how to block access to http get web-inf files


Jim Boden

Jun 20, 2023, 1:22:35 PM
to WildFly
We have wildfly 20 mostly default standalone config, deployed exploded. I can go to https://localhost/WEB-INF/web.xml and it shows me the file. It will show any file under the WEB-INF or entire root tree.

But this of course should not be GET-able. Did we just miss some simple config to block access via GET?

Thank you

Paul Ferraro

Jul 4, 2023, 7:03:36 AM
to WildFly
This is a regression that was fixed in WildFly 24.
You should be able to workaround it by adding a security constraint to your web.xml, e.g.

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>private</web-resource-name>
            <url-pattern>/WEB-INF/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>forbidden</role-name>
        </auth-constraint>
    </security-constraint>

Jim Boden

Jul 5, 2023, 11:52:57 AM
to WildFly
Thank you Paul,

I see how this should have worked but it still does not. Not sure if I should, but I don't see any logs either. Could it be that this constraint only applies for URLs below the app name since it's in the app's web.xml? Like localhost/myapp/etc....

But here I'm getting:

localhost/WEB-INF/web.xml

with no app in the URL and it still displays. I removed all other security-constraints to be sure, and tried with and without a role name.

I'm not sure when I can move to a later release, so I very much appreciate any other ideas.

Thank you!

Paul Ferraro

Jul 12, 2023, 11:06:23 AM
to WildFly
Are you able to reproduce this problem on a more recent release?

Jim Boden

Jul 12, 2023, 2:38:58 PM
to WildFly
Thanks for the follow-up. I wasn't able to update to a later version so could not test. It might be a while before we upgrade. I ended up adding a location handler to the undertow default-server like:

    <host name="default-host" alias="localhost">
        <location name="/WEB-INF" handler="block"/>
        <location name="/META-INF" handler="block"/>
    </host>

Then the handler is just something silly that redirects me back to the app login page:

    <handlers>
        <!-- the handler name must match the handler="block" reference exactly (no leading space) -->
        <file name="block" path="${jboss.home.dir}/standalone/deployments/myapp.war/login.htm"/>
    </handlers>

This did work. I don't know why the constraint did not work, unless maybe because the web-inf is not in my app path, perhaps it did not register the constraint since that's in my app web.xml. But this handler did the trick so we moved on. :-)

Thank you!
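A check a practitioner can run after applying either workaround, added here as an example and not part of the thread: it requests the WEB-INF and META-INF paths both at the server root (the URL reported as exposed above, with no application name in it) and under the application context, and reports which ones the server still answers with 200. BASE_URL, APP_CONTEXT, CURL_OPTS and the script filename check_webinf.sh are assumptions; the status-to-verdict mapping treats a redirect (what the login-page handler above produces) as not exposed.

```shell
#!/bin/sh
# check_webinf.sh: verify that a servlet container does not serve WEB-INF
# or META-INF contents. Added example; not part of the WildFly project.
# BASE_URL and APP_CONTEXT are assumptions; set them for your own server.

BASE_URL="${BASE_URL:-https://localhost}"
APP_CONTEXT="${APP_CONTEXT:-myapp}"
# Set CURL_OPTS=-k only for a local self-signed certificate.
CURL_OPTS="${CURL_OPTS:-}"

# Paths that must never be directly retrievable, checked at the server root
# (the case reported in the thread) and under the application context.
SENSITIVE_PATHS="/WEB-INF/web.xml /WEB-INF/ /META-INF/MANIFEST.MF /META-INF/"

# classify: map an HTTP status code to a verdict.
#   200           -> exposed   (file contents were served)
#   3xx           -> redirected (e.g. the login-page handler above)
#   401/403/404   -> blocked
#   000           -> unreachable (curl could not connect)
classify() {
  case "$1" in
    200) echo exposed ;;
    301|302|303|307|308) echo redirected ;;
    401|403|404) echo blocked ;;
    000|"") echo unreachable ;;
    *) echo "other($1)" ;;
  esac
}

# status_of: fetch a URL without following redirects, print only the status code.
# $CURL_OPTS is intentionally unquoted so it can carry several options.
status_of() {
  curl $CURL_OPTS -s -o /dev/null -w '%{http_code}' "$1"
}

# check_all: probe every sensitive path at both locations; exit status 1 if
# anything is still exposed, 0 otherwise.
check_all() {
  rc=0
  for prefix in "" "/$APP_CONTEXT"; do
    for p in $SENSITIVE_PATHS; do
      url="$BASE_URL$prefix$p"
      code=$(status_of "$url")
      verdict=$(classify "$code")
      printf '%-50s %4s  %s\n' "$url" "$code" "$verdict"
      [ "$verdict" = exposed ] && rc=1
    done
  done
  return $rc
}

# Run the probe only when executed as check_webinf.sh, not when sourced.
case "$0" in
  *check_webinf.sh) check_all ;;
esac
```

Run it once before and once after the change; every line should move from "exposed" to "blocked" or "redirected", and a non-zero exit status means at least one path is still served.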

Bartosz Baranowski

Jul 19, 2023, 5:12:47 AM
to WildFly
WDYM "web-inf is not in my app path"?
Could you please detail the app setup in case that's a real flaw?