Develop Reference

Excepting certain resources from security constraint in Tomcat 9

I have successfully applied an authentication constraint in conf/web.xml to all pages on my Tomcat 9 server using Kerberos, as follows:
<web-app>
...
<security-constraint>
<web-resource-collection>
<web-resource-name>Secure Content</web-resource-name>
<description>Authentication Required</description>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>SPNEGO</auth-method>
</login-config>
<security-role>
<role-name>USER_ROLE</role-name>
</security-role>
</web-app>
Everything is working as expected, including Kerberos.
Now I want to exclude all pages under /services from the security constraint so they can be accessed without any authentication. I would prefer to do it in conf/web.xml because there will be multiple applications deployed under /services and I would rather not configure each individually.
Based on other Stackoverflow answers, I added this:
<security-constraint>
<web-resource-collection>
<web-resource-name>Public</web-resource-name>
<description>No Authentication Required</description>
<url-pattern>/services/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Regardless of which order the security constraints are applied, I get a 401 error for the applications under /services when I test them using curl. If I remove the original security constraint, I can access the /services applications just fine.
The second security constraint is being ignored. Why would this be happening?

JAAS and Spring Integration

I have a Dynamic Web Project with JAAS, it has a LoginModule.
Now, I have a ROLE and I give to it a privileges like this:
<security-constraint>
<display-name>PRIVILEGES</display-name>
<web-resource-collection>
<web-resource-name>PRIVATE</web-resource-name>
<url-pattern>/usuario/*</url-pattern>
<url-pattern>/Data</url-pattern> <-- This is a Servlet. (JAAS Protect it)
<url-pattern>/getEstudent</url-pattern> <-- RequestMapping from Spring.(JAAS does not protect it)
<http-method>POST</http-method>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>USER1</role-name>
</auth-constraint>
I have integrated this with Spring. And I want to protect this url "getEstudiante". But the JAAS does not protect it.
How to do to protect a "requestmapping" from a Controller?, Thanks.

What is web-resource-name in web.xml?

The following are the tags I am using in my web.xml file.
What is web-resource-name?
<security-constraint>
<web-resource-collection>
<web-resource-name>profile</web-resource-name>
<url-pattern>/profile/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

I found a page in the Java EE 6 docs which seems to answer your question, and explains some other tags beside:
A web resource collection consists of the following subelements:
web-resource-name is the name you use for this resource. Its use is optional.

Java EE form login with load balancer transforming https to http

I have a problem and I believe it boils down to a misfit with our load-balancer, webserver(ihs), https configuration and Java EE form security with j_security_check.
I understand that when a client tries to hit a secure page, the server (websphere) sends a redirect with the url of the signin form, which is what we see in our dev & tst environment. However the production set up has a webserver (ihs), which consumes the https url, knocks out the s and forwards the http url to websphere (known as ssl offloading). When Websphere replies with the redirect it does that without https but with http://server-name/loginform
and I see a browser error that it can't access the http://server-name/loginform.
The relevant part of web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Whitelist</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>authenticated-users</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>login</web-resource-name>
<url-pattern>/keepalive</url-pattern>
<url-pattern>/signin</url-pattern>
<url-pattern>/signin/error</url-pattern>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-role>
<description>Any LDAP authenticated user</description>
<role-name>authenticated-users</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/signin</form-login-page>
<form-error-page>/signin/error</form-error-page>
</form-login-config>
</login-config>
I'm wondering whether that's a misconfiguration on the java side (my responsibility), I expect the url in form-login-page (/login) to be relative on the browser. But I also think that the load-balancer should automatically convert a http call to https call (someone else's responsibility). I hope someone has suggestions.

You should provide a bit more information in your question such as what load balancer are you using, is it going straight to WAS or via IHS, how your web application is configured (web.xml).
So here are some general hints that might be useful for you.
Redirecting to SSL in WebSphere
If you already have security configured and login form correctly being displayed in http, you just need to add the following to web.xml:
<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
This will ensure that WebSphere will generate redirect to https when client is trying to access protected pages.
SSL offloading
If your load balancer is configured to offload SSL and froward request to WebSphere using plain http, then you need to configure WebSphere to be aware of that. This is done by configuring httpsIndicatorHeader custom property, and adding custom header in load balancer.

basic authentication does not work even for correct credentials

I am trying to configure Tomcat 7 JDBC realm configuration.
I have followed this tutorial completely:
http://www.avajava.com/tutorials/lessons/how-do-i-use-a-jdbc-realm-with-tomcat-and-mysql.html
I get the basic authentication pop-up, but even if I enter correct credentials, user is not authenticated.
I don't get any error message.
Tutorial specifies Tomcat 5.5 but I am using Tomcat 7.
I have just changed the connectionPasword and connectionName and the name of dynamic web project.
Here is server.xml JDBC realm configuration
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="com.mysql.jdbc.Driver"
connectionURL="jdbc:mysql://localhost:3306/tomcat_realm"
connectionName="root"
connectionPassword="root"
userTable="tomcat_users"
userNameCol="user_name"
userCredCol="password"
userRoleTable="tomcat_users_roles"
roleNameCol="role_name" />
Here is web.xml
<servlet>
<servlet-name>TestServlet</servlet-name>
<servlet-class>test.TestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>TestServlet</servlet-name>
<url-pattern>/test</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>dude</role-name>
</auth-constraint>
<user-data-constraint>
<!-- transport-guarantee can be CONFIDENTIAL, INTEGRAL, or NONE -->
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
All I can see is, I get this message regarding security:
Security role name dude used in an <auth-constraint> without being defined in a <security-role>
Can you please help me sort this out? Is this issue related to Tomcat 7?

Per the Java Servlet Spec, you need to define the dude role as a security role. To do this, add the <security-role> element to your web.xml, as shown below:
<servlet>
<!-- ... -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Wildcard means whole app requires authentication</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>dude</role-name>
</auth-constraint>
<!-- ... -->
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
<security-role>
<role-name>dude</role-name>
</security-role>
This would allow GET/POST requests to any user having the dude role.
I'll suggest you don't include the <http-method> elements as they don't work as you might expect. Including this element for GET and POST means that the security constrain applies only to these two methods; any other method is allowed. Here is what the Servlet Spec says:
The sub-element web-resource-collection identifies a subset of the resources and HTTP methods on those resources within a Web application to which a security constraint applies.
See this reference for details.