Posted to dev@struts.apache.org by Lukasz Lenart <lu...@apache.org> on 2017/06/16 07:54:03 UTC

Re: struts-site git commit: update security page

Great! I have added a ToC and pushed to the top :)

http://struts.apache.org/security/


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@struts.apache.org
For additional commands, e-mail: dev-help@struts.apache.org


Re: struts-site git commit: update security page

Posted by Greg Huber <gr...@gmail.com>.
My main site is not a struts app, so mixing defaults may be best here.

Also, the security constraints apply to the welcome files so some sort of
servlet redirect is required to make it work (via tomcat user list).

Cheers Greg

On 19 June 2017 at 11:20, Lukasz Lenart <lu...@apache.org> wrote:

> 2017-06-19 9:17 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > Tested it again tomcat (8.5.15), definitely a 403.  Will see if I can find
> > some more info.
>
> Hmm...but you do not need the <welcome-file-list/>, I am using
> <default-action-ref/> which does exactly the same thing.
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: struts-site git commit: update security page

Posted by Lukasz Lenart <lu...@apache.org>.
2017-06-19 9:17 GMT+02:00 Greg Huber <gr...@gmail.com>:
> Tested it again tomcat (8.5.15), definitely a 403.  Will see if I can find
> some more info.

Hmm...but you do not need the <welcome-file-list/>, I am using
<default-action-ref/> which does exactly the same thing.


Regards
-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
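
A sketch of the <default-action-ref/> approach mentioned in the message above, as an added example that is not part of the original thread. The package name, the action name `index` and the DTD version are assumptions, and it assumes the Struts filter is mapped so that a request for the context root reaches Struts.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts PUBLIC
    "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN"
    "http://struts.apache.org/dtds/struts-2.5.dtd">
<!-- struts.xml (illustrative): replaces <welcome-file-list> in web.xml.
     The "*.jsp" <security-constraint> from the thread stays in web.xml unchanged. -->
<struts>
    <!-- "default" is a hypothetical package name -->
    <package name="default" namespace="/" extends="struts-default">

        <!-- Any request in this namespace that matches no configured action
             is handled by the "index" action instead of producing an error. -->
        <default-action-ref name="index"/>

        <!-- No class attribute: Struts uses its default action class, which
             returns "success"; the default result type is a server-side
             dispatcher forward to the JSP. -->
        <action name="index">
            <!-- Declarative security constraints are evaluated on incoming
                 client requests, not on RequestDispatcher forwards, so this
                 forward can reach the JSP while a direct request for a
                 .jsp URL is still refused. -->
            <result>/WEB-INF/jsps/index.jsp</result>
        </action>
    </package>
</struts>
```

With this in place the client never requests a .jsp URL itself, so the page is rendered without relaxing the "No direct JSP access" constraint.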



Re: struts-site git commit: update security page

Posted by Greg Huber <gr...@gmail.com>.
Tested it again tomcat (8.5.15), definitely a 403.  Will see if I can find
some more info.

On 19 June 2017 at 08:04, Lukasz Lenart <lu...@apache.org> wrote:

> Did you test that? I think <welcome-list/> ignores security constraints
> ... or maybe it was just Jetty ;)
>
> 2017-06-16 10:50 GMT+02:00 Greg Huber <gr...@gmail.com>:
> > ...Although it blocks the <welcome-file-list> file.
> >
> > <!-- Restricts access to pure JSP files - access available only via Struts
> > action -->
> >     <security-constraint>
> >         <display-name>No direct JSP access</display-name>
> >         <web-resource-collection>
> >             <web-resource-name>No-JSP</web-resource-name>
> >             <url-pattern>*.jsp</url-pattern>
> >         </web-resource-collection>
> >         <auth-constraint>
> >             <role-name>no-users</role-name>
> >         </auth-constraint>
> >     </security-constraint>
> >
> >     <security-role>
> >         <description>Don't assign users to this role</description>
> >         <role-name>no-users</role-name>
> >     </security-role>
> >
> >     <welcome-file-list>
> >         <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
> >     </welcome-file-list>
> >
> > On 16 June 2017 at 08:54, Lukasz Lenart <lu...@apache.org> wrote:
> >
> >> Great! I have added a ToC and pushed to the top :)
> >>
> >> http://struts.apache.org/security/
> >>
> >>
> >> Regards
> >> --
> >> Łukasz
> >> + 48 606 323 122 http://www.lenart.org.pl/
> >>

Re: struts-site git commit: update security page

Posted by Lukasz Lenart <lu...@apache.org>.
Did you test that? I think <welcome-list/> ignores security constraints
... or maybe it was just Jetty ;)

2017-06-16 10:50 GMT+02:00 Greg Huber <gr...@gmail.com>:
> ...Although it blocks the <welcome-file-list> file.
>
> <!-- Restricts access to pure JSP files - access available only via Struts
> action -->
>     <security-constraint>
>         <display-name>No direct JSP access</display-name>
>         <web-resource-collection>
>             <web-resource-name>No-JSP</web-resource-name>
>             <url-pattern>*.jsp</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>no-users</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>     <security-role>
>         <description>Don't assign users to this role</description>
>         <role-name>no-users</role-name>
>     </security-role>
>
>     <welcome-file-list>
>         <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
>     </welcome-file-list>
>
> On 16 June 2017 at 08:54, Lukasz Lenart <lu...@apache.org> wrote:
>
>> Great! I have added a ToC and pushed to the top :)
>>
>> http://struts.apache.org/security/
>>
>>
>> Regards
>> --
>> Łukasz
>> + 48 606 323 122 http://www.lenart.org.pl/
>>


Re: struts-site git commit: update security page

Posted by Greg Huber <gr...@gmail.com>.
...Although it blocks the <welcome-file-list> file.

<!-- Restricts access to pure JSP files - access available only via Struts
action -->
    <security-constraint>
        <display-name>No direct JSP access</display-name>
        <web-resource-collection>
            <web-resource-name>No-JSP</web-resource-name>
            <url-pattern>*.jsp</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>no-users</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <description>Don't assign users to this role</description>
        <role-name>no-users</role-name>
    </security-role>

    <welcome-file-list>
        <welcome-file>WEB-INF/jsps/index.jsp</welcome-file>
    </welcome-file-list>

On 16 June 2017 at 08:54, Lukasz Lenart <lu...@apache.org> wrote:

> Great! I have added a ToC and pushed to the top :)
>
> http://struts.apache.org/security/
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>

Re: struts-site git commit: update security page

Posted by Greg Huber <gr...@gmail.com>.
Thanks, good to know.

On 16 June 2017 at 08:54, Lukasz Lenart <lu...@apache.org> wrote:

> Great! I have added a ToC and pushed to the top :)
>
> http://struts.apache.org/security/
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/
>