When I do an HTTP GET on my WebSphere Liberty profile v8.5.5 (let's assume http://my.domain.com) I'm presented with a nice page that says, among other things,
"Welcome to the WebSphere Application Server V8.5 Liberty Profile"
It looks like this http://rdt1.demos.ibm.com/
How do I configure my server to not display this page and perhaps redirect my request to a login page on https?
Is this a configuration related to a new context root of a new app to be installed? Like this answer below?
How to make "HTTPS redirect" work on WebSphere Application Server Liberty Profile?
I feel like this should be something configured on server.xml but I can't find any reference to this.
Thanks in advance!
You can turn that page off by adding the following to your server.xml file:
<httpDispatcher enableWelcomePage="false" />
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSRTLW_9.0.0/com.ibm.websphere.wlp.nd.multiplatform.doc/autodita/rwlp_metatype_4ic.html#mtFile119
edit:
I should clarify, the other answer is also correct. If you install an application with "/" as the context root, it will be used instead of the main page.
If you add something like the following to that application's web.xml:
<security-constraint>
    <display-name>Some constraint</display-name>
    <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <description>All URLs</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>All users</description>
        <role-name>User</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
You will get the https redirect that you're asking for.
Additional edit (per comment), the following is a more complete example of how to set up the redirect:
How to make "HTTPS redirect" work on WebSphere Application Server Liberty Profile?
Just create your application and in the server.xml specify context root as follows:
<webApplication id="MyApp" location="MyApp.war" name="MyApp" contextRoot="/"/>
If you want to redirect to login page and ssl, then you will need to do all steps in the post you quoted and of course provide login page in your application.
If you want just to disable the welcome page, add to server.xml fragment provided by ebullient or even extend it by adding some javascript code which would make the redirect:
<httpDispatcher enableWelcomePage="false" appOrContextRootMissingMessage='<script>document.location.href="/MyApp/";</script>'></httpDispatcher>
I followed this article and created the simplest websocket echo application. Although the article is about Glassfish, I successfully ran my app under Jetty 9, as they are using the standard javax.websocket API in the article.
It works just fine, but now I want to secure the websocket connection. I googled around and found that most examples are written as standalone Java applications (with a public static void main() method). They create a new ConnectionFactory and start the server from their code (like here, for example).
But I want to run my app under Jetty as a container, so I want to just specify some options in web.xml or something, to secure my connection. So I found this article and modified my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected resource</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- https -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
The problem is it doesn't work. Probably because the article is about Glassfish again.
How it does NOT work:
My IDE (IDEA) shows all tags inside <security-constraint> in red, which means schema validation failed and these tags cannot be contained inside <security-constraint>
When I try to open index.html over HTTPS I get error ssl_error_rx_record_too_long in browser and also there are two errors in Jetty output:
Illegal character 0x16 in state=START for buffer HeapByteBuffer
and
badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp
So.. What am I doing wrong? How do I make a secured websocket via Jetty or application configuration?
The security constraint tag you described is mostly used to specify the BASIC authentication mode in the application server.
I guess you want to enable HTTPS and not authentication. For enabling HTTPS you may follow this article: https://wiki.eclipse.org/Jetty/Howto/Configure_SSL
I have a problem and I believe it boils down to a misfit with our load-balancer, webserver(ihs), https configuration and Java EE form security with j_security_check.
I understand that when a client tries to hit a secure page, the server (websphere) sends a redirect with the url of the signin form, which is what we see in our dev & tst environment. However the production set up has a webserver (ihs), which consumes the https url, knocks out the s and forwards the http url to websphere (known as ssl offloading). When Websphere replies with the redirect it does that without https but with http://server-name/loginform
and I see a browser error that it can't access the http://server-name/loginform.
The relevant part of web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Whitelist</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authenticated-users</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>login</web-resource-name>
        <url-pattern>/keepalive</url-pattern>
        <url-pattern>/signin</url-pattern>
        <url-pattern>/signin/error</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-role>
    <description>Any LDAP authenticated user</description>
    <role-name>authenticated-users</role-name>
</security-role>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/signin</form-login-page>
        <form-error-page>/signin/error</form-error-page>
    </form-login-config>
</login-config>
I'm wondering whether that's a misconfiguration on the java side (my responsibility), I expect the url in form-login-page (/login) to be relative on the browser. But I also think that the load-balancer should automatically convert a http call to https call (someone else's responsibility). I hope someone has suggestions.
You should provide a bit more information in your question, such as what load balancer you are using, whether it goes straight to WAS or via IHS, and how your web application is configured (web.xml).
So here are some general hints that might be useful for you.
Redirecting to SSL in WebSphere
If you already have security configured and the login form is correctly displayed over http, you just need to add the following to web.xml:
<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
This will ensure that WebSphere generates a redirect to https when a client tries to access protected pages.
SSL offloading
If your load balancer is configured to offload SSL and forward requests to WebSphere using plain http, then you need to configure WebSphere to be aware of that. This is done by configuring the httpsIndicatorHeader custom property and adding the custom header in the load balancer.
I have the following configuration in web.xml in Tomcat 7. I am wondering if I can add any configurable parameter here, so that if the user tries to do any operation after 30 minutes, I redirect the user to our home page.
<session-config>
    <session-timeout>30</session-timeout>
    <cookie-config>
        <domain>mydomain.mycompany.com</domain>
        <http-only>true</http-only>
        <secure>false</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>
This is probably not possible by configuration only. You will have to add a filter as well. One way of doing that is described here: https://stackoverflow.com/a/1027592/3417638
If you would like to configure the redirect in web.xml, this can be done by using a context-parameter, see: https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters
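An added example of the filter approach the answer refers to (example code, not from the question or the answers above): a Servlet 3.0 filter for Tomcat 7 that notices a request carrying a JSESSIONID the container no longer recognises (i.e. the session timed out after the 30 minutes configured in <session-timeout>) and redirects it to a home page read from a context-param. The context-param name "session.expired.redirect" is chosen here and is not a Tomcat-defined parameter.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: redirects requests with a stale session id to the home page.
// Registered by annotation; no <filter> / <filter-mapping> entries needed in web.xml.
@WebFilter("/*")
public class SessionExpiredFilter implements Filter {
    private String redirectPath = "/";

    @Override
    public void init(FilterConfig config) {
        // "session.expired.redirect" is an assumed context-param name, e.g.
        // <context-param><param-name>session.expired.redirect</param-name>
        //                <param-value>/home</param-value></context-param>
        String configured = config.getServletContext().getInitParameter("session.expired.redirect");
        if (configured != null && !configured.isEmpty()) {
            redirectPath = configured;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client presented a session id, but the container has already
        // discarded that session (timeout or invalidation): treat as expired.
        boolean presentedStaleId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        // Avoid a redirect loop when the stale cookie is sent to the home page itself.
        String target = request.getContextPath() + redirectPath;
        boolean alreadyOnTarget = request.getRequestURI().equals(target);

        if (presentedStaleId && !alreadyOnTarget) {
            response.sendRedirect(target);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

A request with no session cookie at all (a first visit) is not redirected, because only a presented-but-invalid id indicates expiry; the home page should start a fresh session so the stale cookie is replaced.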
I'd like to know if there is a way to provide login support for all web application content. I mean when a user tries to access some site (also static content - html), and he isn't logged in or the session expires, he should be redirected to the login site.
Html filter in web.xml for logging is almost what I need, but I also need authentication of html pages.
<filter>
    <filter-name>AuthenticationFilter</filter-name>
    <filter-class>example.AuthenticationFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>AuthenticationFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
This doesn't work with html pages, only servlet requests.
This should be a generic mechanism, not e.g. writing session checking in every servlet.
Thanks for all responses.
There are standard web.xml configuration options for defining this.
You shouldn't have to define a custom filter.
See http://download.oracle.com/docs/cd/B31017_01/web.1013/b28967/adding_security003.htm
If your application contains pages that require a user to be authenticated against a data store in order to be accessed, you must declare the following in the web.xml configuration file:
<security-role> defines valid roles in the security context.
<login-config> defines the protocol for authentication, for example form-based or HTTPS.
<security-constraint> defines the resources specified by URL patterns and HTTP methods that can be accessed only by authorized users or roles.
<servlet> defines the servlet that provides authentication.
<servlet-mapping> maps the servlet to a URL pattern.
<filter> defines the filter used to transform the content of the authentication request.
<filter-mapping> maps the filter to the file extensions used by the application. For details about the ADF binding filter, see Configuring the ADF Binding Filter.
I'm building a Spring MVC application, and the frontController servlet is mapped on "/", intercepting all requests. I'd like to be able to serve the static contents (.js, .css, .png...) from Tomcat and not by Spring.
My app structure is
-webapp/
    styles/
    images/
    WEB-INF/
        views/
By default, because the frontController is mapped on the context root of my app, it handles all requests but doesn't serve any static resource.
The mvc configuration for static resources is as follows.
<mvc:resources mapping="/resources/**" location="/"/>
And the page's code is:
<img src="resources/images/logo.png" />
I need to configure Tomcat to serve the static resources with no spring interaction.
Any suggestion?
You can remap Tomcat's default servlet (which handles static content), e.g.
<servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/images/*</url-pattern>
</servlet-mapping>
Have a look at this mailing list thread and see if that does what you're looking for.
Another potential solution - Just add the following to your Spring DispatcherServlet.xml (Spring Docs)
<mvc:default-servlet-handler/>
This tag allows for mapping the DispatcherServlet to "/" (thus overriding the mapping of the container's default Servlet), while still allowing static resource requests to be handled by the container's default Servlet. It configures a DefaultServletHttpRequestHandler with a URL mapping (given a lowest precedence order) of "/**". This handler will forward all requests to the default Servlet.
Pros (as compared to #nos's solution)
The URL remapping solution behaves differently depending upon your container. Jetty/Tomcat 6 take that to mean 'map URL/images/* to WEBAPP/images/'. Tomcat < 6 (and maybe others) take that to mean 'map URL/images/ to WEBAPP/*', which is a BIG security breach.
If you want to serve a favicon.ico, robots.txt etc. from your site, then you'll have to create additional url-mappings for them.
Cons
Spring is in the loop, which is definitely something that is unnecessary.
Additionally, irrespective of the solution that one prefers, I'd suggest adding the following to your web.xml to prevent directory listings (on, say, URL/images)
<servlet>
    <servlet-name>default</servlet-name>
    <init-param>
        <param-name>dirAllowed</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>