[undertow-dev] Access control examples

Brad Wood bdw429s at gmail.com
Tue Aug 21 12:51:26 EDT 2018 

Hi Stuart, did you see my notes about the unmerged pulls, the status(xxx)
call and the question about basic auth being part of the predicate language?

Thanks!

~Brad

*Developer Advocate*
*Ortus Solutions, Corp *

E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com



On Thu, Aug 16, 2018 at 1:30 PM Brad Wood <bdw429s at gmail.com> wrote:

> Is the basic auth handler part of the predicate language?  I didn't see it
> in the docs so I wanted to see if there was a way to have a textual
> representation of that.
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad at coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
>
>
> On Thu, Aug 16, 2018 at 1:06 PM Brad Wood <bdw429s at gmail.com> wrote:
>
>> Thanks for the additional information Stuart.  After a bit of Googling,
>> the most comprehensive version of the documentation for the predicate
>> language appears to be here:
>>
>>
>> https://github.com/undertow-io/undertow-docs/blob/master/src/main/asciidoc/predicates-attributes-handlers.asciidoc
>>
>> I'll note that Google really tends to favor the older, but less complete
>> versions of that page such as this one:
>>
>>
>> http://undertow.io/undertow-docs/undertow-docs-1.2.0/predicates-attributes-handlers.html
>>
>> You may want to look into some SEO tricks to get Google to index the most
>> recent version so it's easier to find.  That said, for the life of me, I
>> can't find any docs at all that talk about the *status(404)* bit you
>> showed.  Where is that covered?
>>
>> Did you perhaps mean this: *response-code(302)*
>>
>> Also, on the note of your docs, you have a handful of old pull requests
>> for typos and such over here:
>> https://github.com/undertow-io/undertow-docs/pulls
>> I added one to the list.  Please review and merge those :)
>>
>> Thanks!
>>
>> ~Brad
>>
>> *Developer Advocate*
>> *Ortus Solutions, Corp *
>>
>> E-mail: brad at coldbox.org
>> ColdBox Platform: http://www.coldbox.org
>> Blog: http://www.codersrevolution.com
>>
>>
>>
>> On Wed, Aug 15, 2018 at 7:05 PM Stuart Douglas <sdouglas at redhat.com>
>> wrote:
>>
>>>
>>>
>>> On Sat, Aug 11, 2018 at 1:25 AM Brad Wood <bdw429s at gmail.com> wrote:
>>>
>>>> It depenends a bit on what you want to do.
>>>>
>>>>
>>>> Thanks for the reply Stuart.  Honestly, I'm just brainstorming a little
>>>> here to see what's possible but I just couldn't find any docs or examples
>>>> to help solidify what was out in there.  My primary use for this as I
>>>> explained just now in a separate reply is to be able to add some security
>>>> rules to CommandBox servers to do things such as:
>>>>
>>>>    - Block access to CF admins in the root (such as paths starting
>>>>    with  */CFIDE*)
>>>>    - Block access to special files in any directory such as *box.json*,
>>>>    *server.json*, or *.cfconfig.json*
>>>>    - Block access to hidden files in any directory (starting with a
>>>>    period )
>>>>    - Block access to custom folders defined by the user such as
>>>>    */tests/* or */workbench*
>>>>
>>>> I'm thinking a bit how the IIS "hidden segments" feature works.  In
>>>> addition to using this behind the scenes in CommandBox, I'd like to expose
>>>> it to my users in the *server.json
>>>> <https://commandbox.ortusbooks.com/embedded-server/server.json>* so
>>>> they can configure basic access control.  I generally don't expose 100% of
>>>> what Undertow does since CommandBox aims to be a drop-in dead-easy way to
>>>> just fire up a server, but I'm interested in the IP matching since that
>>>> could be a common use case.  i.e., "Block access to the administrator
>>>> unless the IP is in this range or localhost"
>>>>
>>>> So basically, yes, I'm interested in all of those things and I don't
>>>> have a super specific solution in mind, but I'm rather just looking for
>>>> some better examples to help me understand what's there and what I can best
>>>> expose in CommandBox.
>>>>
>>>> Basically you just use a predicate to decide what you want to restrict,
>>>>> and then map it to a handler that either rejects the request outright or
>>>>> performs an access control check.
>>>>
>>>>
>>>> This makes sense and I think the predicate part was what I was missing,
>>>> but are there examples of this anywhere?  It helps me way more to see some
>>>> code.
>>>>
>>>>
>>> Most of the examples of this are in the test suite, e.g.
>>> PredicatedHandlersTestCase. There is also a text based representation you
>>> can use to configure this. e.g. to reject all box.json files:
>>> path-suffix(/box.json) -> status(404).
>>>
>>> Stuart
>>>
>>>
>>>> Thanks!
>>>>
>>>> ~Brad
>>>>
>>>> *Developer Advocate*
>>>> *Ortus Solutions, Corp *
>>>>
>>>> E-mail: brad at coldbox.org
>>>> ColdBox Platform: http://www.coldbox.org
>>>> Blog: http://www.codersrevolution.com
>>>>
>>>>
>>>>
>>>> On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas at redhat.com>
>>>> wrote:
>>>>
>>>>> It depenends a bit on what you want to do.
>>>>>
>>>>> If you just want to block /CFIDE you can just use a PredicateHandler,
>>>>> with a PathPrefixPredicate, and if it matches use ResponseCodeHandler to
>>>>> return the desired response code. You could combine it
>>>>> with io.undertow.server.handlers.AccessControlListHandler
>>>>> or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to
>>>>> limit the IP range.
>>>>>
>>>>> Basically you just use a predicate to decide what you want to
>>>>> restrict, and then map it to a handler that either rejects the request
>>>>> outright or performs an access control check.
>>>>>
>>>>> Stuart
>>>>>
>>>>>
>>>>> On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>>>
>>>>>> Anyone?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> ~Brad
>>>>>>
>>>>>> *Developer Advocate*
>>>>>> *Ortus Solutions, Corp *
>>>>>>
>>>>>> E-mail: brad at coldbox.org
>>>>>> ColdBox Platform: http://www.coldbox.org
>>>>>> Blog: http://www.codersrevolution.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>>>>
>>>>>>> Hi, I'm looking for some examples of locking down access to certain
>>>>>>> directories, similar to how IIS has "hidden segments".  For instance, I'd
>>>>>>> like all URLs starting with /CFIDE to be blocked, or perhaps only access to
>>>>>>> a certain range of IPs
>>>>>>>
>>>>>>> I swear I had looked at some examples of this about a year ago, but
>>>>>>> after quite a lot of Googling today I was coming up empty handed.  I found
>>>>>>> some basic information on the access control handlers, but couldn't find a
>>>>>>> single example of using them.
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> ~Brad
>>>>>>>
>>>>>>> *Developer Advocate*
>>>>>>> *Ortus Solutions, Corp *
>>>>>>>
>>>>>>> E-mail: brad at coldbox.org
>>>>>>> ColdBox Platform: http://www.coldbox.org
>>>>>>> Blog: http://www.codersrevolution.com
>>>>>>>
>>>>>>> _______________________________________________
>>>>>> undertow-dev mailing list
>>>>>> undertow-dev at lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>>
>>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/undertow-dev/attachments/20180821/62978fa2/attachment-0001.html

More information about the undertow-dev mailing list