[JBPM-8177] Security exceptions in localhost log when running kie-server on JWS #1704
Conversation
Just FYI. This will probably break this:
@MarianMacik
@MarianMacik you will need to check whether OPTIONS is accessible without auth and the rest of the methods still require auth.
930b89a to 5da5bc9
…ver on JWS setting servlet 3.1 compliant servlet http constraints
@elguardian I played with this a little bit and it seems that this configuration is not what we want. First, from the specification: http-method or http-method-omission is used to specify which methods should be protected or which methods should be omitted from protection. An HTTP method is protected by a web-resource-collection under any of the following circumstances:

By this definition, we currently (with the current state of the PR) protect every method except OPTIONS. But it seems that the new feature

So my final proposal, which works, is:

With this web.xml we get only:

So it means that we now leave only the OPTIONS method unprotected. For Swagger, everything is protected as per the specification, although you don't need any roles to access it, so it is available as before without authentication. I have briefly tested this with both Wildfly and Tomcat.
Hi @MarianMacik the idea of the jira is to remove the severe INFO.

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST web resources</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>kie-server</role-name>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>REST web resources unprotected</web-resource-name>
    <url-pattern>/services/rest/*</url-pattern>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <!-- No authentication -->
</security-constraint>
```

plus the deny tag (it is already in the commit)
To be honest, this SEVERE info should be a warning on the Tomcat side. But yes, if we want to completely get rid of these log entries, your solution is the way to go, although it looks to me like a workaround, since we are basically duplicating one security constraint just for the sake of having one log entry dismissed :) But I am fine with either solution.
Tested it with Tomcat and Wildfly. |
ok to test |
@mswiderski not really sure who should be checking this one.
@MarianMacik is already involved so I believe that is already covered. Do we have any outstanding issues or is everything done as discussed in the comments?
I think it works now as expected. OPTIONS is the only method which is not authenticated and all other unlisted methods are denied with 403. It should also work for Swagger since we cover the services/rest/* endpoints there. So I am fine with that :)
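To make the behaviour agreed on in this thread concrete, here is an added example (not kie-server code and not any container's code) that models how a Servlet 3.1 container combines the two `security-constraint` entries posted above. It assumes that "the deny tag" referred to in the thread is `<deny-uncovered-http-methods/>`, models only exact and `/prefix/*` url-patterns, and ignores transport guarantees. For comparison it also evaluates a single constraint written with `<http-method-omission>OPTIONS</http-method-omission>`, which is a hypothetical alternative, not a configuration from this PR.

```python
"""Model of Servlet 3.1 <security-constraint> combination (added illustration,
not project code).  Semantics follow Servlet 3.1 section 13.8; the "deny tag"
is assumed to be <deny-uncovered-http-methods/>."""
from dataclasses import dataclass
from typing import Optional, Tuple


def path_matches(pattern: str, path: str) -> bool:
    """Exact match or '/prefix/*' path-prefix match (extension patterns not modelled)."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path


@dataclass(frozen=True)
class WebResourceCollection:
    url_patterns: Tuple[str, ...]
    http_methods: Tuple[str, ...] = ()            # <http-method> entries
    http_method_omissions: Tuple[str, ...] = ()   # <http-method-omission> entries

    def url_matches(self, path: str) -> bool:
        return any(path_matches(p, path) for p in self.url_patterns)

    def covers(self, path: str, method: str) -> bool:
        """A method is protected by a collection when the collection names no
        methods at all, names it via <http-method>, or lists other methods via
        <http-method-omission> but not this one (Servlet 3.1, 13.8.1)."""
        if not self.url_matches(path):
            return False
        if self.http_methods:
            return method in self.http_methods
        if self.http_method_omissions:
            return method not in self.http_method_omissions
        return True


@dataclass(frozen=True)
class SecurityConstraint:
    collections: Tuple[WebResourceCollection, ...]
    # None  -> no <auth-constraint>: unauthenticated access is permitted
    # ()    -> empty <auth-constraint/>: access precluded for everyone
    # roles -> caller must be authenticated and hold one of these roles
    roles: Optional[Tuple[str, ...]] = None


def decide(constraints, deny_uncovered: bool, path: str, method: str):
    """Return ("open", None), ("auth", frozenset_of_roles) or ("deny", None)."""
    url_hit = any(col.url_matches(path) for c in constraints for col in c.collections)
    matching = [c for c in constraints if any(col.covers(path, method) for col in c.collections)]
    if not matching:
        # URL is constrained but this method is uncovered: deny-uncovered-http-methods
        # turns the implicit "open" into a 403.  A URL no constraint matches stays open.
        return ("deny", None) if (url_hit and deny_uncovered) else ("open", None)
    # Combination rules: an empty auth-constraint overrides everything, a missing
    # auth-constraint opens access, otherwise the permitted roles are unioned.
    if any(c.roles == () for c in matching):
        return ("deny", None)
    if any(c.roles is None for c in matching):
        return ("open", None)
    return ("auth", frozenset(r for c in matching for r in c.roles))


REST = "/services/rest/*"

# The web.xml agreed on in this thread: authenticated GET/PUT/POST/DELETE, open OPTIONS,
# everything else uncovered and therefore denied by deny-uncovered-http-methods.
FINAL_CONSTRAINTS = (
    SecurityConstraint((WebResourceCollection((REST,), ("GET", "PUT", "POST", "DELETE")),),
                       roles=("kie-server", "user")),
    SecurityConstraint((WebResourceCollection((REST,), ("OPTIONS",)),), roles=None),
)

# Hypothetical alternative for comparison: one constraint that omits OPTIONS.
OMISSION_CONSTRAINTS = (
    SecurityConstraint((WebResourceCollection((REST,), http_method_omissions=("OPTIONS",)),),
                       roles=("kie-server", "user")),
)


def decide_final(path: str, method: str):
    return decide(FINAL_CONSTRAINTS, True, path, method)


def decide_omission(path: str, method: str):
    return decide(OMISSION_CONSTRAINTS, True, path, method)


if __name__ == "__main__":
    for m in ("OPTIONS", "GET", "PATCH", "HEAD"):
        print(m, decide_final("/services/rest/server", m), decide_omission("/services/rest/server", m))
```

Under the final configuration OPTIONS is open, the four listed methods require the `kie-server` or `user` role, and HEAD, PATCH or TRACE fall through to the uncovered-method deny. The omission variant shows why the separate constraint is needed: with deny-uncovered in effect an omitted OPTIONS is uncovered and therefore refused rather than left open, while unlisted methods such as PATCH become covered and merely require authentication.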
jenkins retest this |
This currently failed because of https://issues.jboss.org/browse/JBPM-8191
Jenkins retest this |
setting servlet 3.1 compliant servlet http constraints.
This will remove the severe log. We will have a default deny for the entries not specified