valid or invalid path.
I've tried adding additional filter mappings for URL patterns <url-pattern>/</url-pattern> and <url-pattern></url-pattern>, but I get the same behavior.
I've tested on base WAS 7.0.0.0, and with the latest fix pack applied, i.e. WAS 7.0.0.27.
The filter works as expected on WAS 8.5 and I'm pretty sure on WAS 8.0, as well as on every version of WebLogic, JBoss, and Tomcat that I've tried. This then seems to be a bug with WAS 7.0, but I'd still like to find a workaround. Anybody know of one?
I eventually looked at the body of the 404 error response and saw error code SRVE0190E, which led me to this helpful page. The issue is that filters aren't called by default for URLs that correspond to resources that don't exist (though I swear I tested that for a URL other than the context root, and my filter was called).
It's possible to configure WebSphere to call filters in this situation by setting a custom property as further described in the linked page:
com.ibm.ws.webcontainer.invokefilterscompatibility=true
I also found that for the case of the context root URL, setting a welcome-file entry in web.xml that maps to an existing resource causes the filter to be called:
<welcome-file-list>
<welcome-file>fakehome.html</welcome-file>
</welcome-file-list>
As described here: http://wikis.sun.com/display/Jersey/WADL
I'm using Jersey 1.4 in Tomcat 6.
I have tried every possible URI with a "/application.wadl" and all I get is a 404 (not available). I'm obviously not understanding something, but every blog I read makes it sound like this is "out of the box" functionality. I'm using Tomcat 6..should this matter?
I was able to use Pavel's example on using the WadlResource object here, but it seems I shouldn't need to do this: http://markmail.org/message/lbeaw5vyr4qergdd#query:+page:1+mid:fo4dt7tbd6rb3gvi+state:results
thanks.
I think that ChrisO most likely has the answer in that your wadl would be available at http://localhost:{port}/{warname}/application.wadl
I had the same problem, and found out that default application.wadl was only working when configured at the root of the app
My conf included several url patterns like the following
<filter-mapping>
<filter-name>jersey-spring</filter-name>
<url-pattern>/admin/rest/*</url-pattern>
</filter-mapping>
And I had to add this to make it work :
<filter-mapping>
<filter-name>jersey-spring</filter-name>
<url-pattern>/application.wadl</url-pattern>
</filter-mapping>
Hope it helps
If you are using Jersey, the WADL will be given automatically when you suffix the application.wadl to your url.
Here all the /rest/ is the <url-pattern> for the <servlet-mapping>
http: // yourmacine:8080 / RESTfulExample/rest/application.wadl
You need to specify the display-name and url-pattern of the sevlet mapping(if any) before application.wadl