http and addSecurityConstraint


http and addSecurityConstraint

Bruce Powell
Emerging Systems Pty Ltd ...
I am using jetty (4?) in jboss-3.2.1 (user-data-constraint not available in web.xml). I want http requests to default to https using the CONFIDENTIAL declaration. I have configured script as below. Am I on the right track here because http requests still run?
I have activated the ssl Listener with:
       <Call name="addListener">
         <Arg>
          <New class="org.mortbay.http.SocketListener">
            <Set name="Port"><SystemProperty name="jetty.port" default="80"/></Set>
            <Set name="MinThreads">10</Set>
            <Set name="MaxThreads">100</Set>
            <Set name="MaxIdleTimeMs">30000</Set>
            <Set name="LowResourcePersistTimeMs">5000</Set>
            <Set name="ConfidentialPort">443</Set>
            <Set name="IntegralPort">443</Set>
           <Set name="ConfidentialScheme">https</Set>
          </New>
         </Arg>
       </Call>
 

       <Call name="addListener">
         <Arg>
           <New class="org.mortbay.http.SunJsseListener">
            <Set name="Port">443</Set>
            <Set name="MinThreads">5</Set>
            <Set name="MaxThreads">100</Set>
            <Set name="MaxIdleTimeMs">30000</Set>
            <Set name="LowResourcePersistTimeMs">2000</Set>
            <Set name="Keystore"><SystemProperty name="jboss.server.home.dir"/>/conf/keystore</Set>
            <Set name="Password">xxxxxx</Set>
            <Set name="KeyPassword">xxxxxx</Set>
           </New>
         </Arg>
       </Call>
 
I added a data constraint in web-jetty.xml as below:
 

<Configure class="org.mortbay.jetty.servlet.WebApplicationContext">

  <Call name="addSecurityConstraint">
    <Arg>/svmh/*</Arg>
    <Arg>
      <New class="org.mortbay.http.SecurityConstraint">
        <Call name="setDataConstraint"><Arg type="int">2</Arg></Call>
      </New>
    </Arg>
  </Call>

  <Call name="getHttpServer">
    <Call name="addContext">
      <Arg>server.com.au</Arg>
      <Arg>/</Arg>
      <Set name="ResourceBase">C:/jbossResources/svmhDocBase/</Set>
      <Call name="addHandler"><Arg><New class="org.mortbay.http.handler.ResourceHandler"/></Arg></Call>
      <Call name="start"></Call>
    </Call>
  </Call>

  <Call name="getHttpServer">
    <Call name="addContext">
      <Arg>/svmhDocBase/*</Arg>
      <Set name="ResourceBase">C:/jbossResources/svmhDocBase/</Set>
      <Call name="addHandler">
        <Arg><New class="org.mortbay.http.handler.ResourceHandler"/></Arg>
      </Call>
      <Call name="start"></Call>
    </Call>
  </Call>

</Configure>

Re: http and addSecurityConstraint

Greg Wilkins-5

Why isn't user-data-constraint available in web.xml?
It is Jetty that parses the web.xml, so it should be available.
What is the error you get?

You should definitely NOT be adding contexts in the jetty-web.xml;
you should only configure the current context.

Note that if /svmh is your context path, then you are
trying to secure /svmh/svmh/*

Perhaps try /* for the path of the security constraint.

cheers





-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Jetty-support mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/jetty-support
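
The path mismatch pointed out in the reply above, as an added example that is not part of the original thread and is not Jetty's own code: a simplified model of servlet-style path-spec matching, in which a constraint is compared with the path inside the context. The context path `/svmh` is the assumption made in the reply; the sample URIs and all function names are constructed for illustration.

```python
# Simplified model of servlet path-spec matching (illustration, not Jetty code).
# A constraint registered on a web application context is matched against the
# path *within* the context, i.e. the request URI minus the context path.

def path_in_context(request_uri, context_path):
    """Return the path the context sees, or None if the URI is outside it."""
    if context_path in ("", "/"):
        return request_uri
    if request_uri == context_path:
        return "/"
    if request_uri.startswith(context_path + "/"):
        return request_uri[len(context_path):]
    return None

def spec_matches(spec, path):
    """Exact, prefix ('/dir/*'), extension ('*.ext') or default ('/') pattern."""
    if spec == "/":
        return True
    if spec.endswith("/*"):
        prefix = spec[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if spec.startswith("*."):
        return path.endswith(spec[1:])
    return path == spec

def is_confidential(request_uri, context_path, constraint_specs):
    """True if any CONFIDENTIAL constraint spec covers the request."""
    path = path_in_context(request_uri, context_path)
    return path is not None and any(spec_matches(s, path) for s in constraint_specs)

def uncovered(uris, context_path, constraint_specs):
    """URIs inside the context that no CONFIDENTIAL constraint covers."""
    return [u for u in uris
            if path_in_context(u, context_path) is not None
            and not is_confidential(u, context_path, constraint_specs)]

# Constructed sample requests; the context is assumed to be deployed at /svmh.
SAMPLE_URIS = ["/svmh/", "/svmh/login.jsp", "/svmh/svmh/report", "/svmhDocBase/a.pdf"]

if __name__ == "__main__":
    for spec in ("/svmh/*", "/*"):
        print(spec, "leaves uncovered:", uncovered(SAMPLE_URIS, "/svmh", [spec]))
```

With `/svmh/*` only `/svmh/svmh/report` is covered, so ordinary requests to the application never trigger the confidential redirect; `/svmhDocBase/a.pdf` belongs to a different context and is outside this constraint either way.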

Re: http and addSecurityConstraint

Bruce Powell
In reply to this post by Bruce Powell

In web.xml:
<security-constraint>
  <display-name>deny all</display-name>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

09:36:21,182 WARN  [jetty] WARNING: ERROR@null line:59 col:29 : org.xml.sax.SAXParseException: The content of element type "web-resource-collection" must match "(web-resource-name,description?,url-pattern*,http-method*)".
09:36:21,182 WARN  [jetty] WARNING: ERROR@null line:63 col:23 : org.xml.sax.SAXParseException: The content of element type "security-constraint" must match "(web-resource-collection+,auth-constraint?,user-data-constraint?)".
09:36:21,198 WARN  [jetty] WARNING: ERROR@null line:64 col:11 : org.xml.sax.SAXParseException: The content of element type "web-app" must match "(icon?,display-name?,description?,distributable?,context-param*,servlet*,servlet-mapping*,session-config?,mime-mapping*,welcome-file-list?,error-page*,taglib*,resource-ref*,security-constraint*,login-config?,security-role*,env-entry*,ejb-ref*)".
09:36:21,198 WARN  [jetty] WARNING: Configuration error on file:/C:/jboss-3.2.5/server/default/tmp/deploy/tmp18924eskeOncPageJettyES020J.ear-contents/svmhWar.war/
org.xml.sax.SAXParseException: The content of element type "web-resource-collection" must match "(web-resource-name,description?,url-pattern*,http-method*)".





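
The two element content models quoted in the log above can be checked against a descriptor before deployment. The following is an added example, not part of the original thread or of Jetty: it handles only flat sequence models like the two quoted, and the `REVISED` descriptor with its `web-resource-name` value is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Content models copied from the SAXParseException messages in the log above.
CONTENT_MODELS = {
    "web-resource-collection": "(web-resource-name,description?,url-pattern*,http-method*)",
    "security-constraint": "(web-resource-collection+,auth-constraint?,user-data-constraint?)",
}

def model_to_regex(model):
    """Turn a flat DTD sequence model into a regex over 'name,' tokens."""
    parts = []
    for item in model.strip("()").split(","):
        name, occ = (item[:-1], item[-1]) if item[-1] in "?*+" else (item, "")
        parts.append("(?:%s,)%s" % (re.escape(name), occ))
    return re.compile("".join(parts) + r"\Z")

def violations(xml_text):
    """Return, in document order, elements whose children break their model."""
    bad = []
    for elem in ET.fromstring(xml_text).iter():
        model = CONTENT_MODELS.get(elem.tag)
        if model is None:
            continue
        children = "".join(child.tag + "," for child in elem)
        if not model_to_regex(model).match(children):
            bad.append(elem.tag)
    return bad

# The constraint as posted in the thread.
POSTED = """<security-constraint>
  <display-name>deny all</display-name>
  <web-resource-collection>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>"""

# Constructed variant: display-name dropped, web-resource-name added (placeholder value).
REVISED = POSTED.replace("  <display-name>deny all</display-name>\n", "").replace(
    "<web-resource-collection>", "<web-resource-collection>\n    <web-resource-name>all</web-resource-name>")

if __name__ == "__main__":
    print("posted :", violations(POSTED))
    print("revised:", violations(REVISED))
```

The posted constraint fails both models: `display-name` is not an allowed child of `security-constraint`, and `web-resource-collection` lacks the required leading `web-resource-name`.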

Re: http and addSecurityConstraint

Bruce Powell
In reply to this post by Bruce Powell



Thanks Greg,
You are right about the url pattern to be /*.
I have added contexts for years in the web-jetty.xml. What is the problem with
doing it that way? I have never noticed any problems.
Thanks
Bruce






Re: http and addSecurityConstraint

Greg Wilkins-5

Bruce,

Well, if it works for you, great...
but those contexts will not have any jboss features and may
even have problems with jboss security.

cheers

