Hi Stuart, did you see my notes about the unmerged pulls, the status(xxx)
call and the question about basic auth being part of the predicate language?
Thanks!
~Brad
*Developer Advocate*
*Ortus Solutions, Corp *
E-mail: brad(a)coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com
On Thu, Aug 16, 2018 at 1:30 PM Brad Wood <bdw429s(a)gmail.com> wrote:
> Is the basic auth handler part of the predicate language? I didn't see
> it in the docs so I wanted to see if there was a way to have a textual
> representation of that.
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad(a)coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
>
>
> On Thu, Aug 16, 2018 at 1:06 PM Brad Wood <bdw429s(a)gmail.com> wrote:
>
>> Thanks for the additional information Stuart. After a bit of Googling,
>> the most comprehensive version of the documentation for the predicate
>> language appears to be here:
>>
>> https://github.com/undertow-io/undertow-docs/blob/master/src/main/asciido...
>>
>> I'll note that Google really tends to favor the older, but less complete
>> versions of that page such as this one:
>>
>> http://undertow.io/undertow-docs/undertow-docs-1.2.0/predicates-attribute...
>>
>> You may want to look into some SEO tricks to get Google to index the
>> most recent version so it's easier to find. That said, for the life of me,
>> I can't find any docs at all that talk about the *status(404)* bit you
>> showed. Where is that covered?
>>
>> Did you perhaps mean this: *response-code(302)*
>>
>> Also, on the note of your docs, you have a handful of old pull requests
>> for typos and such over here:
>>
>> https://github.com/undertow-io/undertow-docs/pulls
>> I added one to the list. Please review and merge those :)
>>
>> Thanks!
>>
>> ~Brad
>>
>> *Developer Advocate*
>> *Ortus Solutions, Corp *
>>
>> E-mail: brad(a)coldbox.org
>> ColdBox Platform: http://www.coldbox.org
>> Blog: http://www.codersrevolution.com
>>
>>
>>
>> On Wed, Aug 15, 2018 at 7:05 PM Stuart Douglas <sdouglas(a)redhat.com>
>> wrote:
>>
>>>
>>>
>>> On Sat, Aug 11, 2018 at 1:25 AM Brad Wood <bdw429s(a)gmail.com> wrote:
>>>
>>>>> It depends a bit on what you want to do.
>>>>
>>>>
>>>> Thanks for the reply Stuart. Honestly, I'm just brainstorming a
>>>> little here to see what's possible but I just couldn't find any docs or
>>>> examples to help solidify what was out in there. My primary use for this
>>>> as I explained just now in a separate reply is to be able to add some
>>>> security rules to CommandBox servers to do things such as:
>>>>
>>>> - Block access to CF admins in the root (such as paths starting
>>>> with */CFIDE*)
>>>> - Block access to special files in any directory such as *box.json*,
>>>> *server.json*, or *.cfconfig.json*
>>>> - Block access to hidden files in any directory (starting with a
>>>> period)
>>>> - Block access to custom folders defined by the user such as
>>>> */tests/* or */workbench*
>>>>
>>>> I'm thinking a bit how the IIS "hidden segments" feature works. In
>>>> addition to using this behind the scenes in CommandBox, I'd like to expose
>>>> it to my users in the *server.json
>>>> <https://commandbox.ortusbooks.com/embedded-server/server.json>* so
>>>> they can configure basic access control. I generally don't expose 100% of
>>>> what Undertow does since CommandBox aims to be a drop-in dead-easy way to
>>>> just fire up a server, but I'm interested in the IP matching since that
>>>> could be a common use case. i.e., "Block access to the administrator
>>>> unless the IP is in this range or localhost"
>>>>
>>>> So basically, yes, I'm interested in all of those things and I don't
>>>> have a super specific solution in mind, but I'm rather just looking for
>>>> some better examples to help me understand what's there and what I can best
>>>> expose in CommandBox.
>>>>
>>>>> Basically you just use a predicate to decide what you want to
>>>>> restrict, and then map it to a handler that either rejects the request
>>>>> outright or performs an access control check.
>>>>
>>>>
>>>> This makes sense and I think the predicate part was what I was
>>>> missing, but are there examples of this anywhere? It helps me way more to
>>>> see some code.
>>>>
>>>>
>>> Most of the examples of this are in the test suite, e.g.
>>> PredicatedHandlersTestCase. There is also a text based representation you
>>> can use to configure this. e.g. to reject all box.json files:
>>> path-suffix(/box.json) -> status(404).
>>>
>>> Stuart
>>>
>>>
>>>> Thanks!
>>>>
>>>> ~Brad
>>>>
>>>> *Developer Advocate*
>>>> *Ortus Solutions, Corp *
>>>>
>>>> E-mail: brad(a)coldbox.org
>>>> ColdBox Platform: http://www.coldbox.org
>>>> Blog: http://www.codersrevolution.com
>>>>
>>>>
>>>>
>>>> On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas(a)redhat.com>
>>>> wrote:
>>>>
>>>>> It depends a bit on what you want to do.
>>>>>
>>>>> If you just want to block /CFIDE you can just use a PredicateHandler,
>>>>> with a PathPrefixPredicate, and if it matches use ResponseCodeHandler to
>>>>> return the desired response code. You could combine it
>>>>> with io.undertow.server.handlers.AccessControlListHandler
>>>>> or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to
>>>>> limit the IP range.
>>>>>
>>>>> Basically you just use a predicate to decide what you want to
>>>>> restrict, and then map it to a handler that either rejects the request
>>>>> outright or performs an access control check.
>>>>>
>>>>> Stuart
>>>>>
>>>>>
>>>>> On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s(a)gmail.com> wrote:
>>>>>
>>>>>> Anyone?
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> ~Brad
>>>>>>
>>>>>> *Developer Advocate*
>>>>>> *Ortus Solutions, Corp *
>>>>>>
>>>>>> E-mail: brad(a)coldbox.org
>>>>>> ColdBox Platform: http://www.coldbox.org
>>>>>> Blog: http://www.codersrevolution.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s(a)gmail.com> wrote:
>>>>>>
>>>>>>> Hi, I'm looking for some examples of locking down access to certain
>>>>>>> directories, similar to how IIS has "hidden segments". For instance, I'd
>>>>>>> like all URLs starting with /CFIDE to be blocked, or perhaps only access to
>>>>>>> a certain range of IPs
>>>>>>>
>>>>>>> I swear I had looked at some examples of this about a year ago, but
>>>>>>> after quite a lot of Googling today I was coming up empty handed. I found
>>>>>>> some basic information on the access control handlers, but couldn't find a
>>>>>>> single example of using them.
>>>>>>>
>>>>>>> Thanks!
>>>>>>>
>>>>>>> ~Brad
>>>>>>>
>>>>>>> *Developer Advocate*
>>>>>>> *Ortus Solutions, Corp *
>>>>>>>
>>>>>>> E-mail: brad(a)coldbox.org
>>>>>>> ColdBox Platform: http://www.coldbox.org
>>>>>>> Blog: http://www.codersrevolution.com
>>>>>>>
>>>>>>> _______________________________________________
>>>>>> undertow-dev mailing list
>>>>>> undertow-dev(a)lists.jboss.org
>>>>>> https://lists.jboss.org/mailman/listinfo/undertow-dev
>>>>>
>>>>>
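
The approach described in the quoted replies (a predicate selects the requests, and a handler either rejects them or applies an IP check), written against Undertow's Java API as an added example; it is not code from the thread or from the Undertow project. The `app` handler, the port and the `10.0.0.0/8` range are assumptions made for the sketch.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.attribute.ExchangeAttributes;
import io.undertow.predicate.Predicate;
import io.undertow.predicate.Predicates;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.ResponseCodeHandler;

public class HiddenSegments {
    public static void main(String[] args) {
        // Placeholder for the real application handler (assumption).
        HttpHandler app = exchange -> exchange.getResponseSender().send("application content");

        // Requests that are never served. Prefix and suffix predicates compare the
        // path case-sensitively, so on a case-insensitive file system other
        // casings of these names need their own rule (for example a (?i) regex).
        Predicate hidden = Predicates.or(
            Predicates.suffixes("/box.json", "/server.json", "/.cfconfig.json"),
            Predicates.prefixes("/tests", "/workbench"),
            // Any path segment that starts with a period.
            Predicates.regex(ExchangeAttributes.relativePath(), ".*/\\..*"));

        // /CFIDE: allowed from IPv4 localhost and one range, 403 for everyone else.
        // The check uses the socket peer address; behind a reverse proxy that is
        // the proxy's address, not the client's.
        HttpHandler adminOnly = Handlers.ipAccessControl(app, false)
            .addAllow("127.0.0.1")
            .addAllow("10.0.0.0/8"); // constructed range

        // Hidden paths get a 404; /CFIDE goes through the IP check; the rest is served.
        HttpHandler root = Handlers.predicate(hidden, ResponseCodeHandler.HANDLE_404,
            Handlers.predicate(Predicates.prefix("/CFIDE"), adminOnly, app));

        Undertow.builder()
            .addHttpListener(8080, "localhost")
            .setHandler(root)
            .build()
            .start();
    }
}
```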