Search code examples
authorizationweb.xmlhttp-status-code-403

How to handle web.xml authorization to local js/css files when returning '403 Forbidden'?

I have a website which only people with authorization can enter. If someone does not have authorization, my web.xml redirects them to a 403 error page.

However, both my application and my error pages use some external js and css files (e.g. bootstrap). Logically, the 403 error page cannot access these js/css files, as permission is forbidden to everything except for the the error page html.

How should I solve this neatly? Should I expose my libraries folder publicly? If so, how can I override my security rules for a specific folder?

I looked through the documentation here but I do not see this scenario mentioned. I presume I have to add a security-constraint to "/libraries", and somehow override the necessary roles for the HTTP-method GET?

The potentially relevant parts of my web.xml:

    <error-page>
        <error-code>403</error-code>
        <location>/errorPages/forbidden.jsp</location>
    </error-page>

  <security-role>
    <role-name>myRole</role-name>
  </security-role>

  <security-constraint>
    <display-name>MySecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>POST</http-method>     
    </web-resource-collection>
    <auth-constraint>
      <role-name>myRole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
Solution

  • You could simple add an extra security-constraint with detailed path and without the auth-constraint

    <security-constraint>
    <display-name>NoSecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <url-pattern>/library/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>POST</http-method>     
    </web-resource-collection>
  </security-constraint>

    I hope this solves your problem