What is web-resource-name in web.xml? - web.xml

The following are the tags I am using in my web.xml file.
What is web-resource-name?
<security-constraint>
<web-resource-collection>
<web-resource-name>profile</web-resource-name>
<url-pattern>/profile/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

I found a page in the Java EE 6 docs which seems to answer your question, and explains some other tags beside:
A web resource collection consists of the following subelements:
web-resource-name is the name you use for this resource. Its use is optional.

Related

Excepting certain resources from security constraint in Tomcat 9

I have successfully applied an authentication constraint in conf/web.xml to all pages on my Tomcat 9 server using Kerberos, as follows:
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Content</web-resource-name>
<description>Authentication Required</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>SPNEGO</auth-method>
</login-config>
<security-role>
<role-name>USER_ROLE</role-name>
</security-role>
</web-app>
Everything is working as expected, including Kerberos.
Now I want to exclude all pages under /services from the security constraint so they can be accessed without any authentication. I would prefer to do it in conf/web.xml because there will be multiple applications deployed under /services and I would rather not configure each individually.
Based on other Stackoverflow answers, I added this:
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<description>No Authentication Required</description>
<url-pattern>/services/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Regardless of which order the security constraints are applied, I get a 401 error for the applications under /services when I test them using curl. If I remove the original security constraint, I can access the /services applications just fine.
The second security constraint is being ignored. Why would this be happening?

JAAS and Spring Integration

I have a Dynamic Web Project with JAAS, it has a LoginModule.
Now, I have a ROLE and I give to it a privileges like this:
<security-constraint>
<display-name>PRIVILEGES</display-name>
<web-resource-collection>
<web-resource-name>PRIVATE</web-resource-name>
<url-pattern>/usuario/*</url-pattern>
<url-pattern>/Data</url-pattern> <-- This is a Servlet. (JAAS Protect it)
<url-pattern>/getEstudent</url-pattern> <-- RequestMapping from Spring.(JAAS does not protect it)
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER1</role-name>
</auth-constraint>
I have integrated this with Spring. And I want to protect this url "getEstudiante". But the JAAS does not protect it.
How to do to protect a "requestmapping" from a Controller?, Thanks.

basic authentication does not work even for correct credentials

I am trying to configure Tomcat 7 JDBC realm configuration.
I have followed this tutorial completely:
http://www.avajava.com/tutorials/lessons/how-do-i-use-a-jdbc-realm-with-tomcat-and-mysql.html
I get the basic authentication pop-up, but even if I enter correct credentials, user is not authenticated.
I don't get any error message.
Tutorial specifies Tomcat 5.5 but I am using Tomcat 7.
I have just changed the connectionPasword and connectionName and the name of dynamic web project.
Here is server.xml JDBC realm configuration
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost:3306/tomcat_realm"
connectionName="root"
connectionPassword="root"
userTable="tomcat_users"
userNameCol="user_name"
userCredCol="password"
userRoleTable="tomcat_users_roles"
roleNameCol="role_name" />
Here is web.xml
<servlet>
<servlet-name>TestServlet</servlet-name>
<servlet-class>test.TestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TestServlet</servlet-name>
<url-pattern>/test</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>dude</role-name>
</auth-constraint>
<user-data-constraint>
<!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
All I can see is, I get this message regarding security:
Security role name dude used in an <auth-constraint> without being defined in a <security-role>
Can you please help me sort this out? Is this issue related to Tomcat 7?
Per the Java Servlet Spec, you need to define the dude role as a security role. To do this, add the <security-role> element to your web.xml, as shown below:
<servlet>
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>dude</role-name>
</auth-constraint>
<!-- ... -->
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>dude</role-name>
</security-role>
This would allow GET/POST requests to any user having the dude role.
I'll suggest you don't include the <http-method> elements as they don't work as you might expect. Including this element for GET and POST means that the security constrain applies only to these two methods; any other method is allowed. Here is what the Servlet Spec says:
The sub-element web-resource-collection identifies a subset of the resources and HTTP methods on those resources within a Web application to which a security constraint applies.
See this reference for details.

Weblogic session replication

I can't seem to get Weblogic's session replication to work.
I have set-up in my web.xml such that all requests require Admin credentials:
<security-constraint>
<web-resource-collection>
<web-resource-name>redirect</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>Admin</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myrealm</realm-name>
<form-login-config>
<form-login-page>
/login.jsp
</form-login-page>
<form-error-page>
/login.jsp
</form-error-page>
</form-login-config>
</login-config>
In my weblogic.xml, I have setup:
<session-descriptor>
<persistent-store-type>replicated_if_clustered</persistent-store-type>
</session-descriptor>
My test case is with two managed servers.
Navigate to my webpage.
Bring down one managed server. (The one that I am currently connected to)
Failover occurs and I am asked for my credentials.
I expect failover to occur seemlessly, without having me to relog in.
Try to enable session replication option in Weblogic admin console...
Logon to admin
console -> goto cluster -> goto advanced -> tick Session replication.
Note : It's not a good practise to touch .xml files to change any property....

Tiles 2 And No mapping found for HTTP request with URI - Spring-MVC

I want to use Spring-Tiles intergration. Here you can see how my app looks like.
So my question is: why Spring-MVC dispatcher Servlet can not resolve my Target page ???
The problem is that you use <url-pattern>/*</url-pattern> in servlet mapping, so all requests are processed by DispatcherServlet, including request to *.jsp tiles. The most versatile way to solve it (but to keep restful urls without prefixes) is to use a UrlRewriteFilter.
I think you're missing a critical ViewResolver. I checked the post you mentioned in SpringSource but I didn't see the following ViewResolver:
org.springframework.web.servlet.view.tiles2.TilesViewResolver
Try adding that ViewResolver and see if that would help. I use Spring and Tiles as well. I just have to declare that and the TilesConfigurer.
Check out these references:
Add TilesViewResolver to enable fallback if tiles definition does not exist
TilesViewResolver
It's a common issue using Spring and it's due to the fact that the view (jsp) goes through the DispatcherServlet.
Try to modify your web.xml using
<servlet>
<servlet-name>dispatcher</servlet-name>
<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>dispatcher</servlet-name>
<url-pattern>/app/*</url-pattern>
</servlet-mapping>
and then add to your urlrewrite.xml something like:
<urlrewrite default-match-type="wildcard">
<rule>
<from>/</from>
<to>/app/</to>
</rule>
<rule>
<from>/**</from>
<to>/app/$1</to>
</rule>
<outbound-rule>
<from>/app/**</from>
<to>/$1</to>
</outbound-rule>
I'm assuming you're using urlrewrite, if you're not import the jar and add the filter mapping in your web.xml such as:
<filter>
<filter-name>urlRewriteFilter</filter-name>
<filter-class>org.tuckey.web.filters.urlrewrite.UrlRewriteFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>urlRewriteFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>

Resources