On Sat, Aug 11, 2018 at 1:25 AM Brad Wood <bdw429s(a)gmail.com> wrote:
> It depends a bit on what you want to do.
Thanks for the reply Stuart. Honestly, I'm just brainstorming a little
here to see what's possible but I just couldn't find any docs or examples
to help solidify what was out there. My primary use for this, as I
explained just now in a separate reply is to be able to add some security
rules to CommandBox servers to do things such as:
- Block access to CF admins in the root (such as paths starting with
*/CFIDE*)
- Block access to special files in any directory such as *box.json*,
*server.json*, or *.cfconfig.json*
- Block access to hidden files in any directory (starting with a
period)
- Block access to custom folders defined by the user such as */tests/*
or */workbench*
I'm thinking a bit about how the IIS "hidden segments" feature works. In
addition to using this behind the scenes in CommandBox, I'd like to expose
it to my users in the *server.json
<https://commandbox.ortusbooks.com/embedded-server/server.json>* so they
can configure basic access control. I generally don't expose 100% of what
Undertow does since CommandBox aims to be a drop-in dead-easy way to just
fire up a server, but I'm interested in the IP matching since that could be
a common use case. i.e., "Block access to the administrator unless the IP
is in this range or localhost"
So basically, yes, I'm interested in all of those things and I don't have
a super specific solution in mind, but I'm rather just looking for some
better examples to help me understand what's there and what I can best
expose in CommandBox.
> Basically you just use a predicate to decide what you want to restrict,
> and then map it to a handler that either rejects the request outright or
> performs an access control check.
This makes sense and I think the predicate part was what I was missing,
but are there examples of this anywhere? It helps me way more to see some
code.
Most of the examples of this are in the test suite, e.g.
PredicatedHandlersTestCase. There is also a text based representation you
can use to configure this. e.g. to reject all box.json files:
path-suffix(/box.json) -> status(404).
Stuart
Thanks!
~Brad
*Developer Advocate*
*Ortus Solutions, Corp *
E-mail: brad(a)coldbox.org
ColdBox Platform:
http://www.coldbox.org
Blog:
http://www.codersrevolution.com
On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas(a)redhat.com>
wrote:
> It depends a bit on what you want to do.
>
> If you just want to block /CFIDE you can just use a PredicateHandler,
> with a PathPrefixPredicate, and if it matches use ResponseCodeHandler to
> return the desired response code. You could combine it
> with io.undertow.server.handlers.AccessControlListHandler
> or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to
> limit the IP range.
>
> Basically you just use a predicate to decide what you want to restrict,
> and then map it to a handler that either rejects the request outright or
> performs an access control check.
>
> Stuart
>
>
> On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s(a)gmail.com> wrote:
>
>> Anyone?
>>
>> Thanks!
>>
>> ~Brad
>>
>> *Developer Advocate*
>> *Ortus Solutions, Corp *
>>
>> E-mail: brad(a)coldbox.org
>> ColdBox Platform:
>> http://www.coldbox.org
>> Blog:
>> http://www.codersrevolution.com
>>
>>
>>
>> On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s(a)gmail.com> wrote:
>>
>>> Hi, I'm looking for some examples of locking down access to certain
>>> directories, similar to how IIS has "hidden segments". For
>>> instance, I'd
>>> like all URLs starting with /CFIDE to be blocked, or perhaps only access to
>>> a certain range of IPs
>>>
>>> I swear I had looked at some examples of this about a year ago, but
>>> after quite a lot of Googling today I was coming up empty handed. I found
>>> some basic information on the access control handlers, but couldn't find
>>> a
>>> single example of using them.
>>>
>>> Thanks!
>>>
>>> ~Brad
>>>
>>> *Developer Advocate*
>>> *Ortus Solutions, Corp *
>>>
>>> E-mail: brad(a)coldbox.org
>>> ColdBox Platform:
>>> http://www.coldbox.org
>>> Blog:
>>> http://www.codersrevolution.com
>>>
>>> _______________________________________________
>> undertow-dev mailing list
>> undertow-dev(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>
>
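An added example, not code from this thread, from Undertow or from CommandBox, wiring the handlers Stuart names (PredicateHandler with prefix/suffix/regex predicates, ResponseCodeHandler, IPAddressAccessControlHandler) into one chain that implements the four rules in Brad's list. The `app` handler, the listen port and the 10.0.0.0/8 range are placeholders.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.predicate.Predicate;
import io.undertow.predicate.Predicates;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.util.Headers;

public class HiddenSegmentsExample {

    // Wraps the application handler `app` (placeholder) with the rules from the thread.
    // Blocked paths answer 404 so the response does not confirm the file exists;
    // the admin path is reachable only from allow-listed peers, otherwise 403.
    static HttpHandler guard(HttpHandler app) {
        // Special files in any directory. Suffix matching is case-sensitive.
        Predicate specialFiles = Predicates.suffixes("/box.json", "/server.json", "/.cfconfig.json");
        // Any path segment starting with a period. regex() uses find(), so the
        // pattern matches anywhere in the relative path, not only at the start.
        Predicate hidden = Predicates.regex("/\\.");
        // User-defined folders (placeholder list); matches "/tests" and "/tests/...".
        Predicate customFolders = Predicates.prefixes("/tests/", "/workbench/");

        // CF admin only from localhost or a trusted range (10.0.0.0/8 is a placeholder).
        // defaultAllow=false denies every peer that is not explicitly allowed.
        // Caveat: behind a reverse proxy the source address is the proxy's own
        // unless a ProxyPeerAddressHandler sits in front of this chain.
        IPAddressAccessControlHandler adminGuard = Handlers.ipAccessControl(app, false)
                .addAllow("127.0.0.1")
                .addAllow("::1")
                .addAllow("10.0.0.0/8");
        // prefix() is case-sensitive; on a case-insensitive file system "/cfide"
        // reaches the same files, so match the first segment case-insensitively.
        Predicate cfAdmin = Predicates.regex("(?i)^/cfide(/|$)");

        HttpHandler chain = Handlers.predicate(cfAdmin, adminGuard, app);
        // Outermost handler, evaluated first: any hidden-segment hit ends in 404.
        return Handlers.predicate(Predicates.or(specialFiles, hidden, customFolders),
                ResponseCodeHandler.HANDLE_404, chain);
    }

    public static void main(String[] args) {
        HttpHandler app = exchange -> {
            exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "text/plain");
            exchange.getResponseSender().send("served: " + exchange.getRelativePath());
        };
        Undertow.builder().addHttpListener(8080, "localhost").setHandler(guard(app)).build().start();
    }
}
```

With the server running, `curl -i http://localhost:8080/box.json` and `/.git/config` return 404, `/CFIDE/administrator/` from a non-listed address returns 403, and everything else reaches `app`.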