[undertow-dev] Access control examples

Brad Wood bdw429s at gmail.com
Thu Sep 13 23:02:17 EDT 2018


Hi Stuart, did you see my note about the unmerged pulls, the status(xxx)
call and the question about basic auth being part of the predicate
language?

Thanks!

~Brad

*Developer Advocate*
*Ortus Solutions, Corp *

E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com



On Tue, Aug 21, 2018 at 11:51 AM Brad Wood <bdw429s at gmail.com> wrote:

> Hi Stuart, did you see my notes about the unmerged pulls, the status(xxx)
> call and the question about basic auth being part of the predicate language?
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad at coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
>
>
> On Thu, Aug 16, 2018 at 1:30 PM Brad Wood <bdw429s at gmail.com> wrote:
>
>> Is the basic auth handler part of the predicate language?  I didn't see
>> it in the docs so I wanted to see if there was a way to have a textual
>> representation of that.
>>
>> Thanks!
>>
>> ~Brad
>>
>> *Developer Advocate*
>> *Ortus Solutions, Corp *
>>
>> E-mail: brad at coldbox.org
>> ColdBox Platform: http://www.coldbox.org
>> Blog: http://www.codersrevolution.com
>>
>>
>>
>> On Thu, Aug 16, 2018 at 1:06 PM Brad Wood <bdw429s at gmail.com> wrote:
>>
>>> Thanks for the additional information Stuart.  After a bit of Googling,
>>> the most comprehensive version of the documentation for the predicate
>>> language appears to be here:
>>>
>>>
>>> https://github.com/undertow-io/undertow-docs/blob/master/src/main/asciidoc/predicates-attributes-handlers.asciidoc
>>>
>>> I'll note that Google really tends to favor the older, but less complete
>>> versions of that page such as this one:
>>>
>>>
>>> http://undertow.io/undertow-docs/undertow-docs-1.2.0/predicates-attributes-handlers.html
>>>
>>> You may want to look into some SEO tricks to get Google to index the
>>> most recent version so it's easier to find.  That said, for the life of me,
>>> I can't find any docs at all that talk about the *status(404)* bit you
>>> showed.  Where is that covered?
>>>
>>> Did you perhaps mean this: *response-code(302)*
>>>
>>> Also, on the note of your docs, you have a handful of old pull requests
>>> for typos and such over here:
>>> https://github.com/undertow-io/undertow-docs/pulls
>>> I added one to the list.  Please review and merge those :)
>>>
>>> Thanks!
>>>
>>> ~Brad
>>>
>>> *Developer Advocate*
>>> *Ortus Solutions, Corp *
>>>
>>> E-mail: brad at coldbox.org
>>> ColdBox Platform: http://www.coldbox.org
>>> Blog: http://www.codersrevolution.com
>>>
>>>
>>>
>>> On Wed, Aug 15, 2018 at 7:05 PM Stuart Douglas <sdouglas at redhat.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Sat, Aug 11, 2018 at 1:25 AM Brad Wood <bdw429s at gmail.com> wrote:
>>>>
>>>>> It depends a bit on what you want to do.
>>>>>
>>>>>
>>>>> Thanks for the reply Stuart.  Honestly, I'm just brainstorming a
>>>>> little here to see what's possible but I just couldn't find any docs or
>>>>> examples to help solidify what was out in there.  My primary use for this
>>>>> as I explained just now in a separate reply is to be able to add some
>>>>> security rules to CommandBox servers to do things such as:
>>>>>
>>>>>    - Block access to CF admins in the root (such as paths starting
>>>>>    with  */CFIDE*)
>>>>>    - Block access to special files in any directory such as *box.json*,
>>>>>    *server.json*, or *.cfconfig.json*
>>>>>    - Block access to hidden files in any directory (starting with a
>>>>>    period )
>>>>>    - Block access to custom folders defined by the user such as
>>>>>    */tests/* or */workbench*
>>>>>
>>>>> I'm thinking a bit how the IIS "hidden segments" feature works.  In
>>>>> addition to using this behind the scenes in CommandBox, I'd like to expose
>>>>> it to my users in the *server.json
>>>>> <https://commandbox.ortusbooks.com/embedded-server/server.json>* so
>>>>> they can configure basic access control.  I generally don't expose 100% of
>>>>> what Undertow does since CommandBox aims to be a drop-in dead-easy way to
>>>>> just fire up a server, but I'm interested in the IP matching since that
>>>>> could be a common use case.  i.e., "Block access to the administrator
>>>>> unless the IP is in this range or localhost"
>>>>>
>>>>> So basically, yes, I'm interested in all of those things and I don't
>>>>> have a super specific solution in mind, but I'm rather just looking for
>>>>> some better examples to help me understand what's there and what I can best
>>>>> expose in CommandBox.
>>>>>
>>>>> Basically you just use a predicate to decide what you want to
>>>>>> restrict, and then map it to a handler that either rejects the request
>>>>>> outright or performs an access control check.
>>>>>
>>>>>
>>>>> This makes sense and I think the predicate part was what I was
>>>>> missing, but are there examples of this anywhere?  It helps me way more to
>>>>> see some code.
>>>>>
>>>>>
>>>> Most of the examples of this are in the test suite, e.g.
>>>> PredicatedHandlersTestCase. There is also a text based representation you
>>>> can use to configure this. e.g. to reject all box.json files:
>>>> path-suffix(/box.json) -> status(404).
>>>>
>>>> Stuart
>>>>
>>>>
>>>>> Thanks!
>>>>>
>>>>> ~Brad
>>>>>
>>>>> *Developer Advocate*
>>>>> *Ortus Solutions, Corp *
>>>>>
>>>>> E-mail: brad at coldbox.org
>>>>> ColdBox Platform: http://www.coldbox.org
>>>>> Blog: http://www.codersrevolution.com
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas at redhat.com>
>>>>> wrote:
>>>>>
>>>>>> It depends a bit on what you want to do.
>>>>>>
>>>>>> If you just want to block /CFIDE you can just use a PredicateHandler,
>>>>>> with a PathPrefixPredicate, and if it matches use ResponseCodeHandler to
>>>>>> return the desired response code. You could combine it
>>>>>> with io.undertow.server.handlers.AccessControlListHandler
>>>>>> or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to
>>>>>> limit the IP range.
>>>>>>
>>>>>> Basically you just use a predicate to decide what you want to
>>>>>> restrict, and then map it to a handler that either rejects the request
>>>>>> outright or performs an access control check.
>>>>>>
>>>>>> Stuart
>>>>>>
>>>>>>
>>>>>> On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>>>>
>>>>>>> Anyone?
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> ~Brad
>>>>>>>
>>>>>>> *Developer Advocate*
>>>>>>> *Ortus Solutions, Corp *
>>>>>>>
>>>>>>> E-mail: brad at coldbox.org
>>>>>>> ColdBox Platform: http://www.coldbox.org
>>>>>>> Blog: http://www.codersrevolution.com
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi, I'm looking for some examples of locking down access to certain
>>>>>>>> directories, similar to how IIS has "hidden segments".  For instance, I'd
>>>>>>>> like all URLs starting with /CFIDE to be blocked, or perhaps only access to
>>>>>>>> a certain range of IPs
>>>>>>>>
>>>>>>>> I swear I had looked at some examples of this about a year ago, but
>>>>>>>> after quite a lot of Googling today I was coming up empty handed.  I found
>>>>>>>> some basic information on the access control handlers, but couldn't find a
>>>>>>>> single example of using them.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>>
>>>>>>>> ~Brad
>>>>>>>>
>>>>>>>> *Developer Advocate*
>>>>>>>> *Ortus Solutions, Corp *
>>>>>>>>
>>>>>>>> E-mail: brad at coldbox.org
>>>>>>>> ColdBox Platform: http://www.coldbox.org
>>>>>>>> Blog: http://www.codersrevolution.com
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>> undertow-dev mailing list
>>>>>>> undertow-dev at lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>>>
>>>>>>
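The two replies from Stuart above describe the pattern (a predicate chooses the request, a handler rejects it or runs an IP check) and give one textual rule. The following is an added example, written for this thread and not code from Undertow or CommandBox, that builds Brad's full list of rules both ways: once with the Java API (PredicateHandler, PathPrefixPredicate via Predicates.prefix, ResponseCodeHandler, IPAddressAccessControlHandler) and once in the textual predicate language fed through PredicatedHandlersParser. The web root, the admin network, the port and the class name are placeholders I chose; the handler name used for the rejection is response-code, which is the name in the handler reference Brad linked (Stuart's status(404) does not appear there). The API calls are Undertow's as I know them from the 1.4/2.x line; check them against the version you build with.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.predicate.Predicate;
import io.undertow.predicate.Predicates;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.server.handlers.PredicateHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.builder.PredicatedHandler;
import io.undertow.server.handlers.builder.PredicatedHandlersParser;
import io.undertow.server.handlers.resource.PathResourceManager;

import java.nio.file.Paths;
import java.util.List;

/**
 * Added example (not Undertow or CommandBox code): the "hidden segment" style
 * rules from the thread, built once with the Java API and once from the textual
 * predicate language, so the two forms can be compared side by side.
 */
public class AccessControlExample {

    // Assumed web root and admin network; both are placeholders for this example.
    static final String WEB_ROOT = "/var/www/site";
    static final String ADMIN_NET = "10.0.0.0/8";

    /** Java API form: PredicateHandler + ResponseCodeHandler + IPAddressAccessControlHandler. */
    static HttpHandler buildWithApi(HttpHandler app) {
        // /CFIDE is reachable only from loopback or ADMIN_NET; anyone else gets a 403.
        // default-allow=false means an address that matches no rule is denied.
        IPAddressAccessControlHandler cfideAcl = new IPAddressAccessControlHandler(app, 403)
                .setDefaultAllow(false)
                .addAllow("127.0.0.1")
                .addAllow("::1")
                .addAllow(ADMIN_NET);
        HttpHandler adminGate = new PredicateHandler(Predicates.prefix("/CFIDE"), cfideAcl, app);

        // Paths that must never be served from any directory: config files, any
        // path segment starting with '.', and user-chosen folders. Matching requests
        // get a 404 and never reach adminGate or the application.
        Predicate hidden = Predicates.or(
                Predicates.suffixes("/box.json", "/server.json", "/.cfconfig.json"),
                Predicates.regex("/\\.[^/]+"),
                Predicates.prefixes("/tests/", "/workbench"));
        return new PredicateHandler(hidden, ResponseCodeHandler.HANDLE_404, adminGate);
    }

    /** Textual form of the same policy, one "predicate -> handler" rule per line. */
    static final String RULES = String.join("\n",
            "path-suffix('/box.json') -> response-code(404)",
            "path-suffix('/server.json') -> response-code(404)",
            "path-suffix('/.cfconfig.json') -> response-code(404)",
            "regex(pattern='/[.][^/]+', value='%R') -> response-code(404)",
            "path-prefix('/tests/') -> response-code(404)",
            "path-prefix('/workbench') -> response-code(404)",
            "path-prefix('/CFIDE') -> ip-access-control(default-allow=false, failure-status=403, "
                    + "acl={'127.0.0.1 allow', '::1 allow', '" + ADMIN_NET + " allow'})");

    /** Parses RULES and chains the resulting handlers in front of the application. */
    static HttpHandler buildFromText(HttpHandler app) {
        List<PredicatedHandler> parsed =
                PredicatedHandlersParser.parse(RULES, AccessControlExample.class.getClassLoader());
        return Handlers.predicates(parsed, app);
    }

    public static void main(String[] args) {
        // Plain static file serving stands in for the CF application.
        HttpHandler app = Handlers.resource(new PathResourceManager(Paths.get(WEB_ROOT), 1024))
                .setDirectoryListingEnabled(false);
        Undertow.builder()
                .addHttpListener(8080, "127.0.0.1")
                .setHandler(buildFromText(app))   // or buildWithApi(app); both enforce the same rules
                .build()
                .start();
    }
}
```

To check it, request http://127.0.0.1:8080/box.json or /sub/.cfconfig.json and expect 404 regardless of whether the file exists; request /CFIDE/administrator/ from the listening host and the ACL lets it through (the resource handler then answers for the file itself), while the same request from an address outside the allow list gets the 403 set by failure-status. Two points worth keeping in mind when exposing this from server.json: the prefix and suffix predicates compare the decoded relative path case-sensitively, so on a case-insensitive filesystem /cfide/ still reaches the same files unless you add the lower-case form or use a regex with (?i); and IPAddressAccessControlHandler checks the TCP peer address, so behind a reverse proxy every request looks like it comes from the proxy, and you would wrap the chain with Handlers.proxyPeerAddress(...) only when that proxy is trusted to set the forwarded headers.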