LAMS Development / LDEV-2110

Update conf/xdoclet/web-security.xml to include all new restricted jsp pages.

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.3
    • Fix Version/s: 2.4, 2.3.6
    • Component/s: General
    • Labels: None

      Description

      The web-security.xml for lams-central has to have ALL jsp files that need logging in included in its list of constraints, otherwise they will be accessible without logging in.

        Activity

        lfoxton Luke Foxton added a comment -
        This file looks all good for 2.3

        Re-opening and moving to 2.4 to remind this needs to be redone before 2.4
        ernieg Ernie Ghiglione added a comment -
        Here are the jsps that need to be protected for 2.4 in lams_central:

        ./web/tutorialVideo.jsp
        ./web/portrait.jsp
        ./web/loadVars.jsp

        ernieg Ernie Ghiglione added a comment -
        committed also to 2_3_release (2.3.6)
        ernieg Ernie Ghiglione added a comment -
        done
        ernieg Ernie Ghiglione added a comment -
        done
        marcin Marcin Cieslak added a comment -
        Now we mark explicitly each JSP page as secured.
        In future we may consider using patterns:

        1) We can mark all JSP pages as secured:

        <security-constraint>
        <web-resource-collection>
        <web-resource-name>Secure Content</web-resource-name>
        <url-pattern>/*.jsp</url-pattern>
        ...
        <auth-constraint>
        <role-name>LEARNER</role-name>
        <role-name>MONITOR</role-name>
        <role-name>AUTHOR</role-name>
        ...
        </auth-constraint>
        </security-constraint>

        and mark only several pages as public.
        This can be done by adding <security-constraint> with <url-pattern> matching exactly these pages, for example
        <url-pattern>/somePublicFile.jsp</url-pattern>
        which matches better than secured
        <url-pattern>/*.jsp</url-pattern>

        For this unsecured <security-constraint> *no* <auth-constraint> must be given, so everyone has access to it.


        2) We can use a prefix to mark secured pages, for example:

        <security-constraint>
        <web-resource-collection>
        <web-resource-name>Secure Content</web-resource-name>
        <url-pattern>/sec*.jsp</url-pattern>
        ...
        <auth-constraint>
        <role-name>LEARNER</role-name>
        <role-name>MONITOR</role-name>
        <role-name>AUTHOR</role-name>
        ...
        </auth-constraint>
        </security-constraint>


        This would require renaming all secure pages, for example:
        /author.jsp -> /secAuthor.jsp


        3) We can combine the above solutions and mark all JSP pages as secure by default,
        and mark prefixed pages as public (pub*.jsp), for example:
        /login.jsp -> /pubLogin.jsp

        Instead of prefixes, we can move secured and/or unsecured files to a certain folder, for example:
        /login.jsp -> /public/login.jsp
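An added example, not the LAMS project's own code, that checks a web.xml the way this issue asks for: it parses the security-constraint entries, applies the Servlet specification's best-match order (exact match, then longest path prefix, then extension) and lists the JSPs an unauthenticated client could still reach, first with the explicit per-page list and then with option 3 from the comment above. The web.xml fragments and JSP paths are constructed for the example; the catch-all uses the specification's extension-mapping form `*.jsp`.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (not the LAMS file): pages listed one by one, /login.jsp
# deliberately open (no <auth-constraint>), /portrait.jsp forgotten entirely.
EXPLICIT_XML = """<web-app>
 <security-constraint>
  <web-resource-collection><web-resource-name>Secure Content</web-resource-name>
   <url-pattern>/author.jsp</url-pattern><url-pattern>/monitor/*</url-pattern>
  </web-resource-collection>
  <auth-constraint><role-name>AUTHOR</role-name><role-name>MONITOR</role-name></auth-constraint>
 </security-constraint>
 <security-constraint>
  <web-resource-collection><web-resource-name>Public</web-resource-name>
   <url-pattern>/login.jsp</url-pattern></web-resource-collection>
 </security-constraint>
</web-app>"""

# Option 3 from the comment above: every JSP secured by default via the Servlet
# extension mapping *.jsp; the exact-match /login.jsp constraint still wins.
CATCH_ALL = """<security-constraint>
 <web-resource-collection><web-resource-name>All JSP</web-resource-name>
  <url-pattern>*.jsp</url-pattern></web-resource-collection>
 <auth-constraint><role-name>LEARNER</role-name></auth-constraint>
</security-constraint></web-app>"""
DEFAULT_DENY_XML = EXPLICIT_XML.replace("</web-app>", CATCH_ALL)

JSPS = ["/author.jsp", "/monitor/lesson.jsp", "/login.jsp", "/portrait.jsp"]

def parse_constraints(web_xml):
    """(url-pattern, requires_auth) pairs; no <auth-constraint> means open access."""
    pairs = []
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        auth = sc.find("auth-constraint") is not None
        pairs += [(p.text.strip(), auth) for p in sc.iter("url-pattern")]
    return pairs

def best_match(path, patterns):
    """Servlet-spec order: exact match, then longest /prefix/*, then *.ext."""
    if path in patterns:
        return path
    prefixes = [p for p in patterns if p.endswith("/*") and path.startswith(p[:-1])]
    if prefixes:
        return max(prefixes, key=len)
    ext = "*." + path.rpartition(".")[2]
    return ext if ext in patterns else None

def reachable_without_login(web_xml, paths=JSPS):
    """JSPs an anonymous client can open: unlisted, or matched by an open constraint."""
    constraints = parse_constraints(web_xml)
    patterns = {p for p, _ in constraints}
    open_patterns = {p for p, auth in constraints if not auth}
    return [path for path in paths
            if best_match(path, patterns) in open_patterns | {None}]
```

With the explicit list the forgotten /portrait.jsp shows up next to the intentionally public /login.jsp; with the catch-all only /login.jsp remains reachable.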

          People

          • Assignee: ernieg Ernie Ghiglione
          • Reporter: lfoxton Luke Foxton
          • Votes: 0
          • Watchers: 0