Re: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-15 Thread David Smith
I get what you are trying to do.  I could be wrong, but the spec seems 
written more towards protecting data from unauthorized users rather than 
protecting jsp files from direct client access.  Here are some 
suggestions I thought of:

- Precompile the jsp source to .class files.  Then remove the jsp source 
from the binary dist.

- Introduce a token that's created in the controller servlet and removed 
in the jsp.  If it doesn't exist when the jsp starts processing, the 
client made a direct access and the jsp can then do an internal forward 
to the controller or error page.

- Write a filter to watch for direct jsp access and handle it.

- Have the jsp analyze the request to determine whether it was called 
directly or via the internal forward mechanism and then do something 
about it.

The first one is a must if you are worried about the client getting the 
jsp source somehow.  The remaining three would help take care of the 
case where the jsp needs some data from the controller and will die a 
horrible death without it.  I don't have code to share for these 
suggestions -- just trying to give you some ideas to work with.

--David
Robert Taylor wrote:
I'm not trying to re-invent anything. I'm just trying to 
leverage the specification to secure resources.

Personally I prefer WEB-INF to contain web application
configuration and information resources instead of content
and other non-configuration resources. IMHO, it's intuitive that
way.
For anyone else that may even be remotely interested in this
topic, some further googling produced some interesting results.
I searched using the string:
preventing direct access to .jsp files
It appears that there is no standard way to do this even though
it's implied in the spec.
Here's a good example:
http://forums.bea.com/bea/message.jspa?messageID=202433201
Oh well...
/robert
 

-Original Message-
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 5:55 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct
access to .jsp
Robert Taylor wrote:
   

Does this not imply that I can do what I am trying to do?
 

I suppose; I'm just baffled why you want to reinvent this particular
built-in wheel, but don't let that stop you :-)
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
  dream.  code.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
   

 

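Added example, not code from the thread: a Servlet 2.4 Filter that implements David's third suggestion (refuse direct client requests for *.jsp, let the controller's forward through). The class name, package and the web.xml mapping in the trailing comment are assumptions; the `javax.servlet.forward.request_uri` attribute and the REQUEST-only default for filter mappings are what the Servlet 2.4 specification defines.

```java
// Added example (not from the thread). Package, class name and the
// web.xml fragment in the comment at the end are hypothetical.
package example.web;

import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DirectJspAccessFilter implements Filter {

    // Servlet 2.4 sets this attribute on the target of a path-based
    // RequestDispatcher.forward() (not on a getNamedDispatcher() forward,
    // and javax.servlet.include.* is used for includes). Request attributes
    // can only be set by server-side code, so, unlike a parameter, header or
    // cookie, a client cannot forge this "token".
    private static final String FORWARD_URI = "javax.servlet.forward.request_uri";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        if (isDirectClientRequest(req)) {
            // Same outcome as a deny-everyone <auth-constraint>: a 403 that an
            // <error-page> mapping in web.xml can turn into a friendly page.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    // True when the JSP was requested by the client itself rather than
    // reached through the controller's RequestDispatcher.forward().
    static boolean isDirectClientRequest(HttpServletRequest req) {
        return req.getAttribute(FORWARD_URI) == null;
    }

    public void destroy() { }
}

/* Hypothetical web.xml mapping for the filter above:

  <filter>
    <filter-name>DirectJspAccessFilter</filter-name>
    <filter-class>example.web.DirectJspAccessFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>DirectJspAccessFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
  </filter-mapping>

  With no <dispatcher> element, Servlet 2.4 applies the filter to client
  REQUEST dispatches only, so a forward from the controller never enters it;
  the attribute check above is the belt-and-braces for the day someone adds
  <dispatcher>FORWARD</dispatcher> to the mapping.
*/
```

The attribute check, rather than a parameter or header, is the point: a "token" that the client can supply is not a token at all. Precompiling the JSPs (David's first suggestion) is unaffected by this filter, since the mapping is on the URL pattern, not on the file.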


RE: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Robert Taylor
Ping...

Please let me know if this question is just too obvious
and I'll gladly RTFM...even more. And yes, I know this list
is not here just to serve _my_ interests.

It just seems like a common idiom to provide a portable mechanism
for protecting direct access to .jsp so as to enforce access through
some controller. I have in the past placed .jsp files behind WEB-INF,
but I don't believe that is portable and would like to use CMS to achieve
this.

Thanks again.

/robert


 -Original Message-
 From: Robert Taylor [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 13, 2004 8:59 PM
 To: [EMAIL PROTECTED]
 Subject: [newbie] Container Managed Security - preventing direct access
 to .jsp
 
 
 Greetings, 
 
 I'm new to Tomcat and this mailing list, and have a question
 regarding configuring Tomcat to simply disallow access to .jsp pages
 which I have protected via the <security-constraint/> in my web app
 web.xml file.
 
 From what I understand, the following should do the trick and cause
 a 403 error to be sent to the browser by the container. I would like
 to trap that error code and display a user friendly page (I chose any page
 so I would know it's working).
 
 I've simply modified the Tomcat jsp-examples web app. Here's a snippet
 of the necessary artifacts in the web.xml file.
 
 
 
 <error-page>
   <error-code>403</error-code>
   <location>/dates/date.jsp</location>
 </error-page>
 
 <security-constraint>
   <display-name>Example Security Constraint</display-name>
   <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <url-pattern>/security/protected/*</url-pattern>
   </web-resource-collection>
 </security-constraint>
 
 
 I believe the constraint is working, but I don't think the 
 <error-page/> is catching the 403 status code. This is probably
 because a 403 status code is not returned, but rather a 200 (I verified
 this by looking at the response headers).
 
 Anyhow, the content of the returned page is below within the <content/>:
 
 
 <content>
 You are logged in as remote user null in session 
 D97EE937BEC953A7E82E42B3956AED86
 
 No user principal could be identified.
 
 To check whether your username has been granted a particular role, enter it 
 here:
 
 
 If you have configured this app for form-based authentication, you can log 
 off by clicking here. This should cause you to be returned to the logon page 
 after the redirect that is performed.
 </content>
 
 I'm sure this has happened to someone else, I just cannot find where.
 I googled and didn't come up with much. I searched the archives using
 You are logged in as remote user null in session and no matches were
 found.
 
 Any help would be greatly appreciated.
 
 /robert
 
 
  
 
 
 




RE: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Ben Souther
Filters are portable.



On Tue, 2004-12-14 at 12:32, Robert Taylor wrote:
 Ping...
 
 Please let me know if this question is just too obvious
 and I'll gladly RTFM...even more. And yes, I know this list
 is not here just to serve _my_ interests.
 
 It just seems like a common idiom to provide a portable mechanism
 for protecting direct access to .jsp so as to enforce access through
 some controller. I have in the past placed .jsp files behind WEB-INF,
 but I don't believe that is portable and would like to use CMS to achieve
 this.
 
 Thanks again.
 
 /robert
 
 
  -Original Message-
  From: Robert Taylor [mailto:[EMAIL PROTECTED]
  Sent: Monday, December 13, 2004 8:59 PM
  To: [EMAIL PROTECTED]
  Subject: [newbie] Container Managed Security - preventing direct access
  to .jsp
  
  
  Greetings, 
  
  I'm new to Tomcat and this mailing list, and have a question
  regarding configuring Tomcat to simply disallow access to .jsp pages
  which I have protected via the <security-constraint/> in my web app
  web.xml file.
  
  From what I understand, the following should do the trick and cause
  a 403 error to be sent to the browser by the container. I would like
  to trap that error code and display a user friendly page (I chose any page
  so I would know it's working).
  
  I've simply modified the Tomcat jsp-examples web app. Here's a snippet
  of the necessary artifacts in the web.xml file.
  
  
  
  <error-page>
    <error-code>403</error-code>
    <location>/dates/date.jsp</location>
  </error-page>
  
  <security-constraint>
    <display-name>Example Security Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/security/protected/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
  
  
  I believe the constraint is working, but I don't think the 
  <error-page/> is catching the 403 status code. This is probably
  because a 403 status code is not returned, but rather a 200 (I verified
  this by looking at the response headers).
  
  Anyhow, the content of the returned page is below within the <content/>:
  
  
  <content>
  You are logged in as remote user null in session 
  D97EE937BEC953A7E82E42B3956AED86
  
  No user principal could be identified.
  
  To check whether your username has been granted a particular role, enter it 
  here:
  
  
  If you have configured this app for form-based authentication, you can log 
  off by clicking here. This should cause you to be returned to the logon page 
  after the redirect that is performed.
  </content>
  
  I'm sure this has happened to someone else, I just cannot find where.
  I googled and didn't come up with much. I searched the archives using
  You are logged in as remote user null in session and no matches were
  found.
  
  Any help would be greatly appreciated.
  
  /robert
  
  
   
  
  
  
 
 
 





Re: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Hassan Schroeder
Robert Taylor wrote:
Please let me know if this question is just too obvious
and I'll gladly RTFM...
See below :-)
It just seems like a common idiom to provide a portable mechanism
for protecting direct access to .jsp so as to enforce access through
some controller. I have in the past placed .jsp files behind WEB-INF,
but I don't believe that is portable and would like to use CMS to achieve
this.
Given that the Java Servlet Specification Version 2.4, page 70 sez:
A special directory exists within the application hierarchy
named WEB-INF. This directory contains all things related to
the application that aren't in the document root of the
application. The WEB-INF node is not part of the public
document tree of the application. No file contained in the
WEB-INF directory may be served directly to a client by the
container.
I don't know how much more portable you want it to be :-)
HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
  dream.  code.



RE: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Robert Taylor
Thanks Hassan. I didn't realize that was added to the 2.4 spec.
Thanks for pointing that out. 

Even so, it would be nice to know how to use CMS to achieve this.

Maybe a better way to form the question would be how do I use
CMS to protect .jsp pages from direct access and return a user
friendly page/message when a .jsp page is requested without going through
the controller?
 

/robert

 -Original Message-
 From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 14, 2004 2:21 PM
 To: Tomcat Users List
 Subject: Re: [newbie] Container Managed Security - preventing direct
 access to .jsp
 
 
 Robert Taylor wrote:
 
  Please let me know if this question is just too obvious
  and I'll gladly RTFM...
 
 See below :-)
 
  It just seems like a common idiom to provide a portable mechanism
  for protecting direct access to .jsp so as to enforce access through
  some controller. I have in the past placed .jsp files behind WEB-INF,
  but I don't believe that is portable and would like to use CMS to achieve
  this.
 
 Given that the Java Servlet Specification Version 2.4, page 70 sez:
 
   A special directory exists within the application hierarchy
   named WEB-INF. This directory contains all things related to
   the application that aren't in the document root of the
   application. The WEB-INF node is not part of the public
   document tree of the application. No file contained in the
   WEB-INF directory may be served directly to a client by the
   container.
 
 I don't know how much more portable you want it to be :-)
 
 HTH!
 -- 
 Hassan Schroeder - [EMAIL PROTECTED]
 Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
 
dream.  code.
 
 
 
 
 




Re: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Dennis Payne
I have not run into that kind of problem before... typically if you hit
a JSP without hitting its controller first you will just get nothing (an
HTML screen with no data).  when it gets routed back to the controller,
it will then register a failure due to lack of data.  Problem solved.

 [EMAIL PROTECTED] 12-14-2004 12:20 
Robert Taylor wrote:

 Please let me know if this question is just too obvious
 and I'll gladly RTFM...

See below :-)

 It just seems like a common idiom to provide a portable mechanism
 for protecting direct access to .jsp so as to enforce access through
 some controller. I have in the past placed .jsp files behind
WEB-INF,
 but I don't believe that is portable and would like to use CMS to
achieve
 this.

Given that the Java Servlet Specification Version 2.4, page 70 sez:

A special directory exists within the application hierarchy
named WEB-INF. This directory contains all things related to
the application that aren't in the document root of the
application. The WEB-INF node is not part of the public
document tree of the application. No file contained in the
WEB-INF directory may be served directly to a client by the
container.

I don't know how much more portable you want it to be :-)

HTH!
-- 
Hassan Schroeder - [EMAIL PROTECTED] 
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com 

   dream.  code.








RE: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Robert Taylor
Fair enough.

When I mention Container Managed Security, I am referring to
using security constraints defined in web.xml to prevent
direct access to resources.

More specifically in Section 12.8 of the 2.4 specification:

Security constraints are a declarative way of defining the protection of web
content. A security constraint associates authorization and or user data
constraints with HTTP operations on web resources. A security constraint, which
is represented by security-constraint in deployment descriptor, consists of the
following elements:

  • web resource collection (web-resource-collection in deployment descriptor)
  • authorization constraint (auth-constraint in deployment descriptor)
  • user data constraint (user-data-constraint in deployment descriptor)

The HTTP operations and web resources to which a security constraint applies
(i.e. the constrained requests) are identified by one or more web resource
collections. A web resource collection consists of the following elements:

  • URL patterns (url-pattern in deployment descriptor)
  • HTTP methods (http-method in deployment descriptor)

An authorization constraint establishes a requirement for authentication and
names the authorization roles permitted to perform the constrained requests. A
user must be a member of at least one of the named roles to be permitted to
perform the constrained requests. The special role name “*” is a shorthand for
all role names defined in the deployment descriptor. An authorization
constraint that names no roles indicates that access to the constrained
requests must not be permitted under any circumstances.


Does this not imply that I can do what I am trying to do?


/robert


 -Original Message-
 From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 14, 2004 5:07 PM
 To: Tomcat Users List
 Subject: Re: [newbie] Container Managed Security - preventing direct
 access to .jsp


 Robert Taylor wrote:
  I didn't realize that was added to the 2.4 spec.

 It was in 2.3, too. I'd guess it was in the spec from the get-go,
 but don't have an older copy to hand to confirm.

  Even so, it would be nice to know how to use CMS to achieve this.

 What is your definition of Container Managed Security, then, if
 not this? The container prevents direct access to the resources
 placed within WEB-INF, without you having to do anything else.

  Maybe a better way to form the question would be how do I use
  CMS to protect .jsp pages from direct access

 as above.
 and return a user
  friendly page/message when a .jsp page is requested without going through
  the controller?

 A custom 404 page should take care of it. And you can get as fancy
 with that as you like :-)

 FWIW!
 --
 Hassan Schroeder - [EMAIL PROTECTED]
 Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

dream.  code.










Re: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Hassan Schroeder
Robert Taylor wrote:
Does this not imply that I can do what I am trying to do?
I suppose; I'm just baffled why you want to reinvent this particular
built-in wheel, but don't let that stop you :-)
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
  dream.  code.



RE: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Robert Taylor
I'm not trying to re-invent anything. I'm just trying to 
leverage the specification to secure resources.

Personally I prefer WEB-INF to contain web application
configuration and information resources instead of content
and other non-configuration resources. IMHO, it's intuitive that
way.

For anyone else that may even be remotely interested in this
topic, some further googling produced some interesting results.
I searched using the string:

 preventing direct access to .jsp files

It appears that there is no standard way to do this even though
it's implied in the spec.

Here's a good example:
http://forums.bea.com/bea/message.jspa?messageID=202433201

Oh well...

/robert

 -Original Message-
 From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, December 14, 2004 5:55 PM
 To: Tomcat Users List
 Subject: Re: [newbie] Container Managed Security - preventing direct
 access to .jsp
 
 
 Robert Taylor wrote:
 
  Does this not imply that I can do what I am trying to do?
 
 I suppose; I'm just baffled why you want to reinvent this particular
 built-in wheel, but don't let that stop you :-)
 
 -- 
 Hassan Schroeder - [EMAIL PROTECTED]
 Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
 
dream.  code.
 
 
 
 
 




Re: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Dwayne Ghant
Have you tried writing a session bean??? if not 
just write a session bean and import it as a header in
all your *.jsp pages.  The sessions will control the flow of
the application.

ex:
<%@ include file="Security_stuff.jsp" %>
This is common in writing applications.
Robert Taylor wrote:
Thanks Hassan. I didn't realize that was added to the 2.4 spec.
Thanks for pointing that out. 

Even so, it would be nice to know how to use CMS to achieve this.
Maybe a better way to form the question would be how do I use
CMS to protect .jsp pages from direct access and return a user
friendly page/message when a .jsp page is requested without going through
the controller?
/robert
 

-Original Message-
From: Hassan Schroeder [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 14, 2004 2:21 PM
To: Tomcat Users List
Subject: Re: [newbie] Container Managed Security - preventing direct
access to .jsp
Robert Taylor wrote:
   

Please let me know if this question is just too obvious
and I'll gladly RTFM...
 

See below :-)
   

It just seems like a common idiom to provide a portable mechanism
for protecting direct access to .jsp so as to enforce access through
some controller. I have in the past placed .jsp files behind WEB-INF,
but I don't believe that is portable and would like to use CMS to achieve
this.
 

Given that the Java Servlet Specification Version 2.4, page 70 sez:
A special directory exists within the application hierarchy
named WEB-INF. This directory contains all things related to
the application that aren't in the document root of the
application. The WEB-INF node is not part of the public
document tree of the application. No file contained in the
WEB-INF directory may be served directly to a client by the
container.
I don't know how much more portable you want it to be :-)
HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
  dream.  code.

   

 


--
Dwayne A. Ghant
Application Developer
Temple University
215.204.
[EMAIL PROTECTED]



Re: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Hassan Schroeder
Robert Taylor wrote:
I didn't realize that was added to the 2.4 spec.
It was in 2.3, too. I'd guess it was in the spec from the get-go,
but don't have an older copy to hand to confirm.
Even so, it would be nice to know how to use CMS to achieve this.
What is your definition of Container Managed Security, then, if
not this? The container prevents direct access to the resources
placed within WEB-INF, without you having to do anything else.
Maybe a better way to form the question would be how do I use
CMS to protect .jsp pages from direct access
as above.
   and return a user
friendly page/message when a .jsp page is requested without going through
the controller?
A custom 404 page should take care of it. And you can get as fancy
with that as you like :-)
FWIW!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
  dream.  code.



Re: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Wendy Smoak
From: Hassan Schroeder [EMAIL PROTECTED]
 Given that the Java Servlet Specification Version 2.4, page 70 sez:

 A special directory exists within the application hierarchy
 named WEB-INF. This directory contains all things related to
 the application that aren't in the document root of the
 application. The WEB-INF node is not part of the public
 document tree of the application. No file contained in the
 WEB-INF directory may be served directly to a client by the
 container.

 I don't know how much more portable you want it to be :-)

Except that I think at least one commercial Servlet container interpreted it
more strictly and refused to serve anything under WEB-INF, even with a
forward.  IOW, the specification says the container MAY NOT serve anything
under WEB-INF directly, but it doesn't say that the container MUST serve
those things INdirectly.

No idea which one that was, I just remember being warned when I put things
under WEB-INF, that it wouldn't work everywhere.  Since I never plan to use
anything but Tomcat, it wasn't a problem.

-- 
Wendy Smoak




RE: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-14 Thread Ben Souther
 It appears that there is no standard way to do this even though
 it's implied in the spec.

I don't know how standard this is but it works.
The trick is in the <auth-constraint> node (note the commented out
<role-name>). Since it is exclusive, not declaring a <role-name> for the
protected resource denies access to everyone.

You then catch the 403 error with an error page mapping and you're good
to go.  

The JSPs can still be accessed from the request dispatcher so you can 
reach them through the MVC pattern.

I suppose a simpler solution would be simply to create a
<servlet-mapping> with a url pattern of *.jsp and map it to an error
servlet.

If you want to test this out quickly grab the  SimpleMVC.war from
http://simple.souther.us and replace the web.xml file with this one.
You'd have to create your own no-jsp-4-u.html page.

Hope it helps
-Ben



<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
    version="2.4">

  <servlet>
    <servlet-name>ControllerServlet</servlet-name>
    <servlet-class>us.souther.simple.mvc.ControllerServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>ControllerServlet</servlet-name>
    <url-pattern>/simple-mvc</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>off-limits</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!--<role-name>manager</role-name>-->
    </auth-constraint>
  </security-constraint>

  <error-page>
    <error-code>403</error-code>
    <location>/no-jsp-4-u.html</location>
  </error-page>
</web-app>


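Added example, not from the thread and not part of Ben's SimpleMVC: a controller servlet showing the other half of a web.xml like the one above, the RequestDispatcher forward that reaches a JSP the empty <auth-constraint> has made unreachable to clients. The package, the view paths and the `action` parameter are assumptions; it is written without generics so it compiles on the JDK 1.4.2 Robert mentions.

```java
// Added example (not from the thread). Package, view paths and the
// "action" parameter are hypothetical.
package example.web;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ControllerServlet extends HttpServlet {

    // The container evaluates <security-constraint> only for requests that
    // arrive from the client; a RequestDispatcher.forward() is not re-checked.
    // That makes this servlet the only gate in front of the JSPs, so the
    // forward target must come from a fixed table and never from the request:
    // a client-chosen path would reach any resource, including files under
    // WEB-INF, through the very same forward.
    private static final Map VIEWS;   // action name -> JSP path (hypothetical)
    static {
        Map m = new HashMap();
        m.put("list", "/views/list.jsp");
        m.put("detail", "/views/detail.jsp");
        VIEWS = Collections.unmodifiableMap(m);
    }

    // Returns the JSP for a known action, or null for anything else.
    static String resolveView(String action) {
        return (String) VIEWS.get(action == null ? "list" : action);
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String view = resolveView(req.getParameter("action"));
        if (view == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Data the JSP needs travels as request attributes; only server-side
        // code can set them, so the JSP can rely on their presence as proof
        // that it was reached through the controller.
        req.setAttribute("items", Arrays.asList(new String[] {"alpha", "beta"}));

        // Path-based dispatcher (not getNamedDispatcher): the container sets
        // the javax.servlet.forward.* attributes and renders /views/list.jsp
        // here, while a direct GET /views/list.jsp from a browser is answered
        // with 403 and, through the <error-page> mapping, /no-jsp-4-u.html.
        RequestDispatcher rd = getServletContext().getRequestDispatcher(view);
        rd.forward(req, resp);
    }
}
```

The 404 for an unknown action is deliberate: the controller should answer for its own namespace the same way the container answers for the JSPs, without hinting at which view names exist. Wendy's caveat above still applies to where the JSPs live; this servlet works the same whether they sit under WEB-INF or under a constrained URL pattern, because only the forward target changes.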


RE: [newbie] Container Managed Security - preventing direct access to .jsp

2004-12-13 Thread Robert Taylor
Sorry. I left off some info:

Tomcat 5.0.25
Win2k
JDK1.4.2

/robert

 -Original Message-
 From: Robert Taylor [mailto:[EMAIL PROTECTED]
 Sent: Monday, December 13, 2004 8:59 PM
 To: [EMAIL PROTECTED]
 Subject: [newbie] Container Managed Security - preventing direct access
 to .jsp
 
 
 Greetings, 
 
 I'm new to Tomcat and this mailing list, and have a question
 regarding configuring Tomcat to simply disallow access to .jsp pages
 which I have protected via the <security-constraint/> in my web app
 web.xml file.
 
 From what I understand, the following should do the trick and cause
 a 403 error to be sent to the browser by the container. I would like
 to trap that error code and display a user friendly page (I chose any page
 so I would know it's working).
 
 I've simply modified the Tomcat jsp-examples web app. Here's a snippet
 of the necessary artifacts in the web.xml file.
 
 
 
 <error-page>
   <error-code>403</error-code>
   <location>/dates/date.jsp</location>
 </error-page>
 
 <security-constraint>
   <display-name>Example Security Constraint</display-name>
   <web-resource-collection>
     <web-resource-name>Protected Area</web-resource-name>
     <url-pattern>/security/protected/*</url-pattern>
   </web-resource-collection>
 </security-constraint>
 
 
 I believe the constraint is working, but I don't think the 
 <error-page/> is catching the 403 status code. This is probably
 because a 403 status code is not returned, but rather a 200 (I verified
 this by looking at the response headers).
 
 Anyhow, the content of the returned page is below within the <content/>:
 
 
 <content>
 You are logged in as remote user null in session 
 D97EE937BEC953A7E82E42B3956AED86
 
 No user principal could be identified.
 
 To check whether your username has been granted a particular role, enter it 
 here:
 
 
 If you have configured this app for form-based authentication, you can log 
 off by clicking here. This should cause you to be returned to the logon page 
 after the redirect that is performed.
 </content>
 
 I'm sure this has happened to someone else, I just cannot find where.
 I googled and didn't come up with much. I searched the archives using
 You are logged in as remote user null in session and no matches were
 found.
 
 Any help would be greatly appreciated.
 
 /robert
 
 
  
 
 
 
