Re: [undertow-dev] Access control examples

Is the basic auth handler part of the predicate language? I didn't see it in the docs so I wanted to see if there was a way to have a textual representation of that. Thanks! ~Brad *Developer Advocate* *Ortus Solutions, Corp * E-mail: brad(a)coldbox.org ColdBox Platform: http://www.coldbox.org Blog: http://www.codersrevolution.com On Thu, Aug 16, 2018 at 1:06 PM Brad Wood <bdw429s(a)gmail.com&gt; wrote: > Thanks for the additional information Stuart. After a bit of Googling, > the most comprehensive version of the documentation for the predicate > language appears to be here: > > > https://github.com/undertow-io/undertow-docs/blob/master/src/main/asciido... > > I'll note that Google really tends to favor the older, but less complete > versions of that page such as this one: > > > http://undertow.io/undertow-docs/undertow-docs-1.2.0/predicates-attribute... > > You may want to look into some SEO tricks to get Google to index the most > recent version so it's easier to find. That said, for the life of me, I > can't find any docs at all that talk about the *status(404)* bit you > showed. Where is that covered? > > Did you perhaps mean this: *response-code(302)* > > Also, on the note of your docs, you have a handful of old pull requests > for typos and such over here: > https://github.com/undertow-io/undertow-docs/pulls > I added one to the list. Please review and merge those :) > > Thanks! > > ~Brad > > *Developer Advocate* > *Ortus Solutions, Corp * > > E-mail: brad(a)coldbox.org > ColdBox Platform: http://www.coldbox.org > Blog: http://www.codersrevolution.com > > > > On Wed, Aug 15, 2018 at 7:05 PM Stuart Douglas <sdouglas(a)redhat.com&gt; > wrote: > >> >> >> On Sat, Aug 11, 2018 at 1:25 AM Brad Wood <bdw429s(a)gmail.com&gt; wrote: >> >>> It depenends a bit on what you want to do. >>> >>> >>> Thanks for the reply Stuart. Honestly, I'm just brainstorming a little >>> here to see what's possible but I just couldn't find any docs or examples >>> to help solidify what was out in there. My primary use for this as I >>> explained just now in a separate reply is to be able to add some security >>> rules to CommandBox servers to do things such as: >>> >>> - Block access to CF admins in the root (such as paths starting >>> with */CFIDE*) >>> - Block access to special files in any directory such as *box.json*, >>> *server.json*, or *.cfconfig.json* >>> - Block access to hidden files in any directory (starting with a >>> period ) >>> - Block access to custom folders defined by the user such as >>> */tests/* or */workbench* >>> >>> I'm thinking a bit how the IIS "hidden segments" feature works. In >>> addition to using this behind the scenes in CommandBox, I'd like to expose >>> it to my users in the *server.json >>> <https://commandbox.ortusbooks.com/embedded-server/server.json>* so >>> they can configure basic access control. I generally don't expose 100% of >>> what Undertow does since CommandBox aims to be a drop-in dead-easy way to >>> just fire up a server, but I'm interested in the IP matching since that >>> could be a common use case. i.e., "Block access to the administrator >>> unless the IP is in this range or localhost" >>> >>> So basically, yes, I'm interested in all of those things and I don't >>> have a super specific solution in mind, but I'm rather just looking for >>> some better examples to help me understand what's there and what I can best >>> expose in CommandBox. >>> >>> Basically you just use a predicate to decide what you want to restrict, >>>> and then map it to a handler that either rejects the request outright or >>>> performs an access control check. >>> >>> >>> This makes sense and I think the predicate part was what I was missing, >>> but are there examples of this anywhere? It helps me way more to see some >>> code. >>> >>> >> Most of the examples of this are in the test suite, e.g. >> PredicatedHandlersTestCase. There is also a text based representation you >> can use to configure this. e.g. to reject all box.json files: >> path-suffix(/box.json) -> status(404). >> >> Stuart >> >> >>> Thanks! >>> >>> ~Brad >>> >>> *Developer Advocate* >>> *Ortus Solutions, Corp * >>> >>> E-mail: brad(a)coldbox.org >>> ColdBox Platform: http://www.coldbox.org >>> Blog: http://www.codersrevolution.com >>> >>> >>> >>> On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas(a)redhat.com&gt; >>> wrote: >>> >>>> It depenends a bit on what you want to do. >>>> >>>> If you just want to block /CFIDE you can just use a PredicateHandler, >>>> with a PathPrefixPredicate, and if it matches use ResponseCodeHandler to >>>> return the desired response code. You could combine it >>>> with io.undertow.server.handlers.AccessControlListHandler >>>> or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to >>>> limit the IP range. >>>> >>>> Basically you just use a predicate to decide what you want to >>>> restrict, and then map it to a handler that either rejects the request >>>> outright or performs an access control check. >>>> >>>> Stuart >>>> >>>> >>>> On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s(a)gmail.com&gt; wrote: >>>> >>>>> Anyone? >>>>> >>>>> Thanks! >>>>> >>>>> ~Brad >>>>> >>>>> *Developer Advocate* >>>>> *Ortus Solutions, Corp * >>>>> >>>>> E-mail: brad(a)coldbox.org >>>>> ColdBox Platform: http://www.coldbox.org >>>>> Blog: http://www.codersrevolution.com >>>>> >>>>> >>>>> >>>>> On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s(a)gmail.com&gt; wrote: >>>>> >>>>>> Hi, I'm looking for some examples of locking down access to certain >>>>>> directories, similar to how IIS has "hidden segments". For instance, I'd >>>>>> like all URLs starting with /CFIDE to be blocked, or perhaps only access to >>>>>> a certain range of IPs >>>>>> >>>>>> I swear I had looked at some examples of this about a year ago, but >>>>>> after quite a lot of Googling today I was coming up empty handed. I found >>>>>> some basic information on the access control handlers, but couldn't find a >>>>>> single example of using them. >>>>>> >>>>>> Thanks! >>>>>> >>>>>> ~Brad >>>>>> >>>>>> *Developer Advocate* >>>>>> *Ortus Solutions, Corp * >>>>>> >>>>>> E-mail: brad(a)coldbox.org >>>>>> ColdBox Platform: http://www.coldbox.org >>>>>> Blog: http://www.codersrevolution.com >>>>>> >>>>>> _______________________________________________ >>>>> undertow-dev mailing list >>>>> undertow-dev(a)lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev >>>> >>>>