[undertow-dev] Access control examples

Brad Wood bdw429s at gmail.com
Thu Aug 16 14:30:43 EDT 2018


Is the basic auth handler part of the predicate language?  I didn't see it
in the docs so I wanted to see if there was a way to have a textual
representation of that.

Thanks!

~Brad

*Developer Advocate*
*Ortus Solutions, Corp *

E-mail: brad at coldbox.org
ColdBox Platform: http://www.coldbox.org
Blog: http://www.codersrevolution.com



On Thu, Aug 16, 2018 at 1:06 PM Brad Wood <bdw429s at gmail.com> wrote:

> Thanks for the additional information Stuart.  After a bit of Googling,
> the most comprehensive version of the documentation for the predicate
> language appears to be here:
>
>
> https://github.com/undertow-io/undertow-docs/blob/master/src/main/asciidoc/predicates-attributes-handlers.asciidoc
>
> I'll note that Google really tends to favor the older, but less complete
> versions of that page such as this one:
>
>
> http://undertow.io/undertow-docs/undertow-docs-1.2.0/predicates-attributes-handlers.html
>
> You may want to look into some SEO tricks to get Google to index the most
> recent version so it's easier to find.  That said, for the life of me, I
> can't find any docs at all that talk about the *status(404)* bit you
> showed.  Where is that covered?
>
> Did you perhaps mean this: *response-code(302)*
>
> Also, on the note of your docs, you have a handful of old pull requests
> for typos and such over here:
> https://github.com/undertow-io/undertow-docs/pulls
> I added one to the list.  Please review and merge those :)
>
> Thanks!
>
> ~Brad
>
> *Developer Advocate*
> *Ortus Solutions, Corp *
>
> E-mail: brad at coldbox.org
> ColdBox Platform: http://www.coldbox.org
> Blog: http://www.codersrevolution.com
>
>
>
> On Wed, Aug 15, 2018 at 7:05 PM Stuart Douglas <sdouglas at redhat.com>
> wrote:
>
>>
>>
>> On Sat, Aug 11, 2018 at 1:25 AM Brad Wood <bdw429s at gmail.com> wrote:
>>
>>> It depends a bit on what you want to do.
>>>
>>>
>>> Thanks for the reply Stuart.  Honestly, I'm just brainstorming a little
>>> here to see what's possible but I just couldn't find any docs or examples
>>> to help solidify what was out in there.  My primary use for this as I
>>> explained just now in a separate reply is to be able to add some security
>>> rules to CommandBox servers to do things such as:
>>>
>>>    - Block access to CF admins in the root (such as paths starting
>>>    with  */CFIDE*)
>>>    - Block access to special files in any directory such as *box.json*,
>>>    *server.json*, or *.cfconfig.json*
>>>    - Block access to hidden files in any directory (starting with a
>>>    period )
>>>    - Block access to custom folders defined by the user such as
>>>    */tests/* or */workbench*
>>>
>>> I'm thinking a bit how the IIS "hidden segments" feature works.  In
>>> addition to using this behind the scenes in CommandBox, I'd like to expose
>>> it to my users in the *server.json
>>> <https://commandbox.ortusbooks.com/embedded-server/server.json>* so
>>> they can configure basic access control.  I generally don't expose 100% of
>>> what Undertow does since CommandBox aims to be a drop-in dead-easy way to
>>> just fire up a server, but I'm interested in the IP matching since that
>>> could be a common use case.  i.e., "Block access to the administrator
>>> unless the IP is in this range or localhost"
>>>
>>> So basically, yes, I'm interested in all of those things and I don't
>>> have a super specific solution in mind, but I'm rather just looking for
>>> some better examples to help me understand what's there and what I can best
>>> expose in CommandBox.
>>>
>>> Basically you just use a predicate to decide what you want to restrict,
>>>> and then map it to a handler that either rejects the request outright or
>>>> performs an access control check.
>>>
>>>
>>> This makes sense and I think the predicate part was what I was missing,
>>> but are there examples of this anywhere?  It helps me way more to see some
>>> code.
>>>
>>>
>> Most of the examples of this are in the test suite, e.g.
>> PredicatedHandlersTestCase. There is also a text based representation you
>> can use to configure this. e.g. to reject all box.json files:
>> path-suffix(/box.json) -> status(404).
>>
>> Stuart
>>
>>
>>> Thanks!
>>>
>>> ~Brad
>>>
>>> *Developer Advocate*
>>> *Ortus Solutions, Corp *
>>>
>>> E-mail: brad at coldbox.org
>>> ColdBox Platform: http://www.coldbox.org
>>> Blog: http://www.codersrevolution.com
>>>
>>>
>>>
>>> On Fri, Aug 10, 2018 at 1:47 AM Stuart Douglas <sdouglas at redhat.com>
>>> wrote:
>>>
>>>> It depends a bit on what you want to do.
>>>>
>>>> If you just want to block /CFIDE you can just use a PredicateHandler,
>>>> with a PathPrefixPredicate, and if it matches use ResponseCodeHandler to
>>>> return the desired response code. You could combine it
>>>> with io.undertow.server.handlers.AccessControlListHandler
>>>> or io.undertow.server.handlers.IPAddressAccessControlHandler if you want to
>>>> limit the IP range.
>>>>
>>>> Basically you just use a predicate to decide what you want to restrict,
>>>> and then map it to a handler that either rejects the request outright or
>>>> performs an access control check.
>>>>
>>>> Stuart
>>>>
>>>>
>>>> On Fri, Aug 10, 2018 at 3:59 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>>
>>>>> Anyone?
>>>>>
>>>>> Thanks!
>>>>>
>>>>> ~Brad
>>>>>
>>>>> *Developer Advocate*
>>>>> *Ortus Solutions, Corp *
>>>>>
>>>>> E-mail: brad at coldbox.org
>>>>> ColdBox Platform: http://www.coldbox.org
>>>>> Blog: http://www.codersrevolution.com
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Aug 4, 2018 at 4:48 PM Brad Wood <bdw429s at gmail.com> wrote:
>>>>>
>>>>>> Hi, I'm looking for some examples of locking down access to certain
>>>>>> directories, similar to how IIS has "hidden segments".  For instance, I'd
>>>>>> like all URLs starting with /CFIDE to be blocked, or perhaps only access to
>>>>>> a certain range of IPs
>>>>>>
>>>>>> I swear I had looked at some examples of this about a year ago, but
>>>>>> after quite a lot of Googling today I was coming up empty handed.  I found
>>>>>> some basic information on the access control handlers, but couldn't find a
>>>>>> single example of using them.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> ~Brad
>>>>>>
>>>>>> *Developer Advocate*
>>>>>> *Ortus Solutions, Corp *
>>>>>>
>>>>>> E-mail: brad at coldbox.org
>>>>>> ColdBox Platform: http://www.coldbox.org
>>>>>> Blog: http://www.codersrevolution.com
>>>>>>
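One way to wire up the chain Stuart describes, as an added example that is not part of this thread or of Undertow's own documentation: it implements Brad's hidden-segments list with PredicateHandler, path predicates, ResponseCodeHandler and IPAddressAccessControlHandler, and also shows the same idea in the textual rule form (using `response-code(...)`, the handler name Brad cites). The class name, the listener port and the 10.0.0.0/8 LAN range are assumptions.

```java
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.predicate.Predicate;
import io.undertow.predicate.Predicates;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.IPAddressAccessControlHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.builder.PredicatedHandlersParser;

public class HiddenSegmentsExample {
    // True when any segment of the decoded request path starts with '.', e.g.
    // /.git/config or /app/.cfconfig.json. Predicate has one method, so a lambda works.
    static final Predicate HIDDEN_SEGMENT = exchange -> {
        for (String segment : exchange.getRelativePath().split("/")) {
            if (segment.startsWith(".")) return true;
        }
        return false;
    };

    // Programmatic form: the handlers Stuart names, wrapped around the application handler.
    static HttpHandler protect(HttpHandler app) {
        // /CFIDE is served only to localhost or the (assumed) LAN range 10.0.0.0/8;
        // other peers get the handler's default deny response, 403.
        HttpHandler adminFromLanOnly = new IPAddressAccessControlHandler(app)
                .setDefaultAllow(false)
                .addAllow("127.0.0.1").addAllow("::1").addAllow("10.0.0.0/8");
        // Prefix matching is case-sensitive, so list the lower-case spelling as well
        // when the application sits on a case-insensitive filesystem.
        HttpHandler adminGate = Handlers.predicate(
                Predicates.prefixes("/CFIDE", "/cfide"), adminFromLanOnly, app);
        // Config files, dotfiles and user-chosen folders are never served, from anywhere.
        Predicate neverServe = Predicates.or(
                Predicates.suffixes("/box.json", "/server.json"),
                Predicates.prefixes("/tests", "/workbench"),
                HIDDEN_SEGMENT);
        return Handlers.predicate(neverServe, ResponseCodeHandler.HANDLE_404, adminGate);
    }

    // Textual form: one "predicate -> handler" rule per line, parsed into the same kind of chain.
    static HttpHandler protectFromText(HttpHandler next) {
        String rules = "path-suffix(/box.json) -> response-code(404)\n"
                + "path-prefix(/CFIDE) -> response-code(403)";
        return Handlers.predicates(
                PredicatedHandlersParser.parse(rules, HiddenSegmentsExample.class.getClassLoader()), next);
    }

    public static void main(String[] args) {
        HttpHandler app = ex -> ex.getResponseSender().send("served " + ex.getRelativePath());
        Undertow.builder().addHttpListener(8080, "127.0.0.1").setHandler(protect(app)).build().start();
    }
}
```

IPAddressAccessControlHandler checks the TCP peer address, so behind a reverse proxy every request appears to come from the proxy; the IP rule only means something when the proxy's forwarded address is mapped explicitly from a trusted proxy.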