Thanks for the additional information Stuart.  After a bit of Googling, the most comprehensive version of the documentation for the predicate language appears to be here: 

https://github.com/undertow-io/undertow-docs/blob/master/src/main/asciidoc/predicates-attributes-handlers.asciidoc

I'll note that Google really tends to favor the older, but less complete versions of that page such as this one:

http://undertow.io/undertow-docs/undertow-docs-1.2.0/predicates-attributes-handlers.html

You may want to look into some SEO tricks to get Google to index the most recent version so it's easier to find.  That said, for the life of me, I can't find any docs at all that talk about the status(404) bit you showed.  Where is that covered?  

Did you perhaps mean this: response-code(302)

Also, on the note of your docs, you have a handful of old pull requests for typos and such over here:
https://github.com/undertow-io/undertow-docs/pulls
I added one to the list.  Please review and merge those :)

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 



On Wed, Aug 15, 2018 at 7:05 PM Stuart Douglas <sdouglas@redhat.com> wrote:


On Sat, Aug 11, 2018 at 1:25 AM Brad Wood <bdw429s@gmail.com> wrote:
It depenends a bit on what you want to do.  
 
Thanks for the reply Stuart.  Honestly, I'm just brainstorming a little here to see what's possible but I just couldn't find any docs or examples to help solidify what was out in there.  My primary use for this as I explained just now in a separate reply is to be able to add some security rules to CommandBox servers to do things such as:
  • Block access to CF admins in the root (such as paths starting with  /CFIDE)
  • Block access to special files in any directory such as box.json, server.json, or .cfconfig.json
  • Block access to hidden files in any directory (starting with a period )
  • Block access to custom folders defined by the user such as /tests/ or /workbench
I'm thinking a bit how the IIS "hidden segments" feature works.  In addition to using this behind the scenes in CommandBox, I'd like to expose it to my users in the server.json so they can configure basic access control.  I generally don't expose 100% of what Undertow does since CommandBox aims to be a drop-in dead-easy way to just fire up a server, but I'm interested in the IP matching since that could be a common use case.  i.e., "Block access to the administrator unless the IP is in this range or localhost"

So basically, yes, I'm interested in all of those things and I don't have a super specific solution in mind, but I'm rather just looking for some better examples to help me understand what's there and what I can best expose in CommandBox.

Basically you just use a predicate to decide what you want to restrict, and then map it to a handler that either rejects the request outright or performs an access control check.

This makes sense and I think the predicate part was what I was missing, but are there examples of this anywhere?  It helps me way more to see some code.


Most of the examples of this are in the test suite, e.g. PredicatedHandlersTestCase. There is also a text based representation you can use to configure this. e.g. to reject all box.json files: path-suffix(/box.json) -> status(404). 

Stuart
 
Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 



On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas@redhat.com> wrote:
It depenends a bit on what you want to do. 

If you just want to block /CFIDE you can just use a PredicateHandler, with a PathPrefixPredicate, and if it matches use ResponseCodeHandler to return the desired response code. You could combine it with io.undertow.server.handlers.AccessControlListHandler or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to limit the IP range.

Basically you just use a predicate to decide what you want to restrict, and then map it to a handler that either rejects the request outright or performs an access control check.

Stuart


On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s@gmail.com> wrote:
Anyone?

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 



On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s@gmail.com> wrote:
Hi, I'm looking for some examples of locking down access to certain directories, similar to how IIS has "hidden segments".  For instance, I'd like all URLs starting with /CFIDE to be blocked, or perhaps only access to a certain range of IPs

I swear I had looked at some examples of this about a year ago, but after quite a lot of Googling today I was coming up empty handed.  I found some basic information on the access control handlers, but couldn't find a single example of using them.

Thanks!

~Brad

Developer Advocate
Ortus Solutions, Corp 

ColdBox Platform: http://www.coldbox.org 

_______________________________________________
undertow-dev mailing list
undertow-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/undertow-dev