[undertow-dev] Access control examples

Brad Wood bdw429s at gmail.com
Fri Aug 10 11:24:56 EDT 2018


> It depends a bit on what you want to do.

Thanks for the reply Stuart.  Honestly, I'm just brainstorming a little
here to see what's possible, but I just couldn't find any docs or examples
to help solidify what was out there.  My primary use for this, as I
explained just now in a separate reply, is to be able to add some security
rules to CommandBox servers to do things such as:

   - Block access to CF admins in the root (such as paths starting with
   */CFIDE*)
   - Block access to special files in any directory such as *box.json*,
   *server.json*, or *.cfconfig.json*
   - Block access to hidden files in any directory (starting with a period )
   - Block access to custom folders defined by the user such as */tests/*
   or */workbench*

I'm thinking a bit of how the IIS "hidden segments" feature works.  In
addition to using this behind the scenes in CommandBox, I'd like to expose
it to my users in the *server.json
<https://commandbox.ortusbooks.com/embedded-server/server.json>* so they
can configure basic access control.  I generally don't expose 100% of what
Undertow does since CommandBox aims to be a drop-in dead-easy way to just
fire up a server, but I'm interested in the IP matching since that could be
a common use case.  i.e., "Block access to the administrator unless the IP
is in this range or localhost"

So basically, yes, I'm interested in all of those things and I don't have a
super specific solution in mind, but I'm rather just looking for some
better examples to help me understand what's there and what I can best
expose in CommandBox.

> Basically you just use a predicate to decide what you want to restrict, and
> then map it to a handler that either rejects the request outright or
> performs an access control check.


This makes sense and I think the predicate part was what I was missing, but
are there examples of this anywhere?  It helps me way more to see some code.

Thanks!

~Brad

*Developer Advocate*
*Ortus Solutions, Corp *

E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com



On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas at redhat.com> wrote:

> It depends a bit on what you want to do.
>
> If you just want to block /CFIDE you can just use a PredicateHandler, with
> a PathPrefixPredicate, and if it matches use ResponseCodeHandler to return
> the desired response code. You could combine it
> with io.undertow.server.handlers.AccessControlListHandler
> or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to
> limit the IP range.
>
> Basically you just use a predicate to decide what you want to restrict,
> and then map it to a handler that either rejects the request outright or
> performs an access control check.
>
> Stuart
>
>
> On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s at gmail.com> wrote:
>
>> Anyone?
>>
>> Thanks!
>>
>> ~Brad
>>
>> *Developer Advocate*
>> *Ortus Solutions, Corp *
>>
>> E-mail: brad at coldbox.org
>> ColdBox Platform: http://www.coldbox.org
>> Blog: http://www.codersrevolution.com
>>
>>
>>
>> On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s at gmail.com> wrote:
>>
>>> Hi, I'm looking for some examples of locking down access to certain
>>> directories, similar to how IIS has "hidden segments".  For instance, I'd
>>> like all URLs starting with /CFIDE to be blocked, or perhaps only access to
>>> a certain range of IPs
>>>
>>> I swear I had looked at some examples of this about a year ago, but
>>> after quite a lot of Googling today I was coming up empty handed.  I found
>>> some basic information on the access control handlers, but couldn't find a
>>> single example of using them.
>>>
>>> Thanks!
>>>
>>> ~Brad
>>>
>>> *Developer Advocate*
>>> *Ortus Solutions, Corp *
>>>
>>> E-mail: brad at coldbox.org
>>> ColdBox Platform: http://www.coldbox.org
>>> Blog: http://www.codersrevolution.com
>>>
>>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
>
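The chain Stuart describes, written out as an added example in Java against the Undertow 2.x API; this is not code from the thread, from Undertow or from CommandBox. It wires up the four rules from Brad's list: PredicateHandler plus PathPrefixPredicate-style matching to decide which requests are restricted, ResponseCodeHandler to reject outright, and IPAddressAccessControlHandler to gate the admin by source address. The listening port, the folder names and the 10.0.0.0/8 range are assumptions made for the example, as is the `prefixIgnoreCase` helper (Undertow's built-in `Predicates.prefix` is case-sensitive).

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.predicate.Predicate;
import io.undertow.predicate.Predicates;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.util.Headers;

import java.util.Locale;

/**
 * Added example, not code from the undertow-dev thread, Undertow or CommandBox.
 * Wires the four rules discussed in the thread into one Undertow handler chain:
 *   1. /CFIDE is served only to localhost and an assumed office range,
 *   2. user-defined folders (/tests, /workbench) are never served,
 *   3. box.json / server.json / .cfconfig.json are never served from any directory,
 *   4. hidden files or directories (any path segment starting with '.') are never served.
 * The port, the folder names and the 10.0.0.0/8 range are assumptions for the example.
 */
public class AccessRulesExample {

    // Rule 2: folders the user asked to hide. Trailing slash so "/tests-data" is not caught.
    static final String[] BLOCKED_FOLDERS = {"/tests/", "/workbench/"};

    // Rule 3: config files that must not be downloadable from any directory.
    static final String[] BLOCKED_FILES = {"box.json", "server.json", ".cfconfig.json"};

    /** Rule 4: true if any path segment starts with '.' (covers /.git/config and /dir/.env). */
    static boolean hasHiddenSegment(String path) {
        for (String segment : path.split("/")) {
            if (segment.startsWith(".")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Case-insensitive version of Predicates.prefix(). The CF server behind this chain
     * usually sits on a case-insensitive file system, where a case-sensitive match on
     * "/CFIDE" would still let "/cfide/administrator" reach the same files.
     */
    static Predicate prefixIgnoreCase(String prefix) {
        String wanted = prefix.toLowerCase(Locale.ROOT);
        return exchange -> exchange.getRelativePath().toLowerCase(Locale.ROOT).startsWith(wanted);
    }

    /** Predicate for rules 2-4, also compared in lower case for the reason above. */
    static final Predicate BLOCKED_PATH = exchange -> {
        String path = exchange.getRelativePath().toLowerCase(Locale.ROOT);
        if (hasHiddenSegment(path)) {
            return true;
        }
        for (String folder : BLOCKED_FOLDERS) {
            // block the folder itself ("/tests") as well as everything under it
            if (path.startsWith(folder) || (path + "/").equals(folder)) {
                return true;
            }
        }
        for (String file : BLOCKED_FILES) {
            if (path.endsWith("/" + file)) {
                return true;
            }
        }
        return false;
    };

    /** Builds the chain in front of the real application handler. */
    static HttpHandler withAccessRules(HttpHandler app) {
        // Rule 1: IPAddressAccessControlHandler denies by default (403 here) and only
        // passes the listed peers through to `app`. It checks the TCP peer address, so
        // behind a reverse proxy every request appears to come from the proxy; in that
        // deployment the proxy has to enforce the rule, or ProxyPeerAddressHandler must
        // run first and the proxy must be trusted to set the forwarding headers.
        HttpHandler adminFromTrustedPeers = new IPAddressAccessControlHandler(app, 403)
                .addAllow("127.0.0.1")
                .addAllow("::1")
                .addAllow("10.0.0.0/8");   // assumed office range
        HttpHandler adminRule = Handlers.predicate(prefixIgnoreCase("/CFIDE"), adminFromTrustedPeers, app);

        // Rules 2-4: a plain 404 so the blocked resources look like they do not exist.
        HttpHandler blockRule = Handlers.predicate(BLOCKED_PATH, ResponseCodeHandler.HANDLE_404, adminRule);

        // Collapse "/tests/../tests/x" style segments before any rule looks at the path.
        return Handlers.canonicalPath(blockRule);
    }

    public static void main(String[] args) {
        HttpHandler app = exchange -> {
            exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
            exchange.getResponseSender().send("served " + exchange.getRelativePath());
        };
        Undertow.builder()
                .addHttpListener(8080, "0.0.0.0")   // assumed port
                .setHandler(withAccessRules(app))
                .build()
                .start();
    }
}
```

Order matters: canonicalisation runs first so that the predicates see the normalised path, the outright block runs next so that a blocked file never reaches the IP check, and only then does the /CFIDE rule consult the source address. `Predicates.prefix("/CFIDE")` (the PathPrefixPredicate Stuart mentions) or `Predicates.prefixes(...)` can replace `prefixIgnoreCase` where the file system is case-sensitive. Undertow also ships a textual predicate language (for example `path-prefix('/CFIDE')`, parsed by `io.undertow.predicate.PredicateParser`), which may be the more natural thing to expose to users in a server.json setting than the Java API.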