[undertow-dev] Access control examples

Stuart Douglas sdouglas at redhat.com
Wed Aug 15 20:05:44 EDT 2018


On Sat, Aug 11, 2018 at 1:25 AM Brad Wood <bdw429s at gmail.com> wrote:

> It depends a bit on what you want to do.
>
>
> Thanks for the reply Stuart.  Honestly, I'm just brainstorming a little
> here to see what's possible but I just couldn't find any docs or examples
> to help solidify what was out in there.  My primary use for this as I
> explained just now in a separate reply is to be able to add some security
> rules to CommandBox servers to do things such as:
>
>    - Block access to CF admins in the root (such as paths starting with
>    */CFIDE*)
>    - Block access to special files in any directory such as *box.json*,
>    *server.json*, or *.cfconfig.json*
>    - Block access to hidden files in any directory (starting with a
>    period )
>    - Block access to custom folders defined by the user such as */tests/*
>    or */workbench*
>
> I'm thinking a bit how the IIS "hidden segments" feature works.  In
> addition to using this behind the scenes in CommandBox, I'd like to expose
> it to my users in the *server.json
> <https://commandbox.ortusbooks.com/embedded-server/server.json>* so they
> can configure basic access control.  I generally don't expose 100% of what
> Undertow does since CommandBox aims to be a drop-in dead-easy way to just
> fire up a server, but I'm interested in the IP matching since that could be
> a common use case.  i.e., "Block access to the administrator unless the IP
> is in this range or localhost"
>
> So basically, yes, I'm interested in all of those things and I don't have
> a super specific solution in mind, but I'm rather just looking for some
> better examples to help me understand what's there and what I can best
> expose in CommandBox.
>
> Basically you just use a predicate to decide what you want to restrict,
>> and then map it to a handler that either rejects the request outright or
>> performs an access control check.
>
>
> This makes sense and I think the predicate part was what I was missing,
> but are there examples of this anywhere?  It helps me way more to see some
> code.
>
>
Most of the examples of this are in the test suite, e.g.
PredicatedHandlersTestCase. There is also a text based representation you
can use to configure this. e.g. to reject all box.json files:
path-suffix(/box.json) -> status(404).

Stuart
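As an added illustration of the handler chain described above (this is example code, not CommandBox or Undertow project code), the snippet below wires the pieces named in this thread together programmatically: a PredicateHandler that sends 404 for the special files, hidden segments and user-defined folders, and an IPAddressAccessControlHandler in front of /CFIDE that only admits loopback and one assumed trusted range (10.0.0.0/8 is a placeholder). The APP handler stands in for whatever serves the site; PathPrefixPredicate is case-sensitive, so the example uses its own lower-casing predicate, since /cfide and /CFIDE are the same directory on a case-insensitive file system.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.predicate.Predicate;
import io.undertow.predicate.Predicates;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.CanonicalPathHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.util.Headers;

import java.util.Locale;

/**
 * Added example: an Undertow access-control chain for the rules discussed in
 * the thread. Not part of CommandBox or Undertow; the trusted IP range and the
 * APP handler are assumptions for the demo.
 */
public class AccessControlExample {

    /** Stand-in for the real application or ResourceHandler (assumed). */
    static final HttpHandler APP = exchange -> {
        exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
        exchange.getResponseSender().send("served: " + exchange.getRelativePath());
    };

    /**
     * Case-insensitive prefix match. Predicates.prefix() is case-sensitive,
     * which lets /cfide/ slip past a /CFIDE rule on Windows or macOS.
     */
    static Predicate prefixIgnoreCase(String prefix) {
        String p = prefix.toLowerCase(Locale.ROOT);
        return exchange -> exchange.getRelativePath().toLowerCase(Locale.ROOT).startsWith(p);
    }

    /** True when any path segment starts with a period, e.g. /.git/config or /app/.cfconfig.json. */
    static final Predicate HIDDEN_SEGMENT = exchange -> {
        for (String segment : exchange.getRelativePath().split("/")) {
            if (segment.startsWith(".")) {
                return true;
            }
        }
        return false;
    };

    static HttpHandler build(HttpHandler app) {
        // 1. Special files in any directory, hidden segments and user-defined
        //    folders: reject outright. 404 rather than 403 so the response does
        //    not confirm that the file exists.
        Predicate blocked = Predicates.or(
                Predicates.suffixes("/box.json", "/server.json", "/.cfconfig.json"),
                HIDDEN_SEGMENT,
                prefixIgnoreCase("/tests/"),
                prefixIgnoreCase("/workbench"));

        // 2. Admin paths: allowed only from loopback or the trusted range,
        //    everything else gets 403. Deny by default, then add allows.
        IPAddressAccessControlHandler adminAcl = new IPAddressAccessControlHandler(app, 403);
        adminAcl.setDefaultAllow(false);
        adminAcl.addAllow("127.0.0.1");
        adminAcl.addAllow("::1");
        adminAcl.addAllow("10.0.0.0/8"); // assumed trusted range, replace with your own

        HttpHandler adminGate = Handlers.predicate(prefixIgnoreCase("/CFIDE"), adminAcl, app);

        // Blocked paths are checked first; anything else goes through the admin gate.
        HttpHandler chain = Handlers.predicate(blocked, ResponseCodeHandler.HANDLE_404, adminGate);

        // 3. Canonicalise before matching so /foo/../CFIDE/ is judged as /CFIDE/.
        return new CanonicalPathHandler(chain);
    }

    public static void main(String[] args) {
        Undertow.builder()
                .addHttpListener(8080, "0.0.0.0")
                .setHandler(build(APP))
                .build()
                .start();
    }
}
```

Two things to check before exposing this to users: IPAddressAccessControlHandler decides on exchange.getSourceAddress(), so behind a reverse proxy every request appears to come from the proxy unless a ProxyPeerAddressHandler (which trusts X-Forwarded-For) is installed in front of it, and that header must only be honoured from a proxy you control. And if you prefer the text form for server.json rules, the handler names it accepts are whatever each handler's Builder returns from name() in the Undertow version you ship, so verify the rule against PredicatedHandlersParser rather than assuming it.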


> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad at coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
>
>
> On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas at redhat.com>
> wrote:
>
>> It depends a bit on what you want to do.
>>
>> If you just want to block /CFIDE you can just use a PredicateHandler,
>> with a PathPrefixPredicate, and if it matches use ResponseCodeHandler to
>> return the desired response code. You could combine it
>> with io.undertow.server.handlers.AccessControlListHandler
>> or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to
>> limit the IP range.
>>
>> Basically you just use a predicate to decide what you want to restrict,
>> and then map it to a handler that either rejects the request outright or
>> performs an access control check.
>>
>> Stuart
>>
>>
>> On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s at gmail.com> wrote:
>>
>>> Anyone?
>>>
>>> Thanks!
>>>
>>> ~Brad
>>>
>>> *Developer Advocate*
>>> *Ortus Solutions, Corp *
>>>
>>> E-mail: brad at coldbox.org
>>> ColdBox Platform: http://www.coldbox.org
>>> Blog: http://www.codersrevolution.com
>>>
>>>
>>>
>>> On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>
>>>> Hi, I'm looking for some examples of locking down access to certain
>>>> directories, similar to how IIS has "hidden segments".  For instance, I'd
>>>> like all URLs starting with /CFIDE to be blocked, or perhaps only access to
>>>> a certain range of IPs
>>>>
>>>> I swear I had looked at some examples of this about a year ago, but
>>>> after quite a lot of Googling today I was coming up empty handed.  I found
>>>> some basic information on the access control handlers, but couldn't find a
>>>> single example of using them.
>>>>
>>>> Thanks!
>>>>
>>>> ~Brad
>>>>
>>>> *Developer Advocate*
>>>> *Ortus Solutions, Corp *
>>>>
>>>> E-mail: brad at coldbox.org
>>>> ColdBox Platform: http://www.coldbox.org
>>>> Blog: http://www.codersrevolution.com
>>>>
>>>> _______________________________________________
>>> undertow-dev mailing list
>>> undertow-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>
>>